1.1.51 Ensure 'Enable Proactive Authentication' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting controls whether Proactive Authentication is turned on or off. If enabled Microsoft Edge will try to authenticate a signed-in user with Microsoft services at regular intervals.

The recommended state for this setting is: Disabled.

Rationale:

Allowing Microsoft Edge to try and sign-in the user to services with their account could allow sign the user into a service/site which they may not want to be signed in for many reasons including security and protection of files on the system. There is an increased risk with authentication credentials being sent at intervals in an attempt to sign into different services.

Impact:

Users may be asked to sign in to Microsoft services individually as they visit Microsoft sites.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled.

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Enable Proactive Authentication

Note: This setting works in conjunction with the NonRemovableProfileEnabled setting which will need to be set to Disabled because the setting NonRemovableProfileEnabled disables the creation of an automatically signed in browser profile.
Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/files/3005