This chapter covers the administration of Microsoft Edge for Enterprise, focusing on how to deploy, configure, and manage the browser in a Microsoft 365 environment. For the MS-102 exam, this topic falls under Domain 2.4 (Manage Microsoft Edge for Enterprise) and typically appears in 5-10% of exam questions. Understanding Edge's enterprise features, including group policies, security baselines, and integration with Microsoft Intune and Azure AD, is critical for the exam and for real-world administration.
Imagine a large corporation with thousands of delivery vehicles (browsers) used by employees. The fleet manager (IT admin) needs every vehicle to follow specific routes (security policies), carry only approved cargo (enterprise data protection), and avoid dangerous areas (malicious sites). The manager installs a central telematics system (Microsoft Intune/Mobile Device Management) that can remotely configure each vehicle's GPS (Group Policy settings), enforce speed limits (password policies), block certain roads (URL filtering), and even lock the vehicle if it enters a restricted zone (conditional access). Each vehicle also has a standard toolkit (built-in security features like SmartScreen and Windows Defender Application Guard) that the manager can enable or disable. If a vehicle is stolen (device compromised), the manager can remotely wipe its cargo (enterprise data wipe). The fleet manager's job is to ensure all vehicles operate consistently and safely, regardless of who drives them, without requiring the driver to manually adjust settings. This mirrors how Microsoft Edge for Enterprise allows administrators to centrally manage browser configurations, security, and compliance across the organization from the cloud or on-premises tools, ensuring a secure and uniform browsing experience.
What is Microsoft Edge for Enterprise Administration?
Microsoft Edge for Enterprise is the Chromium-based browser that provides organizations with a secure, manageable, and productivity-focused browsing experience. Administration involves deploying the browser, configuring policies via Group Policy Objects (GPOs), Microsoft Intune, or the Microsoft Edge management service, and leveraging built-in security features such as Microsoft Defender SmartScreen, Microsoft Defender Application Guard (formerly Windows Defender Application Guard, WDAG), and Azure AD (now Microsoft Entra ID) Conditional Access. The goal is to ensure consistent security and compliance across all managed devices.
Why It Exists
Before Edge, many enterprises struggled with managing multiple browsers (Internet Explorer, legacy Edge, Chrome, Firefox) with different policy engines and security profiles. Microsoft Edge for Enterprise unifies management through a single policy engine that supports cloud-based and on-premises tools. It also integrates deeply with Microsoft 365 security features, reducing the attack surface and enabling modern authentication.
How It Works Internally
Microsoft Edge reads policy from several sources and, when the same policy is set in more than one of them, applies a fixed precedence. By default, from highest to lowest: - Machine platform policy: Group Policy or Intune MDM; both end up as values under HKLM\Software\Policies\Microsoft\Edge - Machine cloud policy - User platform policy: values under HKCU\Software\Policies\Microsoft\Edge - User cloud policy: for example, Edge management service policies, which follow the work account signed in to the browser
Two switches change this order. CloudPolicyOverridesPlatformPolicy (itself set as a platform policy) lets cloud policy win over platform policy, and the Windows MDM setting ControlPolicyConflict/MDMWinsOverGP decides whether Intune or Group Policy wins when both write the same ADMX-backed value (Group Policy wins by default).
Edge loads policy at startup and re-reads platform policy when the registry keys change, so the lag you observe belongs to the management channel, not to the browser: Group Policy refreshes every 90 minutes plus a random offset of up to 30 minutes (gpupdate /force skips the wait), and an Intune-enrolled Windows device checks in about every 8 hours once the frequent post-enrollment check-ins are over (a sync can be pushed from the admin center or started from Settings > Accounts > Access work or school). Cloud policy for a signed-in account is refreshed on its own timer; the Reload policies button on edge://policy forces a re-read of every source. Policies are stored in the registry under:
- HKLM\Software\Policies\Microsoft\Edge (machine-wide)
- HKCU\Software\Policies\Microsoft\Edge (user-specific)
Each policy has a unique name (e.g., SmartScreenEnabled). Boolean and enumeration policies are REG_DWORD values (0 = disabled, 1 = enabled, or the documented integer for each option); list policies such as URLBlocklist are a subkey named after the policy holding REG_SZ values named 1, 2, 3, and so on; dictionary policies such as ProxySettings are a single REG_SZ containing JSON. The browser ships administrative templates (msedge.admx with msedge.adml, plus msedgeupdate.admx for the updater) that can be imported into the Group Policy Management Console.
Key Components, Values, Defaults, and Timers
Microsoft Edge Update: Uses a separate service (Microsoft Edge Update) for automatic updates, with its own templates (msedgeupdate.admx) and registry key (HKLM\Software\Policies\Microsoft\EdgeUpdate). By default, updates are installed automatically. Admins control update behavior via UpdateDefault (values: 0 = updates disabled, 1 = always allow updates, 2 = manual updates only, 3 = automatic silent updates only) or the per-channel Update{GUID} policies, and pin a device to a channel with TargetChannel.
SmartScreen: Enabled by default. Policy: SmartScreenEnabled (0/1). SmartScreen checks URLs and downloads against Microsoft's reputation service; PreventSmartScreenPromptOverride (0/1) controls whether users can click through a warning, and SmartScreenPuaEnabled (0/1) adds blocking of potentially unwanted apps.
Microsoft Defender Application Guard (formerly Windows Defender Application Guard, WDAG): A Windows feature rather than a browser policy. It is turned on through the Windows Defender Application Guard CSP (AllowWindowsDefenderApplicationGuard) or the Windows Components > Microsoft Defender Application Guard Group Policy node, together with the network isolation settings that define which sites are trusted; Edge-side policies such as ApplicationGuardContainerProxy only tune the container. It requires Windows 10/11 Enterprise or Education, and when enabled, untrusted sites open in an isolated Hyper-V container. Microsoft has since deprecated Application Guard for Edge, so treat it as exam knowledge rather than a design choice for new deployments.
Password Manager: Enabled by default. Policy: PasswordManagerEnabled (0/1). Controls whether Edge offers to save passwords.
Extensions: Policy: ExtensionInstallForcelist. Each entry is an extension ID, optionally followed by a semicolon and the update URL; when the URL is omitted the Microsoft Edge Add-ons store is assumed. Listed extensions are installed silently and cannot be removed by the user. ExtensionInstallBlocklist (with * to block everything not explicitly allowed) and ExtensionInstallAllowlist complete the set.
Startup pages: Policy: RestoreOnStartup (values: 1 = restore the last session, 4 = open the list in RestoreOnStartupURLs, 5 = open the new tab page) and RestoreOnStartupURLs (list of URLs).
Sync: Policy: SyncDisabled (0/1). Disables sync of browsing data with Microsoft account.
InPrivate mode: Policy: InPrivateModeAvailability (values: 0 = available, 1 = disabled, 2 = forced).
Certificate management: Policies like CertificateTransparencyEnforcementDisabledForUrls and AutoSelectCertificateForUrls.
Proxy settings: Policies like ProxySettings (JSON) or individual policies like ProxyMode.
Default values for many security policies are conservative; for example, SmartScreenEnabled defaults to 1 (enabled), while Application Guard is off unless the Windows feature is enabled and configured, because it depends on virtualization support and an Enterprise or Education edition.
Configuration and Verification Commands
Admins can verify policies using:
- Edge Policy List: Navigate to edge://policy in the browser. This page shows all applied policies, their source (platform or cloud, machine or user), scope, value and status, flags values of the wrong type, and offers Reload policies and Export to JSON buttons; the JSON export is the scriptable equivalent.
- Registry: Check the policy registry keys directly.
- Intune: Use the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center) to view device configuration profiles and their per-device assignment status.
To deploy Edge policy via Intune, you create a configuration profile using the Settings Catalog or a custom OMA-URI profile. For example, to enable SmartScreen:
Settings Catalog: Search for 'Configure Microsoft Defender SmartScreen' under Microsoft Edge > SmartScreen settings and set it to Enabled.
Custom OMA-URI: ./Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~SmartScreen/SmartScreenEnabled, data type String, value <enabled/>. ADMX-backed Edge policies take an XML string (<enabled/> or <disabled/>, plus <data id="..." value="..."/> for policies with a parameter), not an integer; the exact OMA-URI for each policy is printed on its page in the Edge policy reference.
How It Interacts with Related Technologies
Azure AD Conditional Access: Edge on Windows signs in with the device's Azure AD identity (the Primary Refresh Token), so device-based conditions such as 'require compliant device' or 'require hybrid Azure AD joined device' are evaluated without an extra broker or extension. On iOS and Android, Edge counts as an approved client app for the 'Require approved client app' and 'Require app protection policy' grant controls. When a user signs in to Edge with an Azure AD account, these checks run before corporate resources are released.
Microsoft Intune: Intune can deploy Edge policies, manage Edge updates, and enforce security baselines. The Edge security baseline in Intune includes recommended settings for password manager, SmartScreen, WDAG, and more.
Microsoft Defender for Endpoint: On onboarded devices, Edge's SmartScreen enforces Defender for Endpoint's custom network indicators and web content filtering categories, and the resulting blocks appear as events in the Defender portal; other browsers get the same enforcement through Network Protection.
Active Directory Group Policy: For on-premises devices, GPOs can be used. The msedge.admx file must be added to the Central Store, with msedge.adml in the matching language folder (for example en-US).
Microsoft Edge management service: A cloud console inside the Microsoft 365 admin center (admin.microsoft.com > Settings > Microsoft Edge) that allows policy management without on-premises infrastructure. Policies are grouped into configuration profiles, assigned to Azure AD groups, and applied when the user signs in to Edge with that work account on Windows or macOS; device enrollment is not required.
Step-by-Step Deployment Process
Plan your policy configuration: Determine which policies you need based on security requirements (e.g., block InPrivate, force SmartScreen, disable password manager).
Choose management tool: For cloud-managed devices, use Intune or Edge management service. For on-premises, use GPO.
Import policy templates: If using GPO, download msedge.admx from Microsoft and add to Central Store.
Configure policies: Set values in GPMC, Intune, or Edge management service.
Test on a pilot group: Use a test group of users to verify policies apply correctly.
Deploy broadly: Roll out to production devices.
Monitor and update: Use edge://policy and Intune reports to monitor compliance. Update policies as needed.
Plan Policy Configuration
Begin by identifying the security and compliance requirements for your organization. For the MS-102 exam, common policies include disabling the password manager (so users rely on the corporate password manager rather than browser-stored credentials), enabling SmartScreen, blocking InPrivate mode, and forcing a specific set of startup pages (e.g., company intranet). Document which policies are mandatory and which are optional. Consider the management tool you will use: Intune for cloud-managed devices, Group Policy for on-premises, or the Edge management service for users whose devices are not enrolled. The precedence order is the same whichever tool you use (machine platform policy first, then machine cloud, user platform, user cloud), so when two tools set the same policy the one that writes the higher-ranked source wins; set each policy from one place to avoid conflicts.
Deploy Edge to Devices
Microsoft Edge can be deployed via Intune, Microsoft Configuration Manager, or direct download. In Intune, Apps > Add offers a built-in 'Microsoft Edge, version 77 and later' app type for Windows and macOS that installs the current build of the chosen channel; assign it as required or available to the target groups. Edge is supported on Windows 10/11, Windows Server and the macOS versions Microsoft currently lists; the minimum versions move with each release, so check the system requirements page rather than hard-coding them. For bulk or offline deployment, download the MSI or PKG from the Microsoft Edge for Business download page (https://www.microsoft.com/edge/business/download), which is also where the policy templates are published, and install it from a script or Configuration Manager package (for example msiexec /i MicrosoftEdgeEnterpriseX64.msi /qn).
Configure Policies via GPO
If using on-premises Group Policy, download the Microsoft Edge administrative templates (msedge.admx and msedge.adml, plus msedgeupdate.admx/adml if you will manage updates) from the Microsoft Edge for Business download page. Copy the .admx files to the Central Store (\\domain\SYSVOL\domain\Policies\PolicyDefinitions) and each .adml into its language subfolder (PolicyDefinitions\en-US). Then, in Group Policy Management Console (GPMC), create a new GPO and navigate to Computer Configuration > Policies > Administrative Templates > Microsoft Edge. Configure the desired policies, for example 'Configure Microsoft Defender SmartScreen' (Enabled) under SmartScreen settings and 'Enable saving passwords to the password manager' (Disabled) under Password manager and protection. Link the GPO to the appropriate OU. Run gpupdate /force on test devices to apply, then confirm on edge://policy.
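The GPO steps above, scripted. This is an added example, not code from the page or from Microsoft: it uses the GroupPolicy module's Set-GPRegistryValue to write exactly the registry values the msedge.admx and msedgeupdate.admx templates would write, so it also shows how scalar, list and updater policies are laid out. The GPO name, OU, intranet URL and extension ID are placeholders; the templates are assumed to be in the Central Store already (without them GPMC still applies the values but lists them as Extra Registry Settings).

```powershell
# Added example: build and link an Edge baseline GPO with the GroupPolicy (RSAT) module.
# Placeholders: GPO name, target OU, intranet URL, extension ID.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName   = 'Edge - Enterprise Baseline'                # placeholder
$TargetOu  = 'OU=Workstations,DC=corp,DC=example'        # placeholder
$EdgeKey   = 'HKLM\Software\Policies\Microsoft\Edge'     # browser policies (msedge.admx)
$UpdateKey = 'HKLM\Software\Policies\Microsoft\EdgeUpdate'  # updater policies (msedgeupdate.admx)

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Baseline browser hardening' }

# Scalar policies: one REG_DWORD each under the Edge key.
$scalars = @{
    SmartScreenEnabled               = 1   # keep Defender SmartScreen on
    PreventSmartScreenPromptOverride = 1   # users cannot click through warnings
    PasswordManagerEnabled           = 0   # corporate password manager is used instead
    InPrivateModeAvailability        = 1   # 1 = InPrivate disabled (2 would force every window InPrivate)
    SyncDisabled                     = 1
    RestoreOnStartup                 = 4   # 4 = open the RestoreOnStartupURLs list
    BrowserSignin                    = 2   # 2 = force sign-in with the work account
}
foreach ($name in $scalars.Keys) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $EdgeKey -ValueName $name -Type DWord -Value $scalars[$name] | Out-Null
}

# List policies: a subkey named after the policy, holding REG_SZ values "1", "2", ...
$lists = @{
    RestoreOnStartupURLs      = @('https://intranet.corp.example/')       # placeholder URL
    ExtensionInstallForcelist = @('abcdefghijklmnopabcdefghijklmnop')     # placeholder ID; Add-ons store assumed
    URLBlocklist              = @('*')                                     # block everything...
    URLAllowlist              = @('corp.example', 'microsoft.com')         # ...except these (most specific filter wins)
}
foreach ($name in $lists.Keys) {
    $i = 1
    foreach ($entry in $lists[$name]) {
        Set-GPRegistryValue -Guid $gpo.Id -Key "$EdgeKey\$name" -ValueName ([string]$i) -Type String -Value $entry | Out-Null
        $i++
    }
}

# Updater lives in its own namespace: UpdateDefault 1 = always allow updates.
Set-GPRegistryValue -Guid $gpo.Id -Key $UpdateKey -ValueName 'UpdateDefault' -Type DWord -Value 1 | Out-Null

# Link to the pilot OU once; clients pick it up at the next refresh or with gpupdate /force.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Show what the GPO will write, for comparison with edge://policy on a pilot device.
Get-GPRegistryValue -Guid $gpo.Id -Key $EdgeKey | Select-Object ValueName, Type, Value
```

Because the values are written by name, the same hashtable doubles as the expected-state list for a later audit; keep it in version control next to the GPO backup.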
Configure Policies via Intune
In the Microsoft Intune admin center, go to Devices > Configuration > Create > New policy. Select platform Windows 10 and later and profile type Settings Catalog. Add settings by browsing the Microsoft Edge category. Common settings include: 'Configure Microsoft Defender SmartScreen' (Enabled), 'Enable saving passwords to the password manager' (Disabled), and 'Configure availability of InPrivate mode' set to InPrivate mode disabled. Alternatively, use a custom OMA-URI profile (Templates > Custom). For example, to set SmartScreen: OMA-URI ./Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~SmartScreen/SmartScreenEnabled, Data type: String, Value: <enabled/>; to block InPrivate: OMA-URI ./Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge/InPrivateModeAvailability, Data type: String, Value: <enabled/><data id="InPrivateModeAvailability" value="1"/>. Assign the profile to a test group first.
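The custom OMA-URI profile above as a Microsoft Graph request, so the same baseline can be created from a pipeline instead of clicked together. This is an added example, not code from the page or from Microsoft. It assumes the Microsoft.Graph.Authentication module, an account that can consent to DeviceManagementConfiguration.ReadWrite.All, and a placeholder pilot group ID; the category segments in the OMA-URIs (~SmartScreen, ~PasswordManager) and the data id for InPrivateModeAvailability are the ones printed on each policy's reference page.

```powershell
# Added example: create and assign an Intune custom OMA-URI profile for Edge via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication and DeviceManagementConfiguration.ReadWrite.All; group ID is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD group object ID
$Base = './Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge'

# ADMX-backed policies are sent as XML strings, never as integers.
function New-OmaString([string]$Name, [string]$Uri, [string]$Value) {
    @{ '@odata.type' = '#microsoft.graph.omaSettingString'; displayName = $Name; omaUri = $Uri; value = $Value }
}

$edgeProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Edge - Baseline (custom OMA-URI)'
    description   = 'SmartScreen on, password manager off, InPrivate blocked'
    omaSettings   = @(
        New-OmaString 'SmartScreenEnabled'        "$Base~SmartScreen/SmartScreenEnabled"         '<enabled/>'
        New-OmaString 'PasswordManagerEnabled'    "$Base~PasswordManager/PasswordManagerEnabled" '<disabled/>'
        # Enumeration policies carry their option in a <data> element; 1 = InPrivate disabled.
        New-OmaString 'InPrivateModeAvailability' "$Base/InPrivateModeAvailability"              '<enabled/><data id="InPrivateModeAvailability" value="1"/>'
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($edgeProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile $($created.id)"

# Assign to the pilot group only; widen it after edge://policy on a pilot device looks right.
$assignment = @{ assignments = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
```

A wrong data type or a typo in the category segment is reported per device under the profile's Device status in the admin center and as a red error row on edge://policy, which is the quickest place to spot it.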
Verify Policy Application
On a test device, launch Microsoft Edge and navigate to edge://policy. This page lists all applied policies, their source (platform or cloud, machine or user), scope and status. Verify that the expected policies appear with the correct values; for example, SmartScreenEnabled should show as true. A policy written with the wrong registry type (a REG_SZ where a REG_DWORD is expected) shows an error here instead of a value. Also check that no conflicting policies exist: if the same policy is listed from two sources, the one edge://policy marks as applied is the higher-ranked source. If a policy is not applied at all, check the registry keys (HKLM\Software\Policies\Microsoft\Edge and the HKCU equivalent) to see whether the management channel wrote them. Use Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin to troubleshoot MDM policy issues.
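The verification step above, scripted for fleets rather than one test device. This is an added example, not code from the page or from Microsoft: it reads the HKLM and HKCU policy keys directly, reports the effective value and winning source using the machine-over-user rule the chapter describes, flags values that differ between the two hives, and pulls the last day of errors from the MDM diagnostics log named in the text. The expected baseline and intranet URL are placeholders; run it locally or through Invoke-Command.

```powershell
# Added example: audit effective Edge policy on a device and surface recent MDM policy errors.
# Baseline values and the intranet URL are placeholders.
function Get-EdgePolicyValue {
    param([string]$Hive, [string]$Name)
    $key  = "$Hive\Software\Policies\Microsoft\Edge"
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }                     # scalar policy (REG_DWORD / REG_SZ)
    if (Test-Path "$key\$Name") {                         # list policy: subkey with values "1","2",...
        $sub = Get-ItemProperty -Path "$key\$Name"
        return @($sub.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
                 Sort-Object { [int]$_.Name } | ForEach-Object Value)
    }
    return $null
}

function Test-EdgeBaseline {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $machine = Get-EdgePolicyValue 'HKLM:' $name
        $user    = Get-EdgePolicyValue 'HKCU:' $name
        # Machine (platform) policy outranks user policy when both are present.
        $effective = if ($null -ne $machine) { $machine } else { $user }
        $source    = if ($null -ne $machine) { 'HKLM (GPO/MDM)' } elseif ($null -ne $user) { 'HKCU' } else { 'not set' }
        $want      = $Expected[$name]
        $ok        = ($null -ne $effective) -and
                     (@(Compare-Object @($want) @($effective) -SyncWindow 0).Count -eq 0)
        [pscustomobject]@{
            Policy    = $name
            Expected  = (@($want) -join ';')
            Effective = (@($effective) -join ';')
            Source    = $source
            Compliant = $ok
            # A different HKCU value is harmless while HKLM is set, but shows the policy is set twice.
            Shadowed  = ($null -ne $machine -and $null -ne $user -and "$user" -ne "$machine")
        }
    }
}

$baseline = @{
    SmartScreenEnabled        = 1
    PasswordManagerEnabled    = 0
    InPrivateModeAvailability = 1
    RestoreOnStartupURLs      = @('https://intranet.corp.example/')   # placeholder
}
Test-EdgeBaseline $baseline | Format-Table -AutoSize

# Same log the chapter points to in Event Viewer: MDM policy failures from the last 24 hours.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Shadowed rows are worth chasing even when Compliant is true: they usually mean a second tool (or a user with local admin rights) is writing the same policy, and the next refresh of whichever source wins will silently decide the outcome.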
Scenario 1: Financial Institution Enforcing Security Baselines
A bank with 10,000 Windows devices uses Microsoft Edge for all employee browsing. They must comply with PCI DSS and internal security policies. They deploy Edge via Intune and apply the Microsoft Edge security baseline (a set of recommended policies). They enforce: SmartScreen enabled, password manager disabled (to force use of a corporate password manager), InPrivate mode blocked, and WDAG enabled for all devices running Windows 10 Enterprise. They also configure a custom startup page (company intranet) and force-install an extension for secure document viewing. The baseline is assigned to a dynamic Azure AD group containing all managed devices. They monitor compliance using Intune's device compliance reports and the Edge management service dashboard. A common issue they face is that some users have local admin rights and can rewrite the HKLM policy values, or stop the Intune management client, until the next policy refresh restores them; they mitigate by removing standing local admin rights and by comparing edge://policy exports and the configuration profile reports against the baseline to catch devices that drift.
Scenario 2: Healthcare Organization Managing Hybrid Devices
A hospital chain uses a hybrid Azure AD join configuration. Some devices are on-premises domain-joined, others are cloud-only. They use a combination of GPO for on-premises devices and Intune for cloud-only devices, setting each Edge policy from exactly one of the two so the MDMWinsOverGP default (Group Policy wins) never decides an outcome by accident. They configure Edge to sign users in with their Azure AD accounts automatically (BrowserSignin = 2 to force sign-in, NonRemovableProfileEnabled so the work profile cannot be deleted) while setting SyncDisabled to keep browsing data out of the cloud. They also use conditional access policies that require a compliant device for accessing patient records, which Edge satisfies on Windows through the device's Azure AD token and on mobile as an approved client app. They set up the Edge management service to get a unified view of the signed-in users. Performance considerations: With 5,000 devices, the Edge management service handles policy updates without issue, but on-premises Group Policy changes take up to two hours to reach every device (the 90-minute refresh plus a random offset of up to 30 minutes). They shorten the computer Group Policy refresh interval to 30 minutes; this is a global setting rather than an Edge-only one, so it raises domain controller load for every policy applied to those computers. Misconfiguration example: They initially set InPrivateModeAvailability to 2 (forced), which opened every window in InPrivate, so profiles, saved sessions and single sign-on state were discarded at close; they changed it to 1 (disabled), which blocks InPrivate without affecting normal windows.
Scenario 3: Education Sector with Chromebooks and Windows
A school district uses both Windows devices and Chromebooks. They manage Edge on Windows via Intune, but they also have students using Edge on Chromebooks, where it runs as the Android app. For Chromebooks, they use Google Admin Console to manage the Chrome browser and the Android apps, but they also want consistency. They decide to use the Microsoft Edge management service to push policies to Windows devices only. They configure policies to block social media sites with URLBlocklist and to allow only educational sites. They also disable the password manager to prevent students from saving passwords on shared devices. They encounter a trap: they set URLBlocklist to * (block everything) but did not put the exceptions in URLAllowlist, so every site was blocked. There is no ordering between the two lists; Edge picks the most specific filter that matches the URL, and an allowlist entry beats a blocklist entry of equal specificity, so the fix was to list the permitted domains in URLAllowlist while keeping the wildcard block. Scale: 3,000 devices, no performance issues.
MS-102 Exam Focus on Microsoft Edge for Enterprise Administration
The MS-102 exam tests Domain 2.4: Manage Microsoft Edge for Enterprise. The objective codes include: - 2.4.1: Deploy and configure Microsoft Edge - 2.4.2: Manage Microsoft Edge security features - 2.4.3: Manage Microsoft Edge updates - 2.4.4: Manage Microsoft Edge enterprise features (e.g., IE mode, kiosk mode)
Common Wrong Answers and Why
Wrong answer: 'Edge policies are applied only via Group Policy.' Many candidates think GPO is the only method because they have on-premises experience. Reality: Edge supports GPO, Intune, and the cloud-based Edge management service. The exam often presents a scenario with cloud-only devices, and the correct answer is Intune or Edge management service.
Wrong answer: 'SmartScreen is disabled by default for performance.' Candidates assume Microsoft disables security features by default to avoid slowdowns. Reality: SmartScreen is enabled by default. The exam may ask which security feature is enabled by default; SmartScreen is the correct answer.
Wrong answer: 'Windows Defender Application Guard (WDAG) works on all Windows 10 editions.' Candidates confuse WDAG with other features. Reality: WDAG requires Windows 10/11 Enterprise or Education. The exam tests this by asking which edition supports WDAG.
Wrong answer: 'Edge updates are managed via Windows Update.' Windows Update delivers Edge with Windows itself and can service it on unmanaged devices, but the primary update mechanism is the separate Microsoft Edge Update service. The exam asks about controlling updates via policies such as UpdateDefault (always allow, manual only, automatic only, or disabled) and about pinning devices to a channel (Stable, Beta, Dev) with TargetChannel. Admins can push these policies with Intune or Group Policy.
Specific Numbers and Terms
Policy refresh interval: Group Policy refreshes every 90 minutes plus a random offset of up to 30 minutes by default; Intune-enrolled Windows devices check in about every 8 hours after the post-enrollment check-ins; both can be forced (gpupdate /force, or Sync from the admin center or the device).
SmartScreen: Enabled by default, policy name SmartScreenEnabled.
WDAG: Requires Windows 10/11 Enterprise or Education.
IE mode: Allows backward compatibility with Internet Explorer-based sites. Policy: InternetExplorerIntegrationLevel (values: 0 = none, 1 = IE mode, 2 = NeedIE, which opened sites in standalone IE11 and is obsolete now that IE11 is retired), paired with InternetExplorerIntegrationSiteList pointing at the Enterprise Mode site list XML.
Kiosk mode: Not an Edge policy. It is a Windows assigned-access configuration that launches msedge.exe with --kiosk <URL> and --edge-kiosk-type=fullscreen (digital signage) or --edge-kiosk-type=public-browsing, optionally with --kiosk-idle-timeout-minutes=<n>; Intune's Kiosk profile generates this for you.
Edge management service location: Microsoft 365 admin center (admin.microsoft.com) > Settings > Microsoft Edge.
Policy template file: msedge.admx.
Edge Cases and Exceptions
Policy conflicts: GPO and Intune write the same registry value, so they cannot both hold one policy; the Windows setting ControlPolicyConflict/MDMWinsOverGP decides the winner and defaults to Group Policy. Within Edge, machine platform policy outranks machine cloud policy, which outranks user platform and user cloud policy, unless CloudPolicyOverridesPlatformPolicy is set. The exam may present a scenario where a policy is not applying because a higher-ranked source sets it too; edge://policy lists the winning source.
User vs. machine policies: Most Edge policies accept both scopes: a value under HKLM applies to every user of the device, a value under HKCU only to that user, and HKLM wins when both exist. A few (installation, update and Application Guard settings) are machine-only. The exam tests the distinction; for example, disabling the password manager for every user of a shared device calls for a machine (Computer Configuration) policy rather than per-user settings.
Edge for Android/iOS: The exam may ask about managing Edge on mobile devices. Mobile policies are limited compared to desktop; they are managed via Intune App Protection Policies (MAM).
How to Eliminate Wrong Answers
Identify the management tool: Read the scenario to determine if devices are cloud-only, on-premises, or hybrid. If cloud-only, eliminate GPO. If hybrid, consider both.
Check edition requirements: If a feature requires Windows 10 Enterprise, eliminate answers that mention Pro or Home.
Know default values: If asked 'which feature is enabled by default', eliminate any feature that is disabled by default (e.g., WDAG).
Understand policy hierarchy: If a policy is not applying, check if a higher-priority source is overriding it.
Microsoft Edge for Enterprise supports management via Group Policy, Intune, and the cloud-based Edge management service.
SmartScreen is enabled by default; WDAG requires Windows 10/11 Enterprise or Education.
Group Policy refreshes every 90 minutes by default (plus a random offset of up to 30 minutes); Intune check-ins happen about every 8 hours; both can be forced.
Policy priority (highest to lowest): machine platform (GPO/MDM) > machine cloud > user platform > user cloud, with Group Policy beating Intune on a shared value unless MDMWinsOverGP is set.
Use edge://policy to verify applied policies on a client device.
IE mode allows backward compatibility; policy: InternetExplorerIntegrationLevel.
The Edge management service lives in the Microsoft 365 admin center under Settings > Microsoft Edge.
These come up on the exam all the time. Here's how to tell them apart.
Group Policy (GPO)
Requires on-premises Active Directory and domain-joined devices.
Uses ADMX templates imported into Central Store.
Policy refresh occurs every 90 minutes by default (configurable).
Best for on-premises or hybrid environments with traditional management.
Cannot manage cloud-only devices (Azure AD joined without hybrid).
Microsoft Intune
Works with cloud-only, hybrid, and on-premises devices enrolled in Intune.
Uses Settings Catalog or custom OMA-URI profiles.
Policy sync can be initiated manually from Intune or device.
Best for cloud-first or modern management scenarios.
Can manage Edge policies on Windows, macOS, iOS, and Android.
Mistake
Microsoft Edge policies can only be managed via Group Policy.
Correct
Edge policies can be managed via Group Policy, Microsoft Intune, and the Microsoft Edge management service. The cloud-based management service does not require on-premises Active Directory.
Mistake
SmartScreen is disabled by default to avoid performance impact.
Correct
SmartScreen is enabled by default in Microsoft Edge. It checks URLs and downloads against a dynamic list of malicious sites and is a key security feature.
Mistake
Windows Defender Application Guard (WDAG) works on all Windows 10 editions.
Correct
WDAG requires Windows 10/11 Enterprise or Education editions. It does not work on Pro or Home editions.
Mistake
Edge updates are managed exclusively through Windows Update.
Correct
Edge uses its own update service (Microsoft Edge Update) by default. Admins can control update behavior via policies, and Intune can also manage Edge updates.
Mistake
Edge policies apply immediately after configuration in Intune.
Correct
A new Intune profile reaches a device at its next check-in (frequent in the first hours after enrollment, then about every 8 hours); an admin or the user can force a sync, and Edge applies the new registry values shortly after they land, without a restart for most policies. The delay is in the management channel, not in the browser.
You can deploy Microsoft Edge using Intune, Microsoft Configuration Manager, or the Microsoft Edge for Business installer. In Intune, go to Apps > All apps > Add and choose the built-in 'Microsoft Edge, version 77 and later' app type (Windows or macOS), pick the channel, and assign it to a group of devices; wrapping the MSI as a Win32 app also works if you need to pin an exact version. Alternatively, download the MSI or PKG from the Microsoft Edge for Business download page and deploy it via script or Configuration Manager.
The Edge management service (Microsoft 365 admin center > Settings > Microsoft Edge) is a dedicated console for Edge policies only. It is simpler, focuses solely on Edge, assigns configuration profiles to Azure AD users and groups, and does not need the device to be enrolled in MDM. Intune is a broader MDM solution that can manage many aspects of enrolled devices, including Edge policies via configuration profiles. The Edge management service is easier for pure Edge management or for unenrolled devices, but Intune is better if you already use it for other device management and want device-level rather than user-level enforcement.
Yes, use the policy 'InPrivateModeAvailability'. Set it to 1 (disabled) to block InPrivate mode. Set to 2 (forced) to always use InPrivate. This policy can be configured via GPO, Intune, or Edge management service.
ConfigureDoNotTrack has nothing to do with sign-in. To control sign-in, use BrowserSignin: 0 disables sign-in, 1 enables it, and 2 forces the user to sign in before using the browser. Pair it with NonRemovableProfileEnabled (the work profile cannot be removed), SyncDisabled or ForceSync to decide what happens to browsing data, and ImplicitSignInEnabled if you want Edge to pick up the Windows (Azure AD) sign-in automatically. There is no ForceSignin policy in Edge; BrowserSignin = 2 is the equivalent.
IE mode allows Microsoft Edge to render websites that require Internet Explorer compatibility. Enable it via the policy InternetExplorerIntegrationLevel set to 1 (IE mode); the value 2 (NeedIE) opened sites in standalone IE11 and is obsolete. You also need an Enterprise Mode site list XML, referenced by the InternetExplorerIntegrationSiteList policy as a file share, local path or URL, or published as a cloud site list from the Microsoft 365 admin center; edge://compat/enterprise shows which list a device has loaded.
Use the policy ExtensionInstallForcelist to silently install extensions. Each list entry is an extension ID, optionally followed by a semicolon and an update URL (omit it for extensions from the Microsoft Edge Add-ons store); one entry per list item, not one semicolon-separated string. You can also block extensions using ExtensionInstallBlocklist (an entry of * blocks everything not in ExtensionInstallAllowlist or the force list). Extensions can be managed via GPO, Intune, or Edge management service.
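The IE mode answer above, worked through on a test machine. This is an added example, not code from the page or from Microsoft: it writes a minimal Enterprise Mode site list in the published site-list v2 schema, validates that it is well-formed, and points Edge at it through the two local policy values. The hostname and file location are placeholders; in production the same two policies go into the GPO or Intune profile and the XML is hosted on a web server or file share.

```powershell
# Added example: stand up IE mode locally with an Enterprise Mode site list. Hostname and path are placeholders.
$SiteListPath = 'C:\ProgramData\EdgeIEMode\sitelist.xml'
$SiteList = @"
<site-list version="1">
  <!-- version must increase each time the file changes so clients pick up the new list -->
  <created-by>
    <tool>EdgeAdminScript</tool>
    <version>1</version>
    <date-created>$(Get-Date -Format 'yyyyMMdd.HHmmss')</date-created>
  </created-by>
  <site url="legacy-erp.corp.example">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="legacy-erp.corp.example/modern">
    <!-- a more specific path stays in Edge: exceptions are expressed as sites, not a separate allowlist -->
    <compat-mode>Default</compat-mode>
    <open-in>MSEdge</open-in>
  </site>
</site-list>
"@

New-Item -ItemType Directory -Path (Split-Path $SiteListPath) -Force | Out-Null
$null = [xml]$SiteList                                   # fails fast if the XML is not well-formed
Set-Content -Path $SiteListPath -Value $SiteList -Encoding UTF8

$EdgeKey = 'HKLM:\Software\Policies\Microsoft\Edge'
New-Item -Path $EdgeKey -Force | Out-Null
# 1 = IE mode (0 = none; 2 = NeedIE, obsolete now that standalone IE11 is retired)
Set-ItemProperty -Path $EdgeKey -Name 'InternetExplorerIntegrationLevel' -Type DWord -Value 1
Set-ItemProperty -Path $EdgeKey -Name 'InternetExplorerIntegrationSiteList' -Type String -Value $SiteListPath

# Edge re-reads the site list on a timer; edge://compat/enterprise shows the loaded list and lets you force an update.
Get-ItemProperty -Path $EdgeKey | Select-Object InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList
```

Bump the version attribute on every edit; a client that already holds version 1 ignores a changed file that still claims version 1, which is the most common reason a new site "does not open in IE mode".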
Yes, Microsoft Edge is available for macOS. Intune supports managing Edge on macOS via configuration profiles (Settings Catalog for macOS). Policies are similar to Windows but may have some differences. The Edge management service also supports macOS devices enrolled in Azure AD.