May 12 2020 05:02 PM - edited May 14 2020 03:15 PM
In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to be set to Disabled. Setting it to Disabled prevents users from clicking through warning pages about invalid SSL certificates.
With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew them. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams, which caused an outage. I can imagine this recommended setting has the potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.
That leads me to a few questions:
I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.
May 28 2020 10:51 AM
I'll agree with Eric.
While this setting may work for my end-users while on premises, it would quickly run afoul for our remote staff as well as IT staff. Most web admin interfaces leverage a self-signed cert. The ability to set overrides for this (using FQDN or IP) would significantly reduce the number of problems caused.
For now, we can create a separate GPO for those 'admin' computers so IT staff can proceed through the warning page.
Aug 05 2020 03:58 AM
@ericwright Dear Eric, "recommended baselines" are only... recommended, so you can override them in a separate GPO in whatever manner you like. :)
I personally prefer to have good recommendations from Microsoft, as I can create my own exceptions.