1.1.20 Ensure 'Allow users to open files using the ClickOnce protocol' is set to 'Disabled'

Information

This policy setting allows users to use the ClickOnce protocol for opening files via applications inside of Microsoft Edge instead of downloading them to their device. The ClickOnce protocol allows websites to request that the browser open files from a specific URL using the ClickOnce file handler on the user's computer or device.

The recommended state for this setting is: Disabled.

Rationale:

Allowing users to configure ClickOnce could potentially allow malicious files to be automatically opened within Microsoft Edge. By not allowing this, the end-user will need to download file allowing it to be scanned before opening.

Impact:

Users will have to download files to their system and will be unable to open them directly in Microsoft Edge. Disabling ClickOnce will also prevent ClickOnce applications (.application files) from working properly.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Allow users top open files using the ClickOnce protocol

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Disabled - Users will have the option to enable the use of the ClickOnce protocol with the edge://flags/ page.

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Windows

Control ID: ea4342b30b8481ea36faefbf3625ee51de270d101eb3c893c7d0981af6a01c43