Enhanced security mode (ESM) introduced with Edge 111 is designed to protect the browser against attacks that manipulate data in the application's memory to inject executable code. ESM primarily aims to thwart attempts by malicious websites to exploit unresolved vulnerabilities in the browser.

Microsoft recently added several new features to the Edge browser, including hardening against attacks that target the JavaScript engine. However, Edge's enhanced security mode can have unwanted side effects, so it can be adjusted interactively or through Group Policy to suit the environment.

These mechanisms include OS-level Hardware-enforced Stack Protection and arbitrary code guard (ACG). In addition, ESM disables the just-in-time (JIT) compiler for JavaScript.

Gradual implementation of ESM

These security mechanisms naturally come at the cost of performance and compatibility. Therefore, Microsoft offers two modes with different levels of aggressiveness: Balanced and Strict.

In Balanced mode, ESM is activated only on infrequently visited websites, while Strict mode enables enhanced security everywhere. The ESM feature is not enabled by default.

Interactive configuration

Users can activate ESM through the browser settings under Privacy, search, and services. The corresponding option can be found in the section titled Enhance your security on the web.

Options for configuring ESM via the GUI

After activating the slider, you can select the desired mode. Additionally, you can set your own preference to have ESM always enabled for InPrivate windows.

Furthermore, you can maintain custom lists for websites under Manage enhanced security for sites, where ESM can be enabled or disabled for specific sites.

Change status for individual websites on an ad hoc basis

To determine whether ESM is enabled for a website, click the padlock icon next to the URL in the address bar. The menu that appears includes the entry "Enhanced security is active for this website." Click it to reveal the option to disable the feature for that site.

Disabling ESM for individual pages

The originally announced dedicated icon for ESM in front of the URL is no longer present in newer versions of the browser.

Enable ESM via group policies

Enhanced security mode can also be managed centrally via group policies. To enable it, activate the setting Enhance the security state in Microsoft Edge and select the desired mode. It can be found for the computer and user configuration under Policies > Administrative Templates > Microsoft Edge.

Enable and configure Enhanced Security Mode via Group Policy

Prevent ESM from being turned off

Since version 115, the ADMX files also include a setting that lets administrators prevent users from deactivating ESM for individual websites via the dropdown menu in the address bar.

This setting is Manage opt-out user experience for Enhanced Security Mode (ESM) in Microsoft Edge.

Irritatingly, the ESM slider in the browser settings is not grayed out when this policy applies, so it can still be operated. However, it no longer changes the actual setting.

The slider remains unaffected by the group policy but it no longer has any function

Manage lists for websites

The lists for websites on which ESM should be enabled or disabled can be managed using three settings:

  • For sites in the intranet zone, ESM takes effect by default as soon as it is enabled. If you do not want this, activate the setting Enhanced Security Mode configuration for Intranet zone sites.
  • To define exceptions for ESM, use the Configure the list of domains for which enhanced security mode will not be enforced setting.
  • To achieve the opposite effect, where ESM is always enforced for specific domains, use the Configure the list of domains for which enhanced security mode will always be enforced setting.

Settings for website blacklisting and whitelisting for ESM
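The Group Policy settings described above all end up as values under the Edge policy registry key, so the same configuration can be applied and audited with PowerShell. The following script is an added example, not code from the article or from Microsoft. The value names EnhanceSecurityMode, EnhanceSecurityModeBypassIntranet, EnhanceSecurityModeBypassListDomains and EnhanceSecurityModeEnforceListDomains are Edge's documented policy names; the machine-scope key path, the mode numbering (0 disabled, 1 Balanced, 2 Strict) and the sample domains are assumptions for illustration. On a domain-joined machine, a GPO that sets the same values overwrites whatever this script writes at the next policy refresh.

```powershell
# Added example (not from the 4sysops article or from Microsoft): write and
# read back the Edge Enhanced Security Mode policies. Run from an elevated
# PowerShell prompt; HKLM policy scope is assumed here.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeDomainList {
    # List policies are stored as numbered REG_SZ values (1, 2, ...) under a
    # subkey named after the policy. The subkey is recreated so stale entries
    # from an earlier configuration do not linger.
    param([string]$Name, [string[]]$Domains)
    $key = Join-Path $PolicyRoot $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    if ($Domains.Count -eq 0) { return }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($domain in $Domains) {
        New-ItemProperty -Path $key -Name $i -PropertyType String -Value $domain -Force | Out-Null
        $i++
    }
}

function Get-EdgeDomainList {
    param([string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    # Get-ItemProperty also returns PSPath/PSParentPath etc.; keep only the
    # numeric value names and return them in list order.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

function Set-EdgeEsmPolicy {
    param(
        [ValidateSet('Disabled', 'Balanced', 'Strict')][string]$Mode = 'Balanced',
        [switch]$BypassIntranet,          # "Enhanced Security Mode configuration for Intranet zone sites"
        [string[]]$BypassDomains = @(),   # "... will not be enforced"
        [string[]]$EnforceDomains = @()   # "... will always be enforced"
    )
    $modeValue = @{ Disabled = 0; Balanced = 1; Strict = 2 }[$Mode]   # assumed numbering
    New-Item -Path $PolicyRoot -Force | Out-Null
    New-ItemProperty -Path $PolicyRoot -Name EnhanceSecurityMode -PropertyType DWord -Value $modeValue -Force | Out-Null
    New-ItemProperty -Path $PolicyRoot -Name EnhanceSecurityModeBypassIntranet -PropertyType DWord -Value ([int]$BypassIntranet.IsPresent) -Force | Out-Null
    Set-EdgeDomainList -Name EnhanceSecurityModeBypassListDomains  -Domains $BypassDomains
    Set-EdgeDomainList -Name EnhanceSecurityModeEnforceListDomains -Domains $EnforceDomains
}

function Get-EdgeEsmPolicy {
    # Audit helper: reports the effective policy values as an object so the
    # output can be compared against a baseline or exported.
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Balanced'; 2 = 'Strict' }
    $props = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $mode  = $props.EnhanceSecurityMode
    [pscustomobject]@{
        Mode           = if ($null -eq $mode) { 'Not configured' } else { $modeNames[[int]$mode] }
        BypassIntranet = [bool]$props.EnhanceSecurityModeBypassIntranet
        BypassDomains  = @(Get-EdgeDomainList -Name EnhanceSecurityModeBypassListDomains)
        EnforceDomains = @(Get-EdgeDomainList -Name EnhanceSecurityModeEnforceListDomains)
    }
}

# Constructed sample: Balanced mode everywhere, intranet exempt, one legacy
# app exempted and one external site always hardened. Domain names are made up.
Set-EdgeEsmPolicy -Mode Balanced -BypassIntranet `
    -BypassDomains  'legacy-app.example.com' `
    -EnforceDomains 'untrusted.example.net'
Get-EdgeEsmPolicy | Format-List
```

Get-EdgeEsmPolicy is useful on its own for checking that a GPO actually landed on a client: run it after gpupdate and compare the Mode and list values with what the GPO defines. Note that the bypass list policy matches domains, so a single entry covers every page on that host.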

Summary

Enhanced Security Mode in Microsoft Edge provides additional protection against malicious websites, but at the cost of reduced performance and compatibility. The feature is disabled by default.

To strike a balance between security and user experience, Microsoft recommends using Balanced mode. Specific sites can be explicitly excluded or have ESM enforced on them.

All aspects of ESM are configurable via Group Policy, which also extends the capability to customize behavior for Intranet sites—something not possible through the GUI.

© 4sysops 2006 - 2023