Security baseline (FINAL) for Chromium-based Microsoft Edge, version 79

Published Jan 15 2020 09:25 PM 34.3K Views
Former Employee

Microsoft is pleased to announce the enterprise-ready release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. The settings recommended in this baseline are identical to the ones we recommended in the version 79 draft, minus one setting that we have removed and that we discuss below. We continue to welcome feedback through the Baselines Discussion site.


The baseline package is now available as part of the Security Compliance Toolkit. Like all our baseline packages, the downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.


Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.


As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)


Version 79 of the Chromium-based version of Microsoft Edge has 216 enforceable Computer Configuration policy settings and another 200 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of eleven Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.


The one difference between this baseline and the version 79 draft is that we have removed the recommendation to disable “Force Microsoft Defender SmartScreen checks on downloads from trusted sources.” By default, SmartScreen will perform these checks. While performing checks on files from trusted sources increases the likelihood of false positives – particularly from intranet sources that host files that are seldom if ever seen in the outside world – we have decided not to apply that decision to all customers adopting our baseline. Depending on who can store files in locations that are considered “trusted sources” and the rigor they apply to restricting what gets stored there, internal sites might in fact end up hosting untrustworthy content that should be checked. Our baseline therefore neither enables nor disables the setting. Organizations choosing to disable this setting can therefore do so without contradicting our baseline recommendations.

New Contributor

Hi @Aaron Margosis 


Hoping you can answer a question.


What is the thinking behind setting:


Enable saving passwords to the password manager


To Disabled


As part of the baseline?


We are considering whether to override this setting and would appreciate your thoughts.


Many thanks

New Contributor

Hi @Aaron Margosis 


We are setting Allow Microsoft Edge Side by Side browser experience to Enabled before installing the stable version of Edge Chromium so we can run old and new Edge side by side.


Is there any reason why we shouldn't apply all the settings prior to installing Edge Chromium?


Many thanks in advance.

Former Employee

There are tradeoffs with password managers as they are currently implemented. They can make stronger passwords more practical for users, but on the other hand, they also make it possible for anything running as the user (including malware) to retrieve all the user's saved passwords. Our baselines for Internet Explorer and the original Windows 10 Edge browser always disabled password managers for this reason. We have opted to remain consistent in the new baseline. However, it's perfectly understandable that some customers might take a different risk assessment. It's one of those settings that's not entirely black-and-white.

New Contributor

@Aaron Margosis- thank you very much

Frequent Visitor

Does the Chromium based Microsoft Edge use FIPS 140-2 validated cryptography modules?   What Crypto Modules does it use: native Windows Crypto, BoringSSL/BoringCrypto,...?   If using BoringSSL/BoringCrypto what is the FIPS Certificate # as thus far Google has only gotten FIPS 140-2 for BoringCrypto on Linux targets.

Version history
Last update:
‎Jan 15 2020 09:25 PM
Updated by: