V-235752

Discussion

This configures the type of downloads that Microsoft Edge completely blocks without allowing users to override the security decision. Set "BlockDangerousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of known dangerous downloads or that have dangerous file type extensions. Set "BlockPotentiallyDangerousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of potentially dangerous or unwanted downloads or that have dangerous file type extensions. Set "BlockAllDownloads" to block all downloads. Set "BlockMaliciousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of known malicious downloads. If this policy is not configured or the "DefaultDownloadSecurity" option is not set, the downloads go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results. Policy options mapping: DefaultDownloadSecurity (0) = No special restrictions BlockDangerousDownloads (1) = Block malicious downloads and dangerous file types BlockPotentiallyDangerousDownloads (2) = Block potentially dangerous or unwanted downloads and dangerous file types BlockAllDownloads (3) = Block all downloads BlockMaliciousDownloads (4) = Block malicious downloads

Check Content

If this machine is on SIPRNet, this is Not Applicable.

The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" must be set to "Enabled" with the option value set to "BlockDangerousDownloads", "Block potentially dangerous or unwanted downloads", or "BlockMaliciousDownloads". The more restrictive option, "Block all downloads", is also acceptable.

Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge

If the value for "DownloadRestrictions" is set to "REG_DWORD = 0", this is a finding.