Microsoft Security Baselines Blog

Security baseline for Microsoft Edge version 114

Rick_Munck
Microsoft
Jun 05, 2023

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 114!

 

We have reviewed the settings in Microsoft Edge version 114 and updated our guidance with the removal of two settings. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.

 

Microsoft Edge’s Password Manager (Removed)

This release also brings some exciting password management changes that we have been discussing for quite some time.

 

Previously, the Microsoft Edge security baseline called for disabling the built-in password manager (Enable saving passwords to the password manager). We are now removing that recommendation and moving this setting to Not Configured, based on the availability of several new features that alter the security tradeoffs introduced by Microsoft Edge’s improved Password Manager. Each organization needs to make an informed decision about how it configures the password manager based on its specific environment.

By default, Microsoft Edge’s Password Manager is enabled. We will highlight what we feel are compelling reasons for Enterprises to consider leaving the Password Manager enabled and configuring additional settings that increase the security value of the Password Manager.

 

Note: Enhanced password management features do require connectivity, meaning an Azure Active Directory (AAD) account or Microsoft Account (MSA) must be used. Two existing settings, “Browser sign-in settings” and “Force synchronization of browser data and do not show the sync consent prompt”, allow you to control whether users are signed into the browser and able to benefit from improvements to the password manager that require sync.

The Password Monitor (Allow users to be alerted if their passwords are found to be unsafe), introduced in version 88, monitors for the compromise of users’ credentials. More details on password monitoring can be found here. Note: If your organization supports MSA users and they are allowed to sync data, then this feature will be enabled automatically. This setting does require end-user consent, so even if set to Enabled, the end user must acknowledge its use before the setting goes into effect.

The Password Generator (Allow users to get a strong password suggestion whenever they are creating an account online), also introduced in Microsoft Edge 88, helps generate strong passwords on the user’s behalf. Further details can be found here. By default, password generation is available.

The Require Authentication Before Autofill option (Configures a setting that asks users to enter their device password while using password autofill) helps prevent misuse of passwords by other users with access to an unlocked PC. When enabled, passwords will not autofill until the user proves their identity using their fingerprint, facial recognition, PIN, or password. By default, when set to either a custom primary password or the device password, the user will be prompted to enter this before the first password is filled in each browsing session. Further details can be found here. This setting is not enabled by default.

Password Reuse Detection (Configure password protection warning trigger) detects when a user enters a password for one site on another site. It has two dependent settings, “Configure the change password URL” and “Configure the list of enterprise login URLs where the password protection service should capture salted hashes of a password”, that will need to be configured to properly identify password reuse.

With the introduction of these password manager enhancements, we believe that many organizations will now find that their environments are more secure when the password manager is left enabled.

Lastly, because we know there will be questions about the security trade-offs in using the password manager, we cover the details in the password manager documentation.

 

Minimum TLS version enabled (Removed)

This is a cleanup item. In version 98, Microsoft Edge removed the ability for a user to “click through” to an HTTPS page that was secured by the now-obsolete TLS 1.0 and 1.1 protocols. Now that support for TLS 1.0 and TLS 1.1 has been fully removed, this policy is obsolete.
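The two removals above, and the companion password settings, can be checked against a device's applied policy. The PowerShell below is an added example, not part of the Microsoft baseline package: it assumes the settings are delivered as mandatory machine-level values under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`, and the function names and sample data are hypothetical.

```powershell
# Added example (not from the baseline package). Function names are hypothetical.
# Reads mandatory machine-level Edge policies only; HKCU and \Recommended are ignored.
$EdgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicy {
    $p = @{}
    if (-not (Test-Path $EdgeKey)) { return $p }
    $key = Get-Item $EdgeKey
    foreach ($n in $key.GetValueNames()) { $p[$n] = $key.GetValue($n) }
    # List policies live in a subkey holding numbered string values.
    $sub = Join-Path $EdgeKey 'PasswordProtectionLoginURLs'
    if (Test-Path $sub) {
        $k = Get-Item $sub
        $p['PasswordProtectionLoginURLs'] = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
    }
    return $p
}

function Test-EdgePasswordPolicy {
    param([hashtable]$Policy)
    $f = @()
    if ($Policy.ContainsKey('SSLVersionMin')) {
        $f += 'SSLVersionMin: obsolete policy still set, removed from the baseline'
    }
    if ($Policy['PasswordManagerEnabled'] -eq 0) {
        $f += 'PasswordManagerEnabled=0: previous baseline value, now Not Configured'
        return $f   # companion settings are moot while the manager is disabled
    }
    if ($Policy['BrowserSignin'] -eq 0) {   # 0 = browser sign-in disabled
        $f += 'BrowserSignin=0: password features that require sync are unavailable'
    }
    if (-not $Policy.ContainsKey('PrimaryPasswordSetting')) {
        $f += 'PrimaryPasswordSetting: not configured, re-authentication before autofill is left to the user'
    }
    if ($Policy['PasswordProtectionWarningTrigger'] -eq 1) {   # 1 = warn on password reuse
        foreach ($dep in 'PasswordProtectionChangePasswordURL', 'PasswordProtectionLoginURLs') {
            if (-not $Policy[$dep]) { $f += "${dep}: required by reuse detection but empty" }
        }
    } else {
        $f += 'PasswordProtectionWarningTrigger: reuse detection is not turned on'
    }
    return $f
}

# Constructed sample: manager left enabled, reuse detection on, dependencies missing.
$sample = @{ PasswordProtectionWarningTrigger = 1; PrimaryPasswordSetting = 1 }
Test-EdgePasswordPolicy -Policy $sample
# On a managed Windows device: Test-EdgePasswordPolicy -Policy (Get-EdgePolicy)
```

For the constructed sample, the function reports the two dependent settings of reuse detection as missing.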

 

Microsoft Edge version 114 introduces 5 new computer settings and 5 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

 

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

 

Please continue to give us feedback through the Security Baseline Community or in comments on this post.

 

Published Jun 05, 2023
Version 1.0

18 Comments

  • Happyuppy123
    Copper Contributor

    We are also having this issue - definitely that specific setting as I manually disabled it in the registry and it started working again.

    Issue also exists currently in Canary builds 115 and 116.

  • MichaelOliv
    Iron Contributor

    Good to know that I am not alone. 😉

    I will be back here when I have an answer from support.

  • Jameskennedy
    Copper Contributor

    MichaelOliv I get the same when applying the PrimaryPasswordSetting: it just displays a blank page on the password setting page. Call logged.

  • MichaelOliv
    Iron Contributor

    Hello,

    I don't know about you, but when I activate the setting PrimaryPasswordSetting (Configures a setting that asks users to enter their device password while using password autofill):

    The password setting page (edge://settings/passwords) for the user doesn't show. It stays blank:

    I open a support case.

    Did you try on your side?

  • MZONDERLAND
    Brass Contributor

    Rick_Munck 

    Thanks for your quick reply. Removing these 2 policies for the baseline is also done quickly manually, but it is indeed desirable that the baseline in Intune is the same as SCT.

  • MZONDERLAND I will let Julia_Idaewor answer that since her team owns the Intune portion of the release, but what I can say is we are going to close the gap as much as possible between SCT and Intune. I don't see it being the same day, but I see it becoming much closer than in the past. The good news with 112 to 114 is we only had two settings removed. Going forward we won't always be so lucky 🙂

  • MZONDERLAND
    Brass Contributor

    Rick_Munck 

    Thanks for the update!

     

    Now I'm curious, finally the security baseline for Edge has been updated for version 112 in Microsoft Intune (05/25/23), will we now also see this update of 114 in Microsoft Intune soon? Or is the release schedule in Microsoft Intune less frequent?