An update is available for EMET Certificate Trust default rules

Article ID: 2961016


This article describes an update to the Enhanced Mitigation Experience Toolkit. A link to download the update is provided.

More information

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that a malicious hacker must defeat in order to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible. 

EMET also includes the Certificate Trust feature. This feature detects man-in-the-middle attacks that take advantage of maliciously issued certificates. The Certificate Trust feature lets users configure a set of pinning rules to validate digitally signed certificates (SSL certificates) while browsing. These rules bind the SSL certificates of specific domains to one or more trusted Root Certificate Authorities (Root CAs) that issued the certificate. When EMET detects that the issuing Root CA for the SSL certificate of a configured domain differs from the Root CAs in that domain's rule, it reports the anomaly as a potential symptom of an ongoing man-in-the-middle attack.

For more information about EMET, see the following article in the Microsoft Knowledge Base:
2458544 The Enhanced Mitigation Experience Toolkit

EMET’s default configuration includes a list of Certificate Trust rules for the logon services of Microsoft Account, Microsoft Office 365, Skype, and other popular online services such as Twitter, Facebook, and Yahoo!. These default rules can become obsolete over time, as SSL certificates expire. Organizations can decide to issue new SSL certificates for their services by using a Root CA that has not been defined in an EMET configuration, in which case an outdated rule no longer matches the legitimate certificate.

This page contains the most up-to-date set of rules for EMET’s Certificate Trust feature for the services that are listed earlier. The rules are delivered as an easy-to-install Fix it package that automatically updates Certificate Trust rules.

The Fix it package will update EMET’s Certificate Trust default configuration rules for versions 4.0 and 4.1. EMET must be installed in the default directory (%ProgramFiles(x86)%\EMET 4.0 or %ProgramFiles(x86)%\EMET 4.1). Only the default rules will be updated. Custom rules will be kept "as is."
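The following added example (not EMET's code or its rule format) models the behavior described above: a pinning rule binds a domain to a set of Root CAs, a different root is reported as an anomaly, and a rule update that refreshes default rules while leaving custom rules untouched clears the false alarm after a legitimate CA change. The domain names, the `PinRule` structure, the use of SHA-256 fingerprints to identify roots, and the byte strings standing in for root certificates are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as upper-case hex."""
    return hashlib.sha256(cert_der).hexdigest().upper()

@dataclass(frozen=True)
class PinRule:                    # hypothetical structure, not EMET's format
    domain: str
    trusted_roots: frozenset      # fingerprints of the Root CAs pinned to this domain
    is_default: bool = True       # False marks an administrator's custom rule

def check(rules: dict, host: str, root_der: bytes) -> str:
    """Compare the Root CA that anchors host's chain with the pinned set."""
    rule = rules.get(host.lower())
    if rule is None:
        return "no-rule"          # domain is not pinned, nothing to compare
    return "ok" if fingerprint(root_der) in rule.trusted_roots else "anomaly"

def apply_update(rules: dict, new_defaults: dict) -> dict:
    """Refresh default rules only; custom rules are kept as they are."""
    merged = dict(rules)
    for domain, rule in new_defaults.items():
        current = merged.get(domain)
        if current is None or current.is_default:
            merged[domain] = rule
    return merged

# Constructed stand-ins for DER-encoded root certificates (not real certificates).
ROOT_A, ROOT_B, ROOT_X = b"constructed-root-A", b"constructed-root-B", b"constructed-root-X"

def demo() -> dict:
    rules = {
        "login.example.com": PinRule("login.example.com", frozenset({fingerprint(ROOT_A)})),
        "intranet.example.com": PinRule("intranet.example.com",
                                        frozenset({fingerprint(ROOT_X)}), is_default=False),
    }
    out = {"expected_root": check(rules, "login.example.com", ROOT_A),
           "other_root": check(rules, "login.example.com", ROOT_B)}
    # The service legitimately moves to ROOT_B; the updated default rule lists both roots.
    update = {"login.example.com": PinRule("login.example.com",
                                           frozenset({fingerprint(ROOT_A), fingerprint(ROOT_B)}))}
    updated = apply_update(rules, update)
    out["other_root_after_update"] = check(updated, "login.example.com", ROOT_B)
    out["custom_rule_kept"] = updated["intranet.example.com"] is rules["intranet.example.com"]
    return out

if __name__ == "__main__":
    print(demo())
```

With the outdated rule, a certificate chained to the new root is indistinguishable from a maliciously issued one, which is why stale default rules produce alerts that an updated rule set removes.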

Fix it for me

To download the Fix it solution to update EMET’s Certificate Trust default rules, click the Fix it button or link. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Fix this problem
Microsoft Fix it 51012


Article ID: 2961016 - Last Review: April 29, 2014 - Revision: 1.0
Applies to
  • Enhanced Mitigation Experience Toolkit 4.1