The security baselines for Edge are outdated in Intune. They were last updated in November 2020 and are based on Edge 85. Today we’re using MS Edge version 112.0.1722.64 in the stable channel.
See the release notes: Microsoft Edge release notes for Stable Channel | Microsoft Learn
What I did was create my own Edge security baseline by converting the Microsoft Intune Security Baseline to a settings catalog configuration profile.
A nice place to get more information is the Microsoft Security Baselines Blog, which can be found here: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines
Microsoft has now reviewed the settings in Microsoft Edge version 112 and updated its guidance, removing three obsolete settings.
A new Microsoft Edge security baseline package was released to the Download Center. You can download the new package from the Security Compliance Toolkit.
Obsolete settings in Edge 112
Allow using the deprecated U2F Security Key API (Removed)
This setting became obsolete in version 104 and is now being removed from the security baseline.
Enable 3DES cipher suites in TLS (Removed)
This setting became obsolete in version 97 and is now being removed from the security baseline.
Specifies whether the display-capture permissions-policy is checked or skipped (Removed)
This setting became obsolete in version 110 and is now being removed from the security baseline.
Microsoft Edge version 112 introduced 5 new computer settings and 5 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.
In addition to the v107 baseline, consider this setting: TLS Encrypted ClientHello Enabled (Consider).
Encrypted ClientHello (ECH) is an extension to TLS that encrypts the sensitive fields of the ClientHello to improve privacy. If ECH is enabled, Microsoft Edge might or might not use ECH depending on server support, the availability of the HTTPS DNS record, or the rollout status. If you enable or do not configure this policy, Microsoft Edge will follow the default rollout process for ECH.
Two recommended settings were not available in Security Baseline v107 and could not be set via the settings catalog.
One of the settings is now available in the settings catalog. The other one needs to be set via PowerShell.
These two settings are:
Via settings catalog:
Force WebSQL to be enabled – Disabled
Via PowerShell:
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context – Disabled
# Registry values for Microsoft Edge recommended settings that could not be set via the settings catalog
# Force WebSQL to be enabled - Disabled (policy WebSQLAccess; now available in the settings catalog, so left commented out below)
# Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context - Disabled (policy SharedArrayBufferUnrestrictedAccessAllowed)
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
# Create the Microsoft Edge policy key if it does not exist yet
if (!(Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force | Out-Null
}
# Set the policy values as REG_DWORD (0 = disabled); -Force overwrites an existing value
# New-ItemProperty -Path $RegistryPath -Name "WebSQLAccess" -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $RegistryPath -Name "SharedArrayBufferUnrestrictedAccessAllowed" -Value 0 -PropertyType DWord -Force | Out-Null
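Once the values are written, you will want to verify on a device that they actually landed (and were not overwritten by another policy source). The following audit script is an added example, not code from the original post: it reads the Edge policy key and compares each value against the recommended state. The policy names WebSQLAccess and SharedArrayBufferUnrestrictedAccessAllowed are the ones used above; EncryptedClientHelloEnabled is taken from the Microsoft Edge policy reference for the ECH setting discussed earlier and is an assumption on this page. The script exits with 1 on any deviation, so it can also be used as an Intune detection script.

```powershell
# Added example (not from the original post): audit Edge policy registry values
# against the recommended baseline values described in the text.
# EncryptedClientHelloEnabled is assumed from the Edge policy reference, not from the post.
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

# Expected REG_DWORD values: 0 = disabled, 1 = enabled
$Expected = [ordered]@{
    "WebSQLAccess"                               = 0
    "SharedArrayBufferUnrestrictedAccessAllowed" = 0
    "EncryptedClientHelloEnabled"                = 1
}

function Test-EdgeBaselineSetting {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $ExpectedValue
    )
    # Returns $null when the key or the value does not exist
    $current = (Get-ItemProperty -Path $RegistryPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        $status = "MISSING"    # not configured: Edge falls back to its built-in default
    } elseif ([int]$current -eq $ExpectedValue) {
        $status = "OK"
    } else {
        $status = "MISMATCH"   # configured, but not at the baseline value
    }
    [pscustomobject]@{
        Setting  = $Name
        Expected = $ExpectedValue
        Actual   = $current
        Status   = $status
    }
}

$results = foreach ($entry in $Expected.GetEnumerator()) {
    Test-EdgeBaselineSetting -Name $entry.Key -ExpectedValue $entry.Value
}
$results | Format-Table -AutoSize

# Non-zero exit code when anything deviates, so the script works as an Intune
# detection script or in a scheduled compliance check
if ($results | Where-Object { $_.Status -ne "OK" }) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session on a managed device; a MISSING result usually means the policy was never delivered, while a MISMATCH points to a conflicting configuration profile or GPO writing the same value.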
To check your system settings you can use the HardeningKitty tool, which helps to support hardening of a Windows system. It can be found here: https://github.com/scipag/HardeningKitty
HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules to read configurations outside the registry.
The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs.
My created Edge baseline can be downloaded here: https://github.com/poely04/Intune
How to import and export Intune settings can be found here: https://www.cloudshark.nl/blog/2023/04/11/intune-import-export-settings-policies-and-profiles-with-intunemanagement-tool/
Other documentation:
Release notes for Microsoft Edge Stable Channel
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel
Microsoft Edge – Policies
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies
Microsoft Edge – Update policies
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies
Microsoft Security Compliance Toolkit 1.0
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Microsoft Security Baselines discussions
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines
List of the settings in the Microsoft Edge security baseline in Intune
https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-edge?pivots=edge-sept-2020