Many customers still want to use Google Chrome as their default browser because their users are familiar with Chrome. We offer a standard security configuration for Edge and wanted to create a security baseline for Chrome as well.

Because the settings catalog is generally available, it is worth looking at which settings we can set for Google Chrome and which are not available (yet). There is an Edge baseline available in Microsoft Endpoint Manager, and we use it as the base security layer for Edge, so it would be nice to try to create the same for Google Chrome.

Which settings are set/available in the Edge Baseline

  • Supported authentication schemes
    Baseline default: Enabled
    • Supported authentication schemes
      Baseline defaults: Two items: NTLM and Negotiate
  • Default Adobe Flash setting
    Baseline default: Enabled
    • Default Adobe Flash setting
      Baseline default: Block the Adobe Flash plugin
  • Control which extensions cannot be installed
    Baseline default: Enabled
    • Extension IDs the user should be prevented from installing (or * for all)
      Baseline default: Not configured by default. Manually add one or more Extension IDs
  • Allow user-level native messaging hosts (installed without admin permissions)
    Baseline default: Disabled
  • Enable saving passwords to the password manager
    Baseline default: Disabled
  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled
  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled
  • Enable site isolation for every site
    Baseline default: Enabled
    Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn’t support configuring the IsolateOrigins policy.
  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled
    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
    Baseline default: Enabled
    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
  • Allow users to proceed from the SSL warning page
    Baseline default: Disabled
  • Minimum SSL version enabled
    Baseline default: Enabled
    • Minimum SSL version enabled
      Baseline default: TLS 1.2

Edge vs Chrome settings (Settings Catalog)

When searching the settings catalog and comparing the items in the Edge baseline with what is available for Chrome, a lot of the settings turned out to be available:

Found:

  • Supported authentication schemes (same name)
  • Default Adobe Flash setting (there is a setting, but it is placed under Removed policies)
  • Control which extensions cannot be installed (Configure extension installation blocklist)
  • Allow user-level native messaging hosts (same name)
  • Enable saving passwords to the password manager (same name)
  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites (not there)
  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (not there)
  • Enable site isolation for every site (Enable Site Isolation for specified origins)
  • Allow users to proceed from the SSL warning page (Allow proceeding from the SSL warning page)
  • Minimum SSL version enabled (same name)

Create Setting Catalog policy

Click Next

Add all the settings listed above under Edge vs Chrome settings, and configure them with the values from the baseline.
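Once the profile is assigned, the values that actually reach a device can be compared with the baseline defaults listed above. The script below is an added example, not part of the original post or the exported policy; it assumes Chrome reads machine policy from `HKLM:\SOFTWARE\Policies\Google\Chrome`, uses Chrome's own policy names and value formats, and `Test-ChromeBaseline` and `ConvertTo-Canonical` are hypothetical helper names.

```powershell
# Added example: audit the Chrome policy values that landed on a device.
# Assumption: machine policy lives under HKLM:\SOFTWARE\Policies\Google\Chrome.
# Expected values are the Edge baseline defaults from this page, written with
# Chrome's policy names and value formats.
$Baseline = [ordered]@{
    AuthSchemes                   = 'ntlm,negotiate'  # Supported authentication schemes
    NativeMessagingUserLevelHosts = 0                 # User-level native messaging hosts: Disabled
    PasswordManagerEnabled        = 0                 # Saving passwords: Disabled
    SSLErrorOverrideAllowed       = 0                 # Proceed from SSL warning page: Disabled
    SSLVersionMin                 = 'tls1.2'          # Minimum SSL version: TLS 1.2
}

function ConvertTo-Canonical([string]$Name, $Value) {
    if ($null -eq $Value) { return $null }
    if ($Name -eq 'AuthSchemes') {
        # Scheme order, case and spacing do not matter, so compare as a sorted set.
        $parts = "$Value".ToLower().Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        return (($parts | Sort-Object -Unique) -join ',')
    }
    return "$Value".Trim().ToLower()
}

function Test-ChromeBaseline {
    param([hashtable]$Effective)   # policy name -> value; omit to read the registry
    if ($null -eq $Effective) {
        $Effective = @{}
        $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue
        if ($key) { foreach ($n in $Baseline.Keys) { $Effective[$n] = $key.$n } }
    }
    foreach ($name in $Baseline.Keys) {
        $want = ConvertTo-Canonical $name ($Baseline[$name])
        $have = ConvertTo-Canonical $name ($Effective[$name])
        [pscustomobject]@{
            Policy   = $name
            Expected = $want
            Actual   = if ($null -eq $have) { '<not set>' } else { $have }
            Status   = if ($null -eq $have) { 'Missing' } elseif ($have -eq $want) { 'OK' } else { 'Drift' }
        }
    }
}

# Constructed sample: one reordered value, one weakened value, one missing policy.
$sample = @{
    AuthSchemes = 'Negotiate, NTLM'; NativeMessagingUserLevelHosts = 0
    PasswordManagerEnabled = 1; SSLVersionMin = 'tls1.2'
}
Test-ChromeBaseline -Effective $sample | Format-Table -AutoSize
```

Calling `Test-ChromeBaseline` without `-Effective` on an enrolled device reads the registry instead of the sample. The extension blocklist and site isolation settings are left out because the page gives no concrete values for them.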

Policy in JSON for importing

I have created the policy and exported it, so you can import it into your tenant for testing purposes before moving to production. You can download it from GitHub or copy and paste it into a file.

Conclusion

Because there are still people using Chrome and not the Edge browser, I wanted to create a security baseline just like the one we use for Edge. From what I have seen, it is possible to recreate a big portion of the policy set, except for the Defender part.

It may be worth having a conversation about why to use Edge over Chrome, given the Defender SmartScreen options and many other features.
