We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 114!
We have reviewed the settings in Microsoft Edge version 114 and updated our guidance with the removal of two settings. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.
Microsoft Edge’s Password Manager (Removed)
This release also brings some exciting password management changes that we have been discussing for quite some time.
Previously, the Microsoft Edge security baseline called for disabling the built-in password manager (Enable saving passwords to the password manager). We are now removing that recommendation and moving this setting to Not Configured, because several new features in Microsoft Edge’s improved Password Manager change the security tradeoffs of leaving it enabled. Each organization needs to make an informed decision about how it configures the password manager based on its specific environment.
By default, Microsoft Edge’s Password Manager is enabled. Below we highlight what we feel are compelling reasons for enterprises to consider leaving the Password Manager enabled and configuring the additional settings that increase its security value.
Note: Enhanced password management features do require connectivity, meaning an Azure Active Directory (AAD) or Microsoft Account (MSA) must be used. Two existing settings, “Browser sign-in settings” and “Force synchronization of browser data and do not show the sync consent prompt”, allow you to control whether users are signed into the browser and able to benefit from improvements to the password manager that require sync.
The Password Monitor (Allow users to be alerted if their passwords are found to be unsafe), introduced in version 88, monitors for the compromise of users’ credentials. More details on password monitoring can be found here. Note: If your organization supports MSA users and they are allowed to sync data, this feature will be enabled automatically. This setting does require end-user consent, so even if set to Enabled, the end user must acknowledge its use before the setting goes into effect.
The Password Generator (Allow users to get a strong password suggestion whenever they are creating an account online), also introduced in Microsoft Edge 88, helps generate strong passwords on the user’s behalf. Further details can be found here. By default, password generation is available.
The Require Authentication Before Autofill option (Configures a setting that asks users to enter their device password while using password autofill) helps prevent misuse of saved passwords by other people with access to an unlocked PC. When enabled, passwords will not autofill until the user proves their identity using their fingerprint, facial recognition, PIN, or password. When set to either a custom primary password or the device password, the user is prompted to enter it before the first password is filled in each browsing session. Further details can be found here. This setting is not enabled by default.
Password Reuse Detection (Configure password protection warning trigger) detects when a user enters the password for one site on another site. It has two dependent settings, “Configure the change password URL” and “Configure the list of enterprise login URLs where the password protection service should capture salted hashes of a password”, that must be configured for it to properly identify password reuse.
With the introduction of these password manager enhancements, we believe that many organizations will now find that their environments are more secure when the password manager is left enabled.
Lastly, because we know there will be questions about the security trade-offs in using the password manager, we cover the details in the password manager documentation.
Minimum TLS version enabled (Removed)
This is a cleanup item. In version 98, Microsoft Edge removed the ability for a user to “click through” to an HTTPS page secured by the now obsolete TLS 1.0 and 1.1 protocols. Since support for TLS 1.0 and TLS 1.1 has been fully removed, this policy is obsolete.
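As an added example, not part of the baseline package or of Microsoft’s own tooling, the following PowerShell audits a machine’s Edge policy registry values for the password manager settings discussed in the previous section and flags a stale Minimum TLS version policy from this one. The registry path, the policy value names (PasswordManagerEnabled, PasswordMonitorAllowed, PasswordGeneratorEnabled, PrimaryPasswordSetting, PasswordProtectionWarningTrigger, PasswordProtectionChangePasswordURL, PasswordProtectionLoginURLs, BrowserSignin, ForceSync, SSLVersionMin) and the value mapping “1 = warn on password reuse” are assumptions based on the Edge policy names as I know them, not values taken from this post; confirm them against the Microsoft Edge policy documentation before acting on the report.

```powershell
# Added example: audit Edge policy values relevant to the version 114 baseline changes.
# Not part of the baseline package. Policy names and the registry path are assumed
# machine-scope Edge policy names; verify against the Edge policy documentation.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Desired state for an organization that chooses to keep the password manager on.
# Expect = $null means "report only": the right value is an organizational choice.
# Stale = $true marks a policy this baseline release dropped as obsolete.
$Checks = @(
    [pscustomobject]@{ Name = 'PasswordManagerEnabled';             Expect = $null; Stale = $false; Note = 'Baseline 114: Not Configured (enabled by default)' }
    [pscustomobject]@{ Name = 'PasswordMonitorAllowed';             Expect = 1;     Stale = $false; Note = 'Password Monitor; end-user consent still required' }
    [pscustomobject]@{ Name = 'PasswordGeneratorEnabled';           Expect = 1;     Stale = $false; Note = 'Password Generator' }
    [pscustomobject]@{ Name = 'PrimaryPasswordSetting';             Expect = $null; Stale = $false; Note = 'Require authentication before autofill; value meanings per policy docs' }
    [pscustomobject]@{ Name = 'PasswordProtectionWarningTrigger';   Expect = 1;     Stale = $false; Note = '1 = warn on password reuse (assumed mapping)' }
    [pscustomobject]@{ Name = 'PasswordProtectionChangePasswordURL'; Expect = $null; Stale = $false; Note = 'Dependent setting for reuse detection' }
    [pscustomobject]@{ Name = 'BrowserSignin';                      Expect = $null; Stale = $false; Note = 'Sign-in is required for sync-backed features' }
    [pscustomobject]@{ Name = 'ForceSync';                          Expect = $null; Stale = $false; Note = 'Force sync without the consent prompt' }
    [pscustomobject]@{ Name = 'SSLVersionMin';                      Expect = $null; Stale = $true;  Note = 'Removed from baseline 114; TLS 1.0/1.1 support is gone' }
)

function Get-EdgePolicyValue {
    # Returns a single policy value, or $null when the key or value is absent.
    param([Parameter(Mandatory)][string]$Name)
    $Item = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return $null }
    $Prop = $Item.PSObject.Properties[$Name]
    if ($null -eq $Prop) { return $null }
    return $Prop.Value
}

function Get-EdgePolicyList {
    # List policies (such as PasswordProtectionLoginURLs) are stored as a subkey
    # whose values are named 1, 2, 3, ... in policy order.
    param([Parameter(Mandatory)][string]$Name)
    $Item = Get-ItemProperty -Path "$EdgePolicyKey\$Name" -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return @() }
    return @($Item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })
}

$Report = foreach ($Check in $Checks) {
    $Actual = Get-EdgePolicyValue -Name $Check.Name
    $Status =
        if ($null -eq $Actual)             { 'NotConfigured' }
        elseif ($Check.Stale)              { 'STALE: remove' }
        elseif ($null -eq $Check.Expect)   { 'Configured' }
        elseif ($Actual -eq $Check.Expect) { 'OK' }
        else                               { 'MISMATCH' }
    [pscustomobject]@{
        Policy   = $Check.Name
        Actual   = $Actual
        Expected = $Check.Expect
        Status   = $Status
        Note     = $Check.Note
    }
}

$Report | Format-Table -AutoSize

# Reuse detection can only recognise enterprise passwords when the login URL list is populated.
$LoginUrls = Get-EdgePolicyList -Name 'PasswordProtectionLoginURLs'
$Trigger   = Get-EdgePolicyValue -Name 'PasswordProtectionWarningTrigger'
if ($Trigger -ge 1 -and $LoginUrls.Count -eq 0) {
    Write-Warning 'PasswordProtectionWarningTrigger is set but PasswordProtectionLoginURLs is empty; reuse detection cannot identify enterprise passwords.'
} else {
    "Enterprise login URLs: $($LoginUrls -join ', ')"
}
```

Run it in an elevated PowerShell session on a managed device; a row marked MISMATCH or STATE “STALE: remove” points at a policy that no longer matches the version 114 guidance, and a NotConfigured row for PasswordManagerEnabled is the expected state under the new baseline.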
Microsoft Edge version 114 introduces 5 new computer settings and 5 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.