View the Microsoft Edge web browser baseline settings that are supported by Microsoft Intune. The Microsoft Edge baseline defaults represent the recommended configuration for Microsoft Edge browsers, and might not match baseline defaults for other security baselines.
Note
The Microsoft Edge baseline for October 2019 is in Public Preview.
To update a security baseline profile to the latest version of that baseline, see Change the baseline version for a profile.
Microsoft Edge baseline for April 2020 (Edge version 80)
Microsoft Edge baseline for September 2020 (Edge version 85)
This version of the security baseline replaces previous versions. Profiles that were created prior to the availability of this baseline version:
- Are now read-only. You can continue to use those profiles, but can't edit them to change their configuration.
- Can be updated to the latest version. After updating to the current baseline version, you can edit the profile to modify settings.
To understand what's changed with this version of the baseline from previous versions, use the Compare baselines action that's available when viewing the Versions pane for this baseline. Be sure to select the version of the baseline that you want to view.
To update a security baseline profile to the latest version of that baseline, see Change the baseline version for a profile.
Supported authentication schemes
Use this setting to change the default behavior of Edge as to the HTTP authentication schemes that Edge can use. Edge supports and can use the following schemes: basic, digest, ntlm, and negotiate.
- Enabled (default) - When set to Enabled, you can then configure the following setting where you specify which of the four HTTP authentication schemes Edge can use.
- Disabled
- Not configured - When set to Not configured, Edge will support all four schemes.
Supported authentication schemes - To access this setting, the previous instance of Supported authentication schemes must be set to Enabled.
Select one or more HTTP authentication schemes for use by Edge. By default, two are already selected:
- Basic
- Digest
- NTLM (Selected by default)
- Negotiate (Selected by default)
For more information, see AuthSchemes in the Microsoft Edge policies documentation, and Understanding HTTP authentication in the .NET Framework documentation.
Default Adobe Flash setting
CSP: Browser/AllowFlash, and Browser/AllowFlashClickToRun
Enable access to the following setting where you can configure behavior for running the Adobe Flash plug-in.
- Enabled (default)
- Disabled
- Not configured
When set to Enabled you can configure the following setting.
Default Adobe Flash setting
- Block the Adobe Flash plugin (default) - Block Adobe Flash on all sites
- Click to play - Adobe Flash runs, but the user must select the option to start it.
Control which extensions cannot be installed
Enable use of a list that specifies extensions that users can't install in Microsoft Edge. When the list is in use, any extensions on the list that were previously installed are disabled, and the user can't enable them. If you remove an item from the list of blocked extensions, that extension is automatically re-enabled anywhere it was previously installed.
- Enabled (default) - Enable use of the list to block extensions.
- Disabled
- Not configured - Users can install any extension in Microsoft Edge.
When set to Enabled, you can configure the following setting that defines the list of extensions to block.
Extension IDs the user should be prevented from installing (or * for all)
Select Add and specify additional extensions. * is selected by default.
Allow user-level native messaging hosts (installed without admin permissions)
Enables user-level installation of native messaging hosts.
- Enabled
- Disabled (default) - Microsoft Edge uses only native messaging hosts installed on the system level.
- Not configured - By default, Microsoft Edge allows use of user-level native messaging hosts.
Enable saving passwords to the password manager
Microsoft Edge CSP: Browser/AllowPasswordManager
Enable Microsoft Edge to save user passwords.
- Enabled - Users can save their passwords in Microsoft Edge. The next time they visit the site, Microsoft Edge will enter the password automatically. Users can't change or override this policy in Microsoft Edge.
- Disabled (default) - Users can't save new passwords, but can continue to use previously saved passwords. Users can't change or override this policy in Microsoft Edge.
- Not configured - Users can save passwords, and turn off this feature.
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
CSP: Browser/PreventSmartScreenPromptOverride
Decide whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites.
- Enabled (default) - Users can't ignore Microsoft Defender SmartScreen warnings and they're blocked from continuing to the site.
- Disabled - Users can ignore Microsoft Defender SmartScreen warnings and continue to the site.
- Not configured - Users can ignore Microsoft Defender SmartScreen warnings and continue to the site.
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
CSP: Browser/PreventSmartScreenPromptOverrideForFiles
Determine whether users can override Microsoft Defender SmartScreen warnings about unverified downloads.
- Enabled (default) - Users can't ignore Microsoft Defender SmartScreen warnings, and they're prevented from completing the unverified downloads.
- Disabled - Users can ignore Microsoft Defender SmartScreen warnings and complete unverified downloads.
- Not configured - Users can ignore Microsoft Defender SmartScreen warnings and complete unverified downloads.
Enable site isolation for every site
Configure site isolation to prevent users from opting out of the default behavior of isolating all sites.
- Enabled (default) - Users can't opt out of the default behavior where each site runs in its own process.
- Disabled - Users can opt out of site isolation. Site isolation is not turned off.
- Not configured - Users can opt out of site isolation. Site isolation is not turned off.
Microsoft Edge also supports IsolateOrigins policy that can isolate additional, finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
Configure Microsoft Defender SmartScreen
CSP: Browser/AllowSmartScreen
Microsoft Defender SmartScreen provides warning messages to help protect users from potential phishing scams and malicious software. By default, Microsoft Defender SmartScreen is turned on.
- Enabled (default) - Microsoft Defender SmartScreen is turned on and users can't turn it off.
- Disabled - Microsoft Defender SmartScreen is turned off and users can't turn it on.
- Not configured - Users can choose whether to use Microsoft Defender SmartScreen.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10 Pro or Enterprise instances that are enrolled for device management.
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Configure Microsoft Defender SmartScreen behavior for blocking potentially unwanted apps. Microsoft Defender SmartScreen can provide warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. Potentially unwanted app blocking in Microsoft Defender SmartScreen is turned off by default.
- Enabled (default) - Potentially unwanted apps are blocked.
- Disabled - Potentially unwanted apps are not blocked.
- Not configured - Users can choose whether to use potentially unwanted app blocking in Microsoft Defender SmartScreen.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10 Pro or Enterprise instances that are enrolled for device management.
Allow users to proceed from the SSL warning page
CSP: Browser/PreventCertErrorOverrides
Microsoft Edge shows a warning page when users visit sites that have SSL errors.
- Enabled - Users can click through the warning pages.
- Disabled (default) - Users are blocked from clicking through any warning page.
- Not configured - Users can click through these warning pages.
Minimum SSL version enabled
Enable the option to set a minimum supported version of SSL.
- Enabled (default) - Enable access to the next setting where you specify the minimum version of TLS to use.
- Disabled
- Not configured - Microsoft Edge uses a default minimum version of TLS 1.0.
When set to Enabled, you can configure TLS by using the following setting.
- Minimum SSL version enabled - Set the minimum version of TLS to use. Microsoft Edge won't use any version of SSL/TLS that's lower than the specified version.
- TLS 1.0
- TLS 1.1
- TLS 1.2 (default)
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Default: Enabled
Microsoft Edge CSP: Browser/PreventSmartScreenPromptOverride
This policy setting lets you decide whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites.
- If you enable this setting, users can't ignore Microsoft Defender SmartScreen warnings and they're blocked from continuing to the site.
- If you disable or don't configure this setting, users can ignore Microsoft Defender SmartScreen warnings and continue to the site.
Minimum SSL version enabled
Default: Enabled
Set a minimum supported version of SSL. If you set this policy to Not Configured, Microsoft Edge uses a default minimum version of TLS 1.0. When set to Enabled, you can select a minimum version from the following values:
TLS 1.0
TLS 1.1
TLS 1.2
Minimum SSL version enabled
Default: TLS 1.2
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Default: Enabled
Microsoft Edge CSP: Browser/PreventSmartScreenPromptOverrideForFiles
This policy lets you determine whether users can override Microsoft Defender SmartScreen warnings about unverified downloads.
- If you enable this policy, users in your organization can't ignore Microsoft Defender SmartScreen warnings, and they're prevented from completing the unverified downloads.
- If you disable or don't configure this policy, users can ignore Microsoft Defender SmartScreen warnings and complete unverified downloads.
Allow users to proceed from the SSL warning page
Default: Disabled
Microsoft Edge CSP: Browser/PreventCertErrorOverrides
Microsoft Edge shows a warning page when users visit sites that have SSL errors. If you set this policy to Enabled or Not Configured, users can click through these warning pages. When this policy is Disabled, users are blocked from clicking through any warning page.
Default Adobe Flash setting
Default: Enabled
Microsoft Edge CSP: Browser/AllowFlash, and Browser/AllowFlashClickToRun
Determines whether websites that aren't covered by 'PluginsAllowedForUrls' or 'PluginsBlockedForUrls' can automatically run the Adobe Flash plug-in.
- Select 'BlockPlugins' to block Adobe Flash on all sites
- Select 'ClickToPlay' to let Adobe Flash run but require the user to click the placeholder to start it.
In any case, the 'PluginsAllowedForUrls' and 'PluginsBlockedForUrls' policies take precedence over 'DefaultPluginsSetting'. Automatic playback is only allowed for domains explicitly listed in the 'PluginsAllowedForUrls' policy. If you want to enable automatic playback for all sites, consider adding http://* and https://* to this list.
If you set this policy to Not Configured, the user can change this setting manually. The policy values are:
- 2 = Block the Adobe Flash plug-in
- 3 = Click to play
The former '1' option set allow-all, but this functionality is now only handled by the 'PluginsAllowedForUrls' policy. Existing policies using '1' will operate in Click-to-play mode.
Default Adobe Flash setting
Default: Block the Adobe Flash plugin
Enable site isolation for every site
Default: Enabled
The 'SitePerProcess' policy can be used to prevent users from opting out of the default behavior of isolating all sites. You can also use the IsolateOrigins policy to isolate additional, finer-grained origins.
- When this policy is set to Enabled, users can't opt out of the default behavior where each site runs in its own process.
- If you use Disabled or Not Configured, a user can opt out of site isolation. (For example, by using 'Disable site isolation' entry in edge://flags.) Disabling the policy or not configuring the policy doesn't turn off Site Isolation.
Enable saving passwords to the password manager
Default: Disabled
Microsoft Edge CSP: Browser/AllowPasswordManager
Enable Microsoft Edge to save user passwords.
- If you enable this policy, users can save their passwords in Microsoft Edge. The next time they visit the site, Microsoft Edge will enter the password automatically.
- If you disable this policy, users can't save new passwords, but they can still use previously saved passwords.
When you set this policy to either Enabled or Disabled, users can't change or override this policy in Microsoft Edge.
If you set this to Not Configured, users can save passwords, as well as turn off this feature.
Control which extensions cannot be installed
Default: Enabled
List the specific extensions that users can't install in Microsoft Edge. When you deploy this policy, any extensions on this list that were previously installed are disabled, and the user won't be able to enable them. If you remove an item from the list of blocked extensions, that extension is automatically re-enabled anywhere it was previously installed.
Use * to block all extensions that aren't explicitly listed in the allow list. If this policy is set to Not Configured, users can install any extension in Microsoft Edge.
Example value: extension_id1 extension_id2.
- Extension IDs the user should be prevented from installing (or * for all)
Select Add and specify additional extensions. * is selected by default.
Configure Microsoft Defender SmartScreen
Default: Enabled
Microsoft Edge CSP: Browser/AllowSmartScreen
This policy setting lets you configure whether to turn on Microsoft Defender SmartScreen. Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software.
- By default, Microsoft Defender SmartScreen is turned on. If you enable this setting, Microsoft Defender SmartScreen is turned on and users can't turn it off.
- If you disable this setting, Microsoft Defender SmartScreen is turned off and users can't turn it on.
- When set to Not Configured, users can choose whether to use Microsoft Defender SmartScreen.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or on Windows 10 Pro or Enterprise instances that are enrolled for device management.
Allow user-level native messaging hosts (installed without admin permissions)
Default: Disabled
Enables user-level installation of native messaging hosts.
- If you disable this policy, Microsoft Edge will only use native messaging hosts installed on the system level. By default, if you don't configure this policy, Microsoft Edge will allow usage of user-level native messaging hosts.
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)
Default: Disabled
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
By default, Microsoft Edge forbids certificates signed using SHA-1 as allowing SHA-1 chains is not a secure configuration. This policy depends on the operating system (OS) certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy might no longer have effect. Further, this policy is intended as a temporary workaround to give Enterprises more time to move away from SHA-1.
This policy is only available on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances enrolled for device management.
This policy will be removed in Microsoft Edge 92 releasing in mid-2021.
- Enabled - Microsoft Edge allows connections secured by SHA-1 signed certificates so long as the certificate chains to a locally installed root certificate and is otherwise valid.
- Disabled (default) - When set to Disabled, or when the SHA-1 certificate chains to a publicly trusted certificate root, Microsoft Edge won't allow certificates signed by SHA-1.
- Not configured - Same behavior as Disabled.
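The baseline settings above are delivered to the device as Edge policy registry values. The following PowerShell script is an added example, not code from this page or from Microsoft; it reads the policy key that Intune and Group Policy populate (HKLM:\SOFTWARE\Policies\Microsoft\Edge) and reports, per setting, whether the device matches the baseline defaults listed on this page, is drifting, or has the policy not configured. Policy value names the page does not spell out (for example SSLVersionMin and SmartScreenPuaEnabled) are taken from the Microsoft Edge policy reference, not from this page.

```powershell
# Added example (not from the Edge baseline page). Audits the local device's Edge
# policy values against the baseline defaults the page lists.
# Intune/GPO-delivered Edge policies land under this key; assumed, per the Edge policy reference.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Expected baseline values: REG_DWORD 1/0 = Enabled/Disabled; strings compare case-insensitively.
$Baseline = @(
    @{ Name = 'AuthSchemes';                              Expected = 'ntlm,negotiate'; Setting = 'Supported authentication schemes' },
    @{ Name = 'DefaultPluginsSetting';                    Expected = 2;                Setting = 'Default Adobe Flash setting (2 = block)' },
    @{ Name = 'NativeMessagingUserLevelHosts';            Expected = 0;                Setting = 'Allow user-level native messaging hosts' },
    @{ Name = 'PasswordManagerEnabled';                   Expected = 0;                Setting = 'Enable saving passwords to the password manager' },
    @{ Name = 'PreventSmartScreenPromptOverride';         Expected = 1;                Setting = 'Prevent bypassing SmartScreen prompts for sites' },
    @{ Name = 'PreventSmartScreenPromptOverrideForFiles'; Expected = 1;                Setting = 'Prevent bypassing SmartScreen download warnings' },
    @{ Name = 'SitePerProcess';                           Expected = 1;                Setting = 'Enable site isolation for every site' },
    @{ Name = 'SmartScreenEnabled';                       Expected = 1;                Setting = 'Configure Microsoft Defender SmartScreen' },
    @{ Name = 'SmartScreenPuaEnabled';                    Expected = 1;                Setting = 'SmartScreen blocks potentially unwanted apps' },
    @{ Name = 'SSLErrorOverrideAllowed';                  Expected = 0;                Setting = 'Allow users to proceed from the SSL warning page' },
    @{ Name = 'SSLVersionMin';                            Expected = 'tls1.2';         Setting = 'Minimum SSL version enabled' },
    @{ Name = 'EnableSha1ForLocalAnchors';                Expected = 0;                Setting = 'Allow SHA-1 certs from local trust anchors (deprecated)' }
)

function Compare-PolicyValue {
    param($Name, $Actual, $Expected)
    # A missing value means the policy is Not configured, so the page's "Not configured" behavior applies.
    if ($null -eq $Actual) { return 'NotConfigured' }
    if ($Name -eq 'AuthSchemes') {
        # AuthSchemes is a comma-separated list; order and case are not significant.
        $a = ($Actual -split ',')   | ForEach-Object { $_.Trim().ToLower() } | Sort-Object
        $e = ($Expected -split ',') | ForEach-Object { $_.Trim().ToLower() } | Sort-Object
        if (($a -join ',') -eq ($e -join ',')) { return 'Compliant' } else { return 'Drift' }
    }
    if ("$Actual" -ieq "$Expected") { return 'Compliant' } else { return 'Drift' }
}

function Test-EdgeBaseline {
    param([string]$Key = $EdgePolicyKey)
    $props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($item in $Baseline) {
        $prop   = if ($props) { $props.PSObject.Properties[$item.Name] } else { $null }
        $actual = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting  = $item.Setting
            Policy   = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = Compare-PolicyValue -Name $item.Name -Actual $actual -Expected $item.Expected
        }
    }
    # ExtensionInstallBlocklist is a list policy: one REG_SZ per entry under a subkey; '*' blocks all.
    $blockKey = Join-Path $Key 'ExtensionInstallBlocklist'
    $entries = @()
    if (Test-Path $blockKey) {
        $regKey  = Get-Item $blockKey
        $entries = @($regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) })
    }
    [pscustomobject]@{
        Setting  = 'Control which extensions cannot be installed'
        Policy   = 'ExtensionInstallBlocklist'
        Expected = '*'
        Actual   = ($entries -join ',')
        Status   = if ($entries -contains '*') { 'Compliant' }
                   elseif ($entries.Count -eq 0) { 'NotConfigured' } else { 'Drift' }
    }
}

Test-EdgeBaseline | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a managed device after the profile has applied; any row reporting Drift or NotConfigured is a setting whose effective behavior is the one the page describes for that state, not the baseline default.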
Next steps
Important
Web content filtering is currently in public preview
This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Microsoft Defender for Endpoint preview features.
Web content filtering is part of Web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section.
Summarizing the benefits:
- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
- Conveniently deploy policies to groups of users using device groups defined in Microsoft Defender for Endpoint role-based access control settings
- Access web reports in the same central location, with visibility over actual blocks and web usage
User experience
The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
For a more user-friendly in-browser experience, consider using Microsoft Edge.
Prerequisites
Before trying out this feature, make sure you have the following requirements:
- Windows 10 Enterprise E5, Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 E3 + Microsoft 365 E5 Security add-on or the Microsoft Defender for Endpoint standalone license.
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires enabling Network Protection on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled.
Data handling
We will follow whichever region you have elected to use as part of your Microsoft Defender for Endpoint data handling settings. Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers.
Turn on web content filtering
From the left-hand navigation menu, select Settings > General > Advanced Features. Scroll down until you see the entry for Web content filtering. Switch the toggle to On and Save preferences.
Configure web content filtering policies
Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to Settings > Rules > Web content filtering.
Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups.
Create a policy
To add a new policy:
- Select Add policy on the Web content filtering page in Settings.
- Specify a name.
- Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
- Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
- Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices.
Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
Note
If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
Important
Blocking the 'Uncategorized' category may lead to unexpected and undesired results.
Allow specific websites
It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
- Create a custom indicator in the Microsoft Defender Security Center by going to Settings > Indicators > URL/Domain > Add Item
- Enter the domain of the site
- Set the policy action to Allow.
Reporting inaccuracies
If you encounter a domain that has been incorrectly categorized, you can report inaccuracies directly to us from the Web Content Filtering reports page. This feature is available only in the new Microsoft 365 security center (security.microsoft.com).
To report an inaccuracy, navigate to Reports > Web protection > Web Content Filtering Details > Domains. On the domains tab of our Web Content Filtering reports, you will see an ellipsis beside each of the domains. Hover over this ellipsis and select Report Inaccuracy.
A panel will open where you can select the priority and add additional details such as the suggested category for re-categorization. Once you complete the form, select Submit. Our team will review the request within one business day. For immediate unblocking, create a custom allow indicator.
Web content filtering cards and details
Select Reports > Web protection to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
Web activity by category
This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
In the first 30 days of using this feature, your organization might not have enough data to display this information.
Web content filtering summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
Web activity summary card
This card displays the total number of requests for web content in all URLs.
View card details
You can access the Report details for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups.
Web categories: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
Domains: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
Device groups: Lists all the device groups that have generated web activity in your organization
Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
Errors and issues
Limitations and known issues in this preview
Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection, which is responsible for securing traffic across supported 3rd party browsers, is only supported in Inspect mode on Server devices.
Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
Web Content Filtering reports are currently limited to showing the top 5000 records. For example, the ‘Domains’ report will only show a maximum of the top 5000 domains for a given filter query, if applicable.