Closed FLeven closed 1 year ago
According to the document MS Security Baseline Windows 11 v22H2.xlsx (see URL), the path ...Microsoft\MicrosoftEdge\PhishingFilter... is correct. However, the policy file MSFT-Win11-v22H2.PolicyRules only points to the Internet Explorer one. I don't have a Windows 11 installation around at the moment, could you please configure the policy via group policy and monitor with registry key is changed?
Both: `10952,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium
10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium`
settings are here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
EnableSmartScreen (10952)
ShellSmartScreenLevel (10953), which can be Block or Warn, Block would be the correct setting.
Don't get confused, the config about Explorer not Edge, I doubt this is any different from win10.
Here is a output of the Microsoft documentation regarding those settings, which use different path for Explorer and Edge
These settings (rows 2482-2484) are covered in ID 10951 to 10954
Nope,
10952 and 10953 should match 2842 or 1043 (2 registry path entrys here) in your excel file. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
Keys: EnableSmartScreen ShellSmartScreenLevel
but in your list it matches 2483 and 2484: `10952,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium
10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium `
That's why the settings are reported as "unset", all other Defender settings are ok and don't fail. File Explorer Defender settings are in system and not in any *Edge registry folder.
I don't get it:
Okay, the category Microsoft Edge of 10952 and 10953 is not as in the Excel list however the registry keys are matching
Ok, I missed the category before "Starting category Microsoft Edge", but 10952 and 10953 are still empty and not used, even if add the Edge 107 Baseline, it is still: Result=
That is interesting, I had access to a Win 11 Enterprise machine and used gpedit.msc and monitored for registry changes. Both registry keys were created after configuring the settings:
Is there an error in the source file from Microsoft? I did not check those templates yet.
Those 2 settings are NOT part of the wi11 computer baseline, and not even part of the edge 107 basline.
only enhanced phishing and explorer are part of win11, the first one your might be missing because of missing ADMX templates.
Let's Microsoft answer this question, the documentation or the policy files are different. I posted a comment: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/bc-p/3733816/highlight/true#M562
If Microsoft recommends configuring Windows Defender for Mircosoft Edge, then the settings must be set in the way of the HardeningKitty list. If this is not a recommendation I'll remove the checks.
I did a check on Windows 11 Pro as well, if I use gpedit.msc then the registry keys are set. If I use the PowerShell script of Microsoft then it is not configured.
When executing, on Windows 11 22H2:
Invoke-HardeningKitty -Mode Audit -FileFindingList .\lists\finding_list_msft_security_baseline_windows_11_22h2_machine.csv
the two Edge settings are not found: `[*] 1/29/2023 6:22:34 PM - Starting Category Microsoft Edge
[$] ID 10952, Configure Windows Defender SmartScreen, Result=, Recommended=1, Severity=Medium
[$] ID 10953, Prevent bypassing Microsoft Defender SmartScreen prompts for sites, Result=, Recommended=1, Severity=Medium`
the list points to the reg key: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9
I could only find this setting here (the second Defender setting is also found here): SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter