List of the settings in the Microsoft Edge security baseline in Intune
This article is a reference for the settings that are available in the Microsoft Edge security baseline for Microsoft Intune.
In May 2023, the settings for the Microsoft Edge baselines were updated to a new format. This article provides a reference for Microsoft Edge baselines version 85 and earlier. To view the settings reference for newer baselines, see Microsoft Edge security baseline settings reference for Microsoft Intune.
About this reference article
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see:
Microsoft Edge baseline for September 2020 (Edge version 85)
Microsoft Edge baseline for April 2020 (Edge version 80)
Microsoft Edge baseline for October 2019
Note
The Microsoft Edge baseline for October 2019 is a Public Preview.
Microsoft Edge
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults: Two items: NTLM and Negotiate
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default: Not configured by default. Manually add one or more Extension IDs
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Enable saving passwords to the password manager
Baseline default: Disabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Enable site isolation for every site
Baseline default: Enabled
Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Enable site isolation for every site
Baseline default: Enabled
Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults: Two items: NTLM and Negotiate
Enable saving passwords to the password manager
Baseline default: Disabled
Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default: Not configured by default. Manually add one or more Extension IDs
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are enrolled for device management.
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)
Baseline default: Disabled
Important
This setting is deprecated. It is currently supported but will become obsolete in a future release.