Security baseline for Microsoft Edge version 85
Published Aug 28 2020 11:05 AM 13.6K Views

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 85!


We have reviewed the settings in Microsoft Edge version 85 and updated our guidance with the addition of one setting that we will explain below.  A new Microsoft Edge security baseline package was just released to the Microsoft Download Center.  You can download the version 85 package from the Security Compliance Toolkit.



A new (but, ironically, deprecated) setting has been added to version 85: Allow certificates signed using SHA-1 when issued by local trust anchors. While it might seem odd that we are adding a deprecated setting to the baseline, this one is important. Microsoft Edge forbids certificates signed using SHA-1 by default, and the security baseline is enforcing this to ensure Enterprises recognize that allowing SHA-1 chains is not a secure configuration. Should you need to use a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization. In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities, after that.


App protocol prompts

While they may not seem directly related to security, app protocols are something you should be mindful of, as they provide a mechanism for escaping the browser sandbox. New policies to help manage these might therefore be useful in your organization as you strive to balance security and productivity.


To make managing app protocols easier, we first added a flag in version 82, exposed a user-facing option in version 84, and have added a policy for the IT Pro to manage them in version 85: Define a list of protocols that can launch an external application from listed origins without prompting the user. For a detail discussion on the topic, we recommend reading Eric Lawrence’s blog here.


Commonly seen with applications like Microsoft 365 Apps, Microsoft Teams, Skype, the user is by default prompted to allow the external application to launch as depicted in the below examples.






Leveraging this setting will suppress that prompt and reduce noise to the end user by approving the content at the enterprise level. Reducing end user prompts both improves user productivity and helps them make better decisions when an unexpected request appears by reducing prompt fatigue!


While you are at Eric’s blog, be sure to check out his other posts.


Baseline Package Refresh

Since a new setting has been added we have updated the security baseline package which will include the usual artifacts, as well as a list of new settings from version 84 to 85 and version 80 to 85.  This way, those that have been keeping up with the blog have a smaller set of settings to review, and those only looking at the actual released package can see all the changes.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site and via this post!


Version history
Last update:
‎Aug 28 2020 11:05 AM
Updated by: