Microsoft

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 85!


We have reviewed the settings in Microsoft Edge version 85 and updated our guidance with the addition of one setting, explained below. A new Microsoft Edge security baseline package has been released to the Microsoft Download Center; you can download the version 85 package from the Security Compliance Toolkit (https://www.microsoft.com/download/details.aspx?id=55319).


SHA-1

A new (but, ironically, deprecated) setting has been added in version 85: Allow certificates signed using SHA-1 when issued by local trust anchors (policy key EnableSha1ForLocalAnchors). While it might seem odd to add a deprecated setting to the baseline, this one is important. Microsoft Edge rejects certificates signed using SHA-1 by default, and the baseline enforces that default so that enterprises recognize that allowing SHA-1 chains is not a secure configuration. Should you need a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization: SHA-1 signatures are subject to practical chosen-prefix collision attacks, so a private CA that still issues SHA-1 certificates no longer provides the identity guarantee TLS relies on. In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and after that there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities.


App protocol prompts

While they may not seem directly related to security, app protocols are something you should be mindful of, as they provide a mechanism for escaping the browser sandbox. New policies to help manage these might therefore be useful in your organization as you strive to balance security and productivity.


To make managing app protocols easier, we first added a flag in version 82, exposed a user-facing option in version 84, and in version 85 have added a policy for the IT Pro to manage them: Define a list of protocols that can launch an external application from listed origins without prompting the user (policy key AutoLaunchProtocolsFromOrigins). For a detailed discussion of the topic, we recommend reading Eric Lawrence's blog post at https://textslashplain.com/2020/02/20/bypassing-appprotocol-prompts/.


With applications like Microsoft 365 Apps, Microsoft Teams and Skype, the user is by default prompted to allow the external application to launch, as shown in the examples below.

[screenshot: Microsoft Edge prompt asking whether to open an external application]

[screenshot: second example of the same prompt for a different application]


Applying this setting suppresses that prompt for the listed protocol and origin pairs, reducing noise for the end user by approving the launch at the enterprise level. Reducing end-user prompts both improves productivity and helps users make better decisions when an unexpected request does appear, because it reduces prompt fatigue. Keep the list tight, though: any page served from an allowed origin can launch the listed handler without confirmation, so list only the specific protocols and origins your applications actually need rather than broad domains or scheme-less patterns.

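The following Python script is an added example, not code from this post or from Microsoft. It lints an AutoLaunchProtocolsFromOrigins value before it goes into Group Policy (structure, protocol-name syntax, and how broadly each origin pattern matches) and also flags the EnableSha1ForLocalAnchors setting discussed in the SHA-1 section above. The registry location (HKLM\SOFTWARE\Policies\Microsoft\Edge, REG_DWORD and REG_SZ respectively), the JSON shape (an array of objects with protocol and allowed_origins keys) and the origin matching rules assumed here (Chromium URL-filter syntax: an omitted scheme matches http as well as https, "*" matches every site, and a leading "." on the host pins it and excludes subdomains) are my reading of the policy documentation, not something the post states. The sample policy value is constructed for the demonstration.

```python
r"""Added example: lint an Edge AutoLaunchProtocolsFromOrigins value and audit
EnableSha1ForLocalAnchors. Not code from the post or from Microsoft.

Assumptions (mine): both values live under HKLM\SOFTWARE\Policies\Microsoft\Edge,
and allowed_origins patterns use Chromium URL-filter syntax (no scheme = every
scheme matches, "*" = every site, leading "." on the host = that host only).
"""
import json
import re

# URI scheme syntax from RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")


def read_edge_policies():
    """On Windows, read the two policy values; return {} elsewhere or if unset."""
    try:
        import winreg
    except ImportError:
        return {}
    policies = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Edge") as key:
            for name in ("EnableSha1ForLocalAnchors", "AutoLaunchProtocolsFromOrigins"):
                try:
                    policies[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return policies


def audit_sha1(policies):
    """Return a finding if SHA-1 chains from local anchors are re-enabled, else None."""
    if policies.get("EnableSha1ForLocalAnchors") == 1:
        return ("EnableSha1ForLocalAnchors=1: SHA-1 signed chains from local trust anchors "
                "are accepted; the baseline expects 0 and Edge 92 removes the policy")
    return None


def check_origin(pattern):
    """Return (level, message) findings for one allowed_origins pattern."""
    if not isinstance(pattern, str) or not pattern:
        return [("ERROR", "origin pattern must be a non-empty string")]
    if pattern == "*":
        return [("ERROR", "'*' lets every web page launch the handler without a prompt")]
    findings = []
    scheme, sep, rest = pattern.partition("://")
    if not sep:  # scheme omitted: the pattern matches http:// pages as well
        rest = pattern
        findings.append(("WARN", f"{pattern!r} has no scheme, so http:// pages match too; prefer https://{pattern}"))
    elif scheme.lower() == "http":
        findings.append(("WARN", f"{pattern!r} trusts a plaintext origin an on-path attacker can impersonate"))
    host = re.split(r"[/:]", rest, maxsplit=1)[0]  # drop port and path
    if not host or host == "*":
        findings.append(("ERROR", f"{pattern!r} does not name a host"))
    elif not host.startswith("."):
        findings.append(("INFO", f"{pattern!r} also matches every subdomain of {host}; write .{host} to pin it"))
    return findings


def validate_policy(raw):
    """Parse the policy JSON string; return (normalised entries, ['LEVEL: text', ...])."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [], [f"ERROR: policy is not valid JSON: {exc}"]
    if not isinstance(data, list):
        return [], ["ERROR: top level must be a JSON array of {protocol, allowed_origins} objects"]
    entries, problems, seen = [], [], set()
    for i, entry in enumerate(data):
        if not isinstance(entry, dict) or "protocol" not in entry or "allowed_origins" not in entry:
            problems.append(f"ERROR: entry {i} needs both 'protocol' and 'allowed_origins'")
            continue
        proto, origins = entry["protocol"], entry["allowed_origins"]
        if not isinstance(proto, str) or not SCHEME_RE.fullmatch(proto):
            problems.append(f"ERROR: entry {i}: protocol {proto!r} is not a valid URL scheme")
            continue
        proto = proto.lower()  # schemes compare case-insensitively (RFC 3986)
        if proto in seen:
            problems.append(f"WARN: entry {i}: protocol {proto!r} appears twice; merge its origins into one entry")
        seen.add(proto)
        if not isinstance(origins, list) or not origins:
            problems.append(f"ERROR: entry {i}: allowed_origins must be a non-empty list")
            continue
        for origin in origins:
            problems.extend(f"{lvl}: entry {i} ({proto}): {msg}" for lvl, msg in check_origin(origin))
        entries.append({"protocol": proto, "allowed_origins": list(origins)})
    return entries, problems


def to_gpo_value(entries):
    """Render entries as the single-line string the Group Policy editor field takes."""
    return json.dumps(entries, separators=(",", ":"))


# Constructed sample: one tight entry, one loose entry and one malformed protocol name.
SAMPLE = json.dumps([
    {"protocol": "msteams", "allowed_origins": ["https://.teams.microsoft.com"]},
    {"protocol": "ms-excel", "allowed_origins": ["officeapps.live.com", "http://intranet", "*"]},
    {"protocol": "ms word", "allowed_origins": ["https://officeapps.live.com"]},
])

if __name__ == "__main__":
    policies = read_edge_policies()  # empty off Windows, so the sample is linted instead
    finding = audit_sha1(policies)
    if finding:
        print(finding)
    entries, problems = validate_policy(policies.get("AutoLaunchProtocolsFromOrigins", SAMPLE))
    for problem in problems:
        print(problem)
    if not any(p.startswith("ERROR") for p in problems):
        print("GPO value:", to_gpo_value(entries))
```

Run it on a domain-joined Windows machine to lint the value that Group Policy actually delivered; elsewhere it lints the constructed sample, where the scheme-less and http:// origins draw warnings, the "*" origin and the "ms word" entry are rejected, and the pinned https://.teams.microsoft.com entry passes cleanly.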

While you are at Eric’s blog, be sure to check out his other posts.


Baseline Package Refresh

Since a new setting has been added, we have updated the security baseline package. It includes the usual artifacts, as well as a list of new settings from version 84 to 85 and from version 80 to 85. This way, those who have been keeping up with the blog have a smaller set of settings to review, and those only looking at the released package can see all the changes.


As a friendly reminder, all available settings for Microsoft Edge are documented at https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies, and all available settings for Microsoft Edge Update are documented at https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-update-policies.

Please continue to give us feedback through the Security Baselines Discussion site (https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bd-p/Security-Baselines) and via this post!


6 Comments
Contributor

To save someone else the time of hunting through the registry to find the proper protocol for Teams, it's "msteams".


The full JSON I tested with Group Policy on Edge 85 was:

[
  {
    "allowed_origins": [
      "https://.teams.microsoft.com"
    ], 
    "protocol": "msteams"
  }
]


Regular Visitor

FYI: In Windows 10 go to Settings > Apps > Default-Apps > Choose default apps by protocol. You can find (nearly) every protocol available on your machine. MSTEAMS is listed.

Occasional Visitor

Maybe I am just dense. But where are the ADMX files for Edge 85?


EDIT: For those who were lost like me, you can find them at the Edge for Business download portal: https://www.microsoft.com/en-us/edge/business/download. You can select your build and hit "Get Policy Templates" instead of, or in addition to, "Download".

Occasional Contributor

This is by far one of the more complex Edge policies that I've come across! It makes a lot of sense to implement and it's great to have this level of flexibility, but so far I've hit a few hurdles and was hoping someone could steer me in the right direction.


In my example I'm simply trying to suppress the following prompts for Excel/Word:

[screenshot: Edge prompt to open an .xlsx file in Excel]

[screenshot: Edge prompt from the Microsoft Teams DOCX file viewer to open the file in Word]


Using the following JSON:

[{"allowed_origins":["live.com","office.com","sharepoint.com"],"protocol":"ms-excel"},{"allowed_origins":["live.com","office.com","sharepoint.com"],"protocol":"ms-word"}]


I've pulled the protocols from those defined within Default Apps | Choose Default Applications by Protocol, but I'm not entirely sure if these are correct, as the example from https://docs.microsoft.com/en-gb/DeployEdge/microsoft-edge-policies#autolaunchprotocolsfromorigins is a little ambiguous. The example JSON includes the protocols spotify, outlook and teams, yet none exist on my W10 1909 w/ Microsoft 365 Apps for enterprise (16.0.13029.20460) [current channel]; also, as @DidiHai76 mentions, it's msteams, not teams. Granted, I don't have Spotify installed, but on my device the application Outlook utilises the protocols FEED, FEEDS, MAILTO, STSSYNC and WEBCALS, and the application Excel is referenced only for MS-EXCEL. In any case, I experimented with both ms-excel/excel and ms-word/word.


As far as ensuring all the usual culprits of Group Policy, I've added the JSON into the "Define a list of protocols that can launch an external application from listed origins without prompting the user" policy by way of the updated ADMX and verified it exists within the AutoLaunchProtocolsFromOrigins REG_SZ value in the "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" key, as well as confirming it appears within edge://policy/. I'm testing with Edge Stable 85.0.564.41 and the current ADMX.


Note: Anyone unfamiliar with JSON (like me) who needs to both validate and convert to a one-liner that GPMC will accept, I've used https://jsonformatter.curiousconcept.com

Contributor

@csrswalch Your policy worked straight away for me. I dropped it straight into the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge, restarted Edge, tried opening an Excel and a Word doc in SharePoint Online, and got no prompt. I trimmed some of the domains and combined it with my Teams policy and ended up with

[{"allowed_origins":["officeapps.live.com"],"protocol":"ms-excel"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-word"},{"allowed_origins":["https://.teams.microsoft.com"],"protocol":"msteams"}]
Occasional Contributor

Thanks for confirming @AndrewT - needed another set of eyes because it's magically started to work for me now too! I've added to yours to include OneNote and PowerPoint which should pretty much cover off our environment and many others I imagine. Thanks again.


[{"allowed_origins":["officeapps.live.com"],"protocol":"ms-excel"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-powerpoint"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-word"},{"allowed_origins":["https://.teams.microsoft.com"],"protocol":"msteams"},{"allowed_origins":["officeapps.live.com"],"protocol":"onenote"}]