This week is all about tightening security in Microsoft Edge and making sure that it’s one step closer to a secure enterprise browser. Especially nowadays, when users spend most of their time in a web browser, it’s important to make sure that the right controls are in place to protect the users and the corporate data. That can be achieved by having a closer look at the different security features that Microsoft Edge brings to the table, and there are many of them. When specifically looking at protecting the user, think about features like Microsoft Defender SmartScreen, typosquatting protection, and Enhanced Security Mode. Three different security features, all with their own focus: Microsoft Defender SmartScreen to protect against phishing and malware, typosquatting protection to warn users when mistyping a commonly used website name, and Enhanced Security Mode to protect against memory-related vulnerabilities. Especially the latter security feature is often overlooked and deserves some extra attention. This post will start with a brief introduction, followed by the configuration and the user experience.
Introducing Enhanced Security Mode in Microsoft Edge
When looking at Enhanced Security Mode in Microsoft Edge, it’s all about reducing the risk of an attack. Enhanced Security Mode can help with reducing that risk by automatically applying more conservative security settings on unfamiliar sites. Besides that, it adapts over time as the user continues to browse. Enhanced Security Mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional platform protections, such as Arbitrary Code Guard (part of Exploit Protection) and Hardware-enforced Stack Protection. Together that makes it more difficult for malicious sites to use unpatched vulnerabilities to write to executable memory and attack the user.
For configuring Enhanced Security Mode in Microsoft Edge, there are actually different modes available. Besides that, the IT administrator can also opt to manage a bypass list that contains the sites that bypass the additional security. Alternatively, the user can add sites to the bypass list themselves. Within the configuration options for the different modes there is Standard mode, Balanced mode and Strict mode. Those modes can be used as follows:
- Standard mode: Standard mode will make sure that Enhanced Security Mode will be turned off and that Microsoft Edge will fall back to its standard security mode.
- Balanced mode: Balanced mode will make sure that Microsoft Edge will apply added security protections when users visit unfamiliar sites. It’s an adaptive mode that builds on the user’s behavior on a specific device.
- Strict mode: Strict mode will make sure that Microsoft Edge will apply added security protections for all the sites the user visits. It’s still possible to manually add sites to the exceptions list.
Note: In the early days there was also a Basic mode available for Enhanced Security Mode in Microsoft Edge. That mode was deprecated in Microsoft Edge version 113 and doesn’t work anymore since Microsoft Edge version 116.
Configuring Enhanced Security Mode in Microsoft Edge
After getting familiar with Enhanced Security Mode in Microsoft Edge, and the different configuration options, it’s time to look at actually configuring it by using Microsoft Intune. The good news is that the configuration can be managed via the Settings Catalog. The Settings Catalog contains ADMX-backed settings for Microsoft Edge. Those settings are backed by the MSEdge.admx. The main setting itself is EnhanceSecurityMode, with Enhance the security state in Microsoft Edge as its friendly name. As an IT administrator, this setting is only a few clicks away nowadays and doesn’t require any really challenging configurations anymore. The following 8 steps can be used to enable Enhanced Security Mode by using the Settings Catalog.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New Policy
- On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
- On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
- On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
  - Click Add settings, navigate to Microsoft Edge and select Enhance the security state in Microsoft Edge (EnhanceSecurityMode) in Settings picker
  - Switch the slider with Enhance the security state in Microsoft Edge to Enabled (1) and select Strict mode with Enhance the security state in Microsoft Edge (Device) to apply added security protections for all the sites

- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment for the required user or devices and click Next
- On the Review + create page, verify the configuration and click Create
Note: For even more control use Allow users to bypass Enhanced Security Mode (EnhanceSecurityModeAllowUserBypass) to prevent users from bypassing Enhanced Security Mode and Configure the list of domains for which enhance security mode will not be enforced (EnhanceSecurityModeBypassListDomains) for managing bypass exemptions.
Experiencing Enhanced Security Mode in Microsoft Edge
When the configuration for Enhanced Security Mode is in place, it’s time to look at the user experience. That experience is pretty straightforward to verify, by simply trying to navigate to any site by using Microsoft Edge. Below in Figure 2 is an overview of what happens when Enhanced Security Mode is configured and when the user cannot bypass the configuration. The configuration for Microsoft Edge is shown on the left and that indicates that the Strict mode is configured (policy value 2), that the user is not allowed to bypass that configuration, and that only microsoft.com will bypass the additional security. That configuration results in the behavior shown on the right. The user can safely browse the Internet, but Enhanced Security Mode is enabled for every site except for microsoft.com, and the user cannot bypass that configuration.

Note: When browsing to microsoft.com that domain would bypass Enhanced Security Mode with this configuration.
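The three settings described above can also be checked on the device itself. The following PowerShell is an added example, not part of the original post: it assumes that device-scoped Microsoft Edge policies are written to HKLM:\SOFTWARE\Policies\Microsoft\Edge, and the function name Get-EdgeEsmPolicyState is hypothetical.

```powershell
# Added example: report the Enhanced Security Mode policies applied to this device.
# Assumption: device-scoped Edge policies are written under the registry path below.
function Get-EdgeEsmPolicyState {   # hypothetical helper name
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge')

    # Value 2 is Strict mode (as in the post); 3 is the deprecated Basic mode.
    $modes  = @{ 0 = 'Standard'; 1 = 'Balanced'; 2 = 'Strict'; 3 = 'Basic (deprecated)' }
    $edge   = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $mode   = $edge.EnhanceSecurityMode
    $bypass = $edge.EnhanceSecurityModeAllowUserBypass

    # List policies are stored as numbered values in a subkey named after the policy.
    $domains = @()
    $listKey = Join-Path $PolicyPath 'EnhanceSecurityModeBypassListDomains'
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $domains = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    if ($null -eq $mode) {
        $modeName = 'Not configured'
    } elseif ($modes.ContainsKey([int]$mode)) {
        $modeName = $modes[[int]$mode]
    } else {
        $modeName = "Unknown ($mode)"
    }

    [pscustomobject]@{
        Mode              = $modeName
        ModeValue         = $mode
        UserBypassAllowed = if ($null -eq $bypass) { 'Not configured' } else { [bool]$bypass }
        BypassDomains     = $domains
    }
}

$state = Get-EdgeEsmPolicyState
$state | Format-List

# Baseline from this post: Strict mode (2) with user bypass disabled.
$compliant = ($state.ModeValue -eq 2) -and ($state.UserBypassAllowed -eq $false)
if ($compliant) {
    Write-Output 'Enhanced Security Mode matches the Strict baseline.'
} else {
    Write-Warning 'Enhanced Security Mode does not match the Strict baseline.'
}
```

Review the BypassDomains output as well, because every listed domain runs without the additional protections.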
More information
For more information about tightening Microsoft Edge browser security, refer to the following docs.
- Microsoft Edge Browser Policy Documentation | Microsoft Learn
- Microsoft Edge for Business Recommended Configuration Settings | Microsoft Learn
- Browse more safely with Microsoft Edge | Microsoft Learn
- Enhanced Security Mode | Microsoft Edge