🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Web browsers do not process web advertisements from the internet.

| Property | Value |
|---|---|
| ISM Control | ISM-1485 |
| Revision | 1 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Hardening user application configurations |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Enable the Edge policy that blocks intrusive ads through the Intune security baseline by setting Ads setting for sites with intrusive ads to Enabled. This reduces exposure to potentially malicious advertising and supports browser hardening. [1]

The built-in Edge AdsSettingForIntrusiveAdsSites policy blocks only intrusive ad formats defined by the IAB standard (e.g., large pop-ups, auto-play video overlays, ads that obscure content). It does not block all web advertisements. For Maturity Level 3, or where a stricter interpretation of “does not process web advertisements” is required, this must be supplemented with a policy-deployed ad-blocking extension or enterprise DNS filtering at the network layer. [2]

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The Ads setting for sites with intrusive ads policy will be enabled using the Intune security baseline to block intrusive ads in Microsoft Edge. This will be aligned with the control’s intent to prevent web advertisements from being processed by browsers.

Prerequisites

Licensing

Permissions/Roles

Dependencies

Implementation Steps

Enable Edge policy to block intrusive ads using Intune security baseline

  1. Sign in to the Intune admin center (endpoint.microsoft.com).
  2. Go to Devices → Windows → Configuration profiles → Create profile.
  3. Select Platform: Windows 10 and later, Profile type: Settings catalog.
  4. Search for Microsoft Edge and locate Ads setting for sites with intrusive ads (AdsSettingForIntrusiveAdsSites).
  5. Set the value to Enabled (Block) (1).
  6. Also configure the following complementary settings in the same profile: [1]
    • Block pop-ups and redirects (PopupsAllowed = Blocked)
    • New Tab Page Set Feed Type = None (removes promotional content on the new-tab page)
    • Microsoft Defender SmartScreen (SmartScreenEnabled) = Enabled
  7. Assign the profile to the Azure AD group containing all managed devices.
  8. Select Review + create, then Create.

[!NOTE] The AdsSettingForIntrusiveAdsSites policy blocks only intrusive ad formats as defined by the IAB Better Ads Standards. It does not prevent all web advertisements from loading. For environments requiring a stricter interpretation of this control, supplement with a policy-deployed ad-blocking extension (see below).

(Optional) Force-install a vetted ad-blocking extension

For ML3 or audit-strict environments where all advertisements must be prevented:

  1. In the same Settings catalog profile (or a new profile), search for ExtensionSettings under Microsoft Edge → Extensions.
  2. Set the Configure extension management settings policy to a JSON payload that blocks all extensions by default and force-installs a vetted ad-blocking extension (e.g., uBlock Origin via the Edge Add-ons update URL).
  3. Test the extension on a pilot device before broad deployment.
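
A pre-deployment check for the ExtensionSettings payload described in step 2, added here as an example and not taken from the guide or from Microsoft. The function name `lint_extension_settings`, the approved-ID list and the placeholder extension ID are assumptions; the update URL is the Edge Add-ons store URL.

```python
import json
import re

EXT_ID = re.compile(r"[a-p]{32}")  # extension IDs: 32 characters, a-p

# Constructed sample. The ID is a placeholder, not a real extension;
# substitute the ID of the extension you have vetted.
SAMPLE = """{
  "*": {"installation_mode": "blocked"},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
    "installation_mode": "force_installed",
    "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
  }
}"""


def lint_extension_settings(payload, approved_ids):
    """Return findings; an empty list means default-deny plus force-install
    of exactly the approved extensions (hypothetical helper)."""
    try:
        settings = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc}"]
    if not isinstance(settings, dict):
        return ["payload must be a JSON object"]
    findings = []
    default = settings.get("*")
    if not isinstance(default, dict) or default.get("installation_mode") != "blocked":
        findings.append('"*" must set installation_mode to "blocked"')
    for key, entry in settings.items():
        if key == "*":
            continue
        if not EXT_ID.fullmatch(key) or not isinstance(entry, dict):
            findings.append(f"{key}: not an extension ID entry, review manually")
            continue
        if key not in approved_ids:
            findings.append(f"{key}: not on the approved list")
        mode = entry.get("installation_mode")
        if mode != "force_installed":
            findings.append(f"{key}: installation_mode is {mode!r}")
        elif not str(entry.get("update_url", "")).startswith("https://"):
            findings.append(f"{key}: force_installed needs an https update_url")
    for missing in sorted(set(approved_ids) - set(settings)):
        findings.append(f"{missing}: approved extension is missing")
    return findings


if __name__ == "__main__":
    print(lint_extension_settings(SAMPLE, {"a" * 32}) or "payload OK")
```

Run it against the exact JSON you intend to paste into the Settings catalog profile; any finding means the payload does not yet enforce the default-block, force-install design.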