EMET (Enhanced Mitigation Experience Toolkit) is a free tool from Microsoft that raises the level of application security on a machine. It is a great addition to your security toolkit, but there is one caveat that we discovered recently on our first implementation.
A few days after machines were deployed we were having issues with Bitlocker prompting for a recovery key with the following message displayed at boot:
Windows Bitlocker Drive Encryption Information
The Boot Configuration Data (BCD) settings for the following boot application have changed since Bitlocker was enabled.
Boot Application: \Windows\system32\winload.exe
Changed Setting: 0x25000020
You must supply a Bitlocker recovery key to start this system.
Confirm that the changes to the BCD settings are trusted.
If the changes are trusted then suspend and resume Bitlocker. This will reset Bitlocker to use the new BCD settings.
Otherwise restore the original BCD settings.
EMET is a very small, lightweight install package. However, just installing EMET doesn't actually increase your security. You need to run a short command after it is installed to activate your desired mitigations:
This tells EMET to look at the group policies and XML configuration files you have provided and to put those settings into effect on the computer.
The majority of mitigations will not cause any problems. However, if you have chosen to change the default system DEP (Data Execution Prevention) setting, it will cause Bitlocker to prompt for a recovery key if Bitlocker is enabled.
This is because DEP is part of the BCD settings (OS boot options), and those settings feed one of the PCRs (Platform Configuration Registers) that Bitlocker monitors to determine whether someone is trying to access your data without proper permission. You could avoid this by telling Bitlocker not to monitor PCR 10; however, this significantly lowers your security posture.
The solution to this EMET and Bitlocker issue is to alter your command line for configuring EMET to add the following:
Manage-bde -protectors -disable C:
Manage-bde -protectors -enable C:
The first command suspends Bitlocker before the DEP change is made; the second re-enables it afterwards, which tells Bitlocker that the new DEP setting in the BCD is the trusted one.
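As an added example (not from the original post), a PowerShell wrapper for the procedure above: it confirms protection is on, suspends the protectors, runs the EMET configuration step, and resumes protection in a finally block so that a failure in the EMET step cannot leave the drive suspended. The post does not show the EMET command itself, so the EMET_Conf.exe --refresh default used here is an assumption and should be replaced with whatever command you use.

```powershell
# Added example: wrap the EMET refresh in a BitLocker suspend/resume so the
# DEP change written to the BCD does not trigger a recovery-key prompt at boot.
# Run from an elevated prompt; manage-bde requires administrator rights.
param(
    [string]$Drive = "C:",
    # Assumption: the post does not show the EMET command; EMET_Conf --refresh
    # applies the GPO/XML mitigation settings. Replace if you use something else.
    [string]$EmetExe = "EMET_Conf.exe",
    [string[]]$EmetArgs = @("--refresh")
)

function Get-ProtectionStatus([string]$Drive) {
    # manage-bde -status prints a "Protection Status: Protection On/Off" line.
    $out = & manage-bde -status $Drive
    foreach ($line in $out) {
        if ($line -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read BitLocker status for $Drive"
}

$before = Get-ProtectionStatus $Drive
if ($before -notmatch 'On') {
    throw "BitLocker protection is not on for $Drive ($before); nothing to suspend."
}

# Step 1: suspend protectors so the upcoming BCD change is not treated as tampering.
& manage-bde -protectors -disable $Drive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to suspend BitLocker protectors on $Drive" }

try {
    # Step 2: apply the EMET mitigations (this is what rewrites the DEP setting).
    & $EmetExe @EmetArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "EMET command exited with code $LASTEXITCODE" }
}
finally {
    # Step 3: always resume, even if the EMET step failed. While suspended the
    # volume key is stored in the clear, so the drive must not stay in this state.
    & manage-bde -protectors -enable $Drive | Out-Null
    $after = Get-ProtectionStatus $Drive
    if ($after -notmatch 'On') {
        Write-Error "Protection is still '$after' on $Drive after resume; check manage-bde -status"
    } else {
        Write-Host "BitLocker protection resumed on $Drive; the new BCD settings are now trusted."
    }
}
```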