SOLVED
Home

Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79

%3CLINGO-SUB%20id%3D%22lingo-sub-1080021%22%20slang%3D%22en-US%22%3ESecurity%20baseline%20(DRAFT)%20for%20Chromium-based%20Microsoft%20Edge%2C%20version%2079%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1080021%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F171536%22%20target%3D%22_blank%22%3E%40Aaron%20Margosis%3C%2FA%3E%26nbsp%3B%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EFeedback%20and%20questions%20on%20the%20latest%20Edge%20Chromium%20baselines%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EExtensions%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EBlocking%20all%20extensions%20may%20not%20be%20possible%20for%20many%20organizations.%26nbsp%3B%20If%20an%20organization%20wants%20to%20maintain%20a%20list%26nbsp%3Bof%20extensions%20and%20extension%20sources%20that%20are%20allowable%2C%20what%20settings%20are%20required%3F%26nbsp%3B%20I%20have%20configured%20the%20following%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E-%20Allow%20specific%20extensions%20to%20be%20installed%3C%2FP%3E%3CP%3E-%20Configure%20extension%20and%20user%20script%20install%20sources%20(MS%20and%20Google%20URLs%20specified%20here)%3C%2FP%3E%3CP%3E-%20Control%20which%20extensions%20are%20installed%20silently%3C%2FP%3E%3CP%3EHowever%2C%20if%20I%20do%20the%20*%20block%20on%20%22C%3CSPAN%3Eontrol%20which%20extensions%20cannot%20be%20installed%22%2C%20the%20extensions%20that%20are%20specified%26nbsp%3Bas%20allowed%20but%20not%20silently%20installed%20immediately%20disable%20themselves.%26nbsp%3B%20I've%20tried%20different%20combinations%20of%20settings%20over%20the%20last%20several%20months%20with%20no%20success.%26nbsp%3B%20I%20want%20our%20conversion%20from%20Chrome%20to%20move%20us%20from%20the%20wild%20west%20for%20extensions%20to%20a%20curated%2C%20approved%20list.%26nbsp%3B%20How%20can%20this%20be%20achieved%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EPasswords%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E-%20Microsoft%20and%20Google%20have%20recently%20added%20policies%20to%20prevent%20corporate%20password%20reuse%20and%20direct%20users%20to%20change%20passwords%20if%20they%20enter%20it%20on%20a%20phishing%20site.%26nbsp%3B%20I%20think%20these%20would%20be%20good%20to%20encourage%20use%20of%2C%20but%20documentation%20is%20needed%20somewhere%20on%20how%20to%20configure%20these%20for%20a%20typical%20Microsoft%20customer%20(e.g.%2C%20Office%20365).%26nbsp%3B%20References%3A%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23passwordprotectionchangepasswordurl%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23passwordprotectionchangepasswordurl%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.google.com%2Fchrome%2Fa%2Fanswer%2F9102482%3Fhl%3Den%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.google.com%2Fchrome%2Fa%2Fanswer%2F9102482%3Fhl%3Den%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3ESmartScreen%3A%3C%2FSTRONG%3E%3CBR%20%2F%3E-%20Why%20not%20configure%20%22Configure%20Microsoft%20Defender%20SmartScreen%20to%20block%20potentially%20unwanted%20apps%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E-%20Why%20is%20%22Force%20Microsoft%20Defender%20SmartScreen%20checks%20on%20downloads%20from%20trusted%20sources%22%20configured%20to%20Disabled%3F%26nbsp%3B%20Isn't%20it%20better%20to%20have%20SmartScreen%20on%20for%20trusted%20sourced%20(default)%20and%20allow%20the%20user%20to%20turn%20it%20off%20if%20required.%26nbsp%3B%20This%20seems%20like%20a%20configuration%20appropriate%20for%20a%20STIG%2C%20rather%20than%20an%20MS%20baseline.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1098737%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(DRAFT)%20for%20Chromium-based%20Microsoft%20Edge%2C%20version%2079%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1098737%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F171996%22%20target%3D%22_blank%22%3E%40Doug%20Howell%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECan%20you%20please%20try%20once%20by%20clearing%20this%20policy%3F%20(If%20there%20is%20a%20specific%20reason%20you%20need%20this%20let%20me%20know.)%3C%2FP%3E%0A%3CP%3E-%20Configure%20extension%20and%20user%20script%20install%20sources%20(MS%20and%20Google%20URLs%20specified%20here)%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20trying%20to%20restrict%20user%20from%20installing%20extension%20from%20any%20other%20source%20that%20is%20already%20done%20using%20the%20%22%3CSPAN%3EC%3C%2FSPAN%3E%3CSPAN%3Eontrol%20which%20extensions%20cannot%20be%20installed%22%20policy.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1110778%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(DRAFT)%20for%20Chromium-based%20Microsoft%20Edge%2C%20version%2079%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1110778%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318153%22%20target%3D%22_blank%22%3E%40ashishpoddar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20gave%20that%20a%20try%20and%20the%20result%20is%20the%20same%3A%20the%20extensions%20that%20are%20not%20silently%20pushed%20get%20disabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20complete%20clarity%20I%20have%20attached%20screenshots%20of%20the%20policy%20and%20the%20result.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1110949%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(DRAFT)%20for%20Chromium-based%20Microsoft%20Edge%2C%20version%2079%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1110949%22%20slang%3D%22en-US%22%3E%3CP%3EI%20dug%20into%20edge%3A%2F%2Fpolicy%20and%20found%20the%20issue%3A%20the%20format%20for%20allowed%20extensions%20is%20not%20the%20same%20as%20silently%20extensions%20so%20that%20setting%20was%20in%20an%20error%20state%20(%22Value%20doesn't%20match%20expected%20format.%22).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnce%20I%20fixed%20that%20I%20could%20turn%20on%20the%20*%20for%20%22Control%20which%20extensions%20cannot%20be%20installed%22%20and%20the%20allowed%20extensions%20remain%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EFor%20allowed%20extensions%20it%20is%20just%20the%20extension%20unique%20ID.%3C%2FLI%3E%3CLI%3EFor%20silently%20installed%20extensions%20it%20is%20the%20unique%20ID%20semicolon%20install%20source%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20able%20to%20keep%20the%20install%20sources%20locked%20down%20to%20Microsoft%20and%20Google%20with%20those%20settings%20on.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20nice%20discovery%20from%20diving%20into%20the%20%3CA%20href%3D%22https%3A%2F%2Fsupport.google.com%2Fchrome%2Fa%2Fanswer%2F7532015%3Fhl%3Den%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGoogle%20Chrome%20Enterprise%20docs%3C%2FA%3E%20was%20adding%20a%20JSON%20configuration%20in%20%22Configure%20extension%20management%20settings%22%20to%20deliver%20a%20more%20friendly%20message%20to%20users%20when%20an%20extension%20installation%20is%20blocked%20as%20well.%26nbsp%3B%20The%20formatting%20of%20this%20is%20limited%20(it%20starts%20on%20the%20same%20line%20as%20the%20built-in%20message%20and%20%5Cn%20line%20breaks%20aren't%20honoured.)%20Key%20to%20getting%20this%20to%20work%20was%20the%20%3CA%20href%3D%22https%3A%2F%2Fmythic-byway-180716.appspot.com%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EChrome%20ExtensionSettings%20Policy%20Validator%3C%2FA%3E%26nbsp%3Bto%20both%20validate%20the%20JSON%20and%20compact%20it%20into%20a%20single%20line%20for%20the%20GPO.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20case%20this%20can%20help%20anyone%20else%2C%20I've%20attached%20screen%20shots%20of%20my%20working%20configuration.%26nbsp%3B%20(Of%20course%20the%20specific%20extensions%20your%20organization%20silently%20pushes%20and%20allows%20will%20differ!)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1111958%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20(DRAFT)%20for%20Chromium-based%20Microsoft%20Edge%2C%20version%2079%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1111958%22%20slang%3D%22en-US%22%3E%3CP%3EGlad%20that%20you%20were%20able%20to%20get%20it%20to%20work%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F171996%22%20target%3D%22_blank%22%3E%40Doug%20Howell%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGood%20learnings%20for%20us%20as%20well%2C%20and%20will%20see%20if%20we%20can%20improve%20the%20documentation.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20taking%20the%20effort%20to%20add%20the%20pro-tip%20to%20customize%20error%20messages.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

@Aaron Margosis :

 

Feedback and questions on the latest Edge Chromium baselines:

 

Extensions:

Blocking all extensions may not be possible for many organizations.  If an organization wants to maintain a list of extensions and extension sources that are allowable, what settings are required?  I have configured the following:

- Allow specific extensions to be installed

- Configure extension and user script install sources (MS and Google URLs specified here)

- Control which extensions are installed silently

However, if I do the * block on "Control which extensions cannot be installed", the extensions that are specified as allowed but not silently installed immediately disable themselves.  I've tried different combinations of settings over the last several months with no success.  I want our conversion from Chrome to move us from the wild west for extensions to a curated, approved list.  How can this be achieved?

 

Passwords:

- Microsoft and Google have recently added policies to prevent corporate password reuse and direct users to change passwords if they enter it on a phishing site.  I think these would be good to encourage use of, but documentation is needed somewhere on how to configure these for a typical Microsoft customer (e.g., Office 365).  References:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#passwordprotectionchangepassword...

https://support.google.com/chrome/a/answer/9102482?hl=en

 

SmartScreen:
- Why not configure "Configure Microsoft Defender SmartScreen to block potentially unwanted apps"?

- Why is "Force Microsoft Defender SmartScreen checks on downloads from trusted sources" configured to Disabled?  Isn't it better to have SmartScreen on for trusted sourced (default) and allow the user to turn it off if required.  This seems like a configuration appropriate for a STIG, rather than an MS baseline.

 

 

4 Replies
Highlighted

@Doug Howell 

 

Can you please try once by clearing this policy? (If there is a specific reason you need this let me know.)

- Configure extension and user script install sources (MS and Google URLs specified here) 

 

If you are trying to restrict user from installing extension from any other source that is already done using the "Control which extensions cannot be installed" policy. 

 

 

Hi @ashishpoddar 

 

I gave that a try and the result is the same: the extensions that are not silently pushed get disabled.

 

For complete clarity I have attached screenshots of the policy and the result.

Highlighted
Solution

I dug into edge://policy and found the issue: the format for allowed extensions is not the same as silently extensions so that setting was in an error state ("Value doesn't match expected format.").

 

Once I fixed that I could turn on the * for "Control which extensions cannot be installed" and the allowed extensions remain on.

 

  • For allowed extensions it is just the extension unique ID.
  • For silently installed extensions it is the unique ID semicolon install source

 

I was able to keep the install sources locked down to Microsoft and Google with those settings on. 

 

Another nice discovery from diving into the Google Chrome Enterprise docs was adding a JSON configuration in "Configure extension management settings" to deliver a more friendly message to users when an extension installation is blocked as well.  The formatting of this is limited (it starts on the same line as the built-in message and \n line breaks aren't honoured.) Key to getting this to work was the Chrome ExtensionSettings Policy Validator to both validate the JSON and compact it into a single line for the GPO.  

 

In case this can help anyone else, I've attached screen shots of my working configuration.  (Of course the specific extensions your organization silently pushes and allows will differ!)

Highlighted

Glad that you were able to get it to work @Doug Howell

 

Good learnings for us as well, and will see if we can improve the documentation. 

 

Thanks for taking the effort to add the pro-tip to customize error messages.