Microsoft Security Baselines Blog
Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 78

Aaron Margosis
Former Employee
Oct 25, 2019

Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 78. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.

 

Like all our baseline packages, the downloadable draft baseline package (attached to this blog post) includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.

 

Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.

 

As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks it mitigates.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)

 

Version 78 of the Chromium-based version of Microsoft Edge has 205 enforceable Computer Configuration policy settings and another 190 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of twelve Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.

 

Updated Nov 29, 2021
Version 3.0
  • Adam Fowler
    Iron Contributor

    Thanks for this!

    I've only just loaded the latest ADMX files for Edge, and comparing against this guide:

     

    Allow users to proceed from the SSL warning page - is actually Allow users to proceed from the HTTPS warning page in Group Policy.

    Minimum SSL version - is actually Minimum TLS version in Group Policy.

     

    [Aaron Margosis] The policy templates available now are newer than the ones we built the draft with. One of the improvements was to replace "SSL" references with correct terminology.

     

    Configure Microsoft Defender SmartScreen for trusted downloads - this was missing from Group Policy completely.

     

    [Aaron Margosis] Track the registry value (HKLM\Software\Policies\Microsoft\Edge!SmartScreenForTrustedDownloadsEnabled). The policy setting name is now "Force Microsoft Defender SmartScreen checks on downloads from trusted sources."

     

    Other settings were fine!

  • YadwinderD
    Copper Contributor

    Hi,

     

    Could you please share more details on the following policy:

     

    Control which extensions cannot be installed

     

    Baseline recommendation is 1 = *, which I am not able to understand.

     

    TIA

     

    [Aaron Margosis] Here's the explanation/help text for this setting:

    List specific extensions that users can NOT install in Microsoft Edge. When you deploy this policy, any extensions on this list that were previously installed will be disabled, and the user won't be able to enable them. If you remove an item from the list of blocked extensions, that extension is automatically re-enabled anywhere it was previously installed.
    Use "*" to block all extensions that aren't explicitly listed in the allow list.
    If you don't configure this policy, users can install any extension in Microsoft Edge.
    Example value:
    extension_id1
    extension_id2

    So "*" means users can't install any extensions, unless they are first added (by an admin) to the allow list.

    Hope this helps.
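
The "*" behaviour described in the help text quoted above, as an added example that is not part of the original post or of Microsoft's baseline package. The function names are hypothetical; the subkey names `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist`, the numbered-value layout, and the "Conflict" verdict for an ID on both lists are assumptions of this example.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
$EdgePolicyKey = 'HKLM:\Software\Policies\Microsoft\Edge'   # key named in the reply above

function Get-EdgeListPolicy {
    # Assumption: a list policy is a subkey holding numbered string values ("1", "2", ...).
    param([Parameter(Mandatory)][string]$SubKey)
    $path = Join-Path $EdgePolicyKey $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return $null }   # policy not configured
    $key = Get-Item -LiteralPath $path
    $entries = foreach ($name in $key.GetValueNames()) { ([string]$key.GetValue($name)).Trim() }
    return ,@($entries | Where-Object { $_ })                   # keep an empty list as an array
}

function Test-EdgeExtensionInstall {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        [string[]]$Blocklist,   # $null means the blocklist policy is not configured
        [string[]]$Allowlist
    )
    $listed   = $Blocklist -contains $ExtensionId
    $wildcard = $Blocklist -contains '*'
    $allowed  = $Allowlist -contains $ExtensionId
    if ($null -eq $Blocklist)      { $verdict, $reason = 'Installable', 'blocklist not configured' }
    elseif ($listed -and $allowed) { $verdict, $reason = 'Conflict', 'ID is on both lists; help text does not say which wins' }
    elseif ($listed)               { $verdict, $reason = 'Blocked', 'ID is on the blocklist' }
    elseif ($wildcard -and -not $allowed) { $verdict, $reason = 'Blocked', '"*" blocks IDs not on the allow list' }
    else                           { $verdict, $reason = 'Installable', 'allow-listed or not matched by the blocklist' }
    [pscustomobject]@{ ExtensionId = $ExtensionId; Verdict = $verdict; Reason = $reason }
}

# Constructed sample: the baseline's "1 = *" plus one allow-listed placeholder ID.
$blocklist = @('*')
$allowlist = @('extension_id1')
'extension_id1', 'extension_id2' | ForEach-Object {
    Test-EdgeExtensionInstall -ExtensionId $_ -Blocklist $blocklist -Allowlist $allowlist
}

# Same check against the policy actually applied to this machine (subkey names are assumptions).
$liveBlock = Get-EdgeListPolicy -SubKey 'ExtensionInstallBlocklist'
$liveAllow = Get-EdgeListPolicy -SubKey 'ExtensionInstallAllowlist'
Test-EdgeExtensionInstall -ExtensionId 'extension_id2' -Blocklist $liveBlock -Allowlist $liveAllow
```

Confirm the subkey names against the ADMX version you deployed before relying on the live check, since policy names changed between template releases.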