List of the settings in the Microsoft Edge security baseline in Intune
This article is a reference for the settings that are available in the different versions of the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use.
For each setting you’ll find the baseline's default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types could also set different defaults.
Although the settings in the Intune UI for this baseline omit Learn more links, this article includes links to relevant content.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:
- Change the baseline version for a profile to update a profile to use the latest version of that baseline.
Microsoft Edge baseline for September 2020 (Edge version 85)
Microsoft Edge baseline for April 2020 (Edge version 80)
Microsoft Edge baseline for October 2019
Note
The Microsoft Edge baseline for October 2019 is in Public Preview.
Microsoft Edge
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults: Two items: NTLM and Negotiate
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default: Not configured by default. Manually add one or more Extension IDs
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Enable saving passwords to the password manager
Baseline default: Disabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Enable site isolation for every site
Baseline default: Enabled
Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Enable site isolation for every site
Baseline default: Enabled
Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults: Two items: NTLM and Negotiate
Enable saving passwords to the password manager
Baseline default: Disabled
Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default: Not configured by default. Manually add one or more Extension IDs
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)
Baseline default: Disabled
Important
This setting is deprecated. It is currently supported but will become obsolete in a future release.