| title | List of settings for the Microsoft Edge security baseline in Intune | ||
|---|---|---|---|
| description | View a list of the settings in the Microsoft Intune security baseline version 112 and later, for the Microsoft Edge browser. This list includes the default values for settings as found in the default configuration of the baseline. | ||
| ms.date | 01/27/2025 | ||
| ms.topic | reference | ||
| ms.reviewer | aanavath | ||
| ms.collection |
|
||
| zone_pivot_groups | dcv2-edge-baselines |
This article is a reference for the settings that are available in the Microsoft Edge security baseline for Microsoft Intune and applies to versions of that baseline that released in May 2023 or later.
If you use a security baseline for Microsoft Edge version 85 or earlier, see List of the settings in the Microsoft Edge security baseline in Intune.
Note
Beginning in May 2023, all new security baseline versions use a new settings format that replaces previous versions. While the last version instance for a baseline that uses the older setting format remains available to use, the older format will no longer receive updates for new settings, or updated default configurations.
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
-
Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
[!TIP] Because the new baselines versions introduced in May 2023 or later exist side-by-side with the last baseline version from the older format, baselines for the last available version of that older format remain accessible to use and to edit.
-
Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see:
::: zone pivot="edge-v128"
For information about the most recent baseline versions and settings from Microsoft, including versions of this baseline that might not be available through Intune, download the Microsoft Security Compliance Toolkit from the Microsoft Download Center.
-
Allow unconfigured sites to be reloaded in Internet Explorer mode
Baseline default: Disabled -
Allow users to proceed from the HTTPS warning page
Baseline default: Disabled -
Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode
Baseline default: Disabled -
Dynamic Code Settings
Baseline default: Enabled- Dynamic Code Settings (Device)
Baseline default: Default dynamic code settings
- Dynamic Code Settings (Device)
-
Enable Application Bound Encryption
Baseline default: Enabled -
Enable browser legacy extension point blocking
Baseline default: Enabled -
Enable site isolation for every site
Baseline default: Enabled -
Show the Reload in Internet Explorer mode button in the toolbar
Baseline default: Disabled -
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
Baseline default: Disabled
-
Control which extensions cannot be installed
Baseline default: Enabled- Extension IDs the user should be prevented from installing (or * for all) (Device)
Baseline default: *
- Extension IDs the user should be prevented from installing (or * for all) (Device)
-
Allow Basic authentication for HTTP
Baseline default: Disabled -
Supported authentication schemes
Baseline default: Enabled
Learn more- Supported authentication schemes (Device)
Baseline default: ntlm,negotiate
- Supported authentication schemes (Device)
- Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
- Specifies whether to allow insecure websites to make requests to more-private network endpoints
Baseline default: Disabled
-
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Learn more -
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled -
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Learn more -
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Learn more
- Configure Edge Typo Protection
Baseline default: Enabled
::: zone-end ::: zone pivot="edge-v117"
For information about the most recent baseline versions and settings from Microsoft, including versions of this baseline that might not be available through Intune, download the Microsoft Security Compliance Toolkit from the Microsoft Download Center.
-
Allow unconfigured sites to be reloaded in Internet Explorer mode
Baseline default: Disabled -
Allow users to proceed from the HTTPS warning page
Baseline default: Disabled -
Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode
Baseline default: Disabled -
Enable browser legacy extension point blocking
Baseline default: Enabled -
Enable site isolation for every site
Baseline default: Enabled -
Enhance images enabled
Baseline default: Disabled -
Force WebSQL to be enabled
Baseline default: Disabled -
Show the Reload in Internet Explorer mode button in the toolbar
Baseline default: Disabled -
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
Baseline default: Disabled
-
Control which extensions cannot be installed
Baseline default: Enabled- Extension IDs the user should be prevented from installing (or * for all) (Device)
Baseline default: *
- Extension IDs the user should be prevented from installing (or * for all) (Device)
-
Allow Basic authentication for HTTP
Baseline default: Disabled -
Supported authentication schemes
Baseline default: Enabled
Learn more
- Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
- Specifies whether to allow insecure websites to make requests to more-private network endpoints
Baseline default: Disabled
-
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Learn more -
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled -
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Learn more -
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Learn more -
Configure Edge TyposquattingChecker
Baseline default: Enabled
::: zone-end ::: zone pivot="edge-v112"
For information about the most recent baseline versions and settings from Microsoft, including versions of this baseline that might not be available through Intune, download the Microsoft Security Compliance Toolkit from the Microsoft Download Center.
-
Allow unconfigured sites to be reloaded in Internet Explorer mode
Baseline default: Disabled -
Allow users to proceed from the HTTPS warning page
Baseline default: Disabled -
Enable browser legacy extension point blocking
Baseline default: Enabled -
Enable site isolation for every site
Baseline default: Enabled -
Enhance images enabled
Baseline default: Disabled -
Force WebSQL to be enabled
Baseline default: Disabled -
Minimum TLS version enabled
Baseline default: Enabled- Minimum SSL version enabled (Device)
Baseline default: TLS 1.2
- Minimum SSL version enabled (Device)
-
Show the Reload in Internet Explorer mode button in the toolbar
Baseline default: Disabled -
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
Baseline default: Disabled
-
Control which extensions cannot be installed
Baseline default: Enabled- Extension IDs the user should be prevented from installing (or * for all) (Device)
Baseline default: *
- Extension IDs the user should be prevented from installing (or * for all) (Device)
-
Allow Basic authentication for HTTP
Baseline default: Disabled -
Supported authentication schemes
Baseline default: Enabled
Learn more -
Supported authentication schemes (Device)
Baseline default: ntlm,negotiate
- Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
- Enable saving passwords to the password manager
Baseline default: Disabled
Learn more
- Specifies whether to allow insecure websites to make requests to more-private network endpoints
Baseline default: Disabled
-
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Learn more -
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled -
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Learn more -
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Learn more
::: zone-end