Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 78

Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 78. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.

Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.

Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.

As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)

Version 78 of the Chromium-based version of Microsoft Edge has 205 enforceable Computer Configuration policy settings and another 190 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of twelve Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.

1 Comment

Thanks for this!

I've only just loaded the latest ADMX files for Edge, and comparing against this guide:

Allow users to proceed from the SSL warning page - is actually Allow users to proceed from the HTTPS warning page in Group Policy.

Minimum SSL version - is actually Minimum TLS version in Group Policy.

[Aaron Margosis] The policy templates available now are newer than the ones we built the draft with. One of the improvements was to replace "SSL" references with correct terminology.

Configure Microsoft Defender SmartScreen for trusted downloads - this was missing from Group Policy completely.

[Aaron Margosis] Track the registry value (HKLM\Software\Policies\Microsoft\Edge!SmartScreenForTrustedDownloadsEnabled). The policy setting name is now "Force Microsoft Defender SmartScreen checks on downloads from trusted sources."

Other settings were fine!
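
Following the reply's advice to track the registry value rather than the display name, this added example (not part of the original post or the baseline package) reads Chromium-based Edge policy values by name from the key given above, so a reworded ADMX template does not affect the check. `SSLErrorOverrideAllowed` and `SSLVersionMin` are the value names behind the two renamed settings; the expected data shown are assumptions to replace with the values from the package's spreadsheet, and the function name is hypothetical.

```powershell
# Added example: audit Edge policy by registry value name instead of ADMX display name.
# Key taken from the reply above (HKLM\Software\Policies\Microsoft\Edge).
$EdgePolicyKey = 'HKLM:\Software\Policies\Microsoft\Edge'

# Value names to check. The expected data are ASSUMPTIONS for illustration;
# take the real expected values from the baseline package's spreadsheet.
$Expected = [ordered]@{
    'SmartScreenForTrustedDownloadsEnabled' = 1         # "Force Microsoft Defender SmartScreen checks on downloads from trusted sources"
    'SSLErrorOverrideAllowed'               = 0         # "Allow users to proceed from the HTTPS warning page"
    'SSLVersionMin'                         = 'tls1.2'  # "Minimum TLS version"
}

# Hypothetical helper: returns one object per value name with its compliance state.
function Test-EdgePolicyValue {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $ExpectedValues
    )

    # The key does not exist at all on machines where no Edge policy has been applied.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $ExpectedValues.Keys) {
        $want   = $ExpectedValues[$name]
        $actual = $null

        if ($null -eq $key -or $name -notin $key.GetValueNames()) {
            # Missing value means the policy is not configured, which is
            # different from being configured to the wrong data.
            $state = 'NotConfigured'
        }
        else {
            $actual = $key.GetValue($name)
            # Compare as strings so DWORD and REG_SZ values share one code path.
            $state = if ("$actual" -eq "$want") { 'Compliant' } else { 'Mismatch' }
        }

        [pscustomobject]@{
            ValueName = $name
            Expected  = $want
            Actual    = $actual
            State     = $state
        }
    }
}

Test-EdgePolicyValue -KeyPath $EdgePolicyKey -ExpectedValues $Expected |
    Format-Table -AutoSize
```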