Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Property	Value
ISM Control	ISM-1412
Revision	6
Updated	Dec-23
Guideline	Not provided
Section	User application hardening
Topic	Hardening user application configurations
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Hardening of web browsers, particularly Microsoft Edge, follows ASD and vendor guidance to minimize attack surface when conflicts occur. Deploying the ACSC Edge Hardening Guidelines through Intune enforces consistent, policy-driven controls across devices.¹

The Microsoft Edge security baseline (available in Intune under Endpoint Security → Security Baselines) covers the majority of required settings. However, several ACSC-mandated settings are not in the baseline and must be added via a custom Settings Catalog profile or by importing the ACSC Edge JSON policy directly.[^2]

Design Decision

[!NOTE] The ACSC Microsoft Edge Hardening Guidelines policy will be deployed through Intune configuration profiles to harden Microsoft Edge in accordance with ACSC guidance. This approach deploys the ACSC Edge hardening configuration through Intune as per ACSC guidance.

Prerequisites

Licensing: Microsoft Intune Plan 1 is required for target devices when implementing through Intune.²
Dependencies:
- Devices must be managed by Microsoft Intune and enrolled in Entra ID and/or hybrid Azure AD joined.¹
- Availability of ACSC Edge Hardening Guidelines and related policy templates to deploy through Intune (e.g., Microsoft Edge Baseline policy) and deployment through Intune.¹

Implementation Steps

Import ACSC Edge Hardening Policy into Intune

Save the ACSC Microsoft Edge Hardening Guidelines policy to your local device.¹
Navigate to the Microsoft Intune console.¹
Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy.¹
Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1.¹
Select Save.¹

Deploy Edge Security Baseline via Intune

To implement the security baseline: Navigate to Endpoint Security > Security Baselines > Microsoft Edge Baseline.¹
Create a new Microsoft Edge Baseline by selecting Create Profile.¹
Review the configuration, and assign the Security Baseline to a group.¹

[!NOTE] The ACSC recommended hardening policies for Microsoft Edge are contained within these policies. The Microsoft Edge Baseline approach provides a baseline deployment pathway in Intune.¹

Policy settings: baseline vs. custom

The following table shows which ACSC-required settings are already covered by the Microsoft Edge security baseline deployed in step 2, and which must be added separately via a custom Settings Catalog profile (or by importing the ACSC Edge JSON):³⁴

Setting	Intune Edge baseline	Action required
TLS 1.2+ (`MinimumTLSVersion`)	✅ Covered	None
SmartScreen enabled (`SmartScreenEnabled`)	✅ Covered	None
SmartScreen PUA blocking (`SmartScreenPuaEnabled`)	✅ Covered	None
Prevent SmartScreen bypass for sites	✅ Covered	None
Prevent SmartScreen bypass for downloads	✅ Covered	None
Block Flash / legacy plugins	✅ Covered	None
Site isolation (`SiteIsolationEnabled`)	✅ Covered	None
Password manager disabled	✅ Covered	None
Block legacy extension points	✅ Covered	None
SharedArrayBuffer disabled	✅ Covered	None
WebSQL disabled	✅ Covered	None
Extensions: block all by default	⚠️ Not configured	Add `ExtensionInstallBlocklist` = `*`; then add approved extension IDs to `ExtensionInstallAllowlist`
Developer tools disabled for standard users	⚠️ Not configured	Set `DeveloperToolsAvailability` = Disallow
Do Not Track enabled	⚠️ Not configured	Enable `DoNotTrackEnabled`
DNS-over-HTTPS disabled	⚠️ Not configured	Set `DnsOverHttpsMode` = Disabled (force system/government-managed DNS)
Intrusive ads blocked	⚠️ Not configured	Enable `AdsSettingForIntrusiveAdsEnabled`
Network Protection (block mode)	⚠️ Not configured	Enable `NetworkProtectionEnabled`
SHA-1 certificates from local anchors disabled	⚠️ Not configured	Set `AllowSha1CertificatesFromLocalAnchors` = Disabled

[!NOTE] The ACSC Edge JSON policy (importable via Settings Catalog) includes most of the ⚠️ items above. After importing, verify the settings listed and add any missing entries manually. Validate applied settings on each device by browsing to edge://policy.

ASD Blueprint: User application hardening provides detailed guidance for hardening user applications within the ASD security blueprint ASD Blueprint: User application hardening
Browse more safely with Microsoft Edge explains Edge’s enhanced security on the web and how to configure protection levels Browse more safely with Microsoft Edge
ASD Blueprint: Device configuration describes device configuration guidance including client device hardening ASD Blueprint: Device configuration
Microsoft Edge browser policies reference lists all available browser policies for managing Edge via MDM/Group Policy, replacing the deprecated legacy Browser CSP Microsoft Edge - Policies
Microsoft Edge security baseline settings for Intune documents all settings in the Intune Edge security baseline and their default values Microsoft Edge security baseline settings for Intune
ASD Blueprint — ACSC Edge Hardening Guidelines configuration lists the specific policy settings in the ACSC Edge JSON and their recommended values for Australian government deployments ASD Blueprint: ACSC Edge Hardening Guidelines

🛡️ Essential 8 Guide