Ensuring Browser Extension Security in a Microsoft 365 Business Premium Environment

bp1

Introduction

Browser extensions can introduce security vulnerabilities if not properly managed. Malicious or vulnerable extensions can steal data, hijack accounts, or serve as an entry point for attacks[2]. In an organization using Microsoft 365 Business Premium (which includes Defender for Business endpoint protection), it’s important to understand what is covered out-of-the-box and how to fill any gaps in protection. This report examines whether Microsoft 365 Business Premium’s security features include Microsoft Defender Vulnerability Management (MDVM) for scanning browser extensions, and if not, the most cost-effective ways to enable this capability. It also covers alternative solutions, best practices for browser extension security, and recommendations for ongoing protection.

Microsoft 365 Business Premium Security Features

Microsoft 365 Business Premium is a comprehensive plan for small and medium businesses that combines productivity apps with advanced security. Key included features are:

  • Office 365 Applications and Services: Email, cloud storage, and the full suite of Office apps, enabling productivity and collaboration.

  • Azure AD Premium P1: Enhanced identity and access management (for example, conditional access and multi-factor authentication policies).

  • Microsoft Intune (Endpoint Manager): Mobile device and PC management to enforce security policies on devices and apps.

  • Microsoft Defender for Office 365 (Plan 1): Protection against phishing, unsafe attachments, and malicious links in email.

  • Microsoft Defender for Business (Endpoint Protection): An enterprise-grade, AI-powered endpoint security solution optimized for SMBs. This provides next-generation antivirus, endpoint detection and response (EDR), and threat & vulnerability management capabilities[8].

Note: Defender for Business is essentially a subset of Microsoft Defender for Endpoint features tailored for Business Premium. It does include basic vulnerability management (VM) capabilities, such as detecting OS and application vulnerabilities on devices[7]. However, as discussed below, some advanced VM features are not included.

Microsoft Defender Vulnerability Management (MDVM) Capabilities

Microsoft Defender Vulnerability Management is an add-on service that enhances Defender’s built-in vulnerability management with more advanced, risk-based scanning and asset inventory. Core capabilities of MDVM (some of which overlap with Defender for Business) include[6]:

  • Device and Software Inventory: Discovering devices and software in your environment, and listing installed applications and versions.

  • Vulnerability & Configuration Assessment: Identifying known vulnerabilities (e.g., missing patches or CVEs) and misconfigurations on endpoints[6].

  • Risk-Based Prioritization: Evaluating which vulnerabilities pose the highest risk, so security efforts can focus on the most critical issues[6].

  • Remediation Tracking: Providing guidance and tracking the status of fixes for identified issues.

  • Continuous Monitoring: Ongoing scanning to catch new vulnerabilities as they arise.

Premium MDVM capabilities extend this further and are available with a specific MDVM license (or add-on). These premium features include advanced asset insights such as[6]:

  • Browser Extensions Assessment: Visibility into browser extensions installed on endpoints and their associated risks.

  • Digital Certificates Assessment: Inventory and risk info for certificates on devices.

  • Network Shares, Hardware/Firmware Assessment: Scanning for vulnerabilities in network share configurations and device firmware.

  • Security Baselines Assessment & Blocking Vulnerable Apps: Checking compliance with security baseline settings and enabling the ability to block applications or browser add-ons known to be vulnerable[6].

Does Business Premium Include Browser Extension Scanning?

Out-of-the-box, Microsoft 365 Business Premium does not include the specialized capability to scan browser extensions for vulnerabilities. Business Premium’s Defender for Business provides “core” vulnerability management (covering OS and software vulnerabilities), but the Browser Extensions Assessment feature is only available with the Defender Vulnerability Management premium add-on or standalone license[6]. In Microsoft’s terminology, Business Premium gets you “Vulnerability Management Core” features, whereas Browser Extension assessments are a premium feature not included in the core set[6].

In fact, Microsoft documentation explicitly notes that Defender Vulnerability Management (MDVM) is not currently available to Defender for Business customers without an add-on[6]. This means that while your Business Premium subscription offers strong endpoint protection and some vulnerability scanning, it will not automatically discover or report vulnerable browser extensions in Microsoft Edge (or other browsers) unless you extend its capabilities.

Supported Browsers: When MDVM’s Browser Extension Assessment is enabled (via the appropriate license), it covers extensions in Microsoft Edge, Google Chrome, and Mozilla Firefox on Windows devices[5][2]. The Microsoft Defender for Endpoint sensor on Windows collects the list of installed extensions in those browsers, including their names, versions, the devices and users where they’re installed, and the permissions they require[5]. This data is then available in the security portal under Endpoints > Vulnerability Management > Inventories > Browser extensions, where security teams can review extension details and risk levels[5]. Without the MDVM add-on, Business Premium admins will not see this Browser extensions page or related insights in the Defender security portal.

Edge-Specific Considerations: Microsoft Edge shares its extension framework with Chrome (both are Chromium-based), so MDVM’s approach for extension scanning in Edge is similar to Chrome’s. The MDVM extension inventory will include Edge extensions (whether from the Microsoft Store or Chrome Web Store) and assess their requested permissions. It will indicate if an extension has high-risk permissions (for example, the ability to read all data on websites could be flagged as higher risk)[2]. However, note that this assessment is about visibility and risk reporting – it does not automatically block any extension. It helps admins decide if they should allow or remove a given extension.

How to Enable Browser Extension Vulnerability Scanning in Business Premium

Since M365 Business Premium doesn’t include browser extension scanning by default, you have a few options to gain this capability in a cost-effective way:

Option 1: Add Microsoft Defender Vulnerability Management

The most straightforward method is to purchase a Microsoft Defender Vulnerability Management license for your endpoints. Microsoft offers two licensing options:

  • Defender Vulnerability Management Add-on: For customers who already have Microsoft Defender for Endpoint Plan 2 (e.g., E5 customers), the MDVM add-on enables the premium features for about $2.00 USD per user per month (annual commitment)[3]. This would unlock browser extension assessments in their existing environment.

  • Defender Vulnerability Management Standalone: For customers without Defender for Endpoint P2 (for example, Business Premium users, since they have a different edition), Microsoft provides a standalone MDVM subscription at roughly $3.00 USD per user per month[3]. This standalone license includes all MDVM capabilities for your devices, working alongside your current Defender for Business endpoint protection. It’s designed to complement any EDR solution, which means you can use it with the Defender agents you already run on Business Premium endpoints[6].

Cost-Effectiveness: In terms of cost, this is much more affordable than upgrading all the way to an E5 plan. For a Business Premium environment, adding MDVM standalone at ~$3/user/month is the most cost-effective Microsoft-native solution to gain extension vulnerability scanning[3]. It avoids having to pay for a full Microsoft 365 E5 license (which is significantly more expensive per user). You can selectively license only the users/devices that need this capability. Microsoft also offers a 90-day free trial for MDVM add-on/standalone to evaluate its value[2].

Once MDVM is enabled in your tenant, you would get:

  • A “Browser extensions” inventory in the Defender portal listing all extensions discovered across Edge/Chrome/Firefox[5].

  • Details per extension: which devices and users have it, whether it’s enabled, its version, and a risk rating based on permissions[5][2].

  • The ability to run advanced hunting queries or reports on extensions organization-wide (for example, find all devices with a particular extension)[2].

  • Insights to decide if an extension should be allowed or if it poses enough risk to justify blocking or removal.

Option 2: Third-Party Browser Extension Security Tools

If you prefer not to purchase MDVM licenses, there are third-party solutions that can help monitor and secure browser extensions. Some notable approaches include:

  • CrowdStrike Falcon Spotlight – Browser Extension Assessment: CrowdStrike’s Exposure Management platform offers a feature to inventory and assess browser extensions similar to MDVM. It provides a comprehensive view of extensions and flags high-risk extensions with dangerous permissions, plus workflows to alert and remediate risks. Adopting this would require using CrowdStrike’s agent and platform in addition to or instead of Defender on endpoints.

  • Spin.AI SpinOne and SpinMonitor: Spin.AI provides a SaaS security platform that includes browser extension risk assessments. Notably, Spin.AI’s solution can integrate with Chrome Enterprise. For example, the SpinOne platform continuously evaluates Chrome extensions and even assigns risk scores[1]. Outbrain (a tech company) implemented Chrome Enterprise with Spin.AI to automate extension reviews, allowing employees to request extensions and have security teams approve or deny them based on risk reports[1]. Spin.AI also offers a free Extension Security Checker (SpinMonitor) that detects and assesses the risk of all browser extensions installed in an organization, giving visibility into potential security and compliance risks. This free tool can be a cost-effective way to get basic insight into extensions, though a paid tier may be needed for continuous monitoring and policy enforcement.

  • Duo Security (CRXcavator/Extend): Duo Security (now part of Cisco) created a free tool called CRXcavator (and its successor, Cisco’s “Extend” tool) which analyzes Chrome extensions for known vulnerabilities and risky permissions. This can provide security ratings for extensions in use. While it may require some integration work (and primarily focuses on Chrome), it’s another low-cost way to evaluate extension safety in your environment.

  • Traditional Vulnerability Scanners: Some vulnerability management tools like Tenable or Qualys may include checks or scripts to enumerate browser extensions on endpoints during scans. These are not as tailored as the above solutions but can sometimes be configured to pull extension information as part of an endpoint scan and flag known vulnerable versions.

Cost and Integration Considerations: Many third-party solutions might require separate licensing. For instance, if you already use a third-party EDR or are considering one, see if extension visibility is included. The Spin.AI SpinMonitor tool is free, making it attractive cost-wise; whereas full platforms (CrowdStrike, SpinOne, etc.) will have associated costs and integration effort. It’s important to weigh how well these solutions integrate with your existing M365 Business Premium setup. Using MDVM has the advantage of tight integration with Microsoft Defender and Intune, whereas third-party tools might involve deploying additional agents or using separate management consoles.

Option 3: Manual or Policy-Based Approaches

In addition to or instead of dedicated extension-scanning tools, consider using the management capabilities you already have:

  • Intune Scripting: With Microsoft Intune (included in Business Premium), you can deploy PowerShell scripts to endpoints to collect a list of installed browser extensions. For example, community scripts exist that enumerate extensions by checking the file system or registry locations for Edge/Chrome user profiles[4]. These scripts can report back data (for instance, writing to a log or a spreadsheet via a Logic App, as one admin described[4]). While this method doesn’t provide real-time continuous monitoring, it can be run periodically to generate an inventory of extensions at no extra license cost (just the effort to set it up).

  • Edge and Chrome Enterprise Policies: Without needing any new tool, you can leverage built-in group policies or Intune configuration profiles to control extension usage. Both Microsoft Edge and Google Chrome support policies to block or allow specific extensions by their extension ID. You could use Intune’s Settings Catalog to deploy a policy that blocks all extensions except a pre-approved list (a “whitelist”)[2]. This approach doesn’t scan for vulnerable extensions per se, but it prevents users from installing unvetted extensions and even removes any extensions that are not on the allowed list[2]. For instance, you can enforce that only certain productivity or security extensions are permitted, and everything else is automatically disabled. This dramatically reduces the risk, since unknown or risky extensions never get a foothold. The downside is administrative overhead in maintaining the allowed list and potentially limiting user flexibility or productivity if they need an extension that isn’t yet approved.
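As a worked example of the Intune scripting and allow-list approaches described in Option 3 (added here; this is not the community script from the cited Reddit thread nor Microsoft code), the following PowerShell inventories Edge and Chrome extensions on a Windows device by reading each profile’s Extensions folder and manifest.json, flags broad permissions, and marks which extensions fall outside an approved-ID list. The allow-list ID, the risky-permission set, and the output path are placeholders to replace with your own; run it as SYSTEM via Intune so that every user profile on the device is readable.

```powershell
# Added example: inventory Edge/Chrome extensions, flag broad permissions and
# report anything not on the approved list. Placeholder values are marked.

# Placeholder: replace with the extension IDs your organisation has approved.
$AllowedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder ID, not a real extension
)

# Assumption: these permissions grant access to page content, cookies, traffic
# or the OS, so an extension requesting them deserves review first.
$HighRiskPermissions = @(
    '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*',
    'tabs', 'cookies', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
    'history', 'clipboardRead', 'nativeMessaging', 'debugger', 'management',
    'proxy', 'scripting'
)

# Per-user "User Data" folders for the two Chromium browsers (standard paths).
$BrowserRoots = @{
    'Edge'   = 'AppData\Local\Microsoft\Edge\User Data'
    'Chrome' = 'AppData\Local\Google\Chrome\User Data'
}

function Get-ExtensionDisplayName {
    # Extension names are often localised as "__MSG_key__"; resolve them from
    # _locales/<default_locale>/messages.json so the report is human readable.
    param($Manifest, [string]$ExtensionDir)
    $name = [string]$Manifest.name
    if ($name -like '__MSG_*__') {
        $key    = $name.Trim('_') -replace '^MSG_', ''
        $locale = if ($Manifest.default_locale) { $Manifest.default_locale } else { 'en' }
        $msgFile = Join-Path $ExtensionDir "_locales\$locale\messages.json"
        if (Test-Path $msgFile) {
            $msgs  = Get-Content $msgFile -Raw -Encoding UTF8 | ConvertFrom-Json
            $entry = $msgs.PSObject.Properties[$key]
            if ($entry) { return [string]$entry.Value.message }
        }
    }
    return $name
}

function Get-BrowserExtensionInventory {
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    $results = foreach ($userDir in Get-ChildItem $usersRoot -Directory) {
        foreach ($browser in $BrowserRoots.Keys) {
            $userData = Join-Path $userDir.FullName $BrowserRoots[$browser]
            if (-not (Test-Path $userData)) { continue }
            # Each browser profile ("Default", "Profile 1", ...) has an Extensions folder.
            $extRoots = Get-ChildItem $userData -Directory |
                ForEach-Object { Join-Path $_.FullName 'Extensions' } |
                Where-Object { Test-Path $_ }
            foreach ($extRoot in $extRoots) {
                foreach ($idDir in Get-ChildItem $extRoot -Directory) {
                    # One sub-folder per installed version; take the highest by name
                    # (string order is good enough for an inventory).
                    $verDir = Get-ChildItem $idDir.FullName -Directory |
                        Sort-Object Name -Descending | Select-Object -First 1
                    if (-not $verDir) { continue }
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { continue }
                    $m = Get-Content $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json
                    # MV2 lists hosts under "permissions", MV3 under "host_permissions";
                    # non-string entries (e.g. usbDevices objects) are dropped.
                    $perms = @($m.permissions) + @($m.host_permissions) |
                        Where-Object { $_ -is [string] }
                    $risky = $perms | Where-Object { $HighRiskPermissions -contains $_ }
                    [pscustomobject]@{
                        User        = $userDir.Name
                        Browser     = $browser
                        Profile     = Split-Path (Split-Path $extRoot) -Leaf
                        ExtensionId = $idDir.Name
                        Name        = Get-ExtensionDisplayName $m $verDir.FullName
                        Version     = [string]$m.version
                        Permissions = ($perms -join ';')
                        RiskyPerms  = ($risky -join ';')
                        Approved    = ($AllowedExtensionIds -contains $idDir.Name)
                    }
                }
            }
        }
    }
    return $results
}

$inventory = Get-BrowserExtensionInventory
$inventory | Sort-Object Approved, RiskyPerms -Descending | Format-Table -AutoSize

# Unapproved extensions with broad permissions are the ones to review (or block
# via ExtensionInstallBlocklist) first. Placeholder output path.
$inventory | Where-Object { -not $_.Approved -and $_.RiskyPerms } |
    Export-Csv (Join-Path $env:ProgramData 'ExtensionInventory.csv') -NoTypeInformation
```

The CSV can be collected by an Intune proactive remediation or pushed to a log/spreadsheet as described above; with MDVM licensed, the same data appears in the Browser extensions inventory without any script.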

In summary, the most direct way to gain extension vulnerability scanning within a Business Premium environment is to invest in MDVM (Standalone), which is relatively low-cost and integrates with your existing Defender for Business setup[3]. If budgets are zero, using Intune policies to restrict extensions and maybe running periodic audits via scripts or free tools can partially compensate, though with more manual effort and less comprehensiveness.

Best Practices for Ongoing Browser Extension Security

Regardless of which solution you choose to implement, consider these best practices to ensure the ongoing security of browser extensions in your organization:

  • Implement Extension Allow/Block Lists: Limit extension installations to a pre-approved list wherever practical[2]. By whitelisting known safe extensions and blocking all others, you prevent employees from inadvertently installing malicious or unvetted add-ons. Both Edge and Chrome allow policy-based control of extensions, which can be pushed via Intune or Group Policy. This proactive measure greatly reduces exposure.

  • Regularly Review Extension Inventory: Keep track of what extensions are in use. If you have MDVM or a similar tool, schedule periodic reviews of the extension inventory and risk reports. Without an automated tool, perform audits (using scripts or free scanners) quarterly or whenever a major vulnerability is announced. Look for any extensions that should be removed (e.g., those no longer needed or found to be risky).

  • Educate Users: Train your users about the risks of browser extensions. Make sure they understand that even extensions from official stores can sometimes be compromised or malicious. Encourage them to only request or use extensions that are necessary for work, and to avoid installing extensions for personal use on work browsers. Users should report if they see any strange browser behavior (which might indicate a rogue extension).

  • Keep Browsers and Extensions Updated: Ensure that browsers (Edge/Chrome/Firefox) are kept up-to-date with the latest version – Business Premium can enforce Edge updates and you can use Microsoft Update policies for others. Also, allow extensions to auto-update. Many security issues in extensions get patched by developers; having the latest version can mitigate known vulnerabilities.

  • Leverage SmartScreen and Reputation Services: Microsoft Edge’s SmartScreen (and Chrome’s Safe Browsing) can block known malicious extensions or warn about them. Ensure these protective features are enabled. Additionally, if using MDVM, pay attention to the Permissions risk ratings it provides[5][2] – an extension asking for very broad or sensitive permissions might warrant blocking even if it’s not explicitly flagged as “malicious.”

  • Minimize Browser Diversity: Every additional browser in use is another surface to secure. If possible, standardize on one or two browsers for your organization. For example, if everyone uses Edge (and Chrome only for legacy app needs), it’s easier to manage extensions via one set of policies. Fewer browsers mean fewer places for risky add-ons to hide (this was suggested by admins noting that having Edge, Chrome, Firefox, Brave, etc., all in use made extension control unwieldy[4]).

  • Monitor Threat Alerts: Stay informed about emerging threats related to browser extensions. Subscribe to security advisories or threat intelligence feeds. Microsoft’s security alerts or the MDVM dashboard might notify you if a particular extension is identified as harmful in the wild. If you hear news of a compromised popular extension (as happened with examples like “Where is Cookie?” or certain password managers[2]), immediately search your environment for that extension and remove or block it.

By implementing these practices, you create multiple layers of defense: preventing most problems up front (via policy and education) and quickly detecting/mitigating any issues that do slip through (via scanning and audits).

Risks of Not Securing Browser Extensions

To underscore the importance of the above, consider the risks if browser extensions are left unchecked:

  • Data Theft and Privacy Breaches: Extensions run with significant privileges in the browser. A malicious extension can read everything on the web pages you visit, including sensitive corporate information or personal data. It could quietly siphon this data out to an attacker. For example, some malicious extensions have been caught stealing cookies and credentials from over 600,000 users[2], leading to compromise of online accounts. In a business context, that could mean leaks of customer data or confidential documents.

  • Account Compromise: If an attacker controls an extension, they can potentially hijack sessions (via stolen cookies) or act as the user on important sites. An extension could, for instance, take over a logged-in email session or a financial web app session, leading to fraud or unauthorized transactions.

  • Malware Installation and Lateral Movement: Vulnerable extensions (even those that aren’t outright malicious initially) can be exploited by malware. An attacker might exploit a flaw in an extension to run arbitrary code on the endpoint, effectively breaching that computer. From there, malware could spread or persist in the environment. Additionally, some extensions may download and execute additional payloads.

  • Evasion of Detection: Extensions operate at the browser level, which might not always be monitored by traditional antivirus. A well-crafted malicious extension can maintain a low profile, making it harder for standard security tools to notice. Without specific extension visibility, your IT team might be blind to an ongoing attack vector.

  • Non-Compliance and Legal Risks: For organizations under regulations (GDPR, HIPAA, etc.), a data breach via a browser extension could still result in compliance violations and fines. Moreover, some extensions could be inadvertently transmitting data to third-party servers (for example, an extension that injects ads or tracking), which might violate company policy or privacy laws if not authorized.

  • Productivity and Performance Issues: Beyond security, unregulated extensions can impact browsers’ stability and performance, and by extension employee productivity. While this is a secondary concern, excessive or poorly coded extensions can slow down systems or cause conflicts – another reason to keep a handle on what’s installed.

In short, the browser is effectively another attack surface. Treat extensions just like you treat installed applications: they should be inventoried, vetted, kept updated, and limited to what’s necessary. Ignoring this area could undermine your otherwise strong security posture from Business Premium’s protections.

Recommendations and Conclusion

1. Enable Extension Visibility: Given that Microsoft 365 Business Premium does not natively include extension vulnerability scanning, it is recommended to augment your security with Microsoft Defender Vulnerability Management. The standalone MDVM license (~$3/user/month)[3] is a cost-effective solution to gain full visibility into browser extensions and other advanced vulnerability insights without a major license overhaul. Start with a pilot or trial to see the benefits; once enabled, review the Browser Extension inventory and address any high-risk extensions identified. This will directly answer your need to “scan browser extensions for vulnerabilities” on an ongoing basis.

2. Implement Policy Controls Now: In parallel to planning or deploying MDVM, take immediate action by using Intune (Endpoint Manager) to set up extension control policies for Microsoft Edge (and Chrome, if used). For example, consider enforcing a rule that blocks all extensions except a defined allowed list of essential extensions[2]. At the very least, you might block known disallowed extensions or categories (e.g., prevent installation of extensions not from the official store, or block those with remote administration capabilities). This ensures that while you work toward improved visibility, you are already reducing the risk surface. Microsoft’s documentation and community scripts can help implement these policies and even remove unapproved extensions from user browsers automatically[2].

3. Evaluate Third-Party Tools as Supplements: If budget allows or if your environment has multi-browser complexity, evaluate third-party solutions like SpinOne or security browser platforms. These can provide an extra layer of analysis (such as risk scoring of extensions) and may integrate with non-Microsoft ecosystems (e.g., Google Workspace) if that’s relevant to you. For instance, Spin.AI’s free extension risk scanner could be run to get an initial risk report of extensions in your organization right away. While the preference in an M365 environment would be to leverage Microsoft’s own tooling, a third-party tool could fill any specific gaps (for example, if you have a lot of Google Chrome usage with Google’s management, SpinOne’s integration might be appealing[1]).

4. Maintain an Extension Security Policy: Develop an internal policy regarding browser extensions. This policy should state that only authorized extensions are allowed for use on company devices/browsers. Have a process for employees to request new extensions, where the security team reviews the extension’s necessity and safety (taking into account information from MDVM or other sources – e.g., if MDVM shows an extension has a “Critical” permission risk level, you might deny the request). This policy formalizes the governance around extensions and sets expectations for users. Outbrain’s case showed that having a workflow for extension requests coupled with automated risk assessment greatly improved their security posture[1].

5. Continuously Monitor and Update: Security is an ongoing process. Ensure that whatever solution you implement (MDVM, third-party, or a manual process) is continuously used. Regularly check the dashboards or reports for new extensions or vulnerabilities. Update your allow/block lists as new trusted extensions are required or if formerly safe extensions become risky. Also keep an eye on Microsoft’s updates; Defender for Business and related services get updated capabilities over time (for example, Microsoft could extend some MDVM features to Business in the future, or release new policies for Edge). Staying current will help you take advantage of improvements in the platform you already pay for.

Conclusion: Microsoft 365 Business Premium delivers robust security for SMBs, but it does not include everything – specifically, browser extension vulnerability management is one gap. By investing in a small add-on license for MDVM or carefully using third-party/free tools and Intune policies, you can close this gap cost-effectively. The goal should be a layered defense: gain visibility into what extensions are present and their risks, actively control what can be installed, and keep users informed of the dangers. Following the strategies above will significantly enhance the security of browser usage in your organization, ensuring that browser extensions do not become the weak link in your defense.

References

[1] Outbrain: Taking control of extension security with Chrome Enterprise

[2] How to check and block “malicious” browser extensions with Microsoft …

[3] Microsoft Defender Vulnerability Management

[4] Get a list of installed Browser Extensions : r/Intune – Reddit

[5] Browser extensions assessment in Microsoft Defender Vulnerability …

[6] Compare Microsoft Defender Vulnerability Management plans and …

[7] M365 Business Premium – Defender for Business | Microsoft Community Hub

[8] What is Microsoft Defender for Business?

Securing Microsoft Edge Browser with M365 Business Premium: Best Practices & Deployment Guide

bp1

Microsoft Edge is a modern, secure-by-default browser, but organizations can further harden it using tools in Microsoft 365 Business Premium – especially Microsoft Intune – to protect users and data. This post outlines best practice security settings for Microsoft Edge and details how to deploy and manage these settings across a fleet of devices using Intune. We also cover ongoing management, monitoring, and user awareness to ensure maximum day-to-day protection.


Introduction: Why Secure Edge with Intune

Microsoft Edge for Business provides a dedicated work browser experience that is secure by default, separating work and personal browsing data to prevent leaks[6]. It includes robust built-in security features (like Microsoft Defender SmartScreen) and supports enterprise controls. However, to achieve a consistent security posture across all devices, IT administrators should enforce configurations via Intune. Microsoft Intune (part of M365 Business Premium) allows centralized management of Edge’s security settings on Windows PCs, Macs, and mobile devices. By leveraging Intune policies, security baselines, and integration with other Microsoft 365 security tools, organizations can:

  • Enforce security best practices on every Edge browser used for work (e.g. enable phishing protection, restrict unsafe features).
  • Deploy these settings at scale to all managed endpoints (Windows, macOS, mobile) in a uniform way.
  • Ensure compliance with organizational security requirements and industry recommendations.
  • Monitor and update Edge configurations over time, responding to new threats and updates.

In the sections below, we’ll first explore the key Edge browser security settings and best practices. Then we’ll provide a step-by-step guide to implement these via Intune, discuss deployment to multiple devices, and cover management, updates, and user training.


Best Practice Security Settings for Microsoft Edge

To secure Edge browsers in an enterprise environment, administrators should focus on several critical security areas. Microsoft provides an Edge security baseline – a template of recommended settings – which we will use as a reference for best practices. This baseline reflects the latest security team recommendations for Edge’s configuration[1]. Below is a summary of key Edge security settings and their recommended state (as per Microsoft’s baseline and industry best practices), along with their purpose:

| Security Setting | Recommended Configuration | Purpose / Protection |
|---|---|---|
| Microsoft Defender SmartScreen | Enabled (On) | Blocks access to phishing sites, malicious downloads, and other threats in real time. |
| SmartScreen – Potentially Unwanted Apps (PUA) | Enabled (On) | Blocks download of adware, browser hijackers, and other low-reputation apps. |
| SmartScreen Bypass | Disallow user bypass | Prevents users from clicking through warning pages for malicious sites or files. |
| Typosquatting Checker | Enabled | Warns users if they mistype URLs and helps avoid look-alike malicious sites. |
| Site Isolation (Strict Site Per Process) | Enabled (On) | Isolates each website in its own process, mitigating Spectre-type attacks between sites. |
| Legacy Browser Mode (IE mode) | Disabled unless needed | Avoids using Internet Explorer mode except for approved legacy sites, reducing exposure to older insecure web technologies. |
| HTTP/Legacy Authentication | Disable Basic auth | Blocks legacy HTTP Basic authentication to prevent sending credentials in cleartext; only allow modern auth (NTLM/Kerberos). |
| Browser Extensions | Restrict add-ons (block unapproved) | Block all unauthorized extensions – by default, no extensions are allowed unless whitelisted. This prevents installation of malicious or unvetted add-ons which could hijack the browser. |
| Legacy Extension Points | Enabled (Block legacy hooks) | Blocks old-style extension injection points, preventing malware from using unsupported methods to hook into Edge. |
| Application Bound Encryption | Enabled | Encrypts browser data tied to user identity or device, adding a layer of protection for stored credentials/cookies. |
| Insecure Network Requests | Blocked | Blocks requests from HTTP websites to local or more secure network resources (protects against cross-network attack vectors). |
| TLS/Encryption Protocols | Enforce TLS 1.2+ | Ensure only modern TLS versions (1.2 or 1.3) are used, preventing fallback to deprecated 1.0/1.1 protocols that have known weaknesses. |
| Password Manager / Autofill | Configured securely | Consider disabling password save for sensitive accounts or ensure saved passwords are protected by OS credentials. (The baseline doesn’t disable it entirely, but organizations may choose to manage this depending on policy.) |
| Automatic Updates | Enabled (Auto-update Edge) | Allow Edge to update itself automatically on all devices for timely security patches. Do not disable the built-in update mechanism. |

As shown above, Microsoft’s Edge security baseline already sets most of these configurations to the recommended values by default.[1] By using this baseline (or configuring equivalent settings manually), you achieve a hardened browser configuration that significantly reduces risk.
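Once the baseline (or equivalent Settings Catalog profile) is assigned, it is worth verifying on a device that the policies actually landed. The following PowerShell audit is an added example (not Microsoft’s baseline export or a script from this post): it reads the Edge policy registry keys that Intune and Group Policy write under HKLM\SOFTWARE\Policies\Microsoft\Edge and compares them with the hardened values from the table above. The policy names are taken from Microsoft’s Edge policy reference; the expected values are assumptions derived from the table rows, so adjust them to your own baseline version.

```powershell
# Added example: audit locally applied Edge policies against the hardened
# settings from the table. Expected values are assumptions from the table.

$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Edge policy name -> expected registry value, with the table row it enforces.
$ExpectedPolicies = @(
    @{ Name = 'SmartScreenEnabled';                       Expected = 1;        Row = 'SmartScreen' }
    @{ Name = 'SmartScreenPuaEnabled';                    Expected = 1;        Row = 'SmartScreen PUA' }
    @{ Name = 'PreventSmartScreenPromptOverride';         Expected = 1;        Row = 'SmartScreen bypass (sites)' }
    @{ Name = 'PreventSmartScreenPromptOverrideForFiles'; Expected = 1;        Row = 'SmartScreen bypass (downloads)' }
    @{ Name = 'TyposquattingCheckerEnabled';              Expected = 1;        Row = 'Typosquatting checker' }
    @{ Name = 'SitePerProcess';                           Expected = 1;        Row = 'Site isolation' }
    @{ Name = 'InternetExplorerIntegrationReloadInIEModeAllowed'; Expected = 0; Row = 'IE mode (reload button)' }
    @{ Name = 'BasicAuthOverHttpEnabled';                 Expected = 0;        Row = 'HTTP Basic auth' }
    @{ Name = 'BrowserLegacyExtensionPointsBlockingEnabled'; Expected = 1;     Row = 'Legacy extension points' }
    @{ Name = 'ApplicationBoundEncryptionEnabled';        Expected = 1;        Row = 'Application-bound encryption' }
    @{ Name = 'InsecurePrivateNetworkRequestsAllowed';    Expected = 0;        Row = 'Insecure network requests' }
    @{ Name = 'SSLVersionMin';                            Expected = 'tls1.2'; Row = 'TLS minimum version' }
)

function Get-EdgePolicyValue {
    # Returns $null when the policy is not set at all (distinct from 0).
    param([string]$Name)
    $item = Get-ItemProperty -Path $EdgePolicyRoot -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-EdgeSecurityPolicies {
    $report = foreach ($p in $ExpectedPolicies) {
        $actual = Get-EdgePolicyValue -Name $p.Name
        if ($null -eq $actual) {
            $status = 'MISSING'; $shown = '(not set)'
        } elseif ("$actual" -eq "$($p.Expected)") {
            $status = 'OK';      $shown = $actual
        } else {
            $status = 'DRIFT';   $shown = $actual
        }
        [pscustomobject]@{
            Setting  = $p.Row
            Policy   = $p.Name
            Expected = $p.Expected
            Actual   = $shown
            Status   = $status
        }
    }

    # Extension control is a list policy stored as a sub-key with numbered values.
    # The "block unapproved" posture requires a "*" entry in ExtensionInstallBlocklist,
    # so that only ExtensionInstallAllowlist / ExtensionInstallForcelist IDs can install.
    $blockList = Get-ItemProperty -Path "$EdgePolicyRoot\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
    $blocksAll = $false
    if ($blockList) {
        $blocksAll = [bool]($blockList.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq '*' })
    }
    $report += [pscustomobject]@{
        Setting  = 'Browser extensions'
        Policy   = 'ExtensionInstallBlocklist'
        Expected = '*'
        Actual   = if ($blocksAll) { '*' } else { '(not blocking all)' }
        Status   = if ($blocksAll) { 'OK' } else { 'DRIFT' }
    }
    return $report
}

$result = Test-EdgeSecurityPolicies
$result | Format-Table -AutoSize

# A non-zero exit code lets an Intune detection script flag the device as
# non-compliant with the baseline so it shows up in reporting.
if ($result | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

Run it as a scheduled Intune detection script; any MISSING or DRIFT row means the baseline assignment did not reach that device or was overridden by another profile.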

Below we further explain some of these best practices and why they are important:

  • SmartScreen & Phishing Protection:
    Microsoft Defender SmartScreen is a cloud-based URL and app reputation service built into Edge. Enabling SmartScreen (with no user bypass) is critical: it provides industry-leading protection against phishing websites, malicious drive-by downloads, and other web threats[2][1]. SmartScreen blocks known dangerous sites and files, and with Potentially Unwanted App (PUA) blocking enabled, Edge also prevents users from inadvertently downloading unwanted software such as adware[1]. The baseline turns SmartScreen and PUA blocking on and stops users from bypassing the warnings[1], ensuring maximum protection.
  • Typosquatting Checker:
    This feature warns users when they mistype a popular URL (for example, “micros0ft.com” instead of “microsoft.com”) and may have landed on a fraudulent look-alike site. Enabling typo protection helps prevent credential theft via spoofed domains[2]. The Edge security baseline enables it by default[1].
  • Site Isolation:
    Site Isolation (also known as strict site-per-process) runs each website in its own browser process. This defends against attacks such as Spectre, which attempt to read data across sites through speculative-execution vulnerabilities. With site isolation enabled, a malicious site cannot easily access data from other sites’ sessions[7][3]. Microsoft’s baseline now enables full site isolation for every site (earlier baseline versions left it off, but newer versions enable it)[3].
  • Legacy Content (Internet Explorer Mode):
    Edge can use IE mode for legacy web apps, but IE’s outdated rendering engine poses security risks, so IE mode should be used as little as possible. The baseline disables loading unconfigured sites in IE mode[1] and hides the “Reload in IE mode” button[1], so IE is used only for sites explicitly configured by IT. This reduces exposure to old ActiveX or otherwise insecure controls. Enable IE mode only for trusted internal sites that absolutely require it.
  • Encryption and Network Protections:
    Edge and Windows support modern encryption protocols; force strong encryption by disallowing legacy ones. The baseline, for instance, disables TLS 1.0/1.1 (Edge already deprecated these by default) and makes TLS 1.2 the minimum[7]. It also disables HTTP Basic authentication in the browser[1]; Basic auth sends credentials in plaintext and should be avoided in favor of NTLM or OAuth flows[1]. Additionally, the Edge baseline disables insecure cross-network requests (Private Network Access)[1], which stops public websites from reaching into internal resources by default, mitigating certain CSRF and lateral-movement scenarios.
  • Extensions Management:
    Browser extensions can greatly increase productivity but also introduce risk. Malicious or poorly made extensions might redirect users to phishing sites, inject ads or scripts, or steal data[7]. A best practice is to allow only approved extensions. The Intune Edge baseline helps here by including a setting that blocks all extensions by default[1]. Administrators can then maintain an allow-list of specific extensions if needed (by specifying permitted extension IDs and leaving everything else blocked). This way users cannot install arbitrary add-ons, which reduces malware and data-leak risk. If your organization needs certain extensions (password managers, etc.), explicitly approve those and keep the list minimal and regularly reviewed.
  • Legacy Plug-ins and Code:
    Edge has a setting to block legacy extension points (legacy plug-in APIs or injection mechanisms used by older apps or malware). The baseline keeps this blocking enabled[1] so that no unsupported mechanism can load into Edge’s process. This hardening measure protects against malware that tries to use outdated hooks to compromise the browser.
  • Application Bound Encryption:
    Newer versions of Edge support Application Bound Encryption, which ties data encryption to the application context or the user’s corporate identity. The security baseline enables it by default[1]. In effect, it ensures that certain sensitive data Edge stores (such as cookies or credentials) is additionally encrypted so that only Edge (or only the user’s profile) can use it. This reduces the risk of sensitive browser data being stolen and used outside the browser, even if the underlying OS is compromised.
  • Auto-Updates for Edge:
    Keeping Edge up to date is one of the simplest yet most vital security practices. Microsoft Edge receives frequent security updates (aligned with a 4-week stable channel cycle). Allow Edge to update automatically in your environment. By default, Edge’s internal updater periodically checks for and installs updates[5]. Intune can enforce the update check frequency if needed (via Edge Update policies)[5], but the key rule is: do not disable or delay Edge updates. Ensuring all users run the latest Edge version means known browser vulnerabilities are patched and the latest protections are active. We will discuss later how Intune can help monitor or enforce update compliance.
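
To verify on a device that the practices above are actually in force, the following PowerShell script (an added example, not code from this report or from Microsoft) reads the Edge policy registry values that Group Policy and ADMX-backed Intune settings write under HKLM\SOFTWARE\Policies\Microsoft\Edge and compares them with the recommended values. The mapping from each practice to a policy name and expected value is this script’s own assumption, drawn from the Edge policy names, and is not a copy of the official baseline; adjust it if your baseline version differs.

```powershell
# Added example (not code from the original report or from Microsoft): spot-check
# the Edge policy values behind the best practices above on a Windows device.
# GPO and ADMX-backed Intune policies for Edge are written under
# HKLM\SOFTWARE\Policies\Microsoft\Edge; the expected values below are this
# script's own mapping of the recommendations (assumption), not the official baseline.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Edge policy name -> value the practices above call for (assumed mapping).
$ExpectedPolicies = [ordered]@{
    SmartScreenEnabled                               = 1         # SmartScreen on
    SmartScreenPuaEnabled                            = 1         # block potentially unwanted apps
    PreventSmartScreenPromptOverride                 = 1         # no bypass of site warnings
    PreventSmartScreenPromptOverrideForFiles         = 1         # no bypass of download warnings
    TyposquattingCheckerEnabled                      = 1         # warn on look-alike domains
    SitePerProcess                                   = 1         # strict site isolation
    InternetExplorerIntegrationReloadInIEModeAllowed = 0         # hide "Reload in IE mode"
    SSLVersionMin                                    = 'tls1.2'  # TLS 1.2 minimum
    BasicAuthOverHttpEnabled                         = 0         # no Basic auth over HTTP
    InsecurePrivateNetworkRequestsAllowed            = 0         # Private Network Access enforced
    BrowserLegacyExtensionPointsBlockingEnabled      = 1         # block legacy extension points
    ApplicationBoundEncryptionEnabled                = 1         # app-bound encryption on
}

# Reads a list-type policy (ExtensionInstallBlocklist / ExtensionInstallAllowlist):
# each entry is a registry value named "1", "2", ... holding an extension ID or "*".
function Get-EdgeListPolicy {
    param([Parameter(Mandatory)][string]$SubKeyPath)
    $key = Get-Item -Path $SubKeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Get-EdgePolicyFindings {
    param([string]$KeyPath = $EdgePolicyKey)
    $findings = @(foreach ($name in $ExpectedPolicies.Keys) {
        $expected = $ExpectedPolicies[$name]
        $actual   = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual)                    { $status = 'Missing' }
        elseif ("$actual" -eq "$expected")        { $status = 'OK' }
        else                                      { $status = 'Mismatch' }
        [pscustomobject]@{
            Policy   = $name
            Expected = $expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status   = $status
        }
    })

    # Extension control: block everything with "*", then allow-list reviewed IDs only.
    $blocklist = Get-EdgeListPolicy "$KeyPath\ExtensionInstallBlocklist"
    $allowlist = Get-EdgeListPolicy "$KeyPath\ExtensionInstallAllowlist"
    $findings += [pscustomobject]@{
        Policy   = 'ExtensionInstallBlocklist'
        Expected = '*'
        Actual   = if ($blocklist.Count) { $blocklist -join ',' } else { '<not set>' }
        Status   = if ($blocklist -contains '*') { 'OK' } else { 'Mismatch' }
    }
    $findings += [pscustomobject]@{
        Policy   = 'ExtensionInstallAllowlist'
        Expected = 'reviewed extension IDs only'
        Actual   = if ($allowlist.Count) { $allowlist -join ',' } else { '<none>' }
        # A "*" in the allow-list would re-allow every extension; otherwise the IDs need a human review.
        Status   = if ($allowlist -contains '*') { 'Mismatch' } else { 'Review' }
    }
    return $findings
}

$report = Get-EdgePolicyFindings
$report | Format-Table Policy, Expected, Actual, Status -AutoSize
$problems = @($report | Where-Object { $_.Status -in 'Missing', 'Mismatch' })
Write-Output ("{0} setting(s) need attention" -f $problems.Count)
```

Run it in an elevated PowerShell session on a managed PC after the baseline has synced; a row marked Missing usually means the policy has not reached the device yet (or is delivered through a different mechanism), while Mismatch points to a conflicting GPO or custom profile worth investigating in Intune’s per-setting status.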

By implementing the above settings, you establish a strong defensive baseline for web browsing. Next, we’ll describe how to use Intune to configure these settings across all your devices in a scalable way.


Implementing Edge Security Policies with Intune

Microsoft Intune (part of the Endpoint Manager) is the primary tool to enforce the Edge configurations described. Intune offers multiple methods to deploy browser policies:

  1. Security Baselines – Microsoft provides a pre-packaged Microsoft Edge Security Baseline profile in Intune. This is a template with a comprehensive set of recommended settings (many of which we summarized above) that you can deploy with minimal effort. The baseline ensures a default secure posture for Edge aligned with Microsoft security team guidance[1].
  2. Configuration Profiles – For more granular control or to implement settings not in the baseline, Intune allows custom Configuration Profiles. Using the Settings Catalog or Administrative Templates in Intune, admins can configure individual Edge policies (analogous to Group Policy settings) and deploy them. This can supplement or fine-tune the baseline.

We’ll focus first on using the Edge Security Baseline, as it covers best practices out-of-the-box.

Using the Microsoft Edge Security Baseline in Intune

Intune’s Security Baseline for Edge is the fastest way to apply a broad set of hardened settings to Edge browsers. It includes dozens of configurations with Microsoft’s recommended defaults. Follow these steps to create and deploy an Edge baseline profile:

  1. Open Endpoint Security > Security Baselines in Intune: Sign in to the Microsoft Intune admin center (https://endpoint.microsoft.com/) and navigate to Endpoint security > Security baselines. You’ll see a list of available baseline templates (Windows 10, Defender for Endpoint, Microsoft Edge, etc.)[3].
  2. Select the Edge baseline and create a profile: Choose Microsoft Edge (version 112 and later) from the list (this is the Edge for Windows 10/11 baseline)[3]. Click + Create profile. Give the profile a name (e.g. “Edge Browser Security Baseline”) and optional description[3].
  3. Review and configure settings: On creation, you can review the baseline’s settings groups. By default, all settings are set to Microsoft’s recommended value (as summarized in the table above). You can leave them as-is for a standard deployment. Optionally, you may customize specific settings – for example, if you want to allow a particular extension or adjust a policy, you can modify that before deployment. Intune’s interface lets you expand categories (Security, Privacy, Extensions, etc.) and see each setting and its default[3]. Insights (lightbulb icons) may be available next to settings to indicate how many other organizations enable a setting, which can guide you[3].
  4. Assign the baseline profile to device groups: Once the profile is ready, proceed to the Assignments step. Select one or more Azure AD groups containing the target users or devices to include[3]. For example, you might assign it to an “All Corporate Devices” group. (You can also exclude certain groups if necessary, e.g., a pilot or IT testing group.) Note: The Edge baseline contains both computer and user settings, and Intune will handle applying them appropriately. At least one group must be assigned, otherwise the profile won’t deploy[3].
  5. Finish and deploy: Click Review + create and then Create. As soon as you create the baseline profile, Intune will push it to all devices in the assigned groups[3]. Managed PCs will receive the settings policy over the air. Users might need to restart Edge for certain policies to take effect immediately, but many settings apply dynamically.

Tip: It’s recommended to test new baselines on a small set of devices before broad deployment. Intune allows creating multiple baseline profiles – you could assign a baseline first to a pilot group, verify the impact, then roll out to everyone[3]. You can also duplicate a baseline profile and update it (e.g., when a new baseline version is released) for testing before replacing the old one[3].

  6. Monitor deployment status: After deployment, you can check Intune > Endpoint security > Security baselines > [Your Edge baseline] > Device status to see a report of devices and whether the policy succeeded, is pending, or has errors. A successful status indicates the device has applied the Edge settings. We’ll cover more on monitoring in a later section.

Using the security baseline is often the best method, as it bundles all essential settings. However, you might want to adjust or add policies outside the baseline. For instance, maybe you want to configure a new Edge setting that the current baseline doesn’t include, or you want a slightly different value for a particular setting. This is where custom configuration profiles come in.

Custom Edge Configuration via Settings Catalog (Optional)

Intune’s Settings Catalog provides access to all available Edge policies (equivalent to the Chrome/Edge ADMX settings) that you can configure in a profile. This approach is useful if you need to:

  • Add settings beyond what the baseline covers (for example, a brand-new Edge feature or a less common setting).
  • Relax or tighten a baseline setting for specific groups (e.g., allow a certain extension for developers while baseline blocks all others).
  • Manage Edge settings on platforms like macOS (the Windows baseline might not apply there, so you’d create a separate macOS configuration profile for Edge).

To create a custom Edge policy profile:

  1. In the Intune admin center, go to Devices > Configuration profiles and create a new profile. Choose the appropriate platform (Windows 10/11, macOS, etc.) and pick Settings Catalog as the profile type.
  2. Under Configuration settings, click Add settings. Search for “Edge” to see categories of Edge browser settings. Intune lists hundreds of available settings derived from the Edge administrative template.
  3. Select the desired settings and set their values. For example, to enforce extension blocking manually: find “Control which extensions cannot be installed” and add it, then set it to Enabled and specify “*” (block all) as the prohibited extensions list[1]. Likewise, you can configure SmartScreen (Enable Microsoft Defender SmartScreen = Enabled)[1], “Prevent bypass of SmartScreen warnings” (Enabled)[1], “Enable site isolation” (Enabled) etc., matching the best practices discussed. Each setting in the catalog includes a description of what it does, and often a link to documentation.
  4. Once you’ve configured all needed settings, assign the profile to your device/user groups similar to the baseline assignment. Intune will deploy these settings to those devices.
  5. Monitor the profile deployment under the profile’s Device status, and resolve any conflicts. (If a device has both a baseline and a custom profile with overlapping settings, ensure they are consistent. Intune will mark a conflict if two policies set the same setting differently. It’s usually best to avoid duplicates – you can stick mostly to baseline OR custom for a particular setting, but not both with different values.)

Using the Settings Catalog approach requires more manual work to select and configure each setting, but it provides flexibility. Many organizations will start with the Edge security baseline (for broad coverage) and layer any additional needed settings via a small custom profile.

Intune App Protection (MAM) for Edge on Mobile

In addition to device configuration profiles (which apply to managed devices), M365 Business Premium allows App Protection Policies for scenarios where you manage only the app (Edge) on a mobile device. For example, if employees access corporate web apps via Edge on their personal phone (without enrolling the phone in Intune), you can use Intune’s MAM (Mobile Application Management) policies on Edge for iOS/Android.

These policies can require a PIN to open the app, prevent data from Edge being copied to personal apps, require Edge to open links from corporate emails, etc. Edge for Business on mobile can be managed such that corporate data viewed in the browser is containerized and protected[6]. If this scenario applies, configure an App Protection Policy targeting the Edge app for your user group – enabling features like app-level encryption, disable “Save-as” for files, block screenshots, and so on, to secure corporate web access on unmanaged devices[6]. This extends your Edge security to BYOD cases.


Deploying Policies Across Your Device Fleet

Deploying the Edge security settings across a fleet is straightforward with Intune once the profiles (baseline or custom) are set up. Here are some best practices for fleet-wide deployment:

  • Organize devices into Azure AD groups: Intune assignments are group-based. Ensure all company endpoints are members of a group (or multiple groups) that you target with the Edge policy. Many admins use an “All Managed Devices” dynamic group. Alternatively, separate groups by platform if you have different profiles for Windows vs. macOS.
  • Include new devices automatically: If using dynamic device groups (e.g., all devices with a specific enrollment tag or all Windows 10 devices), any new device enrolled into Intune will automatically receive the Edge policies shortly after enrollment. This is useful for autopilot scenarios – when a new PC is set up, it joins Intune and moments later the Edge hardening policy is applied, ensuring compliance from day one.
  • User vs Device targeting: The Edge baseline can be assigned to device groups (then user settings in it apply to any user on those devices) or to user groups (then when that user logs into any managed device, the settings apply). Microsoft documentation notes that you may need multiple profiles if you want to cover both device-targeted and user-targeted scenarios[3]. However, for simplicity, many organizations assign Edge policies to devices (since browsers are generally used on company devices). Choose the approach that fits your management model.
  • Monitoring deployment: After a broad deployment, use Intune’s reports to ensure all devices have received the policies. Under Reports > Endpoint security or under the baseline profile’s per-setting status, you can identify if any device is in error or conflict. Ideally, all managed devices should show the Edge profile status as “Succeeded”. Any failures should be investigated (e.g., perhaps a PC is offline, or a setting is not applicable to Windows Home edition, etc.).
  • Policy refresh: Intune-managed devices typically check in and refresh policies periodically (every ~8 hours by default, with some variance). If a device is powered off or offline, it will get the Edge policy next time it comes online and syncs. You can expedite testing on a specific device by using “Sync” from the Intune portal (or Company Portal app) for that device.

By thoughtfully targeting groups and monitoring, you can achieve near 100% coverage of your fleet with these Edge security settings. This ensures every user’s browser adheres to your security standards, whether they are in the office or remote.


Managing User Access and Identities in Edge

Securing the browser also involves managing how users access corporate resources through Edge and what they can do with their accounts:

  • Require Azure AD Sign-In for Edge (Work Profile): Encourage or enforce that users sign into Edge with their work (Entra ID/Azure AD) account. This turns on “Edge for Business” mode automatically, separating work browsing from any personal profiles[6]. When signed-in, enterprise policies (like the ones deployed via Intune) are enforced on that profile. You can use Azure AD Conditional Access policies to ensure that only compliant, domain-joined, or Intune-managed devices can access certain resources – indirectly this means they must use the managed Edge (or other compliant apps) to log in. For example, a Conditional Access policy could block access to Office 365 from unmanaged browsers, guiding users to use their Intune-managed device with Edge.
  • Multiple Profile Control: Edge allows multiple browser profiles (e.g., personal and work). Admins can set policies to limit the mixing of profiles, such as disabling the ability to add additional profiles or at least controlling sign-in modes. One policy of interest is “BrowserSignin”, which can force users to sign into Edge with a work account or block personal sign-in. Coupled with “Enterprise Profile Separation”, this ensures work content stays in the work profile. While not always enforced in Business Premium environments, these settings can be considered if data separation is a concern.
  • Permissions and Capabilities: Through Intune’s Edge settings, you can also manage specific browser capabilities for users:
    • For instance, you might disable the Edge Password Manager or Form Autofill for highly sensitive environments, or require a primary password. The security baseline doesn’t outright disable password saving, but it’s something to review based on your org’s password management strategy.
    • You can restrict printing or saving of work data via Edge if needed (e.g., disable printing from Edge to avoid physical data leakage, or restrict downloads to only certain locations).
    • Manage Favorites and data sync: Corporate Entra ID accounts can sync Edge favorites, history, etc. to Microsoft cloud. This is generally useful and encrypted, but some orgs might disable cloud sync for confidentiality. Intune can control that (“Allow syncing of browsing data” policy).
  • Conditional Access App Control: For web apps, Azure AD Conditional Access can integrate with Defender for Cloud Apps to apply session controls in Edge (e.g., preventing downloads of sensitive files via the browser for unmanaged sessions). This is more of an Azure AD/M365 E5 feature, but mentionable as an additional layer if Business Premium customers opt for add-ons: effectively, even if a user is in Edge, the access can be limited by cloud policy if certain risk conditions are met.
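
The Conditional Access approach described above (require a compliant or domain-joined device for browser sign-ins) can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from this report; it creates the policy in report-only mode so you can review the sign-in logs before enforcing it. The display name and the excluded emergency-access group ID are placeholders to replace with your own values.

```powershell
# Added example (not code from the original report): create a Conditional Access policy,
# in report-only mode, that requires a compliant (Intune-managed) or hybrid-joined device
# for browser access to all cloud apps. Requires the Microsoft.Graph PowerShell SDK.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) group, excluded so
# admins cannot be locked out while the policy is tuned.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require compliant device for browser access (report-only)'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once sign-in logs look right
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser')   # target browser sign-ins only, as discussed above
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Because the grant control is “compliant device” rather than a specific browser, Edge on an Intune-managed device passes while an unmanaged browser or machine is reported (and, once enforced, blocked); review the report-only results in the Azure AD sign-in logs for a few days before switching the state to enabled.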

In summary, leverage Intune and Azure AD to ensure that Edge is used in a managed, authenticated context. By tying Edge usage to the user’s corporate identity, you gain better control (policies follow the user) and visibility (logs of sign-ins, conditional access reports). Edge for Business will keep personal and work browsing separate[6], reducing the chance of corporate data mixing with personal accounts.


Monitoring and Compliance

After deploying security policies, ongoing monitoring is crucial to maintain Edge’s secure state across all devices.

  • Intune Policy Compliance: Intune provides compliance and configuration reports. Regularly review the Device compliance dashboard in Intune. While Edge settings themselves are configuration profiles (not “compliance policies” in Intune’s terminology), a device’s overall compliance can be tied to whether required settings are in place. For example, you might create a Custom Compliance Policy that checks if a particular registry key (set by the Edge policy) exists, though this is advanced. More straightforward: check each managed device in Intune – under Device Configuration > Setting status, verify that no Edge setting is in error or conflict. Any misapplied setting should be fixed promptly.
  • Security Baseline Compliance: If you used the Edge baseline, Intune has a dedicated report for baseline compliance. It shows each setting and how many devices deviated or had issues. Pay attention to any settings showing non-compliance; perhaps a user changed something or a machine is missing the policy. Intune-enforced settings usually cannot be undone by the user, but a user might still install an unsupported extension if they found a workaround, etc. If an Edge policy was misapplied (e.g., due to a concurrent GPO in Hybrid AD scenarios), Intune will flag a conflict.
  • Defender for Endpoint Signals: M365 Business Premium includes Defender for Endpoint (Plan 1). If onboarded, Defender for Endpoint will monitor browser threats. Edge is tightly integrated with Defender – SmartScreen blocks, for instance, are reported. Check the Microsoft 365 Security Center for any alerts related to Edge, such as attempts to visit malicious sites that were blocked. While Plan 1 might not have full Threat & Vulnerability Management, it will still log detected threats. If you see repeated SmartScreen blocks for certain users, that might prompt further training or investigation.
  • Browser Update Compliance: Ensure all devices are running a recent version of Edge. Because Edge auto-updates, this is generally the case if internet access is available. For compliance, you can use Intune Proactive Remediations (a scripting feature) or the built-in reports to see which Edge versions are installed. If some devices fell behind (perhaps auto-update was disabled or failed), Intune can push an update. One method is to deploy the latest Edge installer as a Win32 app to those devices, but normally enabling auto-update is simpler. Consider implementing the Edge Update policy via Intune that sets Auto-update check period override to a reasonable interval (e.g., every 4 hours)[5], to ensure frequent update checks. Intune doesn’t have a native “Edge version compliance” policy, but you could use Azure AD or Endpoint analytics to query versions.
  • Logging and Auditing: Edge itself produces logs/events for policy enforcement. For example, if an extension is blocked by policy, that event can be found in the Event Viewer under Applications and Services Logs -> Microsoft -> Edge. In a security audit, you might review such logs or use a log aggregator. However, this is typically only done if investigating an incident. Day-to-day, rely on Intune and Defender dashboards for a high-level view.
  • User Feedback Loops: Sometimes users will report an issue (e.g., “I can’t install an extension” or “Edge won’t let me bypass a certificate warning”). These reports are actually signs that your security policies are working! Nonetheless, monitor helpdesk tickets or user feedback to identify if a policy is too restrictive or causing workflow issues. For instance, if a developer legitimately needs a certain extension, you might adjust the allowed list. Monitoring isn’t just technical – it’s also listening to user impact and balancing security with usability.

By actively monitoring these areas, you can verify that your Edge security measures remain effective and that all devices stay in line with the policy. It’s far easier to address compliance drift or new threats early than to remediate after a breach.


Keeping Edge Up-to-Date and Patched

Maintaining the latest browser version is a non-negotiable aspect of browser security. New Edge releases often patch security vulnerabilities and introduce improved defenses. Here’s how to manage updates:

  • Built-in Auto-Update: Microsoft Edge’s built-in updater is the primary mechanism to get updates. By design, Edge will automatically download and install updates in the background for users, without needing full admin rights. This should be kept enabled in all environments. The good news is that, on a standard Windows install, users typically cannot easily disable Edge updates (especially if governed by Intune policies). Verify that no Intune policy or GPO is inadvertently turning off updates. The default (no special policy) is that Edge checks for updates approximately every 12 hours[5]. You can shorten this interval via policy if needed[5].
  • Intune Management of Updates: While there isn’t a dedicated “Edge update” slider in Intune like there is for Windows Update, you can deploy Edge update configurations via Administrative Templates. For instance, using Intune’s administrative template for Edge, set “Update policy override default” or “Target Channel override” if you want to lock Edge to a particular channel (Stable vs. Extended Stable). Small businesses usually stay on the Stable channel. You might also configure “Allow Edge browser to automatically update” (should be enabled) and “Restore failed updates” (Edge can rollback if an update fails, which is fine). Intune can enforce that Edge continues to update itself normally.
  • Forced Updates: In scenarios where a critical fix is out and you want to ensure users restart Edge to apply it, you can send a notice or use Intune’s endpoint analytics messaging or a toast notification script. There is no native Intune button to “reboot all Edge browsers,” because it’s generally not needed (Edge will eventually enforce a restart after update, and users often restart the browser daily). However, in high-security environments, you might instruct users to restart Edge or even schedule a device reboot after a major security update rollout.
  • Update Compliance Monitoring: As part of monitoring, review the Edge versions in use. Microsoft’s Security Center or Defender for Endpoint Threat & Vulnerability Management (TVM)—if you had it—would list outdated browsers as vulnerabilities. Without TVM, you can still periodically generate a report using a script: for example, an Intune Proactive Remediation script can query the version of msedge.exe on devices and report it. Ensure it’s at the expected version (e.g., if the current version is 114.x, no one should be on 112.x). If some devices are lagging significantly, investigate if their update service is broken or if they are rarely online.
  • Edge on Mac and Mobile: Don’t forget non-Windows platforms. Edge on Mac updates via Microsoft AutoUpdate (MAU). Intune on macOS can enforce MAU settings. Edge on iOS/Android updates via the respective app stores – ensure your mobile application management doesn’t block app updates. Generally, encourage users to keep apps updated, possibly using Apple’s managed App Store updates or the Google Play Enterprise management for controlled devices.
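
The version check mentioned under Browser Update Compliance and Update Compliance Monitoring can be implemented as an Intune Proactive Remediation detection script. The script below is an added example, not code from this report or from Microsoft: it reads the installed msedge.exe version and the Edge Update policy values on a Windows device and exits with code 1 (issue found) when Edge is older than a minimum you choose or when a policy disables updates. The minimum version is a placeholder, and the policy value names are taken from the Edge Update administrative template.

```powershell
# Added example (not code from the original report or from Microsoft): a detection
# script in the style of an Intune Proactive Remediation. It reports the installed
# Edge version and the EdgeUpdate policy values, and exits 1 (issue found) when Edge
# is older than the chosen minimum or a policy turns updates off.

$MinimumVersion = [version]'120.0.0.0'   # placeholder: set to the version you expect in your fleet

# msedge.exe locations for 64-bit and 32-bit Windows installs.
$EdgeExeCandidates = @(
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "${env:ProgramFiles}\Microsoft\Edge\Application\msedge.exe"
)
$EdgeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'

function Get-InstalledEdgeVersion {
    foreach ($path in $EdgeExeCandidates) {
        if (Test-Path -Path $path) {
            return [version](Get-Item -Path $path).VersionInfo.ProductVersion
        }
    }
    return $null
}

function Get-EdgeUpdatePolicyState {
    # Values from the Edge Update ADMX: UpdateDefault is "Update policy override default"
    # (0 = updates disabled, 1 = always allow, 2 = manual only, 3 = automatic silent only);
    # AutoUpdateCheckPeriodMinutes is "Auto-update check period override" (0 disables checks).
    $props = Get-ItemProperty -Path $EdgeUpdatePolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UpdateDefault                = $props.UpdateDefault
        AutoUpdateCheckPeriodMinutes = $props.AutoUpdateCheckPeriodMinutes
    }
}

function Test-EdgeUpdateCompliance {
    param([version]$Minimum = $MinimumVersion)
    $issues  = @()
    $version = Get-InstalledEdgeVersion
    if ($null -eq $version)        { $issues += 'msedge.exe not found' }
    elseif ($version -lt $Minimum) { $issues += "Edge $version is older than required $Minimum" }

    $policy = Get-EdgeUpdatePolicyState
    if ($policy.UpdateDefault -in 0, 2) {
        $issues += "UpdateDefault=$($policy.UpdateDefault) turns off automatic updates"
    }
    if ($policy.AutoUpdateCheckPeriodMinutes -eq 0) {
        $issues += 'AutoUpdateCheckPeriodMinutes=0 disables update checks'
    }
    [pscustomobject]@{
        Version   = $version
        Policy    = $policy
        Issues    = $issues
        Compliant = ($issues.Count -eq 0)
    }
}

$result = Test-EdgeUpdateCompliance
if ($result.Compliant) {
    Write-Output "Compliant: Edge $($result.Version)"
    exit 0   # Proactive Remediation: no issue found
}
Write-Output ($result.Issues -join '; ')
exit 1       # Proactive Remediation: issue found, remediation script runs
```

Upload it as the detection script of a Proactive Remediation (run in the system context, 64-bit), and pair it with a remediation script that, for example, re-enables updates or triggers the Edge installer deployment mentioned above; the script’s output string appears in the remediation report, so lagging devices and the reason they lag can be read directly from Intune.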

In summary, let Edge do its job with automatic updates, and use Intune policies only to monitor or fine-tune if necessary. Keeping browsers patched closes the door on many vulnerabilities attackers might exploit.


Integration with the Microsoft 365 Security Ecosystem

One advantage of standardizing on Edge and Intune is tight integration with other M365 security features. Here are ways the Edge security initiative ties into your broader security landscape:

  • Microsoft Defender for Endpoint (MDE): As mentioned, Edge shares threat intelligence with Defender. For example, SmartScreen phishing blocks in Edge provide signals to your Security Operations Center via Defender[2]. If a user encounters a malicious site, it’s logged and can be correlated with other alerts. MDE can also do web content filtering for any browser, but it has enhanced controls with Edge (e.g., it can block access to certain categories on Edge specifically if configured). With Business Premium’s MDE P1, you at least get basic web threat monitoring. If upgraded to P2, you get vulnerability management that covers Edge settings and version as part of the endpoint’s security score.
  • Microsoft Purview (Data Loss Prevention): Edge has native hooks for Microsoft Purview DLP on endpoints[2]. If your subscription includes Purview DLP (E5 Compliance or an add-on – note: Business Premium might not include full DLP, except possibly for Office apps), Edge can enforce DLP policies such as blocking copy-paste of sensitive info into web forms or preventing uploads of classified files to unsanctioned websites. This is an area to explore if data exfiltration via web is a concern. Even without full DLP, Edge allows basic controls like printing or download restrictions for trusted vs. untrusted sites if you configure it.
  • Azure AD Conditional Access: We touched on this under user access, but to reiterate, CA policies can ensure that only devices with Intune policies (compliant devices) access corporate cloud resources. This means even if a user tries a different browser or an unmanaged machine, they’d be blocked. You can specifically target “Browser” as a client app in Conditional Access rules. If you want to enforce Edge usage, one indirect method is to only allow browsers that support integrated Windows authentication or conditional access authentication contexts – in practice, Edge (and Chrome with a plugin) are the primary ones that do. Many orgs simply require “Require device to be marked as compliant” for web app access, which covers Edge since on an Intune-managed device Edge will be compliant.
  • Global Secure Access / Secure Web Gateway: Microsoft has introduced Microsoft Defender for Cloud Apps and Azure AD Application Proxy, etc., for securing access. While beyond the scope of this report, note that Edge for Business can work with Microsoft’s SSE (Security Service Edge) offerings (such as Global Secure Access) to route traffic through cloud security gateways. In a Business Premium context, you might not have these advanced features, but the ecosystem is ready to integrate if you do invest in them.
  • Logging and Analytics: By using Edge enterprise policies, you gain visibility. For example, signs of abnormal browser usage (mass downloads, visiting risky sites) may surface in logs that feed into Microsoft Sentinel or other SIEM solutions. If you have Sentinel, there are data connectors for Office 365 and Azure AD that, together with Defender logs, can be used to analyze browser usage patterns for anomalies.

In short, securing Edge is not an isolated task – it reinforces and benefits from all other security layers in Microsoft 365. The identity protection, endpoint protection, and information protection features all intersect at the browser. Taking advantage of these integrations can elevate your security posture beyond just configuring Edge settings.


User Education and Awareness

No security configuration is complete without addressing the human factor. While Intune and Edge can enforce many protections, users should be educated on safe browsing practices to complement these technical measures:

  • Train employees to recognize browser warnings: Ensure users understand that Edge’s warnings (SmartScreen blocks, certificate errors) are serious and should not be circumvented. You have disabled bypass for most warnings in policy[1], but explain why. For example, if Edge shows a red phishing warning, the user should know not to proceed (and in our setup, they can’t). Teaching them the importance of those warnings reduces any temptation to look for workarounds.
  • Phishing awareness: Regular security awareness training should include spotting phishing attempts, not just in email but on the web. Users should be cautious when entering credentials into web pages. Edge will help by identifying known phish sites and showing the domain clearly, but user vigilance is still key. Encourage them to report suspicious web pages to IT.
  • Extensions caution: Since you blocked extensions by default, users might ask “Why can’t I install this add-on?” Educate them that unapproved extensions can pose risks, and there’s a process to request an extension to be allowed if it’s business-critical. This manages expectations and prevents users from attempting to use unmanaged browsers to get an extension (a risk in itself).
  • Personal vs Work browsing: Remind users to separate their work and personal web activities. With Edge’s profile separation, it’s easier – work stuff in the work profile (with your policies active) and personal stuff in a personal profile/browser. Users should avoid logging into work sites on personal browsers or devices, as those wouldn’t have Intune protections. Similarly, discourage them from doing personal sensitive transactions on their work browser session.
  • Policy transparency: Let users know what protections are in place. For instance, inform them that certain file downloads might be blocked if deemed dangerous, certain websites are off-limits, etc. This can prevent frustration and foster a security culture. Many users feel better knowing the organization is actively protecting them with modern tools, as long as they’re aware of the “rules of the road.”
  • Reporting issues: Encourage users to promptly report if they encounter a website needed for work that is being blocked or not functioning due to the browser settings. There may be cases where a line-of-business web app uses an outdated control that got blocked. Rather than the user trying unsafe tweaks, they should alert IT. You can then assess and possibly adjust policy for that site (e.g., allow an exception for an internal site in IE mode if absolutely required, or add a certain URL to Trusted Sites via policy, etc.). A feedback loop helps maintain security without hampering productivity.

Security awareness training should be an ongoing effort – it reinforces that technology alone isn’t a silver bullet. By combining a locked-down Edge configuration with educated, security-conscious users, your defense-in-depth is much stronger.


Ongoing Maintenance and Policy Review

Finally, securing Edge is not a one-time set-and-forget task. Regular maintenance and review will ensure your policies remain effective and up-to-date:

  • Stay updated on Edge baseline changes: Microsoft periodically updates the security baseline for Edge (e.g., with each major release or annually). New settings might be added as security features evolve. For example, in version 128 of Edge’s baseline Microsoft added and removed some settings to keep the recommendations current[4]. When Intune offers a new baseline version, review the change log. Plan to update your baseline profiles to the latest version after testing[3]. New settings could include additional protections you want, and outdated ones might be deprecated.
  • Evaluate new Edge features: Microsoft Edge is continuously improving, including security features (like Enhanced Security Mode, which was introduced to mitigate memory vulnerabilities by disabling JIT for untrusted sites[2]). Keep an eye on Edge release notes. If a new feature could benefit security, consider enabling it via Intune policy. For instance, Enhanced Security Mode can be enforced (it’s the feature that provides extra protection on unfamiliar sites by using hardware-enforced security). The same goes for upcoming features like Edge network isolation improvements, or integration with Windows Defender Smart App Control – as these come, adjust your policies.
  • Revisit exceptions and allowances: Over time, you might grant some exceptions (e.g., allow a specific extension or enable an old protocol for a specific system). Maintain a documented list of these and revisit them periodically. Aim to tighten exceptions if possible (maybe that legacy system got updated and you can remove the exception now). The goal should be to converge back to baseline standards after temporary needs pass.
  • Audit configurations: Perform an audit at least annually (if not quarterly) of your Edge Intune configuration. This means reviewing Intune profiles to ensure they align with current best practices, verifying all device groups are covered, and cleaning up any unused profiles. Microsoft’s documentation and compliance toolkit can help compare your settings with the recommended baseline.
  • Security incidents review: If there were any security incidents or near-misses involving browsers (e.g., a malware download was caught, or a user fell for a phishing page), analyze if additional Edge controls could prevent those in the future. Maybe enabling a stricter download policy, or integrating a threat feed. Use incidents as learning opportunities to refine policy.
  • User feedback and usability: Check in with user representatives or run surveys to gauge whether the Edge policies impede work in any way and, if so, whether there is a justified trade-off or a safe adjustment. Browser security is critical, but sometimes overly harsh measures (like completely blocking all downloads) might not be suitable for all roles. Adjust with caution, always weighing risk vs reward.
  • Documentation: Keep your own documentation of what settings are deployed and why. This helps for continuity (e.g., if another admin takes over, or if you liaise with compliance officers). Document any rationale for non-standard configurations.

By maintaining vigilance and adapting to new developments, you’ll ensure that your Edge browsers remain a strong link in your security chain rather than a weak point.


Conclusion

Microsoft Edge is a key application through which users interact with the internet and corporate resources, making it a critical component to secure. By leveraging Microsoft 365 Business Premium’s capabilities – especially Intune – you can transform Edge into a highly secure enterprise browser with minimal impact on user productivity. We covered how to apply best practice settings (like SmartScreen, site isolation, extension control, and more) uniformly via Intune, using the built-in Edge security baseline as a foundation[1]. We walked through deploying these configurations to all devices and highlighted the importance of keeping the browser updated and integrated with other security measures like Defender for Endpoint and Conditional Access.

In addition to technical enforcement, we emphasized user education and ongoing management: a secure configuration today must be maintained tomorrow through updates, policy reviews, and training. Security is an ongoing process, and using the rich toolset in M365 Business Premium, administrators can continuously monitor compliance and address new threats as they arise.

By following the guidance in this report, your organization can confidently provide users with a safe, protected browsing experience in Microsoft Edge – one that shields them from threats, protects sensitive data, and meets the highest security standards in day-to-day work. With Intune and M365 Business Premium, enterprise-grade Edge security is within reach for organizations of all sizes, delivered in a cloud-manageable and scalable way.

References

[1] List of settings for the Microsoft Edge security baseline in Intune …

[2] Microsoft Edge for Business Recommended Configuration Settings

[3] Configure security baseline policies in Microsoft Intune

[4] Edge Browser Security Latest Best Practices Released by Microsoft

[5] Best practice to enforce updates on Microsoft Edge to have the latest …

[6] Secure your corporate data using Microsoft Edge for Business

[7] Deploying a Microsoft Edge security Baseline with Intune

Copilot pages not appearing in Edge inprivate

Here’s something weird. If I use Copilot with Edge inprivate I don’t see Copilot pages, like so:


and if I try again but this time in Teams, also within an Edge inprivate session:


but if I use the Teams desktop client I see Copilot pages:


I also see Copilot pages if I’m with a private session in another browser (here Brave):


and yet Edge in normal mode is fine:


I wonder what Edge is doing differently inprivate? For some reason, it seems that when I’m using Edge inprivate I don’t see Copilot pages.

I’ll have to try a device that maybe isn’t locked down with Intune to see if I get the same result.

Setting Edge as the default browser using Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

4. Setting the default search engine in Edge with Intune

5. Managing browser extensions in Edge with Intune

6. Setting an Edge Security Baseline with Intune

7. Setting an individual Attack Surface Reduction (ASR) rule in Intune

Now that Microsoft Edge has been secured in the environment, the next task will be to set Microsoft Edge as the default browser. There are a number of ways of achieving this, but I’ll use the more modern Intune Settings catalog approach.

The first step in the process is to take a machine that already has Microsoft Edge configured as the default browser app and run the command:

dism /online /export-defaultappassociations:edgedefault.xml

This will produce an XML with all the application defaults for that device.

If you just want to configure Microsoft Edge as the default browser you’ll need to edit the XML file until it looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
     <Association Identifier=".htm" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier=".html" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier=".mht" ProgId="MSEdgeMHT" ApplicationName="Microsoft Edge" />
     <Association Identifier=".mhtml" ProgId="MSEdgeMHT" ApplicationName="Microsoft Edge" />
     <Association Identifier=".pdf" ProgId="MSEdgePDF" ApplicationName="Microsoft Edge" />
     <Association Identifier=".svg" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier=".xht" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier=".xhtml" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="ftp" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="http" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="https" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="microsoft-edge" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="microsoft-edge-holographic" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="ms-xbl-3d8b930f" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
     <Association Identifier="read" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
</DefaultAssociations>

Next, you’ll need to convert that XML file to base64 for use in an Intune policy. You can do that using the following site:

https://www.base64encode.org/


The output from this conversion is a single long base64 string.

In the Intune console, create a new Device Configuration profile using the Settings Catalog:


Give the new policy a meaningful name and continue.


In the Settings picker search for applications and then select Application defaults and then Default Associations Configuration in the results as shown above.


Into the option Default Associations Configuration paste a copy of the base64 file you created from the original XML.

Complete the policy by assigning it to a group of devices NOT users. This is because the Policy CSP – ApplicationDefaults is only scoped to devices per:


This may mean you need to create a different Edge configuration policy from the one created in previous steps, if that policy was assigned to users.

When the policy has been deployed from Intune, and the device rebooted, Microsoft Edge will be the default browser for the device.
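As an added example (my script, not part of the original post), the following PowerShell does the XML trimming and base64 conversion locally rather than through a website, and verifies the result before you paste it into the Default Associations Configuration setting. It assumes the dism export from above is saved as edgedefault.xml on the reference machine and that the Edge ProgIds are the MSEdgeHTM, MSEdgeMHT and MSEdgePDF values shown in the XML.

```powershell
# Added example: filter a dism DefaultAppAssociations export down to the Edge
# associations and base64-encode it for Intune. Assumes edgedefault.xml came from:
#   dism /online /export-defaultappassociations:edgedefault.xml
param(
    [string]$InputXml  = '.\edgedefault.xml',
    [string]$OutputXml = '.\edgedefault-filtered.xml',
    [string]$OutputB64 = '.\edgedefault.b64'
)

# File types and protocols Edge should own; same list as the XML in the post.
$wanted = '.htm','.html','.mht','.mhtml','.pdf','.svg','.xht','.xhtml',
          'ftp','http','https','microsoft-edge','microsoft-edge-holographic',
          'ms-xbl-3d8b930f','read'

[xml]$doc = Get-Content -LiteralPath $InputXml -Raw

# Keep only associations for the wanted identifiers that already point at Edge.
$kept = @($doc.DefaultAssociations.Association | Where-Object {
    $_.Identifier -in $wanted -and $_.ProgId -like 'MSEdge*'
})
if ($kept.Count -eq 0) { throw "No Edge associations found in $InputXml" }

# Identifiers the reference machine did not export mean Edge was not default for them there.
$missing = $wanted | Where-Object { $_ -notin $kept.Identifier }
if ($missing) { Write-Warning ('Not exported (fix on reference machine first): ' + ($missing -join ', ')) }

# Every ProgId we deploy must exist on the device, otherwise the association is ignored.
foreach ($progId in ($kept.ProgId | Sort-Object -Unique)) {
    if (-not (Test-Path "HKLM:\SOFTWARE\Classes\$progId")) {
        Write-Warning "ProgId $progId is not registered here; confirm Edge is installed on targets"
    }
}

# Rebuild a minimal document containing only the kept associations.
$out = [xml]'<?xml version="1.0" encoding="UTF-8"?><DefaultAssociations/>'
foreach ($a in $kept) {
    [void]$out.DocumentElement.AppendChild($out.ImportNode($a, $true))
}

# Write UTF-8 without a BOM: a BOM before <?xml ...?> would not be the clean XML the CSP expects.
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
$settings  = [System.Xml.XmlWriterSettings]@{ Indent = $true; Encoding = $utf8NoBom }
$writer    = [System.Xml.XmlWriter]::Create($OutputXml, $settings)
$out.Save($writer); $writer.Dispose()

# Base64-encode the exact file bytes and prove the round trip parses to the same set.
$b64   = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($OutputXml))
[xml]$roundTrip = $utf8NoBom.GetString([Convert]::FromBase64String($b64))
if (@($roundTrip.DefaultAssociations.Association).Count -ne $kept.Count) { throw 'Round-trip check failed' }

Set-Content -LiteralPath $OutputB64 -Value $b64 -NoNewline -Encoding ascii
Write-Host "Wrote $($kept.Count) associations; base64 saved to $OutputB64 (paste into Default Associations Configuration)"
```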


Of course, the user can still change the default back but they will need to do that after every reboot. In the future, you’d create a policy to prevent that, but for now, if the user is that desperate for their old browser they can swap. However, the next policy I’ll cover will show you how to stop other browsers (or any other application) from running on Windows devices.

Setting an Edge Security Baseline with Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

4. Setting the default search engine in Edge with Intune

5. Managing browser extensions in Edge with Intune

The next step in the process is to assign a security baseline to the Microsoft Edge environment. Security baseline policies differ from all other policies in Intune because they already have best practice settings enabled. This compares to other Intune policies where you need to go into each policy item and set them to the desired setting. Another benefit of using Security baselines is that they are easily upgradable when updated policies become available. These two factors save a lot of time and effort securing your environment.


In the Intune console, navigate to Endpoint security | Security baselines and select Security Baseline for Microsoft Edge as shown.


Select the option to Create profile and then give the profile a meaningful name.


You’ll then see a list of the individual settings with values already selected.

You can adjust any of the individual settings if you need to customise the policy. Generally, I find there is no need to make any changes here as I have found no conflicts.


Here we also find an example of one of the challenging things with implementing any policy: duplicate settings. If you remember back to the previous article on Managing browser extensions in Edge with Intune, you’ll note that extension restrictions were configured there, but now they are also in this Security baseline policy. A best practice recommendation is to only have one place in your policies where a setting is made. This will avoid conflicts and aid troubleshooting. If you do choose to retain the same settings in multiple policies, ensure they are set identically or otherwise you will get conflicts. In this case I’ll leave the setting in place for both policies as they are the same and it is a bit challenging to disable just this option in the original ‘Edge configuration’ policy created in the previous post.

With any changes made, continue with the Security baseline policy configuration and assign it to your environment.


When complete you should see the policy you just created, as shown above. Remember, you can create as many policies as you need to accommodate your environment targeted to different audiences, however the aim should be to get to a single Security baseline policy for Edge to keep things simple.


You’ll see that the policy created has a version number. You’ll also note a Change version button on the menu at the top (currently greyed out) as shown above. This is the beauty of a Security baseline policy: when an update is available you’ll be able to use this option to update the policy. You can read more about this here:

Update a profile to the latest version

We are now at a point in our roll out where we have policies to provide a secure Microsoft Edge configuration in our environment. Those already using Microsoft Edge will benefit immediately; users on other browsers still need to be ‘encouraged’ to make the shift as soon as possible, but are not being forced to use Microsoft Edge just yet (they will be eventually, so keep encouraging them to make the shift with your communications, because the day when they have no other option but to switch is coming!).

For more information, see the Microsoft Edge security baseline settings reference for Microsoft Intune. Remember that the benefit of Security baselines is that they have best practice settings already enabled, so typically all that is needed is to apply the policy with these default settings.

It is now time to look at securing the Windows devices against ransomware. Stay tuned.

Managing browser extensions in Edge with Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

4. Setting the default search engine in Edge with Intune

The goal we are trying to achieve is to move all users from third party browsers to using Microsoft Edge. The next step in this process will be deploying and managing a constrained set of extensions in Microsoft Edge.


The first step is to visit the Microsoft Edge store for extensions and grab the unique ID for the extensions you want to use. You find this in the URL for the extension as shown above. Here are three common extensions I will use for this example:

Lastpass – bbcinlkgjjkejfdpemiealijmmooekmp

DuckDuckGo Privacy – caoacbimdbbljakfhgikoodekdnlcgpk

Save to Pocket – jicacccodjjgmghnmekophahpmddeemd

Once we have these we need to log in to the Intune management portal.


In the last article I created a generic device configuration profile called ‘Edge configuration’ policy that I’ll be extending here. Select the policy name to view its settings.


Scroll down the policy until you locate the heading Configuration settings as shown above, and then select the Edit hyperlink to the right of this.


Select the + Add Settings link as shown above.


Expand the Microsoft Edge option in the top part of the blade that appears and then select Extensions as shown above. In the options that appear in the lower part of the screen select:

Allow specific extensions to be installed

Control which extensions are installed silently

Control which extensions cannot be installed

Close the blade.


You should now see the ability to customise these options in the policy as shown above.

Add the IDs of the extensions you want silently installed and ensure that each is ticked as shown.

Add ‘*’ (i.e. all) as the ID to be prevented from being installed and ensure it is ticked as shown. This means all other extensions will not be permitted to be installed.

Add the IDs of the extensions you want to allow in the exempt-from-block area and ensure each is ticked as shown.

Save the policy changes and allow it to be propagated to all groups included in the policy.


Once the policy has rolled out, you should find the extensions you entered in the policy have been added to Microsoft Edge as shown above.


You should also find that users cannot add additional extensions to their Microsoft Edge browser as shown above.

The aim of this exercise was to automatically configure a number of ‘standard’ extensions for Microsoft Edge and block everything else. We have been able to achieve this by extending the original ‘Edge configuration’ policy that was created earlier.
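To confirm what a device actually received once the policy has rolled out, here is an added PowerShell audit script (my addition, not from the original post). It assumes Intune wrote the Edge extension policies as registry values under HKLM:\SOFTWARE\Policies\Microsoft\Edge, uses the three extension IDs from this post as the approved set, and assumes the signed-in user’s Edge profile lives under the default User Data\Default path.

```powershell
# Added example: audit the effective Edge extension policy on a device and compare it
# with the approved set from the post. Registry and profile paths are assumptions.
$expected = @{
    'bbcinlkgjjkejfdpemiealijmmooekmp' = 'LastPass'
    'caoacbimdbbljakfhgikoodekdnlcgpk' = 'DuckDuckGo Privacy'
    'jicacccodjjgmghnmekophahpmddeemd' = 'Save to Pocket'
}
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # assumed location of Intune-delivered Edge policy

function Get-EdgeListPolicy {
    # Edge list policies are stored as numbered string values ("1", "2", ...) under a subkey.
    param([string]$Name)
    $key = Join-Path $policyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { ($_.Value -split ';')[0].Trim() }   # force-list entries may carry ";update-url"
}

function Test-ExtensionId([string]$Id) {
    # Chromium/Edge extension IDs are exactly 32 characters in the range a-p.
    return $Id -match '^[a-p]{32}$'
}

$force = @(Get-EdgeListPolicy 'ExtensionInstallForcelist')
$allow = @(Get-EdgeListPolicy 'ExtensionInstallAllowlist')
$block = @(Get-EdgeListPolicy 'ExtensionInstallBlocklist')

$findings = [System.Collections.Generic.List[string]]::new()

# The post's "block everything" rule is the '*' entry; without it users can install any store extension.
if ($block -notcontains '*') { $findings.Add('Blocklist does not contain "*": any store extension can be installed') }

foreach ($id in $expected.Keys) {
    if ($force -notcontains $id) { $findings.Add("$($expected[$id]) ($id) is not in the force-install list") }
    if ($allow -notcontains $id) { $findings.Add("$($expected[$id]) ($id) is not in the allow list") }
}
foreach ($id in (($force + $allow) | Sort-Object -Unique)) {
    if (-not (Test-ExtensionId $id)) { $findings.Add("Malformed extension ID in policy: '$id'") }
    elseif (-not $expected.ContainsKey($id)) { $findings.Add("Extension permitted by policy but not approved: $id") }
}

# Compare against what is actually present in the current user's default Edge profile.
$extDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Extensions'   # assumed path
if (Test-Path $extDir) {
    Get-ChildItem -LiteralPath $extDir -Directory | ForEach-Object {
        if (-not $expected.ContainsKey($_.Name)) { $findings.Add("Installed but not in approved list: $($_.Name)") }
    }
}

if ($findings.Count -eq 0) { Write-Host 'Edge extension policy matches the approved set.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it in an elevated session on a device after the policy has applied; any warning points at either a policy that did not land or an extension that slipped in before the block took effect.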

The next step in the process will be to lock down the Microsoft Edge browser using a baseline policy. Stay tuned.

Setting the default search engine in Edge with Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

One of the longer term best practice goals is to move all users to exclusive use of Microsoft Edge as a browser. Doing so will improve overall security, provide greater management of the browsing experience and provide a consistent environment.

In most existing environments today, users in a business are using a variety of browsers. It is my experience that, generally, users are not wedded to the type of browser they use but many are wedded to the search experience they have become familiar with. Changing this experience abruptly is going to reduce user productivity and create resistance to change. In order then to ease the transition from other browsers to using Microsoft Edge a recommended approach is to use Intune to change the default search experience in Microsoft Edge to the one users are familiar with. It is important to remember that Edge will be pretty much 100% compatible with the browser they use today, along with any extensions. Also, the idea with this step is not to force users to use a new browser but start preparing for that change.

The first step in the browser migration project will be to set the search experience in Edge to be what a user is familiar with. To do this you will need to create a new Intune configuration profile.


In the Intune console select Devices then Configuration profiles. Then select Create profile on the right. Select Windows 10 and later for the profile and Settings catalog for the profile type. Select Next to continue.


This policy is something that will be added to over time, so it is suggested you call the policy something like ‘Edge configuration’ as shown above. Select Next to continue.


Select the +Add settings link


Locate the Microsoft Edge\Default search provider in the top of the blade that appears on the right as shown above. Select this and a list will appear in the lower half. From the list in the lower portion, select the following four settings:

Configure the new tab page search box experience

Default search provider name

Default search provider url

Enable the default search provider

Close the settings picker by selecting the cross (x) in the top right hand corner.


Enable the four new settings, as shown above, and given that Google is the most common search engine, here are the appropriate settings for setting the default search engine in Microsoft Edge to be Google:

New tab page search box experience = Address bar

Default Search provider search URL = https://www.google.com/search?q={searchTerms}

Default search provider name = Google

You can of course use any search provider you wish. My preference would be for DuckDuckGo but remember, the idea here is to provide the lowest amount of friction to migrate users away from the third party browsers they are probably using. However, if you wish to force a new search experience, now is probably the best time to do that.

Complete the policy and assign it to your users. You then need to allow the policy to roll out.


Now when users type a search term into the URL box, while using Microsoft Edge, it will use the search engine you just configured via the Intune policy as shown above.

Remember, at this stage all that has been done is to set a new default search engine for Microsoft Edge. If the users are not yet using Edge then they will be unaffected by this change. The idea is to make the Edge environment as familiar as possible before forcing users to use Edge instead of the browsers they currently use.

Of course, if some users are already using Edge this change will affect them, and you should prepare for that by communicating the reasons for the change, how everyone will be shifting to Edge, and that this is the first step in the process to provide a more secure and consistent environment for everyone. You could also just target this new policy to users not currently using Edge as their default browser. The choice is yours, but the endgame is to get everyone using a secured version of Edge with consistent settings.

We’ll come back and make more changes to this Edge configuration policy over time but for now we have all versions of Edge using the same search engine.

Edge enhanced security


A new security option in Microsoft Edge. You’ll find it in Settings | Privacy, search and services as shown above. Three levels are available once you enable it (it is disabled by default).

What it does, according to the documentation, is:

Enhanced security in Microsoft Edge helps safeguard against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser.

and more information is found here:

Enhance your security on the web with Microsoft Edge

There is also the option to white list certain URLs if required.

So, if you want a bit more security when using Edge, turn it on! I have.