News

Microsoft Clarifies Its EMET Plans for Windows 10

• By Kurt Mackie
• August 15, 2017

Microsoft recently shared more of its plans for its Enhanced Mitigation Experience Toolkit (EMET), which will take a somewhat different form in the upcoming Windows 10 Fall Creators Update.

Late last year, Microsoft explained that EMET would only be supported until July 31, 2018. EMET, a security solution that provides protections against general hacking attack techniques, is getting "deprecated" as a standalone Windows client solution, meaning that it won't get developed and no security updates will arrive for it in the near future. Organizations with older applications typically might use EMET to ward off common exploit techniques.

Microsoft more recently announced that EMET's protections are getting moved into the "Windows Defender Exploit Guard" feature of the Windows 10 Fall Creators Update, which is expected to arrive this September or October.

Windows Defender Exploit Guard, along with new Windows Defender Application Guard and Windows Defender Device Guard solutions, will all get added to the Windows Defender Advanced Threat Protection (ATP) service about the time when the Windows 10 Fall Creators Update arrives. To use Windows Defender ATP (and hence get EMET's protections), organizations will need to have volume licensing subscriptions to the Windows 10 Enterprise or Education E5 plans. Alternatively, they'll need Secure Productive Enterprise E5 plan licensing (now renamed as "Microsoft 365"). These licensing details for Windows Defender ATP are shown in this "Minimum Requirements" Microsoft document.

EMET Getting Blocked
While EMET technically ends as a standalone solution in late July of 2018, Microsoft announced last week that Windows 10 users will find EMET blocked when the Fall Creators Update arrives, either next month or in October (possibly, the Fall Creators Update will be labeled "Windows 10 version 1709"). Here's Microsoft's warning about EMET support on Windows 10 in its announcement:

Note: To prevent possible compatibility, performance, and stability issues, Windows will automatically block or remove EMET on Windows 10 systems starting with the Windows 10 Fall Creators Update.

Users of Windows 10 version 1703, released in April, also have problems using the standalone EMET solution, according to Microsoft's lifecycle support page for EMET. Here's what that support page states about EMET 5.5 versions on Windows 10 version 1703:

Under current plans, EMET will not be supported or operable on Windows versions that are released after Windows Server 2016 and Windows 10 version 1703.

It seems that only Windows 10 version 1607, released in August of last year, will support using EMET 5.5 versions. Older Windows client versions (such as Windows 7, etc.) continue to have EMET support until its end date next year.

In essence, IT shops that regularly apply major Windows 10 updates, which now arrive twice per year, could see the loss of EMET support a little earlier than perhaps they might have expected, depending on which Windows 10 update channel (formerly called "branch") they follow.

EMET Parity
Microsoft's announcement last week also claimed that its EMET efforts are bringing "parity between Windows 10 mitigation support and all of the mitigation features provided by EMET." The statement seems to be a response to a critique by the security organization CERT that Windows 10 "does not provide the additional protections that EMET does." CERT specifically pointed to Control Flow Guard (CFG) protections lacking in Windows 10, which protect against application memory corruption vulnerabilities.

Microsoft is now pointing its customers who can't use Control Flow Guard toward using Windows Defender Exploit Guard (WDEG) instead:

While we strongly recommend the use of Control Flow Guard (CFG) to provide the strongest protections available, we understand that many enterprises depend on legacy apps to run their business operations, many of which may never get recompiled with CFG. These users can now use Exploit Guard to help secure such apps on modern systems by configuring control flow protections for legacy apps, similar to those offered by EMET but built-in directly to Windows 10 as part of WDEG.

Since Windows Defender Exploit Guard is becoming part of Windows Defender ATP product, organizations currently relying on EMET may have to look toward Windows 10 E5 plans to get the support that was previously offered by EMET.

Tooling Support
Thus, EMET protections are getting pushed into Microsoft's upper end client product offerings (Microsoft also hinted that the protections would be coming to Windows Server as well). In addition to those announcements, Microsoft had a few tooling updates to relate last week.

Microsoft announced that organizations will be able to "audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center" when the Windows 10 Fall Creators Update arrives. The Windows Defender Security Center centralizes some Windows security settings and is a new user-interface screen that first appeared in Windows 10 version 1703. The coming audit support will be bringing "audit mode support for both EMET legacy app mitigations as well as existing native mitigations provided by Windows," the announcement clarified.

Lastly, Microsoft indicated it added "a new PowerShell module that converts existing EMET XML settings files into Windows 10 mitigation policies for WDEG [Windows Defender Exploit Guard]." The new PowerShell module, called "ProcessMitigations," is for organizations that have already customized their EMET policies and want to export them when they move to using Windows Defender Exploit Guard.