New Microsoft Edge v95 Security Baseline for Group Policy
Microsoft recently released the Chromium-based Microsoft Edge 95 to the Stable channel for Windows and Mac, and a new security baseline for it was published alongside the release. New features in this Edge version include the following:
- A new efficiency mode that activates when a laptop enters battery saver mode, so the two work in tandem to extend the machine's battery life.
- The ability to pick up where you left off in PDF documents and resume your review.
- The ability to update passwords with fewer clicks: the browser navigates the user to a website's Change Password page, provided the site supports that feature, and also suggests a strong, unique new password.
- Support for free-form text boxes within PDF documents, which lets users fill out forms directly.
Because the browser is the most frequently used application today, it is critically important to keep your security baselines up to date so that you are following best practice. MDM administrators who use Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines. A security baseline is a collection of Microsoft-recommended configuration settings that help secure and protect enterprise users and devices. Security baselines are an easy and effective way for admins to consistently enforce a minimum security level that addresses fundamental security and compliance issues. The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines. You can download the new security baseline package here by selecting the Microsoft Edge v95 Security Baseline.zip file.
The Benefits of Using Security Baselines
The next step is to import the new security baselines. You can import these policies either locally or into AD using the enclosed scripts. I am choosing to import them into my AD environment using the appropriate scripts as shown below.
Then choose the location where you want to link the new policy and browse for the new MSFT Edge 95 – Computer GPO.
In my case, I chose the East Sales OU to link it to. Note that this is a computer-side GPO, so it must be linked to an OU that contains computer objects. The screenshot below shows the enclosed settings.
There are two new security baseline settings. The first is “Enable browser legacy extension point blocking”, which blocks code injection into the new Edge browser by third-party applications. The setting is enabled by default, as shown below.
The other new enforced setting is “Specifies whether the display-capture permissions-policy is checked or skipped.” It allows web applications that use the getDisplayMedia() API to bypass a permissions-policy check required by the API specification. This setting is only temporary and will be deprecated after Microsoft Edge 100. It is intended to block Enterprise users whose application is non-spec compliant. The setting is enabled by default, as shown below.
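The import-and-link procedure above, followed by a check that the two new settings actually reached a client, as an added PowerShell example (not part of the original post or of the scripts shipped in the baseline package). It assumes the RSAT GroupPolicy module, a placeholder extraction path and OU distinguished name, that the packaged GPO backup carries the display name quoted in the post, and the Edge policy registry value names given in the comments.

```powershell
# Added example: import the Edge 95 baseline GPO, link it, then verify on a client.
# Assumptions (not from the post): extraction path, OU DN, backup display name,
# and the registry value names behind the two policies quoted in the post.
Import-Module GroupPolicy

$BaselineRoot = 'C:\Baselines\Edge95'              # placeholder: extracted zip
$GpoName      = 'MSFT Edge 95 - Computer'          # name as quoted in the post
$TargetOU     = 'OU=East Sales,DC=contoso,DC=com'  # placeholder DN

function Install-Edge95Baseline {
    # Import the packaged GPO backup into the domain, creating the GPO if needed.
    Import-GPO -BackupGpoName $GpoName -Path (Join-Path $BaselineRoot 'GPOs') `
               -TargetName $GpoName -CreateIfNeeded | Out-Null
    # Computer-side GPO: link it to an OU that holds computer objects.
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

function Test-Edge95BaselineSettings {
    # Run on a client in the OU after 'gpupdate /force'. Reports drift per setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $expected = @{
        # "Enable browser legacy extension point blocking" (assumed value name)
        'BrowserLegacyExtensionPointsBlockingEnabled' = 1
        # display-capture permissions-policy check (assumed value name)
        'DisplayCapturePermissionsPolicyEnabled'      = 1
    }
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $key -Name $name `
                   -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $expected[$name])
        }
    }
}

# Install-Edge95Baseline        # run once from an admin workstation with RSAT
Test-Edge95BaselineSettings | Format-Table -AutoSize
```

A row with Compliant = False means the policy did not apply (wrong OU link, blocked inheritance, or the client has not refreshed policy yet).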
All in all, there was one new computer setting and one new user setting for Microsoft Edge version 95, with three settings removed. You can learn more about these settings here.