The Security baseline in Intune is based on the Security Baseline for Edge v85. We are currently on Edge baseline 107 (no new recommended settings for 108 and 109). That is only one reason for creating your own Edge Security baseline using Settings Catalog instead. Another reason is that it is easier to troubleshoot and manage a single policy than to have some settings in the Baseline and the rest in an Edge policy based on Settings Catalog.
What are the challenges then? For security baseline v107 (the latest downloadable baseline), two settings do not exist in the Settings Catalog:
- Force WebSQL to be enabled
- Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
These two settings are not in the Intune Security baseline either, as they were added after v85. Here are the settings that can be set using Settings Catalog; all policies in green exist.
And here is an exported policy that can be imported using PowerShell, for example, so you don't have to do the same detective work as I did: Intune-MEM/Edge Security Baseline 107 Settings catalog at master · Ccmexec/Intune-MEM · GitHub
If you want to set the last two settings, here is a simple PowerShell script that sets the values missing from the Settings Catalog. I tried importing the MSEdge.admx file and setting the settings using the imported .admx feature, but that did not work out either. I got duplicates of all settings and about half worked.
PowerShell script
```powershell
# Registry key that holds the Microsoft Edge policy values not available in Settings Catalog
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

# Create the Microsoft Edge policy key if it does not already exist
if (!(Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force | Out-Null
}

# Create the additional Microsoft Edge registry values as DWORDs (0 = policy disabled)
New-ItemProperty -Path $RegistryPath -Name "WebSQLAccess" -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $RegistryPath -Name "SharedArrayBufferUnrestrictedAccessAllowed" -Value 0 -PropertyType DWord -Force | Out-Null
```
To verify the settings I used the HardeningKitty toolkit, which is simply great! It can be used to check compliance against different security baselines: Microsoft, STIG and more. It can be downloaded from here: https://github.com/scipag/HardeningKitty
After adding the script I got all settings verified.
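For a quick per-device check of just the two script-managed values, without running a full audit, a small verification script can read them back. This is an added example, not part of the original post or of HardeningKitty; the function name `Test-EdgePolicyValue` is hypothetical, and the expected values are the ones the script above writes.

```powershell
# Added example: read back the two Edge policy values written by the script in this post.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Expected = [ordered]@{
    WebSQLAccess                               = 0
    SharedArrayBufferUnrestrictedAccessAllowed = 0
}

# Hypothetical helper: reports whether one value exists, is a DWORD, and matches.
function Test-EdgePolicyValue {
    param(
        [string]$Path,
        [string]$Name,
        [int]$ExpectedValue
    )
    $status = 'Compliant'
    $actual = $null
    try {
        $key = Get-Item -Path $Path -ErrorAction Stop
        if ($key.GetValueNames() -notcontains $Name) {
            $status = 'Missing'
        }
        else {
            $actual = $key.GetValue($Name)
            $kind   = $key.GetValueKind($Name)
            # The script writes DWORDs, so flag any other registry type as well
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $status = "WrongType ($kind)" }
            elseif ($actual -ne $ExpectedValue) { $status = 'WrongValue' }
        }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # The Edge policy key itself does not exist on this device
        $status = 'KeyMissing'
    }
    [pscustomobject]@{ Name = $Name; Expected = $ExpectedValue; Actual = $actual; Status = $status }
}

$results = foreach ($name in $Expected.Keys) {
    Test-EdgePolicyValue -Path $RegistryPath -Name $name -ExpectedValue $Expected[$name]
}
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or management tool flag the device
if ($results | Where-Object Status -ne 'Compliant') { exit 1 } else { exit 0 }
```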
This is how I will manage the security baseline from now on for Microsoft Edge. I hope this is useful!
Next up the Windows Security baseline :D!
Check out this idea for future baselines -> https://www.simsenblog.dk/2023/05/08/security-baseline-latest-as-settings-catalog/