Certificate Trust (Pinning) disabled after silent installation

  • Question

  • When we install EMET 4.1 (MSIEXEC.exe /qb!- /i "EMET Setup.msi" ALLUSERS=1 REBOOT=REALLYSUPPRESS) and import the Popular Software.xml and CertTrust.xml settings with EMET_Conf.exe, the Quick Profile Name is set to custom Security setting and the Certificate Trust (Pinning) option is disabled. The import of the CertTrust.xml worked because the pinning rules and protected websites are visible.

    How can we use the Recommended Security Settings and enable the Certificate Trust (Pinning) option after installation? I tried to use a Group Policy but there are no group policy settings for the Certificate Trust (Pinning) option.

    Has someone else experienced this and how can we solve this?

    Regards,

    RK



    • Edited by R._K._ Wednesday, February 19, 2014 8:35 AM
    Saturday, February 15, 2014 10:47 PM

Answers

  • The Group Policy settings for EMET 5.0 look the same as those for EMET 4.1. The 'problem' that the system mitigation Certificate Trust (Pinning) is disabled after a silent installation is not (yet) fixed in the EMET 5.0 technical preview. On the other hand, I found out that "EMET_CONF.exe --system Pinning=Enabled" enables the system mitigation Certificate Trust (Pinning). The Quick Profile Name remains set to custom Security setting, but I guess the settings are the same as Recommended Security Settings.

    Regards,

    RK

    • Marked as answer by R._K._ Friday, February 28, 2014 11:57 AM
    Friday, February 28, 2014 11:57 AM
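
The steps from the question and the accepted answer, combined into one deployment script as an added example (not code posted in the thread). The install directory and the location of the XML files are assumptions, as is EMET_Conf.exe returning a non-zero exit code on failure; `--list_system` is EMET_Conf's switch for printing the system mitigation states.

```powershell
# Added example. File names come from the thread; their locations are assumptions.
param(
    [string]$Msi = '.\EMET Setup.msi',
    [string]$EmetDir = "${env:ProgramFiles(x86)}\EMET 4.1",            # assumed install directory
    [string[]]$ProfileFiles = @('.\Popular Software.xml', '.\CertTrust.xml')  # assumed to sit beside the script
)

function Invoke-EmetConf {
    param([string[]]$Arguments)
    # Assumption: EMET_Conf.exe signals failure with a non-zero exit code.
    & (Join-Path $EmetDir 'EMET_Conf.exe') @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "EMET_Conf.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Silent install, using the switches from the question.
$msiArgs = "/qb!- /i `"$Msi`" ALLUSERS=1 REBOOT=REALLYSUPPRESS"
$install = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if (@(0, 3010) -notcontains $install.ExitCode) {   # 3010 = success, reboot required
    throw "msiexec failed with exit code $($install.ExitCode)"
}

# 2. Import the protection profile and the pinning rules.
foreach ($xml in $ProfileFiles) {
    $path = (Resolve-Path -Path $xml -ErrorAction Stop).Path
    Invoke-EmetConf -Arguments @('--import', $path)
}

# 3. The import leaves the system-wide pinning mitigation off, so enable it
#    explicitly, as described in the accepted answer.
Invoke-EmetConf -Arguments @('--system', 'Pinning=Enabled')

# 4. Write the resulting system mitigation states to the deployment log so the
#    pinning state can be confirmed per machine.
Invoke-EmetConf -Arguments @('--list_system')
```

Run it elevated; the output of step 4 should be reviewed to confirm that Pinning is enabled.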

All replies

  • Is this problem fixed in EMET 5.0? Does the new version also have a group policy setting for the Certificate Trust (Pinning) option?

    Regards,

    RK

    Tuesday, February 25, 2014 9:09 PM