Microsoft To Block EMET in Windows 10 Fall Creators Update
Microsoft last week explained more about how its Enhanced Mitigation Experience Toolkit (EMET) is getting removed and also how it is getting integrated into the Windows Defender Advanced Threat Protection (ATP) service.
Late last year, Microsoft explained that EMET would only be supported until July 31, 2018. EMET, a security solution that provides protections against general hacking attack techniques, is getting "deprecated" as a standalone Windows client solution, meaning that it won't get developed and no security updates will arrive for it in the near future. Organizations with older applications typically might use EMET to ward off common exploit techniques. Microsoft more recently announced that EMET's protections are getting moved into the "Windows Defender Exploit Guard" feature of the Windows 10 "fall creators update," which is expected to arrive this September or October.
Windows Defender Exploit Guard, along with new Windows Defender Application Guard and Windows Defender Device Guard solutions, will all get added to the Windows Defender ATP service about the time when the Windows 10 fall creators update arrives. To use Windows Defender ATP (and hence get EMET's protections), organizations will need to have volume licensing subscriptions to the Windows 10 Enterprise or Education E5 plans. Alternatively, they'll need Secure Productive Enterprise E5 plan licensing (now renamed as "Microsoft 365"). These licensing details for Windows Defender ATP are shown in this "Minimum Requirements" Microsoft document.
EMET Getting Blocked
While EMET technically ends as a standalone solution in late July of 2018, Microsoft announced last week that Windows 10 users will find EMET blocked when the fall creators update arrives, either next month or in October (possibly, the fall creators update will be labeled "Windows 10 version 1709"). Here's Microsoft's warning about EMET support on Windows 10 in its announcement:
Note: To prevent possible compatibility, performance, and stability issues, Windows will automatically block or remove EMET on Windows 10 systems starting with the Windows 10 Fall Creators Update.
Users of Windows 10 version 1703, released in April, also have problems using the standalone EMET solution, according to Microsoft's lifecycle support page for EMET. Here's what that support page states about EMET 5.5 versions on Windows 10 version 1703:
Under current plans, EMET will not be supported or operable on Windows versions that are released after Windows Server 2016 and Windows 10 version 1703.
It seems that only Windows 10 version 1607, released in August of last year, will support using EMET 5.5 versions. Older Windows client versions (such as Windows 7, etc.) continue to have EMET support until its end date next year.
In essence, IT shops that regularly apply major Windows 10 updates, which now arrive twice per year, could see the loss of EMET support a little earlier than perhaps they might have expected, depending on which Windows 10 update channel (formerly called "branch") they follow.
Microsoft's announcement last week also claimed that its EMET efforts are bringing "parity between Windows 10 mitigation support and all of the mitigation features provided by EMET." The statement seems to be a response to a critique by the security organization CERT that Windows 10 "does not provide the additional protections that EMET does." CERT specifically pointed to Control Flow Guard (CFG) protections lacking in Windows 10, which protect against application memory corruption vulnerabilities.
Microsoft is now pointing its customers who can't use Control Flow Guard toward using Windows Defender Exploit Guard (WDEG) instead:
While we strongly recommend the use of Control Flow Guard (CFG) to provide the strongest protections available, we understand that many enterprises depend on legacy apps to run their business operations, many of which may never get recompiled with CFG. These users can now use Exploit Guard to help secure such apps on modern systems by configuring control flow protections for legacy apps, similar to those offered by EMET but built-in directly to Windows 10 as part of WDEG.
Since Windows Defender Exploit Guard is becoming part of Windows Defender ATP product, organizations currently relying on EMET may have to look toward Windows 10 E5 plans to get the support that was previously offered by EMET.
Thus, EMET protections are getting pushed into Microsoft's upper end client product offerings (Microsoft also hinted that the protections would be coming to Windows Server as well). In addition to those announcements, Microsoft had a few tooling updates to relate last week.
Microsoft announced that organizations will be able to "audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center" when the Windows 10 fall creators update arrives. The Windows Defender Security Center centralizes some Windows security settings and is a new user-interface screen that first appeared in Windows 10 version 1703. The coming audit support will be bringing "audit mode support for both EMET legacy app mitigations as well as existing native mitigations provided by Windows," the announcement clarified.
Lastly, Microsoft indicated it added "a new PowerShell module that converts existing EMET XML settings files into Windows 10 mitigation policies for WDEG [Windows Defender Exploit Guard]." The new PowerShell module, called "ProcessMitigations," is for organizations that have already customized their EMET policies and want to export them when they move to using Windows Defender Exploit Guard.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.