Now that you’ve decided you want to use the Enhanced Mitigation Toolkit (EMET), you’ll need to install and configure the client.  In this tutorial, I’ll cover the basics of configuring EMET and review how to configure a group of machines.

The Enhanced Mitigation Experience Toolkit is provided as an MSI file, making manual installation or deployments very straightforward.  First, go to the Microsoft Download center and download EMET 5.5.

Install EMET manually

After downloading the EMET MSI file, double-click it.  Click Next to bypass the welcome screen and the installation folder screens.

EMET 5.5 Select Installation Folder screen

EMET 5.5 Select Installation Folder screen

Accept the license agreement, click Next two more times, accept the UAC prompt, and EMET will install.  When the install process completes, the EMET Configuration Wizard will run.

Enhanced Mitigation Experience Toolkit Configuration Wizard

Enhanced Mitigation Experience Toolkit Configuration Wizard

If you’re planning on testing out EMET, the Use Recommended Settings option is a good way to get started with some of the more common settings.  If you’ll be pushing out a configuration to this system later or want to configure EMET manually, skip the recommended settings and use Configure Manually Later.  (The second option is a bit deceptive if you’re planning on deploying settings to multiple systems.  You can still configure EMET through Group Policy using this option.)

Install EMET silently

The EMET installer is an MSI, so installing via your favorite systems management suite (like System Center Configuration Manager) is fairly easy.  Just use the following command line:

msiexec.exe /i “EMET Setup.msi” /qn /norestart

Please note that using this method installs EMET with very minimal configuration; it will still be necessary to configure EMET after installing it.

Configuring EMET

After installing EMET, you can access the EMET GUI application on the Start Menu in the Enhanced Mitigation Experience Toolkit folder.  If you’re looking for a way to get a quick start, EMET comes with pre-configured XML Protection Profiles that can be imported into the application.  To use one of these pre-configured options, click the Import button, select one of the XML files, and click Open.

Import pre-configured protection profiles into EMET

Import pre-configured protection profiles into EMET

Clicking on the Apps button in EMET will show the applications that were part of the pre-configured profile:
Application configuration for recommended software in EMET

From here, you can make changes as your testing shows problems with these preconfigured mitigations or add additional mitigations for your own applications.

To add an application, click the Add Application button.  Browse to the executable of the application you want to add to EMET, click on the exe, and click Open.  At this point, you should see the new application with the default rules EMET adds.
Add a new application to EMET

Deploy rules using Group Policy

The EMET GUI can deploy the rules you’ve configured on your local client to a group of machines using Group Policy.  First, ensure that the Remote Server Administration Tools (RSAT) are installed on the local computer.  Next, click the Group Policy button in the EMET GUI.  If you have an existing Group Policy Object (GPO) you’d like to use, you can select it here and then click OK.  Alternately, you can click the New button and create a new GPO.
Deploy the EMET configuration with Group Policy

Subscribe to 4sysops newsletter!

Next, go to the Group Policy Management Console (GPMC) and link the GPO to an existing OU that contains computers.  If these computers have the EMET client installed, they’ll receive this new configuration the next time a Group Policy refresh runs.

3 Comments
  1. MADHU SUNKE 7 years ago

    Hi Kyle ,

    Thanks for the brief explanation of installing the EMET v5.

    just want to know , why we need to use EMET for the security purpose since we have already others protections software pre-installed in enterprise level.

    Thanks,

    Madhu Sunke

     

     

    • Author
      Kyle Beckman (Rank 2) 7 years ago

      If you think you’re existing protections cover you, you don’t necessarily need to run EMET. EMET is just another option that is available to you to prevent malicious use of executables on your computers. Most antivirus applications don’t contain the protections that are available in EMET.

  2. EJ 7 years ago

    If I make a change to the PopularSoftware.xml file on the SCCM server after EMET and the initial configuration have been applied to a client computer, how do I get the updated PopularSoftware.xml file pushed to the client computers?

    Thanks,
    EJ

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account