Category Microsoft Edge ID 10952, 10953 about hardeningkitty HOT 9 CLOSED

Let's Microsoft answer this question, the documentation or the policy files are different. I posted a comment: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/bc-p/3733816/highlight/true#M562

If Microsoft recommends configuring Windows Defender for Mircosoft Edge, then the settings must be set in the way of the HardeningKitty list. If this is not a recommendation I'll remove the checks.

I did a check on Windows 11 Pro as well, if I use gpedit.msc then the registry keys are set. If I use the PowerShell script of Microsoft then it is not configured.

from hardeningkitty.

According to the document MS Security Baseline Windows 11 v22H2.xlsx (see URL), the path ...Microsoft\MicrosoftEdge\PhishingFilter... is correct. However, the policy file MSFT-Win11-v22H2.PolicyRules only points to the Internet Explorer one. I don't have a Windows 11 installation around at the moment, could you please configure the policy via group policy and monitor with registry key is changed?

from hardeningkitty.

Both:
`10952,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium

10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium`

settings are here:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

EnableSmartScreen (10952)

ShellSmartScreenLevel (10953), which can be Block or Warn, Block would be the correct setting.

Don't get confused, the config about Explorer not Edge, I doubt this is any different from win10.

from hardeningkitty.

Here is a output of the Microsoft documentation regarding those settings, which use different path for Explorer and Edge

These settings (rows 2482-2484) are covered in ID 10951 to 10954

from hardeningkitty.

Nope,

10952 and 10953 should match 2842 or 1043 (2 registry path entrys here) in your excel file.
*Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System*

Keys:
EnableSmartScreen
ShellSmartScreenLevel

but in your list it matches 2483 and 2484:
`10952,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium

10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium
`

That's why the settings are reported as "unset", all other Defender settings are ok and don't fail. File Explorer Defender settings are in system and not in any *Edge registry folder.

from hardeningkitty.

I don't get it:

• ID 1043 matches ID's 10766 and 10767
• ID 2482 matches ID's 10951 and 10954
• ID 2483 matches ID 10952
• ID 2484 matches ID 10953

Okay, the category Microsoft Edge of 10952 and 10953 is not as in the Excel list however the registry keys are matching

from hardeningkitty.

Ok, I missed the category before "Starting category Microsoft Edge", but 10952 and 10953 are still empty and not used, even if add the Edge 107 Baseline, it is still: Result=

from hardeningkitty.

That is interesting, I had access to a Win 11 Enterprise machine and used gpedit.msc and monitored for registry changes. Both registry keys were created after configuring the settings:

Is there an error in the source file from Microsoft? I did not check those templates yet.

from hardeningkitty.

Those 2 settings are NOT part of the wi11 computer baseline, and not even part of the edge 107 basline.

only enhanced phishing and explorer are part of win11, the first one your might be missing because of missing ADMX templates.

from hardeningkitty.