Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.
The settings recommended in this baseline are identical to the ones we recommended in the version 78 draft. None of the settings introduced in the version 79 policies meet the bar for inclusion in the baseline for broad use. We are republishing the baseline package because the names of several of the recommended settings were changed (for example, references to “SSL” were replaced with “HTTPS” or “TLS”).
Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports. It also includes a spreadsheet showing the changes in the available GPO settings between versions 78 and 79.
Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.
The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
If a non-administrator can set an insecure state, enforce the default.
If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.
(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)
Version 79 of the Chromium-based version of Microsoft Edge has 217 enforceable Computer Configuration policy settings and another 201 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of twelve Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.