In this blog post, I will show you how to configure Enhance Security Mode in Edge using Intune. Enhance Security Mode in Edge mitigates memory-related vulnerabilities through several protective measures.
It disables just-in-time (JIT) JavaScript compilation and enables additional operating system defenses, such as Hardware-enforced Stack Protection and Arbitrary Code Guard (ACG). These safeguards reduce the risk of attacks by enforcing stricter security settings on unfamiliar websites while gradually adapting to your browsing habits. There are other security measures you can take to harden the Edge browser. These are Microsoft Defender SmartScreen, typosquatting protection, and Enhance Security Mode.
- Microsoft Defender SmartScreen: Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
- Typosquatting Protection: A security feature designed to mitigate the risks of typosquatting by protecting users who make typographical errors when entering URLs. It helps prevent users from inadvertently landing on websites that mimic legitimate ones and could be used for malicious purposes.
- Enhance Security Mode: Applies stricter security protections on unfamiliar sites while adapting to your browsing habits.
When you enable Enhance Security Mode via Intune, there are three options to select from: Standard Mode, Balanced Mode and Strict Mode. Let’s look at these options in more detail.
- Standard mode: If you set this policy to Standard Mode, Enhance Security Mode is turned off and Microsoft Edge falls back to its standard security mode.
- Balanced mode: Microsoft Edge enhances security protections for unfamiliar or infrequently visited sites, while excluding those you visit regularly. Most websites will function as expected.
- Strict mode: By default, Microsoft Edge enhances security protections for all websites. However, in Strict mode, some website features may not function properly, which could affect your ability to complete certain tasks online. You can add domains or sites to the exception list if you face any issues.
Enhance Security Mode Edge Intune Policy
Let’s configure Enhance Security Mode in Edge using an Intune device configuration policy:
- Sign in to the Intune admin center > Devices > Windows > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click Create.
- On the Basics tab, provide a Name and Description of the policy and click Next.
- On the Configuration settings tab, click + Add settings. In the Settings picker, select the Microsoft Edge category and select the settings below:
- Enhance the security state in Microsoft Edge.
- Configure the list of domains for which enhance security mode will not be enforced.
- Enhance the security state in Microsoft Edge: Use the toggle switch to turn on the policy and select the Enhance Security Mode level. I would recommend starting with Balanced mode and moving to Strict mode, if required, after testing it on a couple of devices. For demonstration purposes, I will go with Strict mode.
- Configure the list of domains for which enhance security mode will not be enforced: To exempt a domain from Enhance Security Mode, turn on this policy and provide the list of domains to bypass.
- Scope tags: Click Next.
- Assignments: Assign this policy to an Entra security group containing users or devices. It’s a best practice to test the policy on a few devices first. If it works as expected, extend it to the remaining devices.
- Review + create: Review the policy settings and click on Create.
Monitoring Enhance Security Mode Edge Policy
- Sign in to the Intune admin center > Devices > Configuration.
- Select the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually trigger an Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End User Experience
After the configuration deployment has completed successfully, launch the Edge browser and type edge://policy in the address bar. You will find that the Enhance Security Mode value is set to 2 (Strict mode) and the Enhance Security Mode bypass list domains value is set to apple.com, as per the configuration profile.
Policy options mapping:
- 0- StandardMode
- 1- BalancedMode
- 2- StrictMode
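To cover both the PowerShell sync mentioned in the Sync Intune Policies section and the verification of the applied values, here is an added script (not from the original post or from Microsoft) for a test device. It assumes the machine-level Edge policy keys under HKLM:\SOFTWARE\Policies\Microsoft\Edge (EnhanceSecurityMode and the EnhanceSecurityModeBypassListDomains subkey) and the enrollment client's 'PushLaunch' scheduled task as the sync trigger; run it in an elevated PowerShell session.

```powershell
# Added example: trigger an Intune check-in on a test device, then read the
# Edge policy values Intune writes and report the effective Enhance Security
# Mode state. Assumes the standard machine-level Edge policy registry path.
param([switch]$Sync)

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
# Mapping as shown on the edge://policy page: 0 / 1 / 2
$ModeNames  = @{ 0 = 'StandardMode (Enhance Security Mode off)'; 1 = 'BalancedMode'; 2 = 'StrictMode' }

function Invoke-IntuneSync {
    # The enrollment client registers a 'PushLaunch' task under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; starting it forces a check-in.
    $task = Get-ScheduledTask | Where-Object { $_.TaskName -eq 'PushLaunch' }
    if (-not $task) { Write-Warning 'No PushLaunch task found; is the device MDM-enrolled?'; return }
    $task | Start-ScheduledTask
    Write-Host 'Intune sync triggered; the policy may take a minute or two to land.'
}

function Get-EdgeEsmState {
    $mode = (Get-ItemProperty -Path $EdgePolicy -Name EnhanceSecurityMode -ErrorAction SilentlyContinue).EnhanceSecurityMode
    $bypass = @()
    $listKey = Join-Path $EdgePolicy 'EnhanceSecurityModeBypassListDomains'
    if (Test-Path $listKey) {
        # Edge list policies are stored as numbered values (1, 2, 3 ...) under a subkey.
        $key = Get-Item $listKey
        $bypass = $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
    }
    [pscustomobject]@{
        ModeValue  = $mode
        ModeName   = if ($null -eq $mode) { 'Not configured (policy not applied yet)' } else { $ModeNames[[int]$mode] }
        Enforced   = ($mode -eq 1 -or $mode -eq 2)
        BypassList = $bypass
    }
}

if ($Sync) { Invoke-IntuneSync; Start-Sleep -Seconds 90 }
$state = Get-EdgeEsmState
$state | Format-List
if (-not $state.Enforced) { Write-Warning 'Enhance Security Mode is not enforced on this device; check the Intune report for this profile.' }
```

Run it as `.\Check-EdgeEsm.ps1 -Sync` to force the check-in first, or without the switch to only read the current state; with the profile from this post applied, it should report ModeValue 2 (StrictMode) and apple.com in the bypass list.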
Visit any website apart from apple.com, as it’s in the bypass list, and you will find that additional security is applied to the site. Click the lock icon next to the site URL to confirm whether enhanced security is active for that site. If you experience any issues with a site due to enhanced security, you can add the website or domain to the bypass list.
When you visit a website or domain in the bypass list, for example apple.com as per our device configuration profile, you will not see the "enhanced security is active for this site" message for that site after clicking the lock icon. This confirms that additional security is not applied to the website.