- The Beta channel is the most stable Microsoft Edge preview experience. With major updates every 6 weeks, each release incorporates learnings and improvements from our Dev and Canary builds.
- Microsoft's Edge browser was released in 2015 and is their replacement for their now obsolete web browser Internet Explorer. Edge is the default browser on the Microsoft platforms (Windows 10 and Xbox One) and adds a lot of features which were lacking in Internet Explorer.
The new browser looks very similar to Google Chrome, but the company has implemented its own tweaks to make it look and feel more like the legacy version of Microsoft Edge to minimize the learning. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS. With speed, performance, best in class compatibility for websites and extensions, and built-in privacy and security features, it's the only browser you'll ever need. Try the new Microsoft Edge now.
Use the following information to configure Microsoft Edge policy settings on your Windows devices.
Note
This article applies to Microsoft Edge version 77 or later.
Configure policy settings on Windows
You can use group policy objects (GPO) to configure policy settings for Microsoft Edge and managed Microsoft Edge updates on all versions of Windows. You can also provision policy through the registry for Windows devices that are joined to a Microsoft Active Directory domain, or Windows 10 Pro or Enterprise instances enrolled for device management in Microsoft Intune. To configure Microsoft Edge with group policy objects, you install administrative templates that add rules and settings for Microsoft Edge to the group policy Central Store in your Active Directory domain or to the Policy Definition template folder on individual computers and then configure the specific policies you want to set.
You can use Active Directory group policy to configure Microsoft Edge policy settings if you prefer to manage policy at the domain level. This enables you to manage policy settings globally, targeting different policy settings to specific OUs, or using WMI filters to apply settings only to users or computers returned by a particular query. If you want to configure policy on individual computers, you can apply policy settings that only affect the local device using the Local Group Policy Editor on the target computer.
Microsoft Edge supports both mandatory and recommended policies. A mandatory policy overrides user preferences and prevents the user from changing the setting, while a recommended policy provides a default setting that the user may override. Most policies are mandatory only; a subset are mandatory and recommended. If both versions of a policy are set, the mandatory setting takes precedence. A recommended policy only takes effect when the user has not modified the setting.
Tip
You can use Microsoft Intune to configure Microsoft Edge policy settings. For more information, see Configure Microsoft Edge using Microsoft Intune.
There are two administrative templates for Microsoft Edge, both of which can be applied either at the computer or Active Directory domain level:
- msedge.admx to configure Microsoft Edge settings
- msedgeupdate.admx to manage Microsoft Edge updates.
To get started, download and install the Microsoft Edge administrative template.
1. Download and install the Microsoft Edge administrative template
If you want to configure Microsoft Edge policy settings in Active Directory, download the files to a network location you can access from a domain controller or a workstation with the Remote Server Administration Tools (RSAT) installed. To configure on an individual computer, simply download the files to that computer.
When you add the administrative template files to the appropriate location, Microsoft Edge policy settings are immediately available in the Group Policy Editor.
Go to the Microsoft Edge Enterprise landing page to download the Microsoft Edge policy templates file (MicrosoftEdgePolicyTemplates.cab) and extract the contents.
Add the administrative template to Active Directory
On a domain controller or workstation with RSAT, browse to the PolicyDefinition folder (also known as the Central Store) on any domain controller for your domain. For older versions of Windows Server, you may need to create the PolicyDefinition folder. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.
Open MicrosoftEdgePolicyTemplates and go to windows > admx.
Copy the msedge.admx file to the PolicyDefinition folder. (Example: %systemroot%\sysvol\domain\policies\PolicyDefinitions)
In the admx folder, open the appropriate language folder. For example, if you're in the U.S., open the en-US folder.
Copy the msedge.adml file to the matching language folder in the PolicyDefinition folder. Create the folder if it does not already exist. (Example: %systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US)
If your domain has more than one domain controller, the new ADMX files will be replicated to them at the next domain replication interval.
To confirm the files loaded correctly, open the Group Policy Management Editor from Windows Administrative Tools and expand Computer Configuration > Policies > Administrative Templates > Microsoft Edge. You should see one or more Microsoft Edge nodes.
Add the administrative template to an individual computer
- On the target computer, open MicrosoftEdgePolicyTemplates and go to windows > admx.
- Copy the msedge.admx file to your Policy Definition template folder. (Example: C:\Windows\PolicyDefinitions)
- In the admx folder, open the appropriate language folder. For example, if you're in the U.S., open the en-US folder.
- Copy the msedge.adml file to the matching language folder in your Policy Definition folder. (Example: C:\Windows\PolicyDefinitions\en-US)
- To confirm the files loaded correctly either open Local Group Policy Editor directly (Windows key + R and enter gpedit.msc) or open MMC and load the Local Group Policy Editor snap-in. If an error occurs, it's usually because the files are in an incorrect location.
2. Set mandatory or recommended policies
You can set mandatory or recommended policies to configure Microsoft Edge with the Group Policy Editor for both Active Directory and individual computers. You can scope policy settings to either the Computer Configuration or User Configuration by selecting the appropriate node as described below.
To configure a mandatory policy, open the Group Policy Editor and go to (Computer Configuration or User Configuration) > Policies > Administrative Templates > Microsoft Edge.
To configure a recommended policy, open the Group Policy Editor and go to (Computer Configuration or User Configuration) > Policies > Administrative Templates > Microsoft Edge – Default Settings (users can override).
3. Test your policies
On a target client device, open Microsoft Edge and navigate to edge://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately. You may need to close and reopen Microsoft Edge if it was open while you were configuring policy settings.
For Active Directory group policy settings, policy settings are propagated to domain computers at a regular interval defined by your domain administrator, and target computers may not receive policy updates right away. To manually refresh Active Directory group policy settings on a target computer, execute the following command from a command prompt or PowerShell session on the target computer:
You may need to close and reopen Microsoft Edge before the new policies appear.
You can also use REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located at the registry path HKLM\SOFTWARE\Policies\Microsoft\Edge.
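To run the same check from a script, the following added example (not part of the original documentation) reads the policy values from the registry and reports whether each is mandatory or recommended, flagging recommended values that a mandatory setting overrides. The `Recommended` subkey, the HKCU hive for User Configuration policies, and the `-Refresh` switch that runs `gpupdate /force` are assumptions of this example; the page itself names only the HKLM path.

```powershell
# Added example: report Microsoft Edge (version 77+) policies found in the registry.
# Assumptions not stated on the page: recommended policies sit in a "Recommended"
# subkey, and User Configuration policies land under HKCU.
param(
    [switch]$Refresh   # pull Active Directory policy now instead of waiting
)

$PolicySubPath = 'SOFTWARE\Policies\Microsoft\Edge'

function Get-PolicyValues {
    # Return the named values directly under a key as a hashtable (empty if absent).
    # List-valued policies are stored in subkeys and are not read here.
    param([string]$Path)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            if ($name) { $values[$name] = $key.GetValue($name) }
        }
    }
    return $values
}

function Get-EdgePolicyReport {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base        = "${hive}\$PolicySubPath"
        $mandatory   = Get-PolicyValues -Path $base
        $recommended = Get-PolicyValues -Path "$base\Recommended"
        $names = @($mandatory.Keys) + @($recommended.Keys) | Sort-Object -Unique

        foreach ($name in $names) {
            $isMandatory = $mandatory.ContainsKey($name)
            [pscustomobject]@{
                Hive     = $hive
                Policy   = $name
                # If both versions are set, the mandatory setting takes precedence.
                Level    = if ($isMandatory) { 'Mandatory' } else { 'Recommended' }
                Value    = if ($isMandatory) { $mandatory[$name] } else { $recommended[$name] }
                # True when a recommended value exists but is overridden.
                Shadowed = $isMandatory -and $recommended.ContainsKey($name)
            }
        }
    }
}

if ($Refresh) { gpupdate.exe /force | Out-Null }

Get-EdgePolicyReport | Format-Table -AutoSize
```

Compare the output with edge://policy on the same device; a policy that appears in the registry but not in the browser usually means Microsoft Edge has not been restarted since the policy was applied.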
Note
You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the Microsoft Edge documentation landing page.
Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes.
Microsoft Edge runs in 64-bit not just by default, but anytime it's running on a 64-bit operating system. Because Microsoft Edge doesn't support legacy ActiveX controls or 3rd-party binary extensions, there's no longer a reason to run 32-bit processes on a 64-bit system.
The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components.
For more details on the security features in Microsoft Edge, see Help protect against web-based security threats below.
You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge
Configure cookies
Supported versions: Microsoft Edge on Windows 10
Default setting: Disabled or not configured (Allow all cookies from all sites)
Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft Edge to block only 3rd-party cookies or block all cookies.
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Enabled | 0 | 0 | Block all cookies from all sites. | |
Enabled | 1 | 1 | Block only cookies from third party websites. | |
Disabled or not configured (default) | 2 | 2 | Allow all cookies from all sites. | |
ADMX info and settings
ADMX info
- GP English name: Configure cookies
- GP name: Cookies
- GP element: CookiesListBox
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/AllowCookies
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
- Data type: Integer
Registry settings
- Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
- Value name: Cookies
- Value type: REG_DWORD
Configure Password Manager
Supported versions: Microsoft Edge on Windows 10
Default setting: Enabled (Allowed/users can change the setting)
By default, Microsoft Edge uses Password Manager automatically, allowing users to manage passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don't configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | |
Disabled | 0 | no | Not allowed. | |
Enabled (default) | 1 | yes | Allowed. | |
Verify not allowed/disabled settings:
- Click or tap More (…) and select Settings > View Advanced settings.
- Verify the setting Save Password is toggled off or on and is greyed out.
ADMX info and settings
ADMX info
- GP English name: Configure Password Manager
- GP name: AllowPasswordManager
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/AllowPasswordManager
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
- Data type: Integer
Registry settings
- Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
- Value name: FormSuggest Passwords
- Value type: REG_SZ
Configure Windows Defender SmartScreen
Supported versions: Microsoft Edge on Windows 10
Default setting: Enabled (Turned on)
Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevents users from turning it off. Don't configure this policy to let users choose to turn Windows Defender SmartScreen on or off.
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | |
Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | |
To verify Windows Defender SmartScreen is turned off (disabled):
- Click or tap More (…) and select Settings > View Advanced settings.
- Verify the setting Help protect me from malicious sites and downloads with Windows Defender SmartScreen is disabled.
ADMX info and settings
ADMX info
- GP English name: Configure Windows Defender SmartScreen
- GP name: AllowSmartScreen
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/AllowSmartScreen
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- Data type: Integer
Registry settings
- Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
- Value name: EnabledV9
- Value type: REG_DWORD
Prevent bypassing Windows Defender SmartScreen prompts for files
Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/turned off)
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading the unverified file(s).
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Disabled or not configured (default) | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
Enabled | 1 | 1 | Prevented/turned on. | |
ADMX info and settings
ADMX info
- GP English name: Prevent bypassing Windows Defender SmartScreen prompts for files
- GP name: PreventSmartScreenPromptOverrideForFiles
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/PreventSmartScreenPromptOverrideForFiles
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- Data type: Integer
Registry settings
- Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
- Value name: PreventOverrideAppRepUnknown
- Value type: REG_DWORD
Prevent bypassing Windows Defender SmartScreen prompts for sites
Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/turned off)
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Disabled or not configured (default) | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | |
Enabled | 1 | 1 | Prevented/turned on. | |
ADMX info and settings
ADMX info
- GP English name: Prevent bypassing Windows Defender SmartScreen prompts for sites
- GP name: PreventSmartscreenPromptOverride
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/PreventSmartscreenPromptOverride
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- Data type: Integer
Registry settings
- Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
- Value name: PreventOverride
- Value type: REG_DWORD
Prevent certificate error overrides
Supported versions: Microsoft Edge on Windows 10, version 1809
Default setting: Disabled or not configured (Allowed/turned off)
Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Disabled or not configured (default) | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | |
Enabled | 1 | 1 | Prevented/turned on. | |
ADMX info and settings
ADMX info
- GP English name: Prevent certificate error overrides
- GP name: PreventCertErrorOverrides
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/PreventCertErrorOverrides
- Supported devices: Desktop and Mobile
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides
- Data type: Integer
Registry settings
- Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting
- Value name: PreventCertErrorOverrides
- Value type: REG_DWORD
Prevent using Localhost IP address for WebRTC
Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/show localhost IP addresses)
By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
Supported values
Group Policy | MDM | Registry | Description | Most restricted |
---|---|---|---|---|
Disabled or not configured (default) | 0 | 0 | Allowed. Show localhost IP addresses. | |
Enabled | 1 | 1 | Prevented. | |
ADMX info and settings
ADMX info
- GP English name: Prevent using Localhost IP address for WebRTC
- GP name: HideLocalHostIPAddress
- GP path: Windows Components/Microsoft Edge
- GP ADMX file name: MicrosoftEdge.admx
MDM settings
- MDM name: Browser/PreventUsingLocalHostIPAddressForWebRTC
- Supported devices: Desktop
- URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- Data type: Integer
Registry settings
- Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
- Value name: HideLocalHostIPAddress
- Value type: REG_DWORD
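The seven registry-backed settings documented above can be audited together. This added example (not Microsoft's code) compares each value and its registry type against the restrictive setting from the corresponding Supported values table; treating those values as the target baseline, and the function name `Test-LegacyEdgePolicy`, are assumptions of this example.

```powershell
# Added example: audit the legacy Microsoft Edge security policies listed on this
# page. Paths, value names and types are the ones documented above; the "Want"
# column is this example's choice of the restrictive value for each policy.
$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge'

$Baseline = @(
    @{ Policy = 'Cookies';                                  SubKey = 'Main';             Name = 'Cookies';                      Kind = 'DWord';  Want = 0 }
    @{ Policy = 'AllowPasswordManager';                     SubKey = 'Main';             Name = 'FormSuggest Passwords';        Kind = 'String'; Want = 'no' }
    @{ Policy = 'AllowSmartScreen';                         SubKey = 'PhishingFilter';   Name = 'EnabledV9';                    Kind = 'DWord';  Want = 1 }
    @{ Policy = 'PreventSmartScreenPromptOverrideForFiles'; SubKey = 'PhishingFilter';   Name = 'PreventOverrideAppRepUnknown'; Kind = 'DWord';  Want = 1 }
    @{ Policy = 'PreventSmartscreenPromptOverride';         SubKey = 'PhishingFilter';   Name = 'PreventOverride';              Kind = 'DWord';  Want = 1 }
    @{ Policy = 'PreventCertErrorOverrides';                SubKey = 'Internet Setting'; Name = 'PreventCertErrorOverrides';    Kind = 'DWord';  Want = 1 }
    @{ Policy = 'HideLocalHostIPAddress';                   SubKey = 'Main';             Name = 'HideLocalHostIPAddress';       Kind = 'DWord';  Want = 1 }
)

function Test-LegacyEdgePolicy {
    param([hashtable]$Rule)

    $result = [ordered]@{
        Policy   = $Rule.Policy
        Expected = $Rule.Want
        Actual   = $null
        Status   = 'NotConfigured'   # value absent: the documented default applies
    }

    $path = Join-Path $Root $Rule.SubKey
    if (Test-Path -LiteralPath $path) {
        $key = Get-Item -LiteralPath $path
        if ($key.GetValueNames() -contains $Rule.Name) {
            $result.Actual = $key.GetValue($Rule.Name)
            $kind = $key.GetValueKind($Rule.Name)

            if ("$kind" -ne $Rule.Kind) {
                # For example, a REG_SZ "1" written where REG_DWORD is documented.
                $result.Status = "WrongType($kind)"
            }
            elseif ("$($result.Actual)" -eq "$($Rule.Want)") {
                $result.Status = 'Compliant'
            }
            else {
                $result.Status = 'Weaker'
            }
        }
    }
    [pscustomobject]$result
}

$Baseline | ForEach-Object { Test-LegacyEdgePolicy -Rule $_ } | Format-Table -AutoSize
```

A `NotConfigured` row is not a pass: for the prompt-override, certificate-error and WebRTC policies the documented default is the permissive setting.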
Help protect against web-based security threats
While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system's resources. You can help protect against these threats by using strong security protocols.
Thieves use things like phishing attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference.
Another method thieves often use is hacking: attacking a system through malformed content that exploits subtle flaws in the browser or in various browser extensions. Such an exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device.
Microsoft Edge addresses these threats to help make browsing the web a safer experience.
Feature | Description |
---|---|
Windows Hello | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the Web Authentication (formerly FIDO 2.0 Web API) specification. |
Microsoft SmartScreen | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. |
Certificate Reputation system | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include |
Microsoft EdgeHTML and modern web standards | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features: NOTE: Both Microsoft Edge and Internet Explorer 11 support HSTS. |
Code integrity and image loading restrictions | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only properly signed images are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. |
Memory corruption mitigations | Memory corruption attacks frequently happen to apps written in C or C++, which don't provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program's memory becomes corrupted, allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we've responded with memory safety defenses, mitigating the most common forms of attack, including and especially use-after-free (UAF) vulnerabilities. |
Memory Garbage Collector (MemGC) mitigation | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC takes the job of freeing memory away from the programmer and automates it, freeing memory only when the automation detects no references left pointing to a given block of memory. |
Control Flow Guard | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only, which makes attacker take-overs much more difficult by constraining where an attack can jump. |
All web content runs in an app container sandbox | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn't support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. |
Extension model and HTML5 support | Microsoft Edge does not support binary extensions because they can bring code and data into the browser's processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the Microsoft Edge Developer Center. |
Reduced attack surfaces | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and document modes. Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced the attack surface, making the browser more secure. It also means that it's not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fallback happens when you use the Enterprise Mode Site List. |