🛡️ Essential 8 Guide

Web browser security settings cannot be changed by users.

Summary

Enforce browser security settings via Intune so users cannot modify them, preventing changes that could weaken browser security¹. This approach maintains consistent, enterprise-wide protections and reduces exposure to phishing, tracking and data leakage risks².

Design Decision

[!NOTE] The Intune configuration profiles will enforce the browser security settings so users cannot modify them. This will implement the guidance to prevent changes to web browser configurations via Intune.

Prerequisites

• Dependencies:
  • Devices must be enrolled in Microsoft Intune; all users must be enrolled to ensure device compliance. ²
  • Windows 10: 21H2 / 10.0.19044.100 minimum. ²
  • Browser security settings must be deployed and enforced via Intune so users cannot modify them. ¹

Implementation Steps

Enforce browser security settings via Intune

1. In Intune, create and deploy a Windows 10/11 device configuration profile that enforces Edge browser security settings. Use the following sub-settings:
   • Start Microsoft Edge with: set to Custom start pages and configure the start pages via the setting EdgeHomepageUrls. Set Allow user to change start pages to No to block changes. This ensures the chosen start pages are enforced. ²¹
2. Configure Edge startup behavior to fix the New Tab page:
   • New Tab URL: enter the URL to open on the New Tab page.
   • Allow web content on new tab page: set to No to prevent users from altering the New Tab content. ²
3. Lock down Edge home button behavior:
   • Home button: configure to the desired action (e.g., a specific URL via the Home button URL option).
   • Allow users to change home button: set to No to prevent user overrides. ²
4. Reduce user prompts during onboarding:
   • Show First Run Experience page (Mobile only): set to No to suppress the First Run page. ²
5. Enforce browser favorites protection:
   • LockdownFavorites: set to value 1 (Blocked) to prevent users from adding, importing, or editing Favorites in Edge. ³
6. Prevent changes to browser security policies:
   • DoNotAllowUsersToChangePolicies: enable to prevent users from changing security zone settings in Internet Explorer. Note: if the related policy to disable the Security page is enabled, this policy is ignored. ²

Key Edge security policies to lock

Use a Settings Catalog profile for most policies (available as MDM CSPs) and supplement with an Administrative Templates profile for Enhanced Security Mode settings not yet available in the catalog.⁴⁵

Additional related information

• Configure Microsoft Edge policies to support enterprise privacy describes how to configure diagnostic data, telemetry, and data collection in enterprise deployments Configure Microsoft Edge policies to support enterprise privacy
• Windows device settings to allow or restrict features using Intune provides how to set the Enterprise Mode Site List Location for Edge desktop deployments Windows device settings to allow or restrict features using Intune

• ASD’s Blueprint for Secure Cloud describes endpoint management design decisions for Intune, including browser configuration deployment [ASD Blueprint: Endpoint management

  ASD’s Blueprint for Secure Cloud](https://blueprint.asd.gov.au/design/platform/client/)

• Windows device settings in Intune for Education details classroom-focused controls such as blocking favorites, extensions, InPrivate browsing, and pop-ups Windows device settings in Intune for Education