3. Select the certificate that was exported earlier.

4. Repeat the steps for importing but this time for Trusted Root Certificate Authorities.

5. Expand “Computer Management” -> “Policies” -> “Administrative Templates” -> “Windows Components” -> “Windows Update”

6. Enable “Allow signed content from intranet Microsoft update service location”. If you do not enable this setting, the client will receive error code 800b0109 when it tries to validate the signature of the file after downloading it.

Group Policy is refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes, so it can take up to 2 hours for the update to actually apply to your client machines.

If you have a Windows 2012 Domain Controller and have not done this already, I recommend using a new feature in Windows 2012 Domain Controllers: a Starter GPO template that opens the correct ports on remote Windows machines so that you can force a Group Policy update remotely. This can prove quite useful when you have to push changes quickly, such as when responding to an incident. On a Domain Controller, open PowerShell and run the following command to create and link the GPO; modify the DN to match your environment (in this case it is for my lab domain acmelabs.com):

New-GPO -Name "Configure firewall rules for remote gpupdate" -StarterGpoName "Group Policy Remote Update Firewall Ports" | New-GPLink -Target "dc=acmelabs,dc=com" -LinkEnabled Yes

Once it is linked and the policy has been applied to all machines in the domain, you can invoke a Group Policy update across your domain from a Windows 2012 machine as Domain Admin in PowerShell:

Get-ADComputer -Filter * -SearchBase "dc=acmelabs,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

On a client machine we can verify that the certificate was propagated by using PowerShell to list the store and compare the certificate thumbprint with the one we saw earlier when we generated the cert.

PS C:\Users\Administrator> ls Cert:\LocalMachine\TrustedPublisher

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPublisher

Thumbprint                                Subject
----------                                -------
681249451028091B250828DA56D70FD2A3547FE5  CN=WSUS Publishers Self-signed
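Checking one client by hand is fine for a lab, but before publishing a package you want to know which machines in the domain still lack the certificate or the policy setting. The following is an added example, not part of the original post: it runs the same check over every computer in the domain and also reads the registry value (AcceptTrustedPublisherCerts) behind the "Allow signed content from intranet Microsoft update service location" policy. It assumes PowerShell Remoting is enabled on the clients and the RSAT ActiveDirectory module is available; the thumbprint and search base are the lab values shown above.

```powershell
# Added example (not from the original post): report which domain computers have the
# WSUS signing certificate in both LocalMachine stores populated by the import steps
# above, and whether the signed-intranet-content policy is in effect.
# Assumes WinRM/PS Remoting is enabled on the clients and the ActiveDirectory module is installed.
function Test-WsusPublisherTrust {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,      # thumbprint of the cert you generated
        [string]$SearchBase = 'dc=acmelabs,dc=com'       # lab domain used in this post
    )
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
        Select-Object -ExpandProperty Name

    Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
                   -ArgumentList $Thumbprint -ScriptBlock {
        param($tp)
        # The certificate provider exposes each cert as an item named by its thumbprint
        $inPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$tp"
        $inRoot      = Test-Path "Cert:\LocalMachine\Root\$tp"

        # Registry value written by the GPO setting
        # "Allow signed content from intranet Microsoft update service location"
        $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $accept = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
                      -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            TrustedPublisher     = $inPublisher
            TrustedRoot          = $inRoot
            AcceptsSignedContent = ($accept -eq 1)
            Ready                = $inPublisher -and $inRoot -and ($accept -eq 1)
        }
    } | Select-Object Computer, TrustedPublisher, TrustedRoot, AcceptsSignedContent, Ready
}

# Usage: thumbprint taken from the TrustedPublisher listing above; show only machines
# that are not yet ready to accept the locally published update.
Test-WsusPublisherTrust -Thumbprint '681249451028091B250828DA56D70FD2A3547FE5' |
    Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

Computers that do not appear in the output at all could not be reached over WinRM and should be checked separately rather than assumed ready.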

Creating an EMET 4.0 Update and Publishing It

Before we deploy the package we have to lay the groundwork for it, in the case of EMET. First we need to download the MSI and install it on a management workstation, since the installation includes the ADMX Group Policy templates we will use to manage the EMET configuration centrally. We can download the file from http://www.microsoft.com/en-us/download/details.aspx?id=39273. Once installed, the ADMX files will be located in:

On x64 systems: C:\Program Files (x86)\EMET 4.0\Deployment\Group Policy Files

On x86 systems: C:\Program Files\EMET 4.0\Deployment\Group Policy Files

Depending on how you manage your ADMX files, either centrally or per Domain Controller, you will need to copy the files to their proper location so they can be used (http://technet.microsoft.com/en-us/library/cc709647(v=ws.10).aspx).

For a per-DC setup you need to copy the ADMX files to SYSTEMDRIVE\Windows\PolicyDefinitions and the ADML files to SYSTEMDRIVE\Windows\PolicyDefinitions\en-US. If you are using centralized management of the policy files (the Central Store), you would copy them to %logonserver%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions and %logonserver%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions\en-US respectively.

We can now set a base configuration for EMET. I recommend you test the settings in your environment first, since different vendors follow different coding standards and some applications may be affected by EMET's mitigations. For this example I will use a base configuration built on Microsoft's recommended settings for popular applications and enable most of the protections.

In the Group Policy Management Console we can create a new GPO, or use an existing one for security settings, and edit it (do not use the Default Domain Policy GPO!). Expand “Computer Management” -> “Policies” -> “Administrative Templates” -> “Windows Components” -> “Windows Update” and set the parameters to fit your environment: