Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET)

• Author
• Recent Posts

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

• Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

The Enhanced Mitigation Experience Toolkit is provided as an MSI file, making manual installation or deployments very straightforward.  First, go to the Microsoft Download center and download EMET 5.5.

Install EMET manually

After downloading the EMET MSI file, double-click it.  Click Next to bypass the welcome screen and the installation folder screens.

EMET 5.5 Select Installation Folder screen

Accept the license agreement, click Next two more times, accept the UAC prompt, and EMET will install.  When the install process completes, the EMET Configuration Wizard will run.

Enhanced Mitigation Experience Toolkit Configuration Wizard

If you’re planning on testing out EMET, the Use Recommended Settings option is a good way to get started with some of the more common settings.  If you’ll be pushing out a configuration to this system later or want to configure EMET manually, skip the recommended settings and use Configure Manually Later.  (The second option is a bit deceptive if you’re planning on deploying settings to multiple systems.  You can still configure EMET through Group Policy using this option.)

Install EMET silently

The EMET installer is an MSI, so installing via your favorite systems management suite (like System Center Configuration Manager) is fairly easy.  Just use the following command line:

msiexec.exe /i “EMET Setup.msi” /qn /norestart

Please note that using this method installs EMET with very minimal configuration; it will still be necessary to configure EMET after installing it.

Configuring EMET

After installing EMET, you can access the EMET GUI application on the Start Menu in the Enhanced Mitigation Experience Toolkit folder.  If you’re looking for a way to get a quick start, EMET comes with pre-configured XML Protection Profiles that can be imported into the application.  To use one of these pre-configured options, click the Import button, select one of the XML files, and click Open.

Import pre-configured protection profiles into EMET

Clicking on the Apps button in EMET will show the applications that were part of the pre-configured profile:
Application configuration for recommended software in EMET

From here, you can make changes as your testing shows problems with these preconfigured mitigations or add additional mitigations for your own applications.

To add an application, click the Add Application button.  Browse to the executable of the application you want to add to EMET, click on the exe, and click Open.  At this point, you should see the new application with the default rules EMET adds.
Add a new application to EMET

Deploy rules using Group Policy

The EMET GUI can deploy the rules you’ve configured on your local client to a group of machines using Group Policy.  First, ensure that the Remote Server Administration Tools (RSAT) are installed on the local computer.  Next, click the Group Policy button in the EMET GUI.  If you have an existing Group Policy Object (GPO) you’d like to use, you can select it here and then click OK.  Alternately, you can click the New button and create a new GPO.
Deploy the EMET configuration with Group Policy

Next, go to the Group Policy Management Console (GPMC) and link the GPO to an existing OU that contains computers.  If these computers have the EMET client installed, they’ll receive this new configuration the next time a Group Policy refresh runs.