Certificate pinning configuration
Configures EMET certificate pinning. Click the "Pinned Sites" and "Pinning Rules" buttons to configure sites and rules.
Pinned Sites:
In each row, specify a site to pin in the left column, and the name of a pinning rule in the right column, with an optional + in front of it.
Place a minus sign in front of the rule name to make the rule inactive for that site.
Example:
www.microsoft.com +VerisignRootRule1
tailspintoys.com -AnyVerisignRootRule
Pinning Rules:
In each row, provide the name of a pinning rule in the left column, and rule specifications in the right column, separated by semicolons.
Rule specifications can include:
* One or more certificate thumbprints, separated by semicolons. (Certificate "thumbprints" are also sometimes called "fingerprints.")
* The words BLOCK or WARN, indicating whether the rule should block access to the site on cert validation failure or just display a warning.
* The word "expiration:" followed by the date when the rule should stop being enforced, in yyyy-mm-dd format.
Example:
VerisignRootRule1 BLOCK; expiration:2017-08-31; 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
AnyVerisignRootRule WARN; expiration:9999-12-31; 742C3192E607E424EB4549542BE1BBC53E6174E2,4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Configures EMET certificate pinning. Click the "Pinned Sites" and "Pinning Rules" buttons to configure sites and rules.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\EMET\CertPinning\Sites |
| Value Name | {number} |
| Value Type | REG_SZ |
| Default Value |
In each row, specify a site to pin in the left column, and the name of a pinning rule in the right column.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\EMET\CertPinning\Rules |
| Value Name | {number} |
| Value Type | REG_SZ |
| Default Value |
In each row, provide the name of a pinning rule in the left column, and one or more certificate thumbprints in the right column, separated by commas. (Certificate "thumbprints" are also sometimes called "fingerprints.")
emet.admx
- Windows Components
- EMET
- Application Configuration
- Certificate pinning configuration
- Default Action and Mitigation Settings
- Default Protections for Internet Explorer
- Default Protections for Popular Software
- Default Protections for Recommended Software
- EMET Agent Custom Message
- EMET Agent Visibility
- Reporting
- System ASLR
- System DEP
- System SEHOP
- EMET