EMET part three – doing the startup script

http://technet.microsoft.com/en-us/library/cc779329(v=WS.10).aspx


Following this… we build a start up script for our EMET to take effect



Group Policy object/Computer Configuration/Policies/Windows Settings/Scripts (Startup/Shutdown)


Pick Startup


  1. In the details pane, double-click Startup.
  2. In the Startup Properties dialog box, click Add.
  3. In the Add a Script dialog box, do the following:

    • In Script Name, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.

I just clicked on new text file and wrote this in notepad and saved the file as EMETstart.bat


The location of the emet_conf.exe file is in Program Files (x86) in a 64bit machine, the folder is called EMET (Tech Preview)


Save the file as a .bat file



Browse to our saved script



And the result looks like this



And the group policy script section like that.



Now let’s reboot my PC and see if this worked… I have it set to just apply to my workstation at this point in time.


More good reading here while we’re waiting for a reboot — http://rationallyparanoid.com/articles/microsoft-emet-3.html

8 Thoughts on “EMET part three – doing the startup script

  1. Another way could be Sysinternals “psexec” (used with task planer, if you want automatation). I wrote something on my own blog http://nieronet.wordpress.com/2012/09/21/verteilen-von-emet-via-gruppenrichtlinien/ .I hope you don´t mind that Link, Susan, normally I don´t make “ads” :=)

  2. Another way could be Sysinternals “psexec” (used with task planer, if you want automatation). I wrote something on my own blog http://nieronet.wordpress.com/2012/09/21/verteilen-von-emet-via-gruppenrichtlinien/ .I hope you don´t mind that Link, Susan, normally I don´t make “ads” :=)

  3. The Lazy Slug on September 27, 2012 at 4:39 am said:

    I would suggest you test this on a single workstation before deplying across your network. We have found that a number of applications have been broken as a result of installing EMET.

    (Fortuntely we have learnt from Susan and have good backups!!!)

    Susan: from the way you’ve described the positioning of the EMET group policy in the domain tree, are you implying this should be installed on servers?

  4. I don’t deploy it to servers. What apps – as I’m not seeing impact here?

  5. The Lazy Slug on September 28, 2012 at 2:25 am said:

    From your second article, you said

    Now go to the top of the group policy structure, right mouse click on the domain name and click on “Create a GPO in this domain, and link it here”.

    If you do that, you’ll end up deploying it to the server itself. I think you probably ment right clicking on the Organisational Unit ‘MyBusiness’ ?

    We’ve had problems with xPrint.dll (used with Progress OpenEdge databases.) and custom VBA macros that directly access Bloomberg Professional data feeds throught the ‘Bloomberg Data Type Library’.

    I will be investing further but had to remove EMET for the time being.

  6. No it didn’t get deployed to the server. For one you still have to install it, it doesn’t get pushed out. For two I edited the “applies to” section to only be a couple of computers at this time.

  7. The Lazy Slug on September 28, 2012 at 3:20 am said:

    Sorry, but it gets installed to the server if you have used the GPO to deploy the msi package using the instructions mention at http://www.advancedinstaller.com/user-guide/tutorial-gpo.html, although those instructions are a bit out of date refering to creating the GPO from Active Directory Users and Computers.
    The default Security Filtering of ‘Authenticated Users’ causes this.
    (Already tested this on my backup server before I posted.)

  8. Remove authenticated users and put in the computers you want.

Post Navigation