Microsoft’s latest security review confirms that Edge v148 does not introduce new enforcement requirements, keeping the v139 baseline as the recommended configuration. The article outlines the 16 new settings, provides guidance on migration, and explains the impact for enterprises managing browsers across cloud environments.
What changed in Edge v148?
Microsoft’s Security Compliance team published a review of Microsoft Edge version 148 on May 19 2026. The update adds 16 new Group Policy settings—both computer‑ and user‑level—but the team concluded that none of these settings demand mandatory enforcement. In practice, the v139 security baseline remains the default recommendation, and the new settings are documented in a downloadable spreadsheet (MSFT Edge v147 to v148.xlsx).
Key points of the announcement:
- No additional security controls are required for Edge v148.
- Existing baseline (v139) continues to be the supported configuration.
- All settings are listed in the Microsoft Security Compliance Toolkit (SCT) and can be accessed via the official documentation links.
- Feedback channels remain open through the Security Baselines Discussion site.
Provider comparison – Edge baseline vs. competing browsers
| Feature | Microsoft Edge (v148) | Google Chrome (stable) | Mozilla Firefox (latest ESR) |
|---|---|---|---|
| Recommended baseline version | v139 (still current) | Chrome Enterprise Release 128 | Firefox ESR 128.0 |
| New policy objects in latest release | 16 (non‑mandatory) | 12 (some mandatory) | 9 (mostly optional) |
| Integration with compliance tooling | SCT, Azure Policy, Intune | Chrome Enterprise policies, Google Workspace | GPO templates, Enterprise Policies |
| Pricing for management tools | Included with Windows 10/11, Azure AD | Free, but advanced controls need Google Workspace | Free, open‑source |
| Migration friction | Low – same baseline, just new optional knobs | Medium – some policies deprecated | Low – similar policy model |
Why the comparison matters – Enterprises that run a multi‑cloud stack often standardize browser security across Azure, AWS, and GCP workloads. Edge’s decision to keep the baseline unchanged means minimal disruption for organizations already using the SCT to push policies via Intune or Azure Policy. In contrast, Chrome’s recent shift toward mandatory enterprise policies can require re‑architecting existing scripts, while Firefox’s open‑source model offers flexibility but lacks the deep Azure integration that many Azure‑centric shops rely on.
Business impact and migration considerations
1. Policy continuity reduces operational overhead
Because the baseline has not changed, IT teams can continue to deploy the same Group Policy Objects (GPOs), Intune configuration profiles, or Azure Policy definitions without testing new enforcement rules. The 16 new settings are optional; they appear in the spreadsheet for reference but do not need to be added to existing compliance pipelines.
2. Simplified audit trails
Auditors looking for deviations from the approved baseline will see the same configuration footprint as before. This continuity simplifies evidence collection for PCI DSS, ISO 27001, or FedRAMP assessments, especially when the organization already reports on Edge v139 compliance.
3. Cost implications
There is no additional licensing cost associated with the new settings. Organizations that have already purchased Microsoft 365 or Azure AD can continue to use the Security Compliance Toolkit (SCT) at no extra charge. The alternative would be to purchase third‑party tools for Chrome or to allocate developer time for custom Firefox policy scripts, which could increase total cost of ownership.
4. Migration path for legacy browsers
Enterprises still running older Edge versions (e.g., v140‑v145) can upgrade to v148 without a security‑baseline migration. The recommended process is:
- Back up existing GPOs and export current Edge policy sets via the SCT.
- Deploy the v148 installer through existing software distribution channels (Intune, SCCM, or Azure Automation).
- Validate that the v139 baseline remains enforced using the Policy Analyzer tool included in the SCT.
- Optional – Review the 16 new settings in the spreadsheet and decide if any align with internal hardening goals (e.g., disabling WebRTC, tightening certificate pinning).
5. Multi‑cloud alignment
For workloads that span Azure, AWS, and Google Cloud, keeping a single baseline across browsers reduces the surface area for configuration drift. Edge’s alignment with Azure Policy means you can extend the same JSON policy definitions to other services via Azure Arc, ensuring that VMs, containers, and even Kubernetes pods respect the same browser security posture.
Strategic recommendation
- Maintain the v139 baseline for now; monitor the spreadsheet for any settings that could enhance your security posture without adding enforcement burden.
- Integrate the Edge baseline into your cloud‑agnostic compliance framework (e.g., using Terraform Cloud‑Guardrails or Pulumi) so that any future baseline updates are automatically propagated across environments.
- Engage with the Security Baselines Discussion site to share any edge‑case requirements—Microsoft often incorporates community feedback into subsequent releases.
Next steps
- Download the latest Security Compliance Toolkit from aka.ms/SCT.
- Review the Edge v148 settings spreadsheet linked in the announcement.
- Align your internal policy repository with the v139 baseline and schedule a pilot rollout of Edge v148 on a non‑production tenant.
By treating the Edge v148 release as a maintenance update rather than a baseline shift, organizations can keep their browser security posture steady while focusing resources on higher‑impact cloud security initiatives.
For more details, see the official Microsoft announcement and the downloadable spreadsheet:
Comments
Please log in or register to join the discussion