View Blog

Nov 2021
10

New Microsoft v95 Security Baseline for Group Policy

Microsoft recently released the Chromium-based Microsoft Edge 95 version to Stable channel for Windows and Mac, which coincides with a new security baseline for it as well.  Some of the new features of the new Edge version include the following:

 

  • A new efficiency mode that becomes active when a laptop enters battery saver mode so that the two work in tandem to extend the battery life of the machine.
  • The ability to pick up where you left off on PDF documents and resume your review of the documents.
  • The ability to update your passwords with fewer clicks as the browser will navigate a user to the Change Password page for a given website assuming that the website supports that feature.  The browser will also suggest a strong, unique new password. 
  • Supports free form text boxes within PDF documents that allows users to use them to fill out a form. 


Because the browser today is the most frequently used application, it is critically important to keep your security baselines up to date to ensure you are running best practice.  MDM administrators that utilize Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines.  A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices.  Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum-security level that will address fundamental security and compliance issues.  The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines.  You can download the new security baseline package here by selecting the Microsoft Edge v95 Security Baseline.zip file

The Benefits of Using Security Baselines

While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state.  There are several benefits of using security baselines offered by Microsoft.

  • They are already configured by Microsoft security experts
  • They enforce settings that mitigates contemporary security threats.
  • Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
  • They ensure that users and device configuration settings are compliant with the baseline

Installing the Microsoft Edge v93 Security Baseline

Once downloaded, you will see that the package contains multiple folder directories as is shown below.  Note that unlike other packages, this one doesn’t include a Template folder as this package does not include the ADMX/ADM template files.  You can download the template files directly from the Microsoft website for any of the current Edge versions.  You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Then choose the location where you want to link the new policy and browse for the new MSFT Edge 95 – Computer.

In my case, I chose the East Sales OU to link it.  Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects.  The screenshot shows the enclosed settings below.

There are two new security baseline settings.  The first is “Enable browser legacy extension point blocking” which blocks code injection from third party applications on the new Edge browser.  The setting is enabled by default as is shown below.

The other new enforced setting is “Specifies whether the display-capture permissions-policy is checked or skipped.  It allows web applications using the getDisplayMedia() API to bypass a permission policy check required by the API specification This setting is only temporary and will be deprecated after Microsoft Edge 100.  It is intended to block Enterprise users whose application is non-spec compliant.  The setting is enabled by default as is shown below.

All in all there were 1 new computer settings and 1 new user settings for Microsoft Edge version 95 with 3 settings being removed.  You can learn more about these settings here.

 

Comments (0)

No Comments!