List of the settings in the Microsoft Edge security baseline in Intune

This article is a reference for the settings that are available in the different versions of the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use.

For each setting you’ll find the baseline's default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types could also set different defaults.

Although the settings in the Intune UI for this baseline omit Learn more links, this article includes links to relevant content.

When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:

Microsoft Edge baseline for September 2020 (Edge version 85)

Microsoft Edge baseline for April 2020 (Edge version 80)

Microsoft Edge baseline for October 2019

Note

The Microsoft Edge baseline for October 2019 is in Public Preview.

Microsoft Edge

  • Supported authentication schemes
    Baseline default: Enabled
    Learn more

    • Supported authentication schemes
      Baseline defaults: Two items: NTLM and Negotiate
  • Default Adobe Flash setting
    Baseline default: Enabled
    Learn more

    • Default Adobe Flash setting
      Baseline default: Block the Adobe Flash plugin
      Learn more
  • Control which extensions cannot be installed
    Baseline default: Enabled

    • Extension IDs the user should be prevented from installing (or * for all)
      Baseline default: Not configured by default. Manually add one or more Extension IDs
  • Allow user-level native messaging hosts (installed without admin permissions)
    Baseline default: Disabled

  • Enable saving passwords to the password manager
    Baseline default: Disabled
    Learn more

  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled
    Learn more

  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled
    Learn more

  • Enable site isolation for every site
    Baseline default: Enabled

    Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled
    Learn more

    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.

  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
    Baseline default: Enabled

    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.

  • Allow users to proceed from the SSL warning page
    Baseline default: Disabled
    Learn more

  • Minimum SSL version enabled
    Baseline default: Enabled

    • Minimum SSL version enabled
      Baseline default: TLS 1.2
  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled
    Learn more

  • Minimum SSL version enabled
    Baseline default: Enabled

    • Minimum SSL version enabled
      Baseline default: TLS 1.2
  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled
    Learn more

  • Allow users to proceed from the SSL warning page
    Baseline default: Disabled
    Learn more

  • Default Adobe Flash setting
    Baseline default: Enabled
    Learn more

    • Default Adobe Flash setting
      Baseline default: Block the Adobe Flash plugin
      Learn more
  • Enable site isolation for every site
    Baseline default: Enabled

    Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.

  • Supported authentication schemes
    Baseline default: Enabled
    Learn more

    • Supported authentication schemes
      Baseline defaults: Two items: NTLM and Negotiate
  • Enable saving passwords to the password manager
    Baseline default: Disabled
    Learn more

  • Control which extensions cannot be installed
    Baseline default: Enabled

    • Extension IDs the user should be prevented from installing (or * for all)
      Baseline default: Not configured by default. Manually add one or more Extension IDs
  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled
    Learn more

    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.

  • Allow user-level native messaging hosts (installed without admin permissions)
    Baseline default: Disabled

  • Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)
    Baseline default: Disabled

    Important

    This setting is deprecated. It is currently supported but will become obsolete in a future release.

Next steps