In this post, I’ll show you how to enable enhanced security mode in Edge with Intune. I will also explain the different security modes that are available when you enhance the security state in Microsoft Edge.
The Enhanced Security Mode in Edge is a feature that improves browser security by applying stricter policies, such as disabling JIT (Just-in-Time) compilation for JavaScript and enabling additional protections against vulnerabilities. This feature is particularly useful for organizations aiming to safeguard sensitive data and secure web experience.
Organizations looking to enable enhanced security mode in Edge can use Intune for Entra ID-joined devices or Group Policy for AD domain joined computers. For home PC users who want to enhance their browser security without relying on external tools or extensions, the feature can be manually turn on by navigating to Settings > Privacy, search, and services, then locate the Enhance your security on the web section and turn it On.
Prerequisites
- Windows devices must be enrolled in Intune. See the windows enrollment guide.
- Ensure that devices are updated to the latest version of Microsoft Edge for full support of Enhance Security Mode.
- Go through each Edge security modes and determine what works well for your organization.
Enhanced Security Modes in Edge
When you enable the policy setting “Enhance the security state in Microsoft Edge” in settings catalog, you get advanced security options to choose from. The below information is referenced from the policy description itself.
- Standard Mode: If you set this policy to ‘StandardMode‘, the enhanced mode will be turned off and Microsoft Edge will fallback to its standard security mode. This security configuration in Edge
offers better performance compared to strict mode. This policy option mapping for standard mode is 0. - Balanced Mode: If you set Edge browser to ‘BalancedMode‘, the security state will be in balanced mode. The balanced mode aims to strike a balance between security and usability. This mode is recommended for most users as it provides a good level of protection without significantly impacting browsing experience. This policy option mapping for balanced mode is 1.
- Strict Mode: If you set this policy to ‘StrictMode‘, the security state will be in strict mode. This mode applies security mitigations to all websites, regardless of frequency of visits or trust level. One thing to note here is this mode provides maximum security for Edge users but may affect usability and performance for certain websites. This policy option mapping for strict mode is 3.
Note: Starting in Microsoft Edge 113, the Basic Mode is deprecated and is treated the same as Balanced Mode. It won’t work in Microsoft Edge version 116.
Enable Enhanced Security Mode in Edge with Intune
Let’s create a new policy Intune to enable the enhanced security mode for Edge browser. To get started, sign in to the Microsoft Intune admin center. Navigate to Devices > Windows > Configuration > Create > New Policy.
Choose Windows 10 and later as Platform and Settings Catalog as Profile Type. On the Basics tab, specify the name of the profile as “Enable Enhanced Security Mode in Edge.” You may add a brief description about the profile. Click Next to continue.
In the Settings Picker, type “Enhance the Security” in the search box and click Search. From the results, select the Microsoft Edge category. Now select the setting “Enhance the security state in Microsoft Edge” and close the settings picker.
Note: The policy setting Enhance the security state in Microsoft Edge is available separately for Device and User. If you want to apply settings on a device, regardless of who’s signed in, then assign your policies to a devices group. Policy settings assigned to user groups consistently follow the user, regardless of the device they sign in to.
First set the policy setting Enhance the security state in Microsoft Edge to Enabled. Next, open the drop-down menu and choose your preferred option: Standard Mode, Balanced Mode, or Strict Mode.
In the below example, I have selected the Balanced mode for enhancing the security of Edge browser. This mode is recommended for most organizations to avoid compatibility issues. Click Next.
In the scope tags section, you specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments tab, select the Entra ID security user groups to which you want to assign the policy. When deploying this policy for the first time, start by applying it to a few test groups. If the testing proves successful, gradually extend the policy to additional users or devices. Select Next.
Review the policy settings on Review + Create tab and click the Create button. A new policy is created, and you can find it under the list of Configuration Profiles.
Update Intune Policies
After deploying the above policy in Intune to your groups, devices might not receive it immediately. They need to check-in with Intune for the latest policies.
To speed up the policy assignments in your tenant, you can manually sync Intune policies using different methods on your enrolled Windows computers, including PowerShell. The sync action will force devices to immediately check in with Intune and retrieve the latest policies.
Monitor Edge Enhanced Security Mode Policy
To monitor the Edge enhanced security mode policy assignments in Intune, go to Devices > Windows > Configuration and here select the Edge Security Mode profile. On the Policy overview page, check the device and user check-in status.
Here you will find the number of devices or users on which the policy has been applied successfully. The view report button lets you see the names of devices or users for which the policy deployments have been successful.
End-User Experience
In this step, we’ll verify whether the enhanced security mode policy settings have been successfully implemented on the Edge browser through Intune, as configured.
- Open Microsoft Edge browser on a managed device.
- Browse to edge://settings/privacy/security.
- Scroll to the Enhance Security Mode section to confirm the policy settings are applied correctly.
In the below screenshot, we see that as per the Intune policy, the enhanced security mode is configured to Balanced mode. This is exactly what we configured in our Intune policy.
In the Microsoft Edge browser, browse to edge://policy and under Microsoft Edge policies, we see the EnhancedSecurityMode policy value is set to 1. Remember that policy option mapping for balanced mode is 1.
Troubleshooting
- In some cases, the Edge enhanced security mode policy may fail to apply to certain devices. To troubleshoot these issues, review the essential Intune IME logs. In addition, review Event ID 814 in Event Viewer. Use the following path: Applications and Services Logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin.
- If you encounter policy assignment failure on a remote device, generate an MDM diagnostic report for IT support. This can be done from Settings > Accounts > Access work or School > Info. Click on the Create Report button.
Conclusion
I hope this guide provided clear steps to help you configure Enhanced Security Mode in the Edge browser using Intune policies. Additionally, I covered the various security modes available in Edge to enhance browsing protection. With such policies you can protect your Edge browser from malware by blocking security threats and enhance overall browser security across your organization. That’s all for this guide, if you need any further help, please let me know in the comments section.
