1.1.21 Ensure 'Allow users to open files using the DirectInvoke protocol' is set to 'Disabled'

Information

This policy setting allows users to utilize the DirectInvoke protocol for opening files via applications inside of Microsoft Edge instead of downloading them to their device.

The recommended state for this setting is: Disabled.

Rationale:

Allowing users to configure DirectInvoke could potentially allow malicious files to be automatically opened within Microsoft Edge. By not allowing this the end-user will need to download files allowing for the file to be scanned before opening.

Impact:

Users will have to download files to their device and will be unable to open them directly in Microsoft Edge. Disabling DirectInvoke could also prevent some SharePoint functions from working properly.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Allow users to open files using the DirectInvoke protocol

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Windows

Control ID: a0f208ad56619627800bffb5d7bd426a1471bb522d83587a43866432284cf7a7