Microsoft Tech Community
Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79
Published Dec 13 2019 02:33 PM 20K Views
Former Employee

Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.

 

The settings recommended in this baseline are identical to the ones we recommended in the version 78 draft. None of the settings introduced in the version 79 policies meet the bar for inclusion in the baseline for broad use. We are republishing the baseline package because the names of several of the recommended settings were changed (for example, references to “SSL” were replaced with “HTTPS” or “TLS”).

 

Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports. It also includes a spreadsheet showing the changes in the available GPO settings between versions 78 and 79.

 

Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.

 

As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

 

(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)

 

Version 79 of the Chromium-based version of Microsoft Edge has 217 enforceable Computer Configuration policy settings and another 201 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of twelve Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.

 

8 Comments
Silver Contributor

@Aaron Margosis, Is there a security baseline for Microsoft Edge in Intune?

Microsoft

@Jeffrey Allen Yes, there is. Go to the new Endpoint Manager Admin Center (this is an easier UI for Intune) then click Endpoint Security --> Security Baselines --> Microsoft Edge Baseline. Then proceed as usual: Create a policy, apply the baseline (modify settings if needed) and assign users/devices.

Silver Contributor

@Dom Cote, thanks!  I'll take a look at that today!

Silver Contributor

@Dom Cote, I looked at the Security Baseline for Edge in Intune, and after I made the policy changes and hit save, it erred. When I clicked to find out, I got nothing and it diverted back, so basically this policy or baseline is useless.  :sad:

Microsoft

Interesting. It worked for me. Although I just applied the defaults tbh. Do the defaults work for you? Which settings did you change?

Silver Contributor

@Dom Cote, I am uploading a screenshot of my settings, I believe.  I tried 5 times, and so I think these were the settings I wanted but that wouldn't save.

MSEdgeSecBaseSettings1.png

Microsoft

Confirmed - You're right. It's the "Control which extensions cannot be installed" setting that breaks the policy when it's changed from the default of "Enabled". Seems like a bug to me. @Aaron Margosis Can you comment on this?

 

Slightly OT: It looks like you're weakening a few key settings, such as being allowed to bypass SmartScreen. Obviously, we can't recommend that. ;)

Silver Contributor

Thanks @Dom Cote  and @Aaron Margosis!  I also understand the not recommending any changes regarding SmartScreen and I may change them back.  :smile:

Last update:
‎Nov 29 2021 08:34 AM