The latest version of Microsoft Edge includes the following policies. You can use these policies to configure how Microsoft Edge runs in your organization.
For information about an additional set of policies used to control how and when Microsoft Edge is updated, check out Microsoft Edge update policy reference.
You can download the Microsoft Security Compliance Toolkit for the recommended security configuration baseline settings for Microsoft Edge. For more information, see the Microsoft Security Baselines Blog.
Starting in Microsoft Edge version 116, certain policies will not be applied to a profile that is signed in with a Microsoft account. For more information, please check an individual policy for details on whether it applies to a profile that is signed in with a Microsoft account.
NOTE
This article applies to Microsoft Edge version 77 or later.
Available policies
These tables list all of the browser-related group policies available in this release of Microsoft Edge. Use the links in the table to get more details about specific policies.
Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store (obsolete)
Configure whether Microsoft Edge should automatically select a certificate when there are multiple certificate matches for a site configured with "AutoSelectCertificateForUrls" (deprecated)
Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft
Configures the proxy settings for Microsoft Edge Application Guard.
If you enable this policy, Microsoft Edge Application Guard ignores other sources of proxy configurations.
If you don't configure this policy, Microsoft Edge Application Guard uses the proxy configuration of the host.
This policy doesn't affect the proxy configuration of Microsoft Edge outside of Application Guard (on the host).
The ProxyMode field lets you specify the proxy server used by Microsoft Edge Application Guard.
The ProxyPacUrl field is a URL for a proxy .pac file.
The ProxyServer field is a URL for the proxy server.
If you choose the 'direct' value as 'ProxyMode', all the other fields are ignored.
If you choose the 'auto_detect' value as 'ProxyMode', all the other fields are ignored.
If you choose the 'fixed_servers' value as 'ProxyMode', the 'ProxyServer' field is used.
If you choose the 'pac_script' value as 'ProxyMode', the 'ProxyPacUrl' field is used.
This policy allows Microsoft Edge computers/devices that have Application Guard enabled to sync favorites from the host to the container so the favorites match.
If ManagedFavorites are configured, those favorites are also synced to the container.
If you enable this policy, editing favorites in the container is disabled. So, the add favorites and add favorites folder buttons are blurred out in the UI of the container browser.
If you disable or don't configure this policy, favorites on the host won't be shared to the container.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ApplicationGuardFavoritesSyncEnabled
GP name: Application Guard Favorites Sync Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Application Guard settings
Ignore Application Guard site list configuration and browse Microsoft Edge normally
Supported versions:
On Windows since 94 or later
Description
Set whether Microsoft Edge should ignore the Application Guard site list configuration for trusted and untrusted sites.
If you enable this policy, all navigations from Microsoft Edge are accessed normally within Microsoft Edge without redirecting to the Application Guard container, including navigations to untrusted sites. Note: This policy only affects Microsoft Edge, so navigations from other browsers are still redirected to the Application Guard container if you have the corresponding extensions enabled.
If you disable or don't configure this policy, Microsoft Edge doesn't ignore the Application Guard site list. If users try to navigate to an untrusted site in the host, the site opens in the container.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ApplicationGuardPassiveModeEnabled
GP name: Ignore Application Guard site list configuration and browse Microsoft Edge normally
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Application Guard settings
If you enable or don't configure this policy, Application Guard adds an extra HTTP header (X-MS-ApplicationGuard-Initiated) to all outbound HTTP requests made from the Application Guard container.
If you disable this policy, the extra header isn't added to the traffic.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ApplicationGuardTrafficIdentificationEnabled
GP name: Application Guard Traffic Identification
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Application Guard settings
Enable this policy to disable the DIAL (Discovery And Launch) protocol for cast device discovery. If EnableMediaRouter is disabled, this policy has no effect.
By default, Cast device discovery uses DIAL protocol.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeDisableDialProtocolForCastDiscovery
GP name: Disable DIAL protocol for cast device discovery
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Cast
Enable this policy to enable Google Cast. Users can launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
Disable this policy to disable Google Cast.
By default, Google Cast is enabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableMediaRouter
GP name: Enable Google Cast
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Cast
TLS server certificates that should be trusted by Microsoft Edge
Supported versions:
On Windows and macOS since 133 or later
Description
This policy enables a list of Transport Layer Security (TLS) certificates that Microsoft Edge trusts for server authentication. Certificates should be base64 encoded.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CACertificates
GP name: TLS server certificates that should be trusted by Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Certificate management settings
TLS certificates that should be trusted by Microsoft Edge for server authentication with constraints
Supported versions:
On Windows and macOS since 133 or later
Description
This policy enables a list of TLS certificates that should be trusted by Microsoft Edge for server authentication, with constraints added outside the certificate. If no constraint of a certain type is present, then any name of that type is allowed. Certificates should be base64-encoded. At least one constraint must be specified for each certificate.
The permitted_dns_names field is a list of DNS names that are allowed for the certificate. If the DNS name in the certificate request doesn't match one of the specified DNS names, the certificate isn't trusted.
The permitted_cidrs field is a list of CIDR (Classless Inter-Domain Routing) ranges that will be allowed for the certificate. If the IP address in the certificate request doesn't fall within one of the permitted CIDR ranges, the certificate isn't trusted.
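The constraint rules above, as an added Python example (not Microsoft's code): it checks that each entry carries at least one constraint and shows that an entry with only permitted_dns_names places no limit on IP addresses. The "certificate" and "constraints" key names, the subdomain matching rule, the function names and the sample values are assumptions made for illustration.

```python
import ipaddress


def dns_permitted(name, permitted):
    """Assumed rule (X.509 name-constraint style): the name equals a
    permitted name or is a subdomain of it, compared on label boundaries."""
    name = name.lower().rstrip(".")
    for p in permitted:
        p = p.lower().strip(".")
        if name == p or name.endswith("." + p):
            return True
    return False


def ip_permitted(addr, cidrs):
    """True if addr falls inside at least one permitted CIDR range."""
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def constraints_of(entry):
    """Return (dns_names, cidrs) for one entry; missing lists become []."""
    c = entry.get("constraints") or {}
    return c.get("permitted_dns_names") or [], c.get("permitted_cidrs") or []


def validate_entry(entry):
    """Return a list of problems found in one policy entry."""
    problems = []
    if not entry.get("certificate"):
        problems.append("no certificate")
    dns, cidrs = constraints_of(entry)
    # The policy requires at least one constraint per certificate.
    if not dns and not cidrs:
        problems.append("no constraint specified")
    for cidr in cidrs:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"bad CIDR {cidr!r}")
    return problems


def host_permitted(entry, host):
    """Apply the documented rule: a constraint type that is absent
    allows any name of that type."""
    dns, cidrs = constraints_of(entry)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, treat as a DNS name
    if addr is not None:
        return True if not cidrs else ip_permitted(addr, cidrs)
    return True if not dns else dns_permitted(host, dns)


# Constructed sample entries; the certificate value is a placeholder.
ENTRY_DNS_ONLY = {
    "certificate": "BASE64_CERT_PLACEHOLDER",
    "constraints": {"permitted_dns_names": ["corp.example.test"]},
}
ENTRY_BOTH = {
    "certificate": "BASE64_CERT_PLACEHOLDER",
    "constraints": {
        "permitted_dns_names": ["corp.example.test"],
        "permitted_cidrs": ["10.20.0.0/16"],
    },
}
ENTRY_NONE = {"certificate": "BASE64_CERT_PLACEHOLDER", "constraints": {}}

if __name__ == "__main__":
    for label, entry in [("dns-only", ENTRY_DNS_ONLY), ("both", ENTRY_BOTH),
                         ("none", ENTRY_NONE)]:
        print(label, "problems:", validate_entry(entry))
        for host in ["intranet.corp.example.test", "notcorp.example.test",
                     "10.20.5.9", "192.0.2.10"]:
            print("   ", host, "->", host_permitted(entry, host))
```

Adding permitted_cidrs alongside permitted_dns_names closes the IP-address gap that a DNS-only entry leaves open.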
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: CACertificatesWithConstraints
GP name: TLS certificates that should be trusted by Microsoft Edge for server authentication with constraints
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Certificate management settings
TLS certificates that are not trusted or distrusted but can be used in path-building for server authentication
Supported versions:
On Windows and macOS since 133 or later
Description
This policy defines certificates that Microsoft Edge doesn't explicitly trust or distrust but may be used as hints during certificate path-building.
The specified certificates are considered as intermediates during path validation; the server's certificate must still chain to a trusted root to be considered valid.
Certificates must be base64-encoded.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CAHintCertificates
GP name: TLS certificates that are not trusted or distrusted but can be used in path-building for server authentication
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Certificate management settings
Automatically select client certificates for these sites
Supported versions:
On Windows and macOS since 77 or later
Description
Setting the policy lets you make a list of URL patterns that specify sites for which Microsoft Edge can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
Examples for the usage of the $FILTER section:
* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When $FILTER is set to {}, the selection of client certificates isn't additionally restricted. Filters provided by the web server still apply.
If you leave the policy unset, there's no autoselection for any site.
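The $FILTER rules above, as an added Python example (not Microsoft's code): it parses a constructed AutoSelectCertificateForUrls value, marks entries whose filter is {} as unrestricted, and lists which candidate certificates each filter admits. The certificate dictionaries, function names, host names and CA names are assumptions made for illustration.

```python
import json

SECTIONS = {"ISSUER", "SUBJECT"}
ATTRS = {"CN", "O", "OU"}  # attributes named in the policy description


def parse_entry(raw):
    """Decode one stringified JSON dictionary and check its shape."""
    entry = json.loads(raw)  # malformed JSON raises a ValueError subclass
    if not isinstance(entry, dict):
        raise ValueError("entry is not a JSON object")
    pattern, flt = entry.get("pattern"), entry.get("filter")
    if not isinstance(pattern, str) or not pattern:
        raise ValueError("missing or empty 'pattern'")
    if not isinstance(flt, dict):
        raise ValueError("'filter' must be a JSON object")
    for section, attrs in flt.items():
        if section not in SECTIONS or not isinstance(attrs, dict):
            raise ValueError(f"unexpected filter section {section!r}")
        extra = set(attrs) - ATTRS
        if extra:
            raise ValueError(f"unexpected attribute(s) {sorted(extra)}")
    return pattern, flt


def filter_matches(flt, cert):
    """True if the certificate satisfies every section of the filter.
    Attributes map to lists because O and OU can occur more than once;
    one matching value is enough. An empty filter matches everything."""
    for section, attrs in flt.items():
        names = cert.get(section, {})
        for attr, wanted in attrs.items():
            if wanted not in names.get(attr, []):
                return False
    return True


def audit(policy_value, candidate_certs):
    """Return (index, status, pattern or error, matching labels) per entry."""
    findings = []
    for i, raw in enumerate(policy_value):
        try:
            pattern, flt = parse_entry(raw)
        except ValueError as exc:
            findings.append((i, "invalid", str(exc), []))
            continue
        status = "filtered" if flt else "unrestricted"
        matched = [c["label"] for c in candidate_certs
                   if filter_matches(flt, c)]
        findings.append((i, status, pattern, matched))
    return findings


# Constructed policy value: a list of stringified JSON dictionaries.
SAMPLE_POLICY = [
    '{"pattern": "https://vpn.example.test", '
    '"filter": {"ISSUER": {"CN": "Example Corp Issuing CA"}}}',
    '{"pattern": "https://hr.example.test", '
    '"filter": {"ISSUER": {"CN": "Example Corp Issuing CA"}, '
    '"SUBJECT": {"OU": "HR"}}}',
    '{"pattern": "https://portal.example.test", "filter": {}}',
    '{"pattern": "https://broken.example.test", "filter": ',
]

# Constructed certificates as they might sit in a user's store.
SAMPLE_CERTS = [
    {"label": "alice-hr",
     "ISSUER": {"CN": ["Example Corp Issuing CA"]},
     "SUBJECT": {"CN": ["alice"], "O": ["Example Corp"],
                 "OU": ["HR", "Staff"]}},
    {"label": "bob-eng",
     "ISSUER": {"CN": ["Example Corp Issuing CA"]},
     "SUBJECT": {"CN": ["bob"], "O": ["Example Corp"],
                 "OU": ["Engineering"]}},
    {"label": "alice-personal",
     "ISSUER": {"CN": ["Some Public CA"]},
     "SUBJECT": {"CN": ["alice"]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_CERTS):
        print(finding)
```

An "unrestricted" entry relies entirely on the server's certificate request to narrow the choice, so it is the one to review first.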
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoSelectCertificateForUrls
GP name: Automatically select client certificates for these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allow multiple automatic downloads in quick succession on specific sites
Supported versions:
On Windows and macOS since 110 or later
Description
Define a list of sites, based on URL patterns, that are allowed to perform multiple successive automatic downloads. If you don't configure this policy, DefaultAutomaticDownloadsSetting applies for all sites, if it's set. If it isn't set, then the user's personal setting applies. For more detailed information about valid URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutomaticDownloadsAllowedForUrls
GP name: Allow multiple automatic downloads in quick succession on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Block multiple automatic downloads in quick succession on specific sites
Supported versions:
On Windows and macOS since 110 or later
Description
Define a list of sites, based on URL patterns, where multiple successive automatic downloads aren't allowed. If you don't configure this policy, DefaultAutomaticDownloadsSetting applies for all sites, if it's set. If it isn't set, then the user's personal setting applies. For more detailed information about valid URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutomaticDownloadsBlockedForUrls
GP name: Block multiple automatic downloads in quick succession on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
For security reasons, the requestFullscreen() web API requires a prior user gesture ("transient activation") to be called or it fails. Users' personal settings can allow certain origins to call this API without a prior user gesture.
This policy supersedes users' personal settings and allows matching origins to call the API without a prior user gesture.
Origins matching both blocked and allowed policy patterns are blocked. Origins not specified by policy or user settings require a prior user gesture to call this API.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutomaticFullscreenAllowedForUrls
GP name: Allow automatic full screen on specified sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
For security reasons, the requestFullscreen() web API requires a prior user gesture ("transient activation") to be called or it fails. Users' personal settings can allow certain origins to call this API without a prior user gesture.
This policy supersedes users' personal settings and blocks matching origins from calling the API without a prior user gesture.
Origins matching both blocked and allowed policy patterns are blocked. Origins not specified by policy or user settings require a prior user gesture to call this API.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutomaticFullscreenBlockedForUrls
GP name: Block automatic full screen on specified sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Define a list of sites, based on URL patterns, that are allowed to set cookies. URL patterns can be a single URL indicating that the site can use cookies on all top-level sites. Patterns can also be two URLs delimited by a comma. The first specifies the site that should be allowed to use cookies. The second specifies the top-level site that the first value should be applied on. If you use a pair of URLs, the first value in the pair supports *, but the second value doesn't. Using * for the first value indicates that all sites can use cookies when the second URL is the top-level site.
If you don't configure this policy, the global default value from the DefaultCookiesSetting policy (if set) or the user's personal configuration is used for all sites.
To allow third-party cookies to be set, specify a pair of URL patterns delimited by a comma. The first value in the pair specifies the third-party site that should be allowed to use cookies. The second value in the pair specifies the top-level site that the first value should be applied on. The first value in the pair supports * but the second value doesn't.
To exclude cookies from being deleted on exit, configure the SaveCookiesOnExit policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CookiesAllowedForUrls
GP name: Allow cookies on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Define a list of sites, based on URL patterns, that can't set cookies.
If you don't configure this policy, the global default value from the DefaultCookiesSetting policy (if set) or the user's personal configuration is used for all sites.
Limit cookies from specific websites to the current session
Supported versions:
On Windows and macOS since 77 or later
Description
Cookies created by websites that match a URL pattern you define are deleted when the session ends (when the window closes).
Cookies created by websites that don't match the pattern are controlled by the DefaultCookiesSetting policy (if set) or by the user's personal configuration. This is also the default behavior if you don't configure this policy.
If you set the RestoreOnStartup policy to restore URLs from previous sessions, this policy is ignored, and cookies are stored permanently for those sites.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CookiesSessionOnlyForUrls
GP name: Limit cookies from specific websites to the current session
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
This policy enables Data URL support for SVGUseElement, which is disabled by default starting in Microsoft Edge version 119. If this policy is enabled, Data URLs keep working in SVGUseElement. If this policy is disabled or not configured, Data URLs don't work in SVGUseElement.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DataUrlInSvgUseEnabled
GP name: Data URL support for SVGUseElement
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Administrators can use this policy to control whether websites can perform multiple downloads successively. Individual site behavior can be managed using the AutomaticDownloadsAllowedForUrls and AutomaticDownloadsBlockedForUrls policies.
Default behavior:
- A user gesture is required for each additional download.
- Users can modify their browser settings to disable successive downloads.
Policy options mapping:
* AllowAutomaticDownloads (1) = Allow all websites to perform multiple downloads without requiring a user gesture between each download.
* BlockAutomaticDownloads (2) = Prevent all websites from performing multiple downloads, even after a user gesture.
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultAutomaticDownloadsSetting
GP name: Default automatic downloads setting
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Control whether websites can create cookies on the user's device. This policy is all or nothing - you can let all websites create cookies, or no websites create cookies. You can't use this policy to enable cookies from specific websites.
Set the policy to 'SessionOnly' to clear cookies when the session closes.
If you don't configure this policy, the default 'AllowCookies' is used, and users can change this setting in Microsoft Edge Settings. (If you don't want users to be able to change this setting, set the policy.)
Policy options mapping:
* AllowCookies (1) = Let all sites create cookies
* BlockCookies (2) = Don't let any site create cookies
* SessionOnly (4) = Keep cookies for the duration of the session, except ones listed in SaveCookiesOnExit
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultCookiesSetting
GP name: Configure cookies
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
If you set this policy to 3, websites can ask for read access to the host operating system's filesystem using the File System API. If you set this policy to 2, access is denied.
If you don't set this policy, websites can ask for access. Users can change this setting.
Policy options mapping:
* BlockFileSystemRead (2) = Don't allow any site to request read access to files and directories via the File System API
* AskFileSystemRead (3) = Allow sites to ask the user to grant read access to files and directories via the File System API
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultFileSystemReadGuardSetting
GP name: Control use of the File System API for reading
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
If you set this policy to 3, websites can ask for write access to the host operating system's filesystem using the File System API. If you set this policy to 2, access is denied.
If you don't set this policy, websites can ask for access. Users can change this setting.
Policy options mapping:
* BlockFileSystemWrite (2) = Don't allow any site to request write access to files and directories
* AskFileSystemWrite (3) = Allow sites to ask the user to grant write access to files and directories
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultFileSystemWriteGuardSetting
GP name: Control use of the File System API for writing
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Set whether websites can track users' physical locations. You can allow tracking by default ('AllowGeolocation'), deny it by default ('BlockGeolocation'), or ask the user each time a website requests their location ('AskGeolocation').
If you don't configure this policy, 'AskGeolocation' is used and the user can change it.
If this policy isn't set, users are allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.
Policy options mapping:
* BlockInsecureContent (2) = Don't allow any site to load mixed content
* AllowExceptionsInsecureContent (3) = Allow users to add exceptions to allow mixed content
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultInsecureContentSetting
GP name: Control use of insecure content exceptions
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allows you to set whether Microsoft Edge runs the V8 JavaScript engine with the JIT (Just In Time) compiler enabled.
Disabling the JavaScript JIT means that Microsoft Edge can render web content more slowly, and can also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT can allow Microsoft Edge to render web content in a more secure configuration.
Set whether websites can display desktop notifications. You can allow them by default ('AllowNotifications'), deny them by default ('BlockNotifications'), or have the user be asked each time a website wants to show a notification ('AskNotifications').
If you don't configure this policy, notifications are allowed by default, and the user can change this setting.
Policy options mapping:
* AllowNotifications (1) = Allow sites to show desktop notifications
* BlockNotifications (2) = Don't allow any site to show desktop notifications
* AskNotifications (3) = Ask every time a site wants to show desktop notifications
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultNotificationsSetting
GP name: Default notification setting
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 87.
Supported versions:
On Windows and macOS since 77, until 87
Description
This policy doesn't work because Flash is no longer supported by Microsoft Edge.
PluginsAllowedForUrls and PluginsBlockedForUrls are checked first, then this policy. The options are 'ClickToPlay' and 'BlockPlugins'. If you set this policy to 'BlockPlugins', this plugin is denied for all websites. 'ClickToPlay' lets the Flash plugin run, but users click the placeholder to start it.
If you don't configure this policy, the user can change this setting manually.
Note: Automatic playback is only for domains explicitly listed in the PluginsAllowedForUrls policy. To turn automatic playback on for all sites, add http://* and https://* to the allowed list of URLs.
Policy options mapping:
* BlockPlugins (2) = Block the Adobe Flash plugin
* ClickToPlay (3) = Click to play
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultPluginsSetting
GP name: Default Adobe Flash setting (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Default setting for third-party storage partitioning (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 145.
Supported versions:
On Windows and macOS since 115, until 145
Description
This policy controls whether third-party storage partitioning is allowed by default.
If this policy is set to 1 - AllowPartitioning, or unset, third-party storage partitioning will be allowed by default. This default may be overridden for specific top-level origins by other means.
If this policy is set to 2 - BlockPartitioning, third-party storage partitioning will be disabled for all contexts.
Use ThirdPartyStoragePartitioningBlockedForOrigins to disable third-party storage partitioning for specific top-level origins.
This feature has been removed starting in Microsoft Edge version 146. To ensure compatibility, use the requestStorageAccess method instead. For more information, see https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess.
Policy options mapping:
* AllowPartitioning (1) = Allow third-party storage partitioning by default.
Control whether websites can access nearby Bluetooth devices. You can completely block access or require the site to ask the user each time it wants to access a Bluetooth device.
If you don't configure this policy, the default value ('AskWebBluetooth', meaning users are asked each time) is used and users can change it.
Policy options mapping:
* BlockWebBluetooth (2) = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
* AskWebBluetooth (3) = Allow sites to ask the user to grant access to a nearby Bluetooth device
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultWebBluetoothGuardSetting
GP name: Control use of the Web Bluetooth API
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Set whether websites can access connected USB devices. You can completely block access or ask the user each time a website wants to get access to connected USB devices.
If you don't configure this policy, sites can ask users whether they can access the connected USB devices ('AskWebUsb') by default, and users can change this setting.
Policy options mapping:
* BlockWebUsb (2) = Do not allow any site to request access to USB devices via the WebUSB API
* AskWebUsb (3) = Allow sites to ask the user to grant access to a connected USB device
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultWebUsbGuardSetting
GP name: Control use of the WebUSB API
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Setting the policy to "BlockWindowManagement" (value 2) automatically denies the window management permission to sites by default. This setting limits the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Setting the policy to "AskWindowManagement" (value 3) by default prompts the user when the window management permission is requested. If users allow the permission, it extends the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Not configuring the policy means the "AskWindowManagement" policy applies, but users can change this setting.
Policy options mapping:
* BlockWindowManagement (2) = Denies the Window Management permission on all sites by default
* AskWindowManagement (3) = Ask every time a site wants to obtain the Window Management permission
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultWindowManagementSetting
GP name: Default Window Management permission setting
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allow read access via the File System API on these sites
Supported versions:
On Windows and macOS since 86 or later
Description
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemReadBlockedForUrls. Neither policy takes precedence if a URL matches with both.
Block read access via the File System API on these sites
Supported versions:
On Windows and macOS since 86 or later
Description
If you set this policy, you can list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
If you don't set this policy, DefaultFileSystemReadGuardSetting applies for all sites, if set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemReadAskForUrls. Neither policy takes precedence if a URL matches with both.
Allow write access to files and directories on these sites
Supported versions:
On Windows and macOS since 86 or later
Description
If you set this policy, you can list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
If you don't set this policy, DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL matches with both.
Block write access to files and directories on these sites
Supported versions:
On Windows and macOS since 86 or later
Description
If you set this policy, you can list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
If you don't set this policy, DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches with both.
Use this policy to define a list of URL patterns for sites that are blocked from accessing the user's geolocation. These sites also can't prompt the user for location permissions.
If you enable this policy, the list you provide determines which sites are blocked from requesting or accessing geolocation.
If you disable or don't configure this policy, DefaultGeolocationSetting applies to all sites, if configured. If it's not configured, the user’s personal browser setting is used.
For detailed information on valid URL patterns, see the documentation on pattern formats: https://learn.microsoft.com/deployedge/edge-learnmmore-url-list-filter%20format.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: GeolocationBlockedForUrls
GP name: Block geolocation on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allows you to specify a list of URL patterns for sites that are allowed to use the Idle Detection API.
If you don't configure this policy, the default behavior applies to all sites. The default behavior is determined by the DefaultIdleDetectionSetting policy, if configured, or by the user’s personal settings otherwise.
Only the origin of the URL is evaluated. Any path specified in a URL pattern is ignored. Wildcards, *, are supported. For detailed information about valid URL pattern formats, see https://go.microsoft.com/fwlink/?linkid=209532.
URL patterns specified in the blocklist take precedence over this allowlist. This allowlist takes precedence over the DefaultIdleDetectionSetting policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: IdleDetectionAllowedForUrls
GP name: Allow idle detection on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
If you do not configure this policy, the default behavior applies to all sites. The default behavior is determined by the DefaultIdleDetectionSetting policy, if configured, or by the user’s personal settings otherwise.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: IdleDetectionBlockedForUrls
GP name: Block idle detection on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Define a list of sites, based on URL patterns, that can display images.
If you don't configure this policy, the global default value is used for all sites either from the DefaultImagesSetting policy (if set) or the user's personal configuration.
Define a list of sites, based on URL patterns, that aren't allowed to display images.
If you don't configure this policy, the global default value from the DefaultImagesSetting policy (if set) or the user's personal configuration is used for all sites.
Create a list of URL patterns to specify sites that can display or, as of version 94, download insecure mixed content (that is, HTTP content on HTTPS sites).
If you don't configure this policy, blockable mixed content is blocked and optionally blockable mixed content is upgraded. However, users are allowed to set exceptions to allow insecure mixed content for specific sites.
Creates a list of URL patterns to specify sites that aren't allowed to display blockable (that is, active) mixed content (that is, HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades are disabled.
If you don't configure this policy, blockable mixed content is blocked, and optionally blockable mixed content is upgraded. However, users are allowed to set exceptions to allow insecure mixed content for specific sites.
Allow intranet zone file URL links from Microsoft Edge to open in Windows File Explorer
Supported versions:
On Windows since 95 or later
Description
This setting allows file URL links to intranet zone files from intranet zone HTTPS websites to open Windows File Explorer for that file or directory.
If you enable this policy, intranet zone file URL links originating from intranet zone HTTPS pages open Windows File Explorer to the parent directory of the file and select the file. Intranet zone directory URL links originating from intranet zone HTTPS pages open Windows File Explorer to the directory with no items in the directory selected.
If you disable or don't configure this policy, file URL links don't open.
Microsoft Edge uses the definition of intranet zone as configured for Internet Explorer. https://localhost/ is blocked as an exception to the allowed intranet zone hosts, while loopback addresses (127.0.0.*, [::1]) are considered internet zone by default.
This policy blocks JavaScript based on whether the origin of the top-level document (usually the page URL that's also displayed in the address bar) matches any of the patterns. Therefore, this policy isn't appropriate for mitigating web supply-chain attacks. For example, supplying the pattern `https://[*.]foo.com/` doesn't prevent a page hosted on, say, `https://contoso.com`, from running a script loaded from `https://www.foo.com/example.js`. Furthermore, supplying the pattern `https://contoso.com/` doesn't prevent a document from `https://contoso.com` from running scripts if it isn't the top-level document, but embedded as a subframe into a page hosted on another origin, say, `https://www.fabrikam.com`.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: JavaScriptBlockedForUrls
GP name: Block JavaScript on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.contoso.com won't correctly apply to contoso.com or subdomain.contoso.com since they both resolve to the same eTLD+1 (contoso.com) for which there's no policy. In this case, policy must be set on contoso.com to apply correctly for both contoso.com and subdomain.contoso.com.
This policy applies on a frame-by-frame basis and not based on top-level origin URL alone; so, for example, if contoso.com is listed in the JavaScriptJitAllowedForSites policy but contoso.com loads a frame containing fabrikam.com then contoso.com will have JavaScript JIT enabled, but fabrikam.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
If you don't configure this policy for a site, then the policy from DefaultJavaScriptJitSetting applies to the site, if set; otherwise, JavaScript JIT is enabled for the site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: JavaScriptJitAllowedForSites
GP name: Allow JavaScript to use JIT on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allows you to set a list of site URL patterns that specify sites that aren't allowed to run JavaScript with the JIT (Just In Time) compiler enabled.
Disabling the JavaScript JIT means that Microsoft Edge may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Microsoft Edge to render web content in a more secure configuration.
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.contoso.com will not correctly apply to contoso.com or subdomain.contoso.com since they both resolve to the same eTLD+1 (contoso.com) for which there is no policy. In this case, policy must be set on contoso.com to apply correctly for both contoso.com and subdomain.contoso.com.
This policy applies on a frame-by-frame basis and not based on top-level origin URL alone; so, for example, if contoso.com is listed in the JavaScriptJitBlockedForSites policy but contoso.com loads a frame containing fabrikam.com, then contoso.com has JavaScript JIT disabled, but fabrikam.com uses the policy from DefaultJavaScriptJitSetting, if set, or defaults to JavaScript JIT enabled.
If you don't configure this policy for a site, then the policy from DefaultJavaScriptJitSetting applies to the site, if set; otherwise, JavaScript JIT is enabled for the site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: JavaScriptJitBlockedForSites
GP name: Block JavaScript from using JIT on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
JavaScript optimization policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.contoso.com doesn't correctly apply to contoso.com or subdomain.contoso.com since they both resolve to the same eTLD+1 (contoso.com) for which there's no policy. In this case, policy must be set on contoso.com to apply correctly for both contoso.com and subdomain.contoso.com.
This policy applies on a frame-by-frame basis and not based on top-level origin URL alone; so, for example, if contoso.com is listed in the JavaScriptOptimizerAllowedForSites policy but contoso.com loads a frame containing fabrikam.com, then contoso.com has JavaScript optimizations enabled, but fabrikam.com uses the policy from DefaultJavaScriptOptimizerSetting, if set, or defaults to JavaScript optimizations enabled. Blocklist entries have higher priority than allowlist entries, which in turn have higher priority than the configured default value.
If you don't configure this policy for a site, then the policy from DefaultJavaScriptOptimizerSetting applies to the site, if set; otherwise, JavaScript optimization is enabled for the site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: JavaScriptOptimizerAllowedForSites
GP name: Allow JavaScript optimization on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
JavaScript optimization policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.contoso.com won't correctly apply to contoso.com or subdomain.contoso.com since they both resolve to the same eTLD+1 (contoso.com) for which there's no policy. In this case, policy must be set on contoso.com to apply correctly for both contoso.com and subdomain.contoso.com.
This policy applies on a frame-by-frame basis and isn't based on top-level origin URL alone; so, for example, if contoso.com is listed in the JavaScriptOptimizerBlockedForSites policy but contoso.com loads a frame containing fabrikam.com, then contoso.com has JavaScript optimizations disabled, but fabrikam.com will use the policy from DefaultJavaScriptOptimizerSetting, if set, or default to JavaScript optimizations enabled. Blocklist entries have higher priority than allowlist entries, which in turn have higher priority than the configured default value.
If you don't configure this policy for a site, then the policy from DefaultJavaScriptOptimizerSetting applies to the site, if set; otherwise, JavaScript optimization is enabled for the site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: JavaScriptOptimizerBlockedForSites
GP name: Block JavaScript optimizations on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
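The site-granularity and precedence rules described above for the JavaScriptOptimizer allow and block lists are easy to get wrong in a deployment: an entry such as subdomain.contoso.com is accepted but never takes effect. The following is an added example, not Microsoft's code, that models those stated rules to lint a list and resolve the setting for each frame. The tiny public-suffix set, the function names, and the boolean standing in for DefaultJavaScriptOptimizerSetting are assumptions made for illustration.

```python
# Model of the rules stated on this page for JavaScriptOptimizerAllowedForSites /
# JavaScriptOptimizerBlockedForSites (the JIT lists describe the same eTLD+1 rule).
# Assumption: a real audit would use the full Public Suffix List; this constructed
# set only covers the sample hosts.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def host_of(pattern):
    """Reduce a list entry to its host: drop scheme, path and port (IPv6 not handled)."""
    p = pattern.strip().lower()
    if "://" in p:
        p = p.split("://", 1)[1]
    p = p.split("/", 1)[0]
    return p.rsplit(":", 1)[0] if ":" in p else p


def registrable_domain(host):
    """Return the eTLD+1 of host, or None if no known public suffix applies."""
    labels = host.split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def lint_site_list(patterns):
    """Return (entry, eTLD+1) for entries that are not themselves an eTLD+1.

    Per the page, such entries do not apply to the subdomain or to the site,
    so the hardening they were meant to provide is silently absent.
    """
    findings = []
    for entry in patterns:
        host = host_of(entry)
        site = registrable_domain(host)
        if host != site:
            findings.append((entry, site))
    return findings


def effective_setting(frame_host, blocked, allowed, default_enabled=True):
    """Resolve 'enabled'/'disabled' for one frame, evaluated on the frame's own site.

    Precedence as stated on the page: blocklist, then allowlist, then default.
    Only entries that equal an eTLD+1 can match, because lookup is per site.
    """
    site = registrable_domain(host_of(frame_host))
    blocked_sites = {host_of(p) for p in blocked}
    allowed_sites = {host_of(p) for p in allowed}
    if site is not None and site in blocked_sites:
        return "disabled"
    if site is not None and site in allowed_sites:
        return "enabled"
    return "enabled" if default_enabled else "disabled"


if __name__ == "__main__":
    # Constructed sample: an admin intended to harden one subdomain only.
    blocked = ["subdomain.contoso.com"]
    for entry, site in lint_site_list(blocked):
        print("ineffective entry %r: list the site %r instead" % (entry, site))
    # Frame-by-frame evaluation: top-level contoso.com embedding fabrikam.com.
    for frame in ("subdomain.contoso.com", "fabrikam.com"):
        print(frame, "->", effective_setting(frame, ["contoso.com"], []))
```

Run the lint over the exported list values before rollout; any entry it reports should be replaced by the site it names, with the understanding that the setting then covers every host under that site.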
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 94.
Supported versions:
On Windows and macOS since 80, until 94
Description
This policy doesn't work because it was intended to serve only as a short-term mechanism to give enterprises more time to update their environments if they were found to be incompatible with the SameSite behavior change.
Lets you revert all cookies to legacy SameSite behavior. Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site.
If you don't set this policy, the default SameSite behavior for cookies will depend on other configuration sources for the SameSite-by-default feature, the Cookies-without-SameSite-must-be-secure feature, and the Schemeful Same-Site feature. These features can also be configured by a field trial or the same-site-by-default-cookies flag, the cookies-without-same-site-must-be-secure flag, or the schemeful-same-site flag in edge://flags.
Policy options mapping:
* DefaultToLegacySameSiteCookieBehavior (1) = Revert to legacy SameSite behavior for cookies on all sites
* DefaultToSameSiteByDefaultCookieBehavior (2) = Use SameSite-by-default behavior for cookies on all sites
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: LegacySameSiteCookieBehaviorEnabled
GP name: Enable default legacy SameSite cookie behavior setting (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Revert to legacy SameSite behavior for cookies on specified sites (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 132.
Supported versions:
On Windows and macOS since 80, until 132
Description
Cookies set for domains that match the specified patterns revert to legacy SameSite behavior.
Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site.
If you don't set this policy, the global default value is used. The global default is also used for cookies on domains not covered by the patterns you specify.
Allows you to create a list of URL patterns to specify sites that aren't allowed to display notifications.
If you don't set this policy, the global default value is used for all sites. This default value is from the DefaultNotificationsSetting policy if it's set, or from the user's personal configuration. For detailed information on valid URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: NotificationsBlockedForUrls
GP name: Block notifications on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Manage Blob URL Partitioning During Fetching and Navigation
Supported versions:
On Windows and macOS since 135 or later
Description
The PartitionedBlobUrlUsage policy controls whether Blob URLs are partitioned during fetching and navigation. If this policy is set to Enabled or not set, Blob URLs are partitioned. If this policy is set to Disabled, Blob URLs won't be partitioned. This represents the Blob URL behavior before Microsoft Edge version 135.
The policy is scheduled to be available through Microsoft Edge version 146. After this version, the policy will be removed, and Microsoft Edge will no longer support unpartitioned blob storage.
For detailed information on third-party storage partitioning, see https://github.com/privacycg/storage-partitioning.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PartitionedBlobUrlUsage
GP name: Manage Blob URL Partitioning During Fetching and Navigation
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allow the Adobe Flash plug-in on specific sites (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 87.
Supported versions:
On Windows and macOS since 77, until 87
Description
This policy doesn't work because Flash is no longer supported by Microsoft Edge.
Define a list of sites, based on URL patterns, that can run the Adobe Flash plug-in.
If you don't configure this policy, the global default value from the DefaultPluginsSetting policy (if set) or the user's personal configuration is used for all sites.
For detailed information on valid URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PluginsAllowedForUrls
GP name: Allow the Adobe Flash plug-in on specific sites (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Block the Adobe Flash plug-in on specific sites (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 87.
Supported versions:
On Windows and macOS since 77, until 87
Description
This policy doesn't work because Flash is no longer supported by Microsoft Edge.
Define a list of sites, based on URL patterns, that are blocked from running Adobe Flash.
If you don't configure this policy, the global default value from the DefaultPluginsSetting policy (if set) or the user's personal configuration is used for all sites.
For detailed information on valid URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322. However, starting in M85, patterns with '*' and '[*.]' wildcards in the host are no longer supported for this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PluginsBlockedForUrls
GP name: Block the Adobe Flash plug-in on specific sites (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Define a list of sites, based on URL patterns, that can open pop-up windows. Wildcards (*) are allowed.
If you don't configure this policy, the global default value from the DefaultPopupsSetting policy (if set) or the user's personal configuration is used for all sites.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PopupsAllowedForUrls
GP name: Allow pop-up windows on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Define a list of sites, based on URL patterns, that are blocked from opening pop-up windows. Wildcards (*) are allowed.
If you don't configure this policy, the global default value from the DefaultPopupsSetting policy (if set) or the user's personal configuration is used for all sites.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PopupsBlockedForUrls
GP name: Block pop-up windows on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
This policy lets you specify a list of URL patterns for sites that are allowed to access the user's high-accuracy geolocation without prompting for permission.
If you leave this policy unset, DefaultGeolocationSetting applies to all sites (if configured). Otherwise, the user's personal setting is used.
For information about valid URL patterns, see https://learn.microsoft.com/deployedge/edge-learnmmore-url-list-filter%20format. Wildcards (*) are supported.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreciseGeolocationAllowedForUrls
GP name: Allow precise geolocation on these sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Set this policy (recommended only) to register a list of protocol handlers. This list is merged with ones registered by the user and both are available to use.
To register a protocol handler:
- Set the protocol property to the scheme (for example, "mailto")
- Set the URL property to the URL of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.
Users can't remove a protocol handler registered by this policy. However, they can install a new default protocol handler to override the existing protocol handlers.
In the examples in this section, the URL points to the Outlook on the Web (OWA) endpoint used in Exchange Online. If you're targeting Exchange Server (on-premises), use the following URL and replace mail.contoso.com with your organization's OWA endpoint:
Automatically grant sites permission to connect to USB serial devices
Supported versions:
On Windows and macOS since 97 or later
Description
Setting the policy lets you list sites that are automatically granted permission to access USB serial devices with vendor and product IDs that match the vendor_id and product_id fields.
Optionally you can omit the product_id field. This enables site access to all the vendor's devices. When you provide a product ID, then you give the site access to a specific device from the vendor but not all devices.
The URLs must be valid, or the policy is ignored. Only the origin (scheme, host, and port) of the URL is considered.
This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: SerialAllowUsbDevicesForUrls
GP name: Automatically grant sites permission to connect to USB serial devices
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Disable third-party storage partitioning for specific top-level origins (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 145.
Supported versions:
On Windows and macOS since 115, until 145
Description
This policy lets you set a list of URL patterns that specify top-level origins for which third-party storage partitioning (partitioning of cross-origin iframe storage) should be disabled.
Note that the patterns you list are treated as origins, not URLs, so you shouldn't specify a path. For detailed information about valid origin patterns, see https://go.microsoft.com/fwlink/?linkid=2095322.
This feature has been removed starting in Microsoft Edge version 146. To ensure compatibility, use the requestStorageAccess method instead. For more information, see https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ThirdPartyStoragePartitioningBlockedForOrigins
GP name: Disable third-party storage partitioning for specific top-level origins (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Allow listed sites connect to specific HID devices
Supported versions:
On Windows and macOS since 109 or later
Description
This setting lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs.
If you set this policy, each item in the list requires both devices and urls fields for the item to be valid; otherwise, the item is ignored.
* Each item in the devices field must have a vendor_id and may have a product_id field.
* Omitting the product_id field will create a policy matching any device with the specified vendor ID.
* An item which has a product_id field without a vendor_id field is invalid and is ignored.
If you don't set this policy, then DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage
Supported versions:
On Windows and macOS since 109 or later
Description
This setting allows you to list the URLs that specify which sites are automatically granted permission to access an HID device containing a top-level collection with the given HID usage.
Each item in the list requires both usages and urls fields for the policy to be valid.
* Each item in the usages field must have a usage_page and may have a usage field.
* Omitting the usage field creates a policy matching any device containing a top-level collection with a usage from the specified usage page.
* An item which has a usage field without a usage_page field is invalid and is ignored.
If you don't set this policy, then DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
Grant access to specific sites to connect to specific USB devices
Supported versions:
On Windows and macOS since 77 or later
Description
Allows you to set a list of URLs that specify which sites will automatically be granted permission to access a USB device with the given vendor and product IDs. Each item in the list must contain both devices and URLs for the policy to be valid. Each item in devices can contain a vendor ID and product ID field. Any ID that is omitted is treated as a wildcard with one exception, and that exception is that a product ID can't be specified without a vendor ID also being specified. Otherwise, the policy isn't valid and is ignored.
The USB permission model uses the URL of the requesting site ("requesting URL") and the URL of the top-level frame site ("embedding URL") to grant permission to the requesting URL to access the USB device. The requesting URL may be different than the embedding URL when the requesting site is loaded in an iframe. Therefore, the "urls" field can contain up to two URL strings delimited by a comma to specify the requesting and embedding URL respectively. If only one URL is specified, then access to the corresponding USB devices is granted when the requesting site's URL matches this URL regardless of embedding status. The URLs in "urls" must be valid URLs; otherwise, the policy is ignored.
Specifying both a requesting and an embedding URL is deprecated and only supported for backwards compatibility in the following manner: if both a requesting and embedding URL are specified, then the embedding URL is granted the permission as top-level origin, and the requesting URL is ignored entirely.
If you don't configure this policy, the global default value is used for all sites either from the DefaultWebUsbGuardSetting policy if it is set, or the user's personal configuration otherwise.
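The validity rules above for the HID device allowlist and the USB device allowlist differ in two ways that matter for review: a bad HID item is dropped while a bad USB item invalidates the policy, and an omitted ID silently widens the grant. The following is an added example, not Microsoft's code, that audits both kinds of list value against the rules this page states. The sample IDs and hosts are constructed, the URL check is a simplified assumption, and the function and severity names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample values: the IDs and hosts below are placeholders.
SAMPLE_WEBHID = json.loads("""[
  {"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://contoso.com"]},
  {"devices": [{"vendor_id": 1234}], "urls": ["https://tools.contoso.com"]},
  {"devices": [{"product_id": 5678}], "urls": ["https://contoso.com"]},
  {"devices": [{"vendor_id": 1234}]}
]""")
SAMPLE_WEBUSB = json.loads("""[
  {"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://contoso.com"]},
  {"devices": [{}], "urls": ["https://contoso.com"]},
  {"devices": [{"vendor_id": 1234, "product_id": 5678}],
   "urls": ["https://requesting.contoso.com,https://embedding.contoso.com"]},
  {"devices": [{"product_id": 5678}], "urls": ["not a url"]}
]""")


def url_ok(url):
    """Simplified validity check (assumption): absolute http(s) URL with a host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def audit_device_policy(items, kind):
    """Return (item_index, severity, message) findings for a device allowlist.

    kind is "hid" or "usb". Severities: "ignored" (the entry has no effect),
    "invalid" (the page says the policy is ignored), "broad" (valid, but wider
    than one device model), "deprecated" (two-URL form of a USB urls entry).
    """
    if kind not in ("hid", "usb"):
        raise ValueError("kind must be 'hid' or 'usb'")
    # HID: the faulty item is ignored. USB: the policy itself is not valid.
    bad = "ignored" if kind == "hid" else "invalid"
    findings = []
    for i, item in enumerate(items):
        devices, urls = item.get("devices"), item.get("urls")
        if not devices or not urls:
            findings.append((i, bad, "item needs both 'devices' and 'urls'"))
            continue
        for dev in devices:
            has_vid, has_pid = "vendor_id" in dev, "product_id" in dev
            if has_pid and not has_vid:
                findings.append((i, bad, "product_id given without vendor_id"))
            elif not has_vid and kind == "hid":
                # The page requires vendor_id for HID but does not state the
                # outcome; reported with the same severity (assumption).
                findings.append((i, bad, "devices entry lacks vendor_id"))
            elif not has_vid:
                findings.append((i, "broad", "no IDs: matches every USB device"))
            elif not has_pid:
                findings.append((i, "broad",
                                 "vendor_id %s only: matches all of that vendor's devices"
                                 % dev["vendor_id"]))
        if kind == "usb":  # URL rules below are the ones stated for the USB list
            for entry in urls:
                parts = entry.split(",")
                if len(parts) > 2 or not all(url_ok(p) for p in parts):
                    findings.append((i, "invalid",
                                     "urls entry is not one or two valid URLs: %r" % entry))
                elif len(parts) == 2:
                    findings.append((i, "deprecated",
                                     "two-URL form: only the embedding URL %s is granted"
                                     % parts[1].strip()))
    return findings


if __name__ == "__main__":
    for name, sample, kind in (("HID list", SAMPLE_WEBHID, "hid"),
                               ("USB list", SAMPLE_WEBUSB, "usb")):
        for idx, severity, message in audit_device_policy(sample, kind):
            print("%s item %d [%s]: %s" % (name, idx, severity, message))
```

Treat every "broad" finding as a review item: the grant is automatic, so the listed origin can reach any matching device without the user being prompted.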
Define a list of sites, based on URL patterns, that can ask the user for access to a USB device.
If you don't configure this policy, the global default value from the DefaultWebUsbGuardSetting policy (if set) or the user's personal configuration is used for all sites.
Define a list of sites, based on URL patterns, that can't ask the user to grant them access to a USB device.
If you don't configure this policy, the global default value from the DefaultWebUsbGuardSetting policy (if set) or the user's personal configuration is used for all sites.
Allow Window Management permission on specified sites
Supported versions:
On Windows and macOS since 123 or later
Description
Lets you configure a list of site URL patterns that specify sites that are automatically granted the window management permission. This extends the ability of sites to see information about the device's screens. This information can be used to open and place windows or request fullscreen on specific screens.
For detailed information on valid site URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322. Wildcards, *, are allowed. This policy only matches based on site origin, so any path in the URL pattern is ignored.
If this policy isn't configured for a site, then the policy from DefaultWindowManagementSetting applies to the site, if configured. Otherwise the permission follows the browser's defaults and lets users choose this permission per site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: WindowManagementAllowedForUrls
GP name: Allow Window Management permission on specified sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Block Window Management permission on specified sites
Supported versions:
On Windows and macOS since 123 or later
Description
Lets you configure a list of site URL patterns that specify sites that are automatically denied the window management permission. This limits the ability of sites to see information about the device's screens. This information can be used to open and place windows or request fullscreen on specific screens.
For detailed information on valid site URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322. Wildcards, *, are allowed. This policy only matches based on site origin, so any path in the URL pattern is ignored.
If this policy isn't configured for a site, then the policy from DefaultWindowManagementSetting applies to the site, if configured. Otherwise the permission follows the browser's defaults and lets users choose this permission per site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: WindowManagementBlockedForUrls
GP name: Block Window Management permission on specified sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Content settings
Prefer specific encryption cipher algorithms for TLS
Supported versions:
On Windows and macOS since 146 or later
Description
This policy configures Microsoft Edge to order its preferred encryption ciphers in TLS 1.3 based on algorithms approved by a specific compliance regime.
Setting this policy does not guarantee that any specific algorithms will be negotiated.
This policy allows server operators who support both compliant and non-compliant clients to differentiate between them, and use certain non-default algorithms with increased cryptographic strength only for clients explicitly configured to prefer them.
Setting the policy to 'cnsa' configures Microsoft Edge to prefer ciphers required for compliance with the Commercial National Security Algorithm Suite versions 1.0 and 2.0 (CNSA 1.0 and 2.0).
Not setting the policy, or setting it to 'default', configures Microsoft Edge to use its default ciphers.
Setting this policy isn't required for security. The default cryptography used by Microsoft Edge is strong enough to withstand a brute-force attack using the entire power of the Sun.
Setting this policy will cause Microsoft Edge to be slower when accessing websites.
This policy only affects TLS 1.3 and QUIC. It doesn't affect earlier versions of TLS.
Policy options mapping:
* CNSA (cnsa) = Prefer ciphers satisfying the requirements of CNSA 1.0 and 2.0
* Default (default) = Use Microsoft Edge's default cipher order
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreferSlowCiphers
GP name: Prefer specific encryption cipher algorithms for TLS
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Cryptography compliance policies
This policy configures Microsoft Edge to prioritize certain key agreement algorithms (supported groups) in TLS 1.3 based on compliance requirements.
If you set this policy to 'cnsa2', Microsoft Edge prefers the algorithms required for the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0). If you leave this policy unset or set it to 'default', the browser uses its standard key exchange order.
This policy does not guarantee negotiation of a specific algorithm. It is designed to help server operators distinguish clients with compliance requirements and apply higher-strength, non-default algorithms only when appropriate.
This policy applies only to TLS 1.3 and QUIC. The default cryptography used by Microsoft Edge already provides strong security, but enabling this policy may reduce performance when accessing websites.
Policy options mapping:
* CNSA2.0 (cnsa2) = Prefer key exchange methods satisfying the requirements of CNSA 2.0
* Default (default) = Use Microsoft Edge's default supported groups
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreferSlowKexAlgorithms
GP name: Prefer specific key exchange algorithms for TLS
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Cryptography compliance policies
Enables the ability to use a default search provider.
If you enable this policy, a user can search for a term by typing in the address bar (as long as what they type isn't a URL).
You can specify the default search provider to use by enabling the rest of the default search policies. If these are left empty (not configured) or configured incorrectly, the user can choose the default provider.
If you disable this policy, the user can't search from the address bar.
If you enable or disable this policy, users can't change or override it.
If you don't configure this policy, the default search provider is enabled, and the user can choose the default search provider and set the search provider list.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Starting in Microsoft Edge 84, you can set this policy as a recommended policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderEnabled
GP name: Enable the default search provider
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Specify the character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.
This policy is optional. If not configured, the default, UTF-8, is used.
Starting in Microsoft Edge 84, you can set this policy as a recommended policy. If the user has already set a default search provider, the default search provider configured by this recommended policy won't be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderEncodings
GP name: Default search provider encodings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Starting in Microsoft Edge version 84, you can set this policy as a recommended policy. If the user set a default search provider, the default search provider configured by this recommended policy can't be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderImageURL
GP name: Specifies the search-by-image feature for the default search provider
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
If you enable this policy, it specifies the parameters used when an image search that uses POST is performed. The policy consists of comma-separated name/value pairs. If a value is a template parameter, like {imageThumbnail} in the preceding example, it's replaced with real image thumbnail data. This policy is applied only if you enable the DefaultSearchProviderEnabled and DefaultSearchProviderSearchURL policies.
Specify Bing's Image Search URL Post Params as: 'imageBin={google:imageThumbnailBase64}'.
Specify Google's Image Search URL Post Params as: 'encoded_image={google:imageThumbnail},image_url={google:imageURL},sbisrc={google:imageSearchSource},original_width={google:imageOriginalWidth},original_height={google:imageOriginalHeight}'.
If you don't set this policy, image search requests are sent using the GET method.
Starting in Microsoft Edge 84, you can set this policy as a recommended policy. If the user set a default search provider, the default search provider configured by this recommended policy can't be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderImageURLPostParams
GP name: Parameters for an image URL that uses POST
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Starting in Microsoft Edge version 84, you can set this policy as a recommended policy. If the user set a default search provider, the default search provider configured by this recommended policy can't be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderKeyword
GP name: Default search provider keyword
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Specifies the name of the default search provider.
If you enable this policy, you set the name of the default search provider.
If you don't enable this policy or if you leave it empty, the host name specified by the search URL is used.
'DefaultSearchProviderName' should be set to an organization-approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008. This policy is applied only if you enable the DefaultSearchProviderEnabled and DefaultSearchProviderSearchURL policies.
Starting in Microsoft Edge version 84, you can set this policy as a recommended policy. If the user set a default search provider, the default search provider configured by this recommended policy isn't added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderName
GP name: Default search provider name
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Specifies the URL of the search engine used for a default search. The URL contains the string '{searchTerms}', which is replaced at query time by the terms the user is searching for.
This policy is required when you enable the DefaultSearchProviderEnabled policy; if you don't enable the latter policy, this policy is ignored.
Starting in Microsoft Edge 84, you can set this policy as a recommended policy. If the user has already set a default search provider, the default search provider configured by this recommended policy won't be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderSearchURL
GP name: Default search provider search URL
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
Specifies the URL for the search engine used to provide search suggestions. The URL contains the string '{searchTerms}', which is replaced at query time by the text the user entered so far.
This policy is optional. If you don't configure it, users can't see search suggestions; they see suggestions from their browsing history and favorites.
Starting in Microsoft Edge version 84, you can set this policy as a recommended policy. If the user has already set a default search provider, the default search provider configured by this recommended policy isn't added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSearchProviderSuggestURL
GP name: Default search provider URL for suggestions
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
You can configure the new tab page search box to use "Search box (Recommended)" or "Address bar" to search on new tabs. This policy only works if you set the search engine to a value other than Bing by setting the following two policies: DefaultSearchProviderEnabled and DefaultSearchProviderSearchURL.
If you disable or don't configure this policy and:
- If the address bar default search engine is Bing, the new tab page uses the search box to search on new tabs.
- If the address bar default search engine isn't Bing, users are offered an additional choice (use "Address bar") when searching on new tabs.
If you enable this policy and set it to:
- "Search box (Recommended)" ('bing'), the new tab page uses the search box to search on new tabs.
- "Address bar" ('redirect'), the new tab page search box uses the address bar to search on new tabs.
Policy options mapping:
* bing (bing) = Search box (Recommended)
* redirect (redirect) = Address bar
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageSearchBox
GP name: Configure the new tab page search box experience
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Default search provider
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Default search provider
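The default search provider policies above depend on one another, so a value can be set and still never take effect. The following lint is an added example, not Microsoft's code: the policy names come from this page, the sample values are constructed, and treating "encrypted search provider" as "https URL" is an assumption.

```python
from urllib.parse import urlsplit

SEARCH_URL = "DefaultSearchProviderSearchURL"

# Policies this page says apply only when DefaultSearchProviderEnabled and
# DefaultSearchProviderSearchURL are both set.
NEEDS_ENABLED_AND_URL = (
    "DefaultSearchProviderName",
    "DefaultSearchProviderImageURLPostParams",
    "NewTabPageSearchBox",
)
# URL policies whose value must carry the {searchTerms} placeholder.
TEMPLATE_URLS = (SEARCH_URL, "DefaultSearchProviderSuggestURL")


def lint_search_policies(policies):
    """Return (policy, finding) tuples for one dict of configured policies."""
    findings = []
    enabled = policies.get("DefaultSearchProviderEnabled") is True
    search_url = policies.get(SEARCH_URL) or ""

    if enabled and not search_url:
        findings.append((SEARCH_URL, "required when DefaultSearchProviderEnabled is enabled"))
    if not enabled and search_url:
        findings.append((SEARCH_URL, "ignored: DefaultSearchProviderEnabled is not enabled"))

    for name in NEEDS_ENABLED_AND_URL:
        if name in policies and not (enabled and search_url):
            findings.append((name, "not applied: needs DefaultSearchProviderEnabled "
                                   "and DefaultSearchProviderSearchURL"))

    for name in TEMPLATE_URLS:
        url = policies.get(name)
        if not url:
            continue
        if "{searchTerms}" not in url:
            findings.append((name, "missing the {searchTerms} placeholder"))
        # Assumption: an "encrypted search provider" is one reached over https.
        if urlsplit(url).scheme.lower() != "https":
            findings.append((name, "not https: typed queries leave the browser unencrypted"))

    box = policies.get("NewTabPageSearchBox")
    if box is not None and box not in ("bing", "redirect"):
        findings.append(("NewTabPageSearchBox", "value must be 'bing' or 'redirect'"))
    return findings


# Constructed sample policy sets; search.example.test is a placeholder host.
GOOD = {
    "DefaultSearchProviderEnabled": True,
    "DefaultSearchProviderSearchURL": "https://search.example.test/?q={searchTerms}",
    "DefaultSearchProviderName": "Intranet search",
    "NewTabPageSearchBox": "redirect",
}
BAD = {
    "DefaultSearchProviderEnabled": True,
    "DefaultSearchProviderName": "Intranet search",
    "DefaultSearchProviderSuggestURL": "http://search.example.test/suggest?q={searchTerms}",
    "NewTabPageSearchBox": "addressbar",
}

if __name__ == "__main__":
    for policy, finding in lint_search_policies(BAD):
        print(f"{policy}: {finding}")
```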
Enables warnings when potentially dangerous content is downloaded over HTTP.
If you enable or don't configure this policy, when a user tries to download potentially dangerous content from an HTTP site, the user receives a UI warning, such as "Insecure download blocked". The user can still download the item.
If you disable this policy, the warnings for insecure downloads are suppressed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ShowDownloadsInsecureWarningsEnabled
GP name: Enable insecure download warnings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Downloads
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Downloads
Prevent bypassing Edge Website Typo Protection prompts for sites
Supported versions:
On Windows and macOS since 121 or later
Description
This policy setting lets you decide whether users can override the Edge Website Typo Protection warnings about potential typosquatting websites.
If you enable this setting, users can't ignore Edge Website Typo Protection warnings, and they're blocked from continuing to the site.
If you disable or don't configure this setting, users can ignore Edge Website Typo Protection warnings and continue to the site.
This only takes effect when TyposquattingCheckerEnabled policy isn't set or is set to enabled.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreventTyposquattingPromptOverride
GP name: Prevent bypassing Edge Website Typo Protection prompts for sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Edge Website Typo Protection settings
Configure the list of domains for which Microsoft Edge Website Typo Protection won't trigger warnings
Supported versions:
On Windows and macOS since 121 or later
Description
Configures the list of Microsoft Edge Website Typo Protection trusted domains. Microsoft Edge Website Typo Protection won't check these domains for potentially malicious typosquatting websites.
If you enable this policy, Microsoft Edge Website Typo Protection trusts these domains. If you disable or don't set this policy, default Microsoft Edge Website Typo Protection is applied to all resources.
This only takes effect when TyposquattingCheckerEnabled policy isn't set or is set to enabled.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10/11 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX. This policy doesn't apply if your organization has enabled Microsoft Defender for Endpoint. You must configure your allowlists and blocklists in the Microsoft 365 Defender portal using Indicators (Settings > Endpoints > Indicators).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: TyposquattingAllowListDomains
GP name: Configure the list of domains for which Microsoft Edge Website Typo Protection won't trigger warnings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Edge Website Typo Protection settings
This policy setting lets you configure whether to turn on Edge Website Typo Protection. Edge Website Typo Protection provides warning messages to help protect your users from potential typosquatting sites. By default, Edge Website Typo Protection is turned on.
If you enable this policy, Edge Website Typo Protection is turned on.
If you disable this policy, Edge Website Typo Protection is turned off.
If you don't configure this policy, Edge Website Typo Protection is turned on but users can choose whether to use Edge Website Typo Protection.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: TyposquattingCheckerEnabled
GP name: Configure Edge Website Typo Protection
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Edge Website Typo Protection settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Edge Website Typo Protection settings
Microsoft Edge Workspaces helps improve productivity for users in your organization.
If you enable or don't configure this policy, users can access the Microsoft Edge Workspaces feature. If you disable this policy, users won't be able to access the Microsoft Edge Workspaces feature.
Configure navigation settings per groups of URLs in Microsoft Edge Workspaces
Supported versions:
On Windows and macOS since 110 or later
Description
This setting lets you define groups of URLs, and apply specific Microsoft Edge Workspaces navigation settings to each group.
If you configure this policy, Microsoft Edge Workspaces use the configured settings when deciding whether and how to share navigations among collaborators in a Microsoft Edge Workspace.
If you don't configure this policy, Microsoft Edge Workspaces use only default and internally configured navigation settings.
Note: Format url_patterns according to https://go.microsoft.com/fwlink/?linkid=2095322. You can configure the url_regex_patterns in this policy to match multiple URLs using a Perl-style regular expression for the pattern. Pattern matches are case sensitive. For more information about the regular expression rules that are used, refer to https://go.microsoft.com/fwlink/p/?linkid=2133903.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: WorkspacesNavigationSettings
GP name: Configure navigation settings per groups of URLs in Microsoft Edge Workspaces
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Edge Workspaces settings
Configures users' ability to override the state of feature flags. If you set this policy to 'CommandLineOverridesEnabled', users can override the state of feature flags using command line arguments but not the edge://flags page.
If you set this policy to 'OverridesEnabled', users can override the state of feature flags using command line arguments or the edge://flags page.
If you set this policy to 'OverridesDisabled', users can't override the state of feature flags using command line arguments or the edge://flags page.
If you don't configure this policy, the behavior is the same as 'OverridesEnabled'.
Policy options mapping:
* CommandLineOverridesEnabled (2) = Allow users to override feature flags using command line arguments only
* OverridesEnabled (1) = Allow users to override feature flags
* OverridesDisabled (0) = Prevent users from overriding feature flags
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: FeatureFlagOverridesControl
GP name: Configure users ability to override feature flags
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Experimentation
If you enable this setting, external extensions are blocked from being installed.
If you disable this setting or leave it unset, external extensions are allowed to be installed.
External extensions and their installation are documented at [Alternate extension distribution methods](/microsoft-edge/extensions-chromium/developer-guide/alternate-distribution-options).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BlockExternalExtensions
GP name: Blocks external extensions from being installed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Configure default state of Allow extensions from other stores setting
Supported versions:
On Windows and macOS since 101 or later
Description
This policy allows you to control the default state of the Allow extensions from other stores setting. This policy can't be used to stop installation of extensions from other stores such as Chrome Web Store. To stop installation of extensions from other stores, use the Extension Settings policy: https://go.microsoft.com/fwlink/?linkid=2187098.
When enabled, the Allow extensions from other stores setting is turned on, so users don't have to turn on the flag manually while installing extensions from other supported stores such as Chrome Web Store. However, a user can override this setting. If the user turned on the setting and then turned it off, this setting may not work. If the Admin first sets the policy as Enabled, but then changes it to not configured or disabled, it has no impact on user settings and the setting remains as it is.
When disabled or not configured, the user can manage the Allow extensions from other stores setting.
Supported features:
Can be mandatory:
No
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ControlDefaultStateOfAllowExtensionFromOtherStoresSettingEnabled
GP name: Configure default state of Allow extensions from other stores setting
GP path (Mandatory):
N/A
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Extensions
This policy controls whether the Microsoft Edge Safe Hosting component extension is installed automatically when users visit supported Microsoft services, such as the Microsoft 365 Copilot app.
The Microsoft Edge Safe Hosting extension provides additional security capabilities for these services. When a user accesses a supported service, the extension installs automatically to enable those protections.
If you enable or don't configure this policy, the extension installs automatically and remains installed for 90 days after the user's last visit, then is removed if no further activity occurs.
If you disable this policy, the extension won't install automatically. If it’s already installed, it will be removed.
Note: This policy controls only automatic installation. It doesn’t prevent users from manually installing other extensions from the Microsoft Edge Add-ons website.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeSafeHostingExtensionEnabled
GP name: Control Microsoft Edge Safe Hosting Extension
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Setting the policy controls which apps and extensions may be installed in Microsoft Edge, which hosts they can interact with, and limits runtime access.
If you don't set this policy, there aren't any restrictions on acceptable extension and app types.
Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:
* "extension"
* "theme"
* "user_script"
* "hosted_app"
See the Microsoft Edge extensions documentation for more information about these types.
Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist.
Control the availability of developer mode on extensions page
Supported versions:
On Windows and macOS since 128 or later
Description
Control if users can turn on Developer Mode on edge://extensions.
If the policy isn't set, users can turn on developer mode on the extension page unless DeveloperToolsAvailability policy is set to DeveloperToolsDisallowed (2). If the policy is set to Allow (0), users can turn on developer mode on the extensions page. If the policy is set to Disallow (1), users cannot turn on developer mode on the extensions page.
If this policy is set, DeveloperToolsAvailability can no longer control extensions developer mode.
Policy options mapping:
* Allow (0) = Allow the usage of developer mode on extensions page
* Disallow (1) = Do not allow the usage of developer mode on extensions page
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionDeveloperModeSettings
GP name: Control the availability of developer mode on extensions page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Configure a list of origins that grant an extended background lifetime to connecting extensions.
Supported versions:
On Windows and macOS since 128 or later
Description
Extensions that connect to one of these origins keep running as long as the port is connected. If unset, the policy's default values are used. These are the app origins that offer software development kits (SDKs) that are known to not offer the possibility of restarting a closed connection to a previous state:
- Smart Card Connector
- Citrix Receiver (stable, beta, back-up)
- VMware Horizon (stable, beta)
If set, the default value list is extended with the newly configured values. The defaults and policy-provided entries grant the exception to the connecting extensions as long as the port is connected.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls
GP name: Configure a list of origins that grant an extended background lifetime to connecting extensions.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Setting this policy specifies which extensions aren't subject to the blocklist.
A blocklist value of * means all extensions are blocked and users can only install extensions listed in the allow list.
By default, all extensions are allowed. However, if you prohibited extensions by policy, you can use the list of allowed extensions to change that policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionInstallAllowlist
GP name: Allow specific extensions to be installed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Lets you specify which extensions the users CANNOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. After a disabled extension is removed from the blocklist it will automatically get re-enabled.
A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.
If this policy isn't set, the user can install any extension in Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionInstallBlocklist
GP name: Control which extensions cannot be installed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Set this policy to specify a list of apps and extensions that install silently, without user interaction. Users can't uninstall or turn off this setting. Permissions are granted implicitly, including the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. Note: These two APIs aren't available to apps and extensions that aren't force-installed.
If you don't set this policy, no apps or extensions are autoinstalled and users can uninstall any app in Microsoft Edge.
This policy supersedes ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, Microsoft Edge automatically uninstalls it.
For Windows instances not joined to a Microsoft Active Directory domain, forced installation is limited to apps and extensions listed in the Microsoft Edge Add-ons website.
On macOS instances, apps and extensions from outside the Microsoft Edge Add-ons website can only be force installed if the instance is managed via MDM, or joined to a domain via MCX.
The source code of any extension can be altered by users with developer tools, potentially rendering the extension nonfunctional. If there's a concern, configure the DeveloperToolsAvailability policy.
Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on edge://extensions when in Developer mode. If specified, the "update" URL should point to an Update Manifest XML document ( https://go.microsoft.com/fwlink/?linkid=2095043 ). The update URL should use one of the following schemes: http, https, or file. By default, the Microsoft Edge Add-ons website's update URL is used. The "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest. The update URL for subsequent updates can be overridden using the ExtensionSettings policy. See https://learn.microsoft.com/deployedge/microsoft-edge-manage-extensions-ref-guide.
Note: This policy doesn't apply to InPrivate mode. Read about hosting extensions at [Publish and update extensions in the Microsoft Edge Add-ons website](/microsoft-edge/extensions-chromium/enterprise/hosting-and-updating).
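The entry format and the precedence over ExtensionInstallBlocklist described above can be checked before a forcelist is deployed. The following Python audit is an added example, not Microsoft's code; the extension IDs, host names and function names are constructed, and the a-p alphabet check reflects how Chromium-based browsers form extension IDs.

```python
import re
from urllib.parse import urlsplit

# Chromium-family extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")
# Schemes the policy text permits for the optional "update" URL.
ALLOWED_SCHEMES = {"http", "https", "file"}


def parse_entry(entry):
    """Split one 'id;update_url' list item into (id, update_url or None)."""
    ext_id, _, url = entry.strip().partition(";")
    return ext_id.strip(), (url.strip() or None)


def audit_forcelist(forcelist, blocklist=()):
    """Return {extension_id: [findings]} for entries that need review."""
    findings = {}
    seen = set()
    blocked = set(blocklist)
    for entry in forcelist:
        ext_id, url = parse_entry(entry)
        notes = []
        if not EXTENSION_ID_RE.fullmatch(ext_id):
            notes.append("malformed extension ID")
        if ext_id in seen:
            notes.append("duplicate entry")
        seen.add(ext_id)
        if url is not None:
            scheme = urlsplit(url).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                notes.append(f"unsupported update URL scheme: {scheme or 'none'}")
            elif scheme == "http":
                notes.append("update manifest fetched over cleartext HTTP")
            elif scheme == "file":
                notes.append("file update URL: review write access to that path")
        if ext_id in blocked:
            # The forcelist supersedes the blocklist, so the block never applies.
            notes.append("also blocklisted: forcelist supersedes the blocklist")
        if notes:
            findings.setdefault(ext_id, []).extend(notes)
    return findings


# Constructed sample policy values (not real extension IDs or hosts).
SAMPLE_FORCELIST = [
    "abcdefghijklmnopabcdefghijklmnop",  # no URL: default Add-ons update URL
    "ponmlkjihgfedcbaponmlkjihgfedcba;https://ext.example.test/updates.xml",
    "aaaabbbbccccddddeeeeffffgggghhhh;http://ext.example.test/updates.xml",
    "abcdefghijklmnopqrstuvwxyzabcdef;https://ext.example.test/updates.xml",
    "ponmlkjihgfedcbaponmlkjihgfedcba",  # repeated ID
]
SAMPLE_BLOCKLIST = ["aaaabbbbccccddddeeeeffffgggghhhh"]

if __name__ == "__main__":
    for ext_id, notes in audit_forcelist(SAMPLE_FORCELIST, SAMPLE_BLOCKLIST).items():
        print(ext_id, "->", "; ".join(notes))
```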
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionInstallForcelist
GP name: Control which extensions are installed silently
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Configure extension and user script install sources
Supported versions:
On Windows and macOS since 77 or later
Description
Define URLs that can install extensions and themes.
Define URLs that can install extensions and themes directly without having to drag and drop the packages to the edge://extensions page.
Each item in this list is an extension-style match pattern (see https://go.microsoft.com/fwlink/?linkid=2095039). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (in other words, the referrer) must be allowed by these patterns. Don't host the files at a location that requires authentication.
The ExtensionInstallBlocklist policy takes precedence over this policy. Any extension that's on the blocklist won't be installed, even if it comes from a site on this list.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionInstallSources
GP name: Configure extension and user script install sources
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Control if Manifest v2 extensions can be used by the browser.
Manifest v2 extension support will be deprecated and all extensions need to be migrated to v3 in the future. More information about the migration and its timeline hasn't been established.
If the policy is set to Default or not set, v2 extension loading is decided by the browser. This follows the preceding timeline when it's established.
If the policy is set to Disable, v2 extension installation is blocked, and existing v2 extensions are disabled. This option is going to be treated the same as if the policy is unset after v2 support is turned off by default.
If the policy is set to Enable, v2 extensions are allowed. The option is going to be treated the same as if the policy isn't set before v2 support is turned off by default.
If the policy is set to EnableForForcedExtensions, force installed v2 extensions are allowed. This includes extensions that are listed by ExtensionInstallForcelist or ExtensionSettings with installation_mode "force_installed" or "normal_installed". All other v2 extensions are disabled. The option is always available regardless of the manifest migration state.
Extension availability is still controlled by other policies.
Policy options mapping:
* Default (0) = Default browser behavior
* Disable (1) = Manifest v2 is disabled
* Enable (2) = Manifest v2 is enabled
* EnableForForcedExtensions (3) = Manifest v2 is enabled for forced extensions only
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionManifestV2Availability
GP name: Control Manifest v2 extension availability
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Setting this policy controls extension management settings for Microsoft Edge, including those configured by other extension-related policies. This policy supersedes any legacy policies.
This policy maps an extension ID or update URL to a specific configuration. You can define a default configuration using the special ID "*", which applies to extensions without a custom configuration.
Note that any per-ID extension setting from either ExtensionInstallForcelist, ExtensionInstallAllowlist, ExtensionInstallBlocklist, or ExtensionSettings will only inherit 'installation_mode' and 'update_url' from the "*" defaults. It will not inherit any other properties. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest. If the 'override_update_url' flag is set to true, the extension is installed and updated using the update URL specified in the ExtensionInstallForcelist policy or in the 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is the Edge Add-ons website update URL. For more details, check out the detailed guide to ExtensionSettings policy available at https://go.microsoft.com/fwlink/?linkid=2161555.
To block extensions from a particular third party store, you only need to block the update_url for that store. For example, if you want to block extensions from Chrome Web Store, you can use the following JSON.
If the 'sidebar_auto_open_blocked' flag is set to true in an extension's configuration, the hub-app (sidebar app) corresponding to the specified extension will be prevented from automatically opening.
On Windows instances, apps and extensions from outside the Microsoft Edge Add-ons website can only be force installed if the instance is joined to a Microsoft Active Directory domain or joined to Microsoft Azure Active Directory®.
On macOS instances, apps and extensions from outside the Microsoft Edge Add-ons website can only be force installed if the instance is managed via MDM or joined to a domain via MCX.
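How the lookup and inheritance rules above play out against an extension inventory, as an added Python example (not Microsoft's code). It assumes the "update_url:" key prefix for update-URL entries, a precedence of per-ID entry, then exact update-URL entry, then "*", and "allowed" when no installation_mode is set; the IDs, the store URL and the function names are constructed.

```python
# Key prefix for entries scoped to an update URL (assumption, not shown on the page).
UPDATE_URL_PREFIX = "update_url:"
# Per the policy text, per-ID entries inherit only these two keys from "*".
INHERITED_FROM_DEFAULT = ("installation_mode", "update_url")


def effective_settings(policy, ext_id, manifest_update_url=None):
    """Return (settings, source) for one extension.

    Assumed precedence: per-ID entry, then exact update-URL entry, then "*".
    """
    default = policy.get("*", {})
    if ext_id in policy:
        merged = {k: default[k] for k in INHERITED_FROM_DEFAULT if k in default}
        merged.update(policy[ext_id])  # the extension's own keys win
        return merged, "id"
    if manifest_update_url:
        # Exact string match against the update URL in the extension manifest.
        url_key = UPDATE_URL_PREFIX + manifest_update_url
        if url_key in policy:
            return dict(policy[url_key]), "update_url"
    return dict(default), "default"


def audit_inventory(policy, inventory):
    """Map each installed extension ID to (installation_mode, source)."""
    report = {}
    for ext_id, manifest_update_url in inventory:
        settings, source = effective_settings(policy, ext_id, manifest_update_url)
        # "allowed" as the fallback mode is an assumption of this example.
        report[ext_id] = (settings.get("installation_mode", "allowed"), source)
    return report


# Constructed policy: block one third-party store by its update URL.
STORE_URL = "https://store.example.test/update/crx"  # placeholder store
SAMPLE_POLICY = {
    "*": {"installation_mode": "allowed", "sidebar_auto_open_blocked": True},
    UPDATE_URL_PREFIX + STORE_URL: {"installation_mode": "blocked"},
    "abcdefghijklmnopabcdefghijklmnop": {
        "update_url": "https://ext.example.test/updates.xml",
        "override_update_url": True,
    },
}

# Constructed inventory: (extension ID, update URL from its manifest).
SAMPLE_INVENTORY = [
    # Has a per-ID entry, so the store-wide block does not reach it.
    ("abcdefghijklmnopabcdefghijklmnop", STORE_URL),
    # No per-ID entry, manifest URL matches the blocked store exactly.
    ("ccccddddeeeeffffgggghhhhaaaabbbb", STORE_URL),
    # Trailing slash: not an exact match, so only "*" applies.
    ("eeeeffffgggghhhhaaaabbbbccccdddd", STORE_URL + "/"),
]

if __name__ == "__main__":
    for ext_id, (mode, source) in audit_inventory(SAMPLE_POLICY, SAMPLE_INVENTORY).items():
        print(f"{ext_id}: {mode} (from {source})")
```

The first and third inventory rows are the cases worth reviewing in a real policy: a per-ID entry that silently exempts an extension from a store-wide block, and an update URL that differs from the blocked one by a single character.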
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionSettings
GP name: Configure extension management settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
Specify extensions users must allow in order to navigate using InPrivate mode
Supported versions:
On Windows and macOS since 139 or later
Description
This policy lets you specify a list of extension IDs that the user must explicitly allow to run in InPrivate mode in order to enable InPrivate browsing.
If users don't allow all listed extensions to run in InPrivate mode, they're unable to navigate using InPrivate.
If any extension in the list isn't installed, InPrivate navigation is blocked.
This policy only applies when InPrivate mode is enabled. If InPrivate mode is disabled using the InPrivateModeAvailability policy, this policy has no effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: MandatoryExtensionsForInPrivateNavigation
GP name: Specify extensions users must allow in order to navigate using InPrivate mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Extensions
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 140.
Supported versions:
On Windows since 117, until 140
Description
Microsoft Edge Gamer Mode allows gamers to personalize their browser with gaming themes and gives them the option of enabling Efficiency Mode for PC gaming, the Gaming feed on new tabs, sidebar apps for gamers, and more.
If you enable or don't configure this policy, users can opt into Gamer Mode. If you disable this policy, Gamer Mode is disabled. Note: With Microsoft Edge version 141, this policy is obsolete because the Gamer Mode feature is removed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: GamerModeEnabled
GP name: Enable Gamer Mode (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Games settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Games settings
List of origins that allow all HTTP authentication
Supported versions:
On Windows and macOS since 102 or later
Description
Set this policy to specify which origins allow all the HTTP authentication schemes Microsoft Edge supports regardless of the AuthSchemes policy.
Format the origin pattern according to this format (https://support.google.com/chrome/a?p=url_blocklist_filter_format). Up to 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins. Wildcards are allowed for the whole origin or parts of the origin. Parts include the scheme, host, or port.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllHttpAuthSchemesAllowedForOrigins
GP name: List of origins that allow all HTTP authentication
GP path (Mandatory):
Administrative Templates/Microsoft Edge/HTTP authentication
Controls whether third-party images on a page can show an authentication prompt.
Typically, this is disabled as a phishing defense. If you don't configure this policy, it's disabled and third-party images can't show an authentication prompt.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowCrossOriginAuthPrompt
GP name: Allow cross-origin HTTP Authentication prompts
GP path (Mandatory):
Administrative Templates/Microsoft Edge/HTTP authentication
If you enable this policy, HTTP authentication honors approval from the Key Distribution Center (KDC). Microsoft Edge delegates user credentials to the requested service only when the KDC sets the OK-AS-DELEGATE flag on the service ticket, as defined in RFC 5896 (https://tools.ietf.org/html/rfc5896.html). The service must also be included in the AuthNegotiateDelegateAllowlist policy.
If you disable or don't configure this policy, Microsoft Edge ignores approval from the Key Distribution Center (KDC) on supported platforms and delegates credentials only to services specified in AuthNegotiateDelegateAllowlist.
Specifies which servers to enable for integrated authentication. Integrated authentication is only enabled when Microsoft Edge receives an authentication challenge from a proxy or from a server in this list.
Separate multiple server names with commas. Wildcards (*) are allowed.
If you don't configure this policy, Microsoft Edge tries to detect if a server is on the intranet - only then will it respond to IWA requests. If the server is on the internet, IWA requests from it are ignored by Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: AuthServerAllowlist
GP name: Configure list of allowed authentication servers
GP path (Mandatory):
Administrative Templates/Microsoft Edge/HTTP authentication
Specifies whether the generated Kerberos service principal name (SPN) should include a nonstandard port.
If you enable this policy, and if a user includes a nonstandard port (a port other than 80 or 443) in a URL, that port is included in the generated Kerberos SPN.
If you don't configure or disable this policy, the generated Kerberos SPN won't include a port in any case.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableAuthNegotiatePort
GP name: Include non-standard port in Kerberos SPN
GP path (Mandatory):
Administrative Templates/Microsoft Edge/HTTP authentication
All recent versions of Samba and Windows servers support NTLMv2. You should only disable NTLMv2 to address issues with backwards compatibility as it reduces the security of authentication.
If you don't configure this policy, NTLMv2 is enabled by default.
Indicates if Windows Credential UI should be used to respond to NTLM and Negotiate authentication challenges.
If you disable this policy, a basic username and password prompt is used to respond to NTLM and Negotiate challenges. If you enable or don't configure this policy, Windows Credential UI is used.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: WindowsHelloForHTTPAuthEnabled
GP name: Windows Hello For HTTP Auth Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/HTTP authentication
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/HTTP authentication
Configure the automatic profile switching site list
Supported versions:
On Windows and macOS since 120 or later
Description
Set this policy to control which profile Microsoft Edge uses to open sites. Switching configurations for sites listed in this policy take precedence over other heuristics Microsoft Edge uses for switching sites; however, sites not listed in this policy are still subject to switching by those heuristics. If you don't configure this policy, Microsoft Edge continues using its heuristics to automatically switch sites.
This policy maps a URL hostname to a profile that's used to open the site.
The 'site' field takes the form of a URL hostname.
The 'profile' field can take one of the following values:
- 'Work': The most recently used Microsoft Entra signed-in profile is used to open a 'site'.
- 'Personal': The most recently used Microsoft Account (MSA) signed-in profile is used to open a 'site'.
- 'No preference': The currently used profile is used to open a 'site'.
- 'Wildcard email address': This takes the form of '*@contoso.com'. A profile whose username ends with the contents following the '*' is used to open a 'site'.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutomaticProfileSwitchingSiteList
GP name: Configure the automatic profile switching site list
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Identity and sign-in
Configuring this policy lets you set a default profile in Microsoft Edge to be used when opening the browser rather than the last profile used. This policy doesn't take effect when the "--profile-directory" parameter is specified. Set the value to "Default" to refer to the default profile. The value of the policy is a string that is the name of a specific profile, and it is case sensitive. The values "Edge Kids Mode" and "Guest Profile" aren't considered useful values because they aren't supposed to be a default profile.
This policy doesn't impact the following scenarios:
1) Settings specified in "Profile preferences for sites" in "Profile preferences"
2) Links opening from Outlook and Teams.
The following statements apply when "--profile-directory" isn't specified and the configured value isn't "Edge Kids Mode" or "Guest Profile":
- If you enable this policy and configure it with a specific profile name and the specified profile can be found, Microsoft Edge uses the specified profile when launching, and the "Default profile for external link" setting is changed to the specified profile name and greyed out.
- If you enable this policy and configure it with a specific profile name but it can't be found, the policy behaves as if it had never been set.
- If you enable this policy, but don't configure or disable it, the policy behaves as if it had never been set.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeDefaultProfileEnabled
GP name: Default Profile Setting Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
Prioritize App specified profile to open external links
Supported versions:
On Windows and macOS since 139 or later
Description
This policy controls whether the profile specified by an app (such as Microsoft Teams or Outlook) is given priority when opening external links, instead of the profile selected in the Default profile for external links setting.
Policy behavior:
1. Enabled or not configured: The app-specified profile is prioritized for opening external links. This behavior overrides the profile selected in settings, and the behavior defined by the EdgeDefaultProfileEnabled and EdgeOpenExternalLinksWithPrimaryWorkProfileEnabled policies. If the app doesn't specify a profile, this policy has no effect.
2. Disabled: The profile selected in settings, along with the EdgeDefaultProfileEnabled and EdgeOpenExternalLinksWithPrimaryWorkProfileEnabled policies, is used to determine which profile opens external links.
NOTE: This policy doesn't override user-defined preferences set through Automatic profile switching, including the Custom site switch setting located within it. If a user configured specific sites to open in designated profiles, those preferences take precedence.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeOpenExternalLinksWithAppSpecifiedProfile
GP name: Prioritize App specified profile to open external links
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
Use Primary Work Profile as default to open external links
Supported versions:
On Windows and macOS since 138 or later
Description
This policy controls whether Microsoft Edge uses the Primary Work Profile as the default profile when opening external links.
1. On Windows, the Primary Work Profile refers to the profile signed in with the Entra ID account used to enroll the device.
2. On macOS and Linux, the Primary Work Profile is the only profile signed in with an Entra ID account. If multiple profiles are signed in with Entra ID accounts, the Primary Work Profile setting doesn't apply.
Policy behavior:
1. If enabled or not configured, Microsoft Edge uses the Primary Work Profile as the default for opening external links.
2. If disabled, the last used profile becomes the default for opening external links.
Note: This policy doesn't override the following scenarios:
1. If the EdgeDefaultProfileEnabled policy is set, it takes precedence over this policy.
2. External links opened from Outlook or Microsoft Teams may be configured to launch in a specific profile, which can override the Primary Work Profile setting.
3. If the user sets a preference for "Default profile for external links" in Profile preferences, that setting takes effect.
Supported features:
Can be mandatory:
No
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeOpenExternalLinksWithPrimaryWorkProfileEnabled
GP name: Use Primary Work Profile as default to open external links
GP path (Mandatory):
N/A
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Identity and sign-in
Configure this policy to allow/disallow implicit sign-in.
If you have configured the BrowserSignin policy to 'Disable browser sign-in', this policy doesn't take any effect.
If you enable or don't configure this setting, implicit sign-in is enabled, and Microsoft Edge attempts to sign the user in to their profile based on what and how they sign in to their OS.
If you disable this setting, implicit sign-in is disabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImplicitSignInEnabled
GP name: Enable implicit sign-in
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 133.
Supported versions:
On Windows and macOS since 107, until 133
Description
This policy is obsolete because Microsoft Edge no longer supports the linked account feature.
Microsoft Edge guides a user to the account management page where they can link a Microsoft Account (MSA) to an Azure Active Directory (Azure AD) account.
If you enable or don't configure this policy, linked account information is shown on a flyout. When the Azure AD profile doesn't have a linked account, it shows "Add account".
If you disable this policy, linked accounts are turned off and no extra information is shown.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LinkedAccountEnabled
GP name: Enable the linked account feature (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
This policy controls whether Microsoft Edge allows Microsoft 365 authentication pop-ups to bypass the pop-up blocker in work profiles.
When users are signed in with a work account, some Microsoft 365 sites (for example, microsoft.com, cloud.microsoft, and visualstudio.com) may open authentication pop-ups to login.microsoftonline.com, login.live.com, or login.microsoft.com. These pop-ups are required to complete sign-in.
If you enable this policy or don't configure it, Microsoft 365 authentication pop-ups are allowed in work profiles.
If you disable this policy, Microsoft 365 authentication pop-ups follow the default settings like other pop-ups.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: M365AuthPopupsInWorkEnabled
GP name: Allow M365 authentication popups in work profiles
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
This policy allows users to decide whether to use the OneAuth library for sign-in and token fetch in Microsoft Edge on Windows 10 RS3 and later.
If you disable or don't configure this policy, the sign-in process uses Windows Account Manager. Microsoft Edge can use accounts you signed in to Windows, Microsoft Office, or other Microsoft applications for sign-in, without the need for a password. Or, you can provide a valid account and password to sign in, which are stored in Windows Account Manager for future use. You can review all accounts stored in Windows Account Manager through the Windows Settings -> Accounts -> Email and accounts page.
If you enable this policy, OneAuth authentication flow is used for account sign in. The OneAuth authentication flow has fewer dependencies and works without Windows shell. The account you use isn't stored in the Email and accounts page.
This policy only takes effect on Windows 10 RS3 and later. On Windows 10 versions earlier than RS3, OneAuth is used for authentication in Microsoft Edge by default.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: OneAuthAuthenticationEnforced
GP name: OneAuth Authentication Flow Enforced for signin
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
Only on-premises account enabled for implicit sign-in
Supported versions:
On Windows since 94 or later
Description
Configure this policy to decide whether only on-premises accounts are enabled for implicit sign-in.
If you enable this policy, only on-premises accounts are enabled for implicit sign-in. Microsoft Edge doesn't attempt to implicitly sign in to Microsoft Services account (MSA) or Azure Active Directory (AAD) accounts. Upgrades from on-premises accounts to AAD accounts are also stopped.
If you disable or don't configure this policy, all accounts are enabled for implicit sign in.
This policy only takes effect when policy ConfigureOnPremisesAccountAutoSignIn is enabled and is set to 'SignInAndMakeDomainAccountNonRemovable'.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: OnlyOnPremisesImplicitSigninEnabled
GP name: Only on-premises account enabled for implicit sign-in
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
This policy controls proactive authentication in Microsoft Edge, which connects the signed-in user identity with Microsoft Bing, MSN and Copilot services for a smooth and consistent sign-in experience.
If you enable or don't configure this policy, Microsoft Edge authentication requests are automatically sent to the services using the account that is signed in to the browser.
If you disable this policy, Microsoft Edge doesn't send authentication requests to these services, and users need to sign in manually.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ProactiveAuthWorkflowEnabled
GP name: Enable proactive authentication
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
This policy only takes effect when the WebToBrowserSignInEnabled policy is enabled.
If this policy is enabled, users can't turn off the Seamless Web to Browser Sign-in feature from the "Automatic sign in on Microsoft Edge" setting on the Microsoft Edge profile settings page, and that toggle is greyed out.
If this policy is disabled, users can't turn on the Seamless Web to Browser Sign-in feature from the "Automatic sign in on Microsoft Edge" setting on the Microsoft Edge profile settings page, and that toggle is greyed out.
If this policy isn't configured, users can turn the Seamless Web to Browser Sign-in feature on or off from settings themselves.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SeamlessWebToBrowserSignInEnabled
GP name: Seamless Web To Browser Sign-in Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
Switch sites on the IE mode site list to a work or school profile
Supported versions:
On Windows since 119 or later
Description
Allows Microsoft Edge to switch to the appropriate profile when navigating to a site that matches an entry on the IE mode site list. Only sites that specify IE mode or Edge mode are switched to the work or school profile.
If you enable or don't configure this policy, navigations to URLs matching a site on the IE mode site list switch to the most recently used work or school profile if one exists.
If you disable this policy, navigations to URLs matching a site on the IE mode site list remain in the current browser profile.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SwitchSitesOnIEModeSiteListToWorkProfile
GP name: Switch sites on the IE mode site list to a work or school profile
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
Allows users to sign in to the same account in Microsoft Edge when they sign in to a Microsoft website.
If this policy is enabled or not configured, users can get a sign-in CTA or a seamless sign-in experience (if SeamlessWebToBrowserSignInEnabled is enabled) when they sign in on a Microsoft website.
If this policy is disabled, users won't get a sign-in CTA or a seamless sign-in experience when they sign in on a Microsoft website.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: WebToBrowserSignInEnabled
GP name: Web To Browser Sign-in Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Identity and sign-in
If you set this policy, it specifies the length of time without user input (in minutes) before the browser runs actions configured via the IdleTimeoutActions policy.
If you don't set this policy, the browser doesn't run any action.
The minimum threshold is 1 minute.
"User input" is defined by Operating System APIs, and includes things like moving the mouse or typing on the keyboard.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: IdleTimeout
GP name: Delay before running idle actions
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Idle Browser Actions
When the timeout from the IdleTimeout policy is reached, the browser runs the actions configured in this policy.
If you don't configure the IdleTimeout policy, this policy has no effect.
If you don't configure this policy or no actions are selected, the IdleTimeout policy has no effect.
Supported actions are:
'close_browsers': close all browser windows and Progressive Web Apps (PWAs) for this profile.
'reload_pages': reload all webpages. For some pages, the user might be prompted for confirmation first.
'sign_out': sign out of browser. (This action only applies to iOS.)
'close_tabs': close all open tabs and create an NTP (New Tab Page). Supported in Android and iOS.
'clear_browsing_history', 'clear_download_history', 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files', 'clear_password_signin', 'clear_autofill', 'clear_site_settings': clear the corresponding browsing data. Deleting cookies using this policy doesn't sign the user out of their profile; the user stays signed in.
Setting 'clear_browsing_history', 'clear_password_signin', 'clear_autofill', and 'clear_site_settings' disables sync for the respective data types if sync isn't already disabled by setting either the SyncDisabled policy or BrowserSignin to disabled.
Policy options mapping:
* close_browsers (close_browsers) = Close Browsers
* clear_browsing_history (clear_browsing_history) = Clear Browsing History
* clear_download_history (clear_download_history) = Clear Download History
* clear_cookies_and_other_site_data (clear_cookies_and_other_site_data) = Clear Cookies and Other Site Data
* clear_cached_images_and_files (clear_cached_images_and_files) = Clear Cached Images and Files
* clear_password_signin (clear_password_signin) = Clear Password sign in
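The interaction between IdleTimeout and IdleTimeoutActions described above can be reviewed before deployment. The following Python check is an added example, not Microsoft's code; it assumes a desktop (Windows or macOS) deployment, takes the action names from the description and the options mapping, and its function and field names are constructed.

```python
import difflib

# Data-clearing actions, spelled as in the policy options mapping.
CLEAR_ACTIONS = {
    "clear_browsing_history", "clear_download_history",
    "clear_cookies_and_other_site_data", "clear_cached_images_and_files",
    "clear_password_signin", "clear_autofill", "clear_site_settings",
}
# Actions the description limits to mobile platforms.
PLATFORM_LIMITED = {"sign_out": "iOS", "close_tabs": "Android and iOS"}
DESKTOP_ACTIONS = {"close_browsers", "reload_pages"} | CLEAR_ACTIONS
KNOWN_ACTIONS = DESKTOP_ACTIONS | set(PLATFORM_LIMITED)
# Actions that also disable sync for the matching data type.
SYNC_DISABLING = {
    "clear_browsing_history", "clear_password_signin",
    "clear_autofill", "clear_site_settings",
}


def review_idle_policy(idle_timeout, idle_actions):
    """Review an IdleTimeout (minutes or None) / IdleTimeoutActions pair."""
    findings = []
    actions = list(idle_actions or [])
    usable = [a for a in actions if a in DESKTOP_ACTIONS]
    for action in actions:
        if action not in KNOWN_ACTIONS:
            close = difflib.get_close_matches(action, sorted(KNOWN_ACTIONS), n=1)
            hint = f" (did you mean '{close[0]}'?)" if close else ""
            findings.append(f"unknown action '{action}'{hint}")
        elif action in PLATFORM_LIMITED:
            findings.append(f"'{action}' applies only on {PLATFORM_LIMITED[action]}")
    if idle_timeout is None:
        if actions:
            findings.append("IdleTimeout not set: IdleTimeoutActions has no effect")
    else:
        if not usable:
            findings.append("no desktop actions selected: IdleTimeout has no effect")
        if idle_timeout < 1:
            findings.append("IdleTimeout is below the 1 minute minimum")
    return {
        "runs_actions": idle_timeout is not None and bool(usable),
        "sync_disabling_actions": sorted(SYNC_DISABLING.intersection(usable)),
        "findings": findings,
    }


# Constructed sample configuration with a misspelled action name.
SAMPLE_TIMEOUT = 30
SAMPLE_ACTIONS = ["close_browsers", "clear_password_signing", "sign_out", "clear_autofill"]

if __name__ == "__main__":
    result = review_idle_policy(SAMPLE_TIMEOUT, SAMPLE_ACTIONS)
    print("runs actions:", result["runs_actions"])
    print("disables sync for:", result["sync_disabling_actions"])
    for finding in result["findings"]:
        print("-", finding)
```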
Enable Grammar Tools feature within Immersive Reader in Microsoft Edge (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 125.
Supported versions:
On Windows and macOS since 110, until 125
Description
This policy is obsolete because Grammar Tools is deprecated from Microsoft Edge. This policy doesn't work in Microsoft Edge version 126. Enables the Grammar Tools feature within Immersive Reader in Microsoft Edge. This helps improve reading comprehension by splitting words into syllables and highlighting nouns, verbs, adverbs, and adjectives.
If you enable this policy or don't configure it, the Grammar Tools option shows up within Immersive Reader. If you disable this policy, users can't access the Grammar Tools feature within Immersive Reader.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImmersiveReaderGrammarToolsEnabled
GP name: Enable Grammar Tools feature within Immersive Reader in Microsoft Edge (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Immersive Reader settings
Enable Picture Dictionary feature within Immersive Reader in Microsoft Edge (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 126.
Supported versions:
On Windows and macOS since 110, until 126
Description
This policy is obsolete because Picture Dictionary is deprecated from Edge as of Sept, 2023. This policy won't work in Microsoft Edge version 127. Enables the Picture Dictionary feature within Immersive Reader in Microsoft Edge. This feature helps with reading comprehension by letting a user click any single word and see an illustration related to its meaning.
If you enable this policy or don't configure it, the Picture Dictionary option shows up within Immersive Reader. If you disable this policy, users can't access the Picture Dictionary feature within Immersive Reader.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImmersiveReaderPictureDictionaryEnabled
GP name: Enable Picture Dictionary feature within Immersive Reader in Microsoft Edge (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Immersive Reader settings
Microsoft Edge management service in Microsoft 365 Admin Center lets you set policy and manage users through a Microsoft Edge focused cloud-based management experience. This policy lets you control whether Microsoft Edge management is enabled.
If you enable or don't configure this policy, Microsoft Edge attempts to connect to the Microsoft Edge management service to download and apply policy assigned to the Azure AD account of the user.
If you disable this policy, Microsoft Edge won't attempt to connect to the Microsoft Edge management service.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeManagementEnabled
GP name: Microsoft Edge management enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Manageability
Microsoft Edge management service in Microsoft 365 Admin Center lets you set policy and manage users through a Microsoft Edge focused cloud-based management experience. This policy lets you specify an enrollment token that's used to register with Microsoft Edge management service and deploy the associated policies. The user must be signed in to Microsoft Edge with a valid work or school account; otherwise, Microsoft Edge doesn't download the policy.
If you enable this policy, Microsoft Edge attempts to use the specified enrollment token to register with the Microsoft Edge management service and download the published policy.
If you disable or don't configure this policy, Microsoft Edge doesn't attempt to connect to the Microsoft Edge management service.
This policy can only be set as a platform policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeManagementEnrollmentToken
GP name: Microsoft Edge management enrollment token
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Manageability
Microsoft Edge management service policy overrides platform policy.
Supported versions:
On Windows and macOS since 119 or later
Description
If you enable this policy, the cloud-based Microsoft Edge management service policy takes precedence if it conflicts with platform policy.
If you disable or don't configure this policy, platform policy takes precedence if it conflicts with the cloud-based Microsoft Edge management service policy.
This mandatory policy affects machine scope cloud-based Microsoft Edge management policies.
Machine policies apply to all Microsoft Edge browser instances regardless of the user who is logged in.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeManagementPolicyOverridesPlatformPolicy
GP name: Microsoft Edge management service policy overrides platform policy.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Manageability
Allow cloud-based Microsoft Edge management service user policies to override local user policies.
Supported versions:
On Windows and macOS since 119 or later
Description
If you enable this policy, cloud-based Microsoft Edge management service user policies take precedence if they conflict with local user policy.
If you disable or don't configure this policy, Microsoft Edge management service user policies take precedence.
The policy can be combined with EdgeManagementPolicyOverridesPlatformPolicy. If both policies are enabled, all cloud-based Microsoft Edge management service policies take precedence over conflicting local service policies.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeManagementUserPolicyOverridesCloudMachinePolicy
GP name: Allow cloud-based Microsoft Edge management service user policies to override local user policies.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Manageability
Allow MAM enrollment when managed device has Purview DLP policy configured
Supported versions:
On Windows since 147 or later
Description
Controls whether Microsoft Edge allows Mobile Application Management (MAM) enrollment on managed devices when Microsoft Purview Data Loss Prevention (DLP) is configured.
If you enable this policy, MAM enrollment is allowed even when Purview DLP is detected on the device.
If you disable or don't configure this policy, MAM enrollment is blocked when Purview DLP is detected on the device.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MAMWithDeviceDLPEnabled
GP name: Allow MAM enrollment when managed device has Purview DLP policy configured
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Manageability
Control which native messaging hosts users can use
Supported versions:
On Windows and macOS since 77 or later
Description
Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of * means all native messaging hosts are denied unless they're explicitly allowed.
All native messaging hosts are allowed by default. However, if a native messaging host is denied by policy, the admin can use the allow list to change that policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: NativeMessagingAllowlist
GP name: Control which native messaging hosts users can use
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Native Messaging
Setting this policy specifies which native messaging hosts shouldn't be loaded. A deny list value of * means all native messaging hosts are denied unless they're explicitly allowed.
If you leave this policy unset, Microsoft Edge loads all installed native messaging hosts.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: NativeMessagingBlocklist
GP name: Configure native messaging block list
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Native Messaging
Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
Supported versions:
On Windows and macOS since 123 or later
Description
This policy controls whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight.
If you disable this policy, request methods are uppercased. This is the behavior on or before Microsoft Edge 108.
If you enable or don't configure this policy, request methods aren't uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT.
This would reject fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header, and would accept fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo" response header.
Note: request methods "post" and "put" aren't affected, while "patch" is affected.
This policy is intended to be temporary and will be removed in the future.
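The matching rule described above, modelled as an added Python example (it is not Microsoft Edge's code). The safelisted-method and wildcard handling follow the Fetch standard; the function names and the sample header are constructed for illustration, and the model assumes the comparison is an exact string match in both modes.

```python
"""Model of the CORS preflight method check with the policy enabled or disabled."""

# The Fetch standard uppercases a method only when it matches one of these
# names case-insensitively; every other method keeps the casing it was sent with.
NORMALIZED_METHODS = {"DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"}

# CORS-safelisted methods pass the check even when the header omits them.
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def normalize_method(method, spec_conformant=True):
    """Return the method string that is compared against the response header."""
    upper = method.upper()
    if not spec_conformant:
        # Policy disabled: every request method is uppercased before matching.
        return upper
    return upper if upper in NORMALIZED_METHODS else method


def parse_allow_methods(header_value):
    """Split an Access-Control-Allow-Methods value into its method tokens."""
    return [token.strip() for token in header_value.split(",") if token.strip()]


def preflight_method_allowed(method, header_value, spec_conformant=True,
                             credentialed=False):
    """Decide whether the preflight response permits the request method."""
    sent = normalize_method(method, spec_conformant)
    allowed = parse_allow_methods(header_value)
    if sent in allowed or sent in CORS_SAFELISTED_METHODS:
        return True
    # "*" acts as a wildcard only for requests made without credentials.
    return "*" in allowed and not credentialed


def methods_broken_by_conformance(methods, header_value):
    """List methods that pass with the policy disabled but fail when it is enabled."""
    return [
        m for m in methods
        if preflight_method_allowed(m, header_value, spec_conformant=False)
        and not preflight_method_allowed(m, header_value, spec_conformant=True)
    ]


# Constructed sample: methods a client application sends and the header a
# server returns in its preflight response.
CLIENT_METHODS = ["patch", "Foo", "put", "post", "PATCH"]
SERVER_HEADER = "PUT, PATCH, FOO"

if __name__ == "__main__":
    for name in CLIENT_METHODS:
        verdict = preflight_method_allowed(name, SERVER_HEADER)
        print(f"{name!r}: {'allowed' if verdict else 'rejected'}")
    print("breaks when enabled:",
          methods_broken_by_conformance(CLIENT_METHODS, SERVER_HEADER))
```

Running the audit over the methods an application actually sends shows which calls need their casing fixed before this temporary policy is removed.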
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AccessControlAllowMethodsInCORSPreflightSpecConformant
GP name: Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 131.
Supported versions:
On Windows and macOS since 123, until 131
Description
This policy provides a temporary opt-out for changes to how Microsoft Edge handles cookies set via JavaScript that contain certain control characters (NULL, carriage return, and line feed). Previously, the presence of any of these characters in a cookie string would cause it to be truncated but still set. Now, the presence of these characters will cause the whole cookie string to be ignored.
If you enable or don't configure this policy, the new behavior is enabled.
If you disable this policy, the old behavior is enabled.
This policy is obsolete because this policy was originally implemented as a safety measure if there was a breakage, but none have been reported.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BlockTruncatedCookies
GP name: Block truncated cookies (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
This feature enables the use of dictionary-specific content encodings in the Accept-Encoding request header ("sbr" and "zst-d") when dictionaries are available for use.
If you enable this policy or don't configure it, Microsoft Edge accepts web contents using the compression dictionary transport feature.
If you disable this policy, Microsoft Edge turns off the compression dictionary transport feature.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CompressionDictionaryTransportEnabled
GP name: Enable compression dictionary transport support
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
DataURL Whitespace Preservation for all media types
Supported versions:
On Windows and macOS since 133 or later
Description
This policy provides a temporary opt-out for changes to how Edge handles whitespace in data URLs. Previously, whitespace would be kept only if the top level media type was text or contained the media type string xml. Now, whitespace is preserved in all data URLs, regardless of media type.
If this policy is left unset or is set to True, the new behavior is enabled.
When this policy is set to False, the old behavior is enabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DataURLWhitespacePreservationEnabled
GP name: DataURL Whitespace Preservation for all media types
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Use the Happy Eyeballs V3 algorithm for connection attempts
Supported versions:
On Windows and macOS since 137 or later
Description
Controls whether Microsoft Edge uses the Happy Eyeballs V3 algorithm to optimize connection attempts. This algorithm improves reliability and performance in dual-stack (IPv4/IPv6) networks by racing connection attempts across IP versions and HTTP protocols (e.g., HTTP/3 vs. others). For more details, see https://datatracker.ietf.org/doc/draft-pauly-happy-happyeyeballs-v3.
Enabled: Uses the algorithm for connection attempts.
Disabled or not configured: Disables the algorithm.
Note: This policy supports dynamic refresh.
Important: This policy is temporary and will be removed in a future version.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HappyEyeballsV3Enabled
GP name: Use the Happy Eyeballs V3 algorithm for connection attempts
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
This policy enables an override of the IPv6 reachability check. When overridden, the system will always query AAAA records when resolving host names. It applies to all users and interfaces on the device.
If you enable this policy, the IPv6 reachability check is overridden.
If you disable or don't configure this policy, the IPv6 reachability check won't be overridden. The system only queries AAAA records when a global IPv6 host is reachable.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: IPv6ReachabilityOverrideEnabled
GP name: Enable IPv6 reachability check override
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Allow sites to make network requests to local devices and local network endpoints.
Supported versions:
On Windows and macOS since 140 or later
Description
Specifies a list of URL patterns for which requests initiated from matching origins are exempt from Local Network Access restrictions.
Network requests initiated from websites served by matching origins are not subject to Local Network Access checks.
For origins not covered by the patterns specified here, the user's personal configuration and applicable local network access restrictions apply.
There are multiple policies that control origins impacting requests to local device and local network endpoints. If an origin matches more than one of the following policies, the policies take precedence in the following order:
For detailed information about valid URL pattern syntax, see: https://learn.microsoft.com/deployedge/edge-learnmore-ent-policy-url-patterns
For more information about Local Network Access, see: https://wicg.github.io/local-network-access/
Note: This policy enables controlled exceptions to local network access restrictions. It allows specified public websites to access private IP addresses when required for trusted local communication scenarios.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAccessAllowedForUrls
GP name: Allow sites to make network requests to local devices and local network endpoints.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Block sites from making network requests to local devices and local network endpoints.
Supported versions:
On Windows and macOS since 140 or later
Description
Specifies a list of URL patterns for which requests initiated from matching origins are blocked from issuing Local Network Access requests.
Network requests initiated from websites served by matching origins are prevented from accessing local device and local network endpoints.
For origins not covered by the patterns specified here, the user's personal configuration applies.
There are multiple policies that control origins impacting requests to local device and local network endpoints. If an origin matches more than one of the following policies, the policies take precedence in the following order:
For detailed information about valid URL pattern syntax, see: https://learn.microsoft.com/deployedge/edge-learnmore-ent-policy-url-patterns
For more information about Local Network Access, see: https://wicg.github.io/local-network-access/
Note: This policy blocks specified public websites from accessing private IP addresses. It helps reduce exposure of internal network resources unless access is explicitly permitted by policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAccessBlockedForUrls
GP name: Block sites from making network requests to local devices and local network endpoints.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Specifies IP address space overrides for Local Network Access restrictions. This policy allows administrators to treat specific IP address ranges as public (exempt from Local Network Access restrictions) or as local (subject to Local Network Access restrictions).
IP address space overrides can be specified using one of the following formats:
• [cidr]=[public|local|loopback] where [cidr] is an IP address range in CIDR notation. CIDR overrides apply to all ports.
• [ip-address]:[port]=[public|local|loopback]
IPv6 addresses must be specified in URL-safe (bracketed) format.
For more information about Local Network Access, see https://wicg.github.io/local-network-access/.
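A lint for this policy's entries, as an added Python example (not part of Microsoft Edge or its tooling): it parses both formats above and flags entries that reclassify internal ranges as public, which exempts them from Local Network Access restrictions. The helper names, the list of internal ranges, and the sample entries are constructed; the bracketed IPv6 CIDR form `[fd00::]/8` is an assumption about how the bracket rule applies to ranges.

```python
import ipaddress
import re
from typing import NamedTuple, Optional, Union

SPACES = {"public", "local", "loopback"}

# Ranges this audit treats as internal (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


class Override(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    port: Optional[int]  # None for CIDR entries, which apply to all ports
    space: str


def parse_override(entry):
    """Parse one policy string; raise ValueError if it matches neither format."""
    target, sep, space = entry.strip().rpartition("=")
    if not sep or space not in SPACES:
        raise ValueError("expected <target>=public|local|loopback")
    bracketed = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](.*)", target)
    if bracketed:
        host, suffix = bracketed.groups()
        addr = ipaddress.ip_address(host)
        if addr.version != 6:
            raise ValueError("brackets are only for IPv6 addresses")
    else:
        if target.count(":") > 1:
            raise ValueError("IPv6 addresses must be bracketed")
        plain = re.fullmatch(r"([0-9.]+)([/:].*)", target)
        if not plain:
            raise ValueError("expected a CIDR range or ip-address:port")
        host, suffix = plain.groups()
        addr = ipaddress.IPv4Address(host)
    value = suffix[1:]
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("prefix length or port must be a decimal number")
    if suffix[0] == "/":
        # Assumption: host bits set in the range are tolerated (strict=False).
        return Override(ipaddress.ip_network(f"{addr}/{value}", strict=False),
                        None, space)
    if suffix[0] == ":" and 0 < int(value) <= 65535:
        return Override(ipaddress.ip_network(addr), int(value), space)
    raise ValueError("port out of range")


def audit_overrides(entries):
    """Return (entry, finding) pairs for invalid or restriction-widening entries."""
    findings = []
    for entry in entries:
        try:
            parsed = parse_override(entry)
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
            continue
        internal = any(parsed.network.version == r.version
                       and parsed.network.overlaps(r) for r in INTERNAL_RANGES)
        if parsed.space == "public" and internal:
            findings.append((entry, "internal range exempted from LNA restrictions"))
    return findings


# Constructed sample policy value (list of strings).
SAMPLE_POLICY = [
    "10.0.0.0/8=public",        # exempts all of RFC 1918 10/8
    "192.0.2.10:8443=local",    # documentation address made subject to LNA
    "[::1]:8080=public",        # loopback service exempted
    "[fd00::]/8=local",         # assumed IPv6 CIDR form
    "::1:8080=loopback",        # IPv6 without brackets
    "203.0.113.0/24=private",   # unknown address space keyword
]

if __name__ == "__main__":
    for entry, finding in audit_overrides(SAMPLE_POLICY):
        print(f"{entry}: {finding}")
```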
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAccessIpAddressSpaceOverrides
GP name: Override IP address space mappings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Allow Local Network Access (LNA) requests in subframes without explicit delegation
Supported versions:
On Windows and macOS since 146 or later
Description
Controls whether Local Network Access (LNA) permissions are inherited by cross-origin subframes.
By default, Local Network Access permissions can be requested in cross-origin subframes only if they are explicitly delegated.
If you enable this policy, subframes inherit all LNA Permissions Policy features by default and can make local network requests, which trigger the permission prompt.
If you disable or don't configure this policy, subframes must be explicitly delegated the Permissions Policy feature to make local network requests and trigger the permission prompt.
This policy applies to the Permissions Policy features "local-network-access", "loopback-network", and "local-network".
For more information about Local Network Access, see https://learn.microsoft.com/deployedge/ms-edge-local-network-access.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAccessPermissionsPolicyDefaultEnabled
GP name: Allow Local Network Access (LNA) requests in subframes without explicit delegation
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Specifies whether to block requests from public websites to devices on a user's local network. (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 144.
Supported versions:
On Windows and macOS since 138, until 144
Description
Local Network Access restrictions prevent public websites from making requests to devices on a user's local network without explicit user permission.
If you enable this policy, Microsoft Edge blocks any request that would otherwise trigger a DevTools warning due to Local Network Access checks. These requests are denied without prompting the user.
If you disable or don't configure this policy, Microsoft Edge handles these requests using the default behavior, which may include showing warnings in DevTools and allowing the request to proceed depending on the context.
Note: This feature improves local network security by deprecating direct access to private IP addresses from public websites unless explicitly granted by the user. For more information about Local Network Access, see https://wicg.github.io/local-network-access/.
Starting in version 140, Microsoft Edge introduces support for policies that manage Local Network Access behavior on a per-URL basis.
You can configure exceptions to allow specific URLs to bypass Local Network Access restrictions.
You can also block specific URLs from making Local Network Access requests.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAccessRestrictionsEnabled
GP name: Specifies whether to block requests from public websites to devices on a user's local network. (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Allow sites to make network requests to local network endpoints.
Supported versions:
On Windows and macOS since 146 or later
Description
Controls which website origins are exempt from Local Network Access checks when accessing local network endpoints.
Network requests initiated from websites that match the specified URL patterns are not subject to Local Network Access checks.
For origins not covered by the patterns specified in this policy, the user's personal configuration applies.
For detailed information about valid URL patterns, see https://learn.microsoft.com/deployedge/edge-learnmore-ent-policy-url-patterns.
For more information about Local Network Access restrictions, see https://wicg.github.io/local-network-access/.
Multiple policies can list origins that affect requests to local network endpoints. If an origin matches more than one of the following policies, they take precedence in the following order:
- LocalNetworkBlockedForUrls
- LocalNetworkAllowedForUrls
- LoopbackNetworkBlockedForUrls
- LoopbackNetworkAllowedForUrls
- LocalNetworkAccessBlockedForUrls
- LocalNetworkAccessAllowedForUrls
This policy controls access to local network endpoints (private IP addresses) and can be used to allow specific websites to access local network resources.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkAllowedForUrls
GP name: Allow sites to make network requests to local network endpoints.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Block sites from making network requests to local network endpoints.
Supported versions:
On Windows and macOS since 146 or later
Description
Controls which website origins are blocked from making Local Network Access requests to local network endpoints.
Network requests initiated from websites that match the specified URL patterns are blocked from issuing Local Network Access requests.
For origins not covered by the patterns specified in this policy, the user's personal configuration applies.
For detailed information about valid URL patterns, see https://learn.microsoft.com/deployedge/edge-learnmore-ent-policy-url-patterns.
For more information about Local Network Access restrictions, see https://wicg.github.io/local-network-access/.
Multiple policies can list origins that affect requests to local network endpoints. If an origin matches more than one of the following policies, they take precedence in the following order:
- LocalNetworkBlockedForUrls
- LocalNetworkAllowedForUrls
- LoopbackNetworkBlockedForUrls
- LoopbackNetworkAllowedForUrls
- LocalNetworkAccessBlockedForUrls
- LocalNetworkAccessAllowedForUrls
This policy controls access to local network endpoints (private IP addresses) and can be used to block specific websites from accessing local network resources.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalNetworkBlockedForUrls
GP name: Block sites from making network requests to local network endpoints.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Allow sites to make network requests to the local device.
Supported versions:
On Windows and macOS since 146 or later
Description
Specifies a list of URL patterns for which requests initiated from matching origins are exempt from Local Network Access restrictions when accessing loopback addresses (127.0.0.1, ::1, localhost).
If a requesting origin matches a URL pattern specified in this policy, requests to loopback addresses are allowed and are not subject to Local Network Access restrictions.
For origins not covered by this policy, the user's personal settings and local network access restrictions apply.
If this policy is disabled or not configured, no additional exemptions are granted beyond the user's existing configuration.
Multiple policies can specify origins that affect requests to the local device. If an origin matches more than one of the following policies, they are applied in the following order of precedence:
- LoopbackNetworkBlockedForUrls
- LoopbackNetworkAllowedForUrls
- LocalNetworkAccessBlockedForUrls
- LocalNetworkAccessAllowedForUrls
For guidance on valid URL pattern syntax, see https://learn.microsoft.com/deployedge/edge-learnmore-ent-policy-url-patterns.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LoopbackNetworkAllowedForUrls
GP name: Allow sites to make network requests to the local device.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
Block sites from making network requests to the local device.
Supported versions:
On Windows and macOS since 146 or later
Description
Specifies a list of URL patterns for which requests initiated from matching origins to loopback addresses (127.0.0.1, ::1, localhost) are blocked from issuing Local Network Access requests.
If a requesting origin matches a URL pattern specified in this policy, requests to loopback addresses are blocked.
For origins not covered by this policy, the user's personal settings and local network access restrictions apply.
Multiple policies can specify origins that affect requests to the local device. If an origin matches more than one of the following policies, they are applied in the following order of precedence:
- LoopbackNetworkBlockedForUrls
- LoopbackNetworkAllowedForUrls
- LocalNetworkAccessBlockedForUrls
- LocalNetworkAccessAllowedForUrls
Note: This policy improves local network security by blocking specified public websites from accessing loopback addresses. It helps prevent unauthorized external sites from reaching local services running on the device unless explicitly permitted.
For more information about Local Network Access, see https://wicg.github.io/local-network-access/
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: LoopbackNetworkBlockedForUrls
GP name: Block sites from making network requests to the local device.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Network settings
View XFA-based PDF files using IE Mode for allowed file hash.
Supported versions:
On Windows since 132 or later
Description
XFA is a legacy technology that's deprecated by its original creators. It's not an ISO standard and as such, it doesn't align with the modern web architecture. Continued use poses potential risks and vulnerabilities. For more information, see ViewXFAPDFInIEModeAllowedOrigins.
If you enable this policy, you can configure the list of base64 encoded SHA256 file hashes for which XFA PDF files automatically open in Microsoft Edge using IE Mode.
If you disable or don't configure this policy, XFA PDFs won't be considered for opening via IE mode, except for files from the origins listed in the ViewXFAPDFInIEModeAllowedOrigins policy.
View XFA-based PDF files using IE Mode for allowed file origin.
Supported versions:
On Windows since 132 or later
Description
Internet Explorer (IE) mode uses the Adobe Acrobat Active-X PDF Plugin to open XFA-based PDF files. This policy works only if the Active-X plugin is already on the user's device; it's not installed as part of this policy.
It's important to note that XFA is a legacy technology that's deprecated by its original creators. It's not an ISO standard and as such doesn't align with the modern web architecture. Continued use poses potential risks and vulnerabilities.
Given the deprecated status of XFA technology and the lack of any investment by its creators, we strongly recommend that you start planning your transition to more advanced HTML\PDF form-based solutions.
In the interim, this policy provides a workaround for users to view XFA PDF in Microsoft Edge.
If you enable this policy, you can configure the list of origins from which XFA PDF files will be automatically opened in Microsoft Edge using IE Mode.
If you disable or don't configure the policy, XFA PDFs won't be considered for opening via Internet Explorer mode.
Alternatively, ViewXFAPDFInIEModeAllowedFileHash can also be used to configure list of file hashes instead of URL origins, which enables those files to be automatically opened in Microsoft Edge using IE Mode.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ViewXFAPDFInIEModeAllowedOrigins
GP name: View XFA-based PDF files using IE Mode for allowed file origin.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/PDF Reader
This policy controls whether the built-in password manager can delete undecryptable passwords from its database. This is required to restore the full functionality of the built-in password manager, but it may cause permanent data loss. Undecryptable password values don't become decryptable on their own.
If fixing them is possible, it usually requires complex user actions.
Enabling this policy or leaving it unset means that users with undecryptable passwords saved to the built-in password manager will lose them. Passwords that are still in a working state remain untouched.
Disabling this policy means users' password manager data is left untouched, but they will experience broken password manager functionality.
If the policy is set, users can't override it in Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DeletingUndecryptablePasswordsEnabled
GP name: Enable deleting undecryptable passwords
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Prevent passwords from being deleted if any Edge settings is enabled to delete browsing data when Microsoft Edge closes
Supported versions:
On Windows and macOS since 117 or later
Description
When this policy is enabled, the passwords saved with Edge Password Manager are exempted from deletion when the browser closes. This policy is only effective when the ClearBrowsingDataOnExit policy is enabled.
If you enable this policy, passwords aren't cleared when the browser closes. If you disable or don't configure this policy, the user's personal configuration is used.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordDeleteOnBrowserCloseEnabled
GP name: Prevent passwords from being deleted if any Edge settings is enabled to delete browsing data when Microsoft Edge closes
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Password manager and protection
Allow users to get a strong password suggestion whenever they are creating an account online
Supported versions:
On Windows and macOS since 93 or later
Description
Configures the Password Generator Settings toggle that enables/disables the feature for users.
If you enable or don't configure this policy, then Password Generator offers users a strong and unique password suggestion (via a dropdown) on Signup and Change Password pages.
If you disable this policy, users no longer see strong password suggestions on Signup or Change Password pages.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordGeneratorEnabled
GP name: Allow users to get a strong password suggestion whenever they are creating an account online
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Configure the list of domains for which the password manager UI (Save and Fill) will be disabled
Supported versions:
On Windows and macOS since 99 or later
Description
Configure the list of domains where Microsoft Edge should disable the password manager. This means that Save and Fill workflows are disabled, ensuring that passwords for those websites can't be saved or auto filled into web forms.
If you enable this policy, the password manager is disabled for the specified set of domains.
If you disable or don't configure this policy, password manager works as usual for all domains.
If you configure this policy, that is, add domains for which password manager is blocked, users can't change or override the behavior in Microsoft Edge. In addition, users can't use password manager for those URLs.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordManagerBlocklist
GP name: Configure the list of domains for which the password manager UI (Save and Fill) will be disabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Enable Microsoft Edge to save user passwords. The next time a user visits a site with a saved password, Microsoft Edge will enter the password automatically.
If you enable or don't configure this policy, users can save and add their passwords in Microsoft Edge.
If you disable this policy, users can't save and add new passwords, but they can still use previously saved passwords.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordManagerEnabled
GP name: Enable saving passwords to the password manager
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Password manager and protection
This policy controls whether users can save passkeys in the built-in password manager. It does not limit access to, or change the contents of, passkeys already saved in the password manager.
If the PasswordManagerEnabled policy is Disabled, saving to the built-in password manager is disabled in general, including passkeys. In this case, this policy has no effect.
If this policy is enabled or not configured, users can save passkeys in the built-in password manager when signed in to Microsoft Edge.
If this policy is disabled, users cannot save new passkeys to the built-in password manager. Previously saved passkeys continue to work.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordManagerPasskeysEnabled
GP name: Enable saving passkeys to the password manager
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Allow users to be alerted if their passwords are found to be unsafe
Supported versions:
On Windows since 85 or later
On macOS since 93 or later
Description
Allow Microsoft Edge to monitor user passwords.
If you enable this policy, the user gets alerted if any of their passwords stored in Microsoft Edge are found to be unsafe. Microsoft Edge will show an alert and this information will also be available in Settings > Passwords > Password Monitor.
If you disable this policy, users aren't asked for permission to enable this feature. Their passwords aren't scanned, and they aren't alerted either.
If you don't configure the policy, users can turn this feature on or off.
This policy can be set as both Recommended and Mandatory, however with an important callout.
Mandatory enabled: If the policy is set to Mandatory enabled, the UI in Settings will be disabled but remain in 'On' state, and a briefcase icon will be made visible next to it with this description displayed on hover - "This setting is managed by your organization."
Recommended enabled: If the policy is set to Recommended enabled, the UI in Settings will remain in 'Off' state, but a briefcase icon will be made visible next to it with this description displayed on hover - "Your organization recommends a specific value for this setting and you have chosen a different value"
Mandatory and Recommended disabled: Both these states will work the normal way, with the usual captions being shown to users.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordMonitorAllowed
GP name: Allow users to be alerted if their passwords are found to be unsafe
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Password manager and protection
Configures the change password URL (HTTP and HTTPS schemes only).
Password protection service will send users to this URL to change their password after seeing a warning in the browser.
If you enable this policy, then password protection service sends users to this URL to change their password.
If you disable this policy or don't configure it, then password protection service will not redirect users to a change password URL.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordProtectionChangePasswordURL
GP name: Configure the change password URL
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Configure the list of enterprise login URLs where the password protection service should capture salted hashes of a password
Supported versions:
On Windows and macOS since 77 or later
Description
Configure the list of enterprise login URLs (HTTP and HTTPS schemes only) where Microsoft Edge should capture the salted hashes of passwords and use them for password reuse detection.
If you enable this policy, the password protection service captures fingerprints of passwords on the defined URLs.
If you disable this policy or don't configure it, no password fingerprints are captured.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordProtectionLoginURLs
GP name: Configure the list of enterprise login URLs where the password protection service should capture salted hashes of a password
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Allows you to control when to trigger the password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.
Set to PasswordProtectionWarningOff to not show password protection warnings.
Set to PasswordProtectionWarningOnPasswordReuse to show password protection warnings when the users reuse their protected password on a non-allowlisted site.
If you disable or don't configure this policy, then the warning trigger isn't shown.
Policy options mapping:
* PasswordProtectionWarningOff (0) = Password protection warning is off
* PasswordProtectionWarningOnPasswordReuse (1) = Password protection warning is triggered by password reuse
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PasswordProtectionWarningTrigger
GP name: Configure password protection warning trigger
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
Configures a setting that asks users to enter their device password while using password autofill
Supported versions:
On Windows and macOS since 93 or later
Description
This feature helps users add an additional layer of privacy to their online accounts by requiring device authentication (as a way of confirming the user's identity) before the saved password is autofilled into a web form. This layer ensures that non-authorized persons can't use saved passwords for autofill. This feature doesn't protect against locally running malware.
This group policy configures the radio button selector that enables this feature for users. It also has a frequency control where users can specify how often they would like to be prompted for authentication.
If you set this policy to 'Automatically', disable this policy, or don't configure this policy, autofill won't have any authentication flow.
If you set this policy to 'WithDevicePassword', users have to enter their device password (or preferred mode of authentication under Windows) to prove their identity before their password is autofilled. Authentication modes include Windows Hello, PIN, face recognition, or fingerprint. The frequency for authentication prompt is set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.
If you set this policy to 'WithCustomPrimaryPassword', users are asked to create their custom password and are redirected to Settings. After the custom password is set, users can authenticate themselves using the custom password and their passwords get autofilled after successful authentication. The frequency for authentication prompt is set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.
If you set this policy to 'AutofillOff', saved passwords are no longer suggested for autofill.
The Custom Primary Password feature will be removed with Edge 149. From this version onward, the Custom Primary Password option will no longer be available. Users who currently have this setting enabled will be automatically migrated to the "Prompt for the device sign-in options" authentication method. Any associated group policies for Custom Primary Password will also be marked as obsolete.
Policy options mapping:
* Automatically (0) = Automatically
* WithDevicePassword (1) = With device password
* WithCustomPrimaryPassword (2) = With custom primary password
* AutofillOff (3) = Autofill off
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrimaryPasswordSetting
GP name: Configures a setting that asks users to enter their device password while using password autofill
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Password manager and protection
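The password policies above depend on each other in ways that are easy to miss when reviewing a configuration. The following check is an added example, not Microsoft's code: it takes a flat object of policy names and values (that input shape and the sample values are assumptions) and reports the dependency, URL-scheme and option-value problems this page describes.

```javascript
// Added example: consistency checks for the password policies described above.
// Input is a flat { PolicyName: value } object; that shape is an assumption.
const PRIMARY_PASSWORD_OPTIONS = {
  0: "Automatically",
  1: "WithDevicePassword",
  2: "WithCustomPrimaryPassword",
  3: "AutofillOff",
};
const WARNING_TRIGGER_OPTIONS = {
  0: "PasswordProtectionWarningOff",
  1: "PasswordProtectionWarningOnPasswordReuse",
};

// True only for syntactically valid http:// or https:// URLs.
function isHttpUrl(value) {
  if (typeof value !== "string") return false;
  try {
    const { protocol } = new URL(value);
    return protocol === "http:" || protocol === "https:";
  } catch (err) {
    return false;
  }
}

function isKnownOption(options, value) {
  return Number.isInteger(value) &&
    Object.prototype.hasOwnProperty.call(options, value);
}

// Returns a list of { policy, message } findings; an empty list means no issue found.
function lintPasswordPolicies(policies) {
  const findings = [];
  const add = (policy, message) => findings.push({ policy, message });
  const isSet = (name) => Object.prototype.hasOwnProperty.call(policies, name);

  // Only effective when ClearBrowsingDataOnExit is enabled.
  if (policies.PasswordDeleteOnBrowserCloseEnabled === true &&
      policies.ClearBrowsingDataOnExit !== true) {
    add("PasswordDeleteOnBrowserCloseEnabled",
        "has no effect unless ClearBrowsingDataOnExit is enabled");
  }

  // Disabling PasswordManagerEnabled already disables saving passkeys.
  if (policies.PasswordManagerEnabled === false &&
      isSet("PasswordManagerPasskeysEnabled")) {
    add("PasswordManagerPasskeysEnabled",
        "has no effect while PasswordManagerEnabled is disabled");
  }

  // Both password protection URL policies accept HTTP and HTTPS schemes only.
  if (isSet("PasswordProtectionLoginURLs")) {
    const urls = policies.PasswordProtectionLoginURLs;
    if (!Array.isArray(urls)) {
      add("PasswordProtectionLoginURLs", "must be a list of strings");
    } else {
      for (const url of urls) {
        if (!isHttpUrl(url)) {
          add("PasswordProtectionLoginURLs", "not an HTTP/HTTPS URL: " + String(url));
        }
      }
    }
  }
  if (isSet("PasswordProtectionChangePasswordURL") &&
      !isHttpUrl(policies.PasswordProtectionChangePasswordURL)) {
    add("PasswordProtectionChangePasswordURL", "not an HTTP/HTTPS URL");
  }

  // Integer policies must use a value from the options mapping.
  if (isSet("PasswordProtectionWarningTrigger") &&
      !isKnownOption(WARNING_TRIGGER_OPTIONS, policies.PasswordProtectionWarningTrigger)) {
    add("PasswordProtectionWarningTrigger", "value is not in the options mapping");
  }
  if (isSet("PrimaryPasswordSetting")) {
    const value = policies.PrimaryPasswordSetting;
    if (!isKnownOption(PRIMARY_PASSWORD_OPTIONS, value)) {
      add("PrimaryPasswordSetting", "value is not in the options mapping");
    } else if (value === 2) {
      add("PrimaryPasswordSetting",
          "WithCustomPrimaryPassword is removed with Edge 149; users are migrated " +
          "to the device sign-in prompt");
    }
  }
  return findings;
}

// Constructed sample configuration with several problems.
const SAMPLE_POLICIES = {
  PasswordManagerEnabled: false,
  PasswordManagerPasskeysEnabled: true,
  PasswordDeleteOnBrowserCloseEnabled: true,
  PasswordProtectionLoginURLs: ["https://login.example.test/", "ftp://files.example.test/login"],
  PasswordProtectionChangePasswordURL: "not a url",
  PasswordProtectionWarningTrigger: 1,
  PrimaryPasswordSetting: 2,
};

for (const finding of lintPasswordPolicies(SAMPLE_POLICIES)) {
  console.log(finding.policy + ": " + finding.message);
}
```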
Configure when energy saver (previously named efficiency mode) should become active
Supported versions:
On Windows and macOS since 96 or later
Description
This policy setting lets you configure when energy saver becomes active. By default, energy saver is set to 'BalancedSavings'. On devices with no battery, energy saver is disabled by default and does not become active. Please note that Windows Energy Saver settings can influence when energy saver becomes active on all devices.
Individual sites may be blocked from participating in energy saver by configuring the policy SleepingTabsBlockedForUrls.
Set this policy to 'AlwaysActive' and energy saver is always active.
Set this policy to 'NeverActive' and energy saver never becomes active.
Set this policy to 'ActiveWhenUnplugged' and energy saver becomes active when the device is unplugged.
Set this policy to 'ActiveWhenUnpluggedBatteryLow' and energy saver becomes active when the device is unplugged and the battery is low.
Set this policy to 'BalancedSavings' and when the device is unplugged, energy saver takes moderate steps to save battery. When the device is unplugged and the battery is low, energy saver takes extra steps to save battery.
Set this policy to 'MaximumSavings' and when the device is unplugged or unplugged and the battery is low, energy saver takes extra steps to save battery.
If the device does not have a battery, energy saver never becomes active in any mode other than 'AlwaysActive' unless the setting or EfficiencyModeEnabled policy is enabled.
Learn more about energy saver: https://learn.microsoft.com/en-us/windows-hardware/design/component-guidelines/energy-saver
Policy options mapping:
* AlwaysActive (0) = Energy saver is always active
* NeverActive (1) = Energy saver is never active
* ActiveWhenUnplugged (2) = Energy saver is active when the device is unplugged
* ActiveWhenUnpluggedBatteryLow (3) = Energy saver is active when the device is unplugged and the battery is low
* BalancedSavings (4) = When the device is unplugged, energy saver takes moderate steps to save battery. When the device is unplugged and the battery is low, energy saver takes extra steps to save battery.
* MaximumSavings (5) = When the device is unplugged or unplugged and the battery is low, energy saver takes extra steps to save battery.
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: EfficiencyMode
GP name: Configure when energy saver (previously named efficiency mode) should become active
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Performance
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Performance
Enables efficiency mode which helps extend battery life by saving computer resources. By default, efficiency mode is enabled for devices with a battery and is disabled otherwise.
If you enable this policy, efficiency mode becomes active according to the setting chosen by the user. You can configure the efficiency mode setting using the EfficiencyMode policy. If the device doesn't have a battery, efficiency mode is always active.
If you don't configure this policy, efficiency mode will be enabled for devices with a battery and disabled otherwise. Users can choose the efficiency mode option they want in edge://settings/system.
This policy controls if users can access the Extensions Performance Detector Recommended Action feature in Browser Essentials. This feature alerts extension users if their extensions are causing performance regressions in the browser and allows them to take action to resolve the issue.
If you enable or don't configure this policy, users receive Extensions Performance Detector notifications from Browser Essentials. When there's an active alert, users are able to view the impact of extensions on their browser's performance and make an informed decision to disable impacting extensions. The detector will exclude browser-managed extensions, such as Google Docs offline, component extensions, and organization-managed extensions (that is, extensions that can't be disabled).
If you disable this policy, users won't receive notifications or be able to view the Extensions Performance Detector Recommended Action.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExtensionsPerformanceDetectorEnabled
GP name: Extensions Performance Detector enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Performance
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Performance
This policy lets you configure whether to pin the Browser essentials button on the toolbar.
When the button is pinned, it always appears on the toolbar.
When the button isn't pinned, it only appears when there's an alert. An example of this kind of alert is the performance detector alert that indicates the browser is using high CPU or memory.
If you enable or don't configure this policy, the Browser essentials button is pinned on the toolbar.
If you disable this policy, the Browser essentials button isn't pinned on the toolbar.
This policy controls whether users can access the RAM (memory) resource control feature. This feature lets users set an individual limit on how much RAM (memory) the browser can use.
If you enable or don't configure this policy, users can enable resource control and set the amount of RAM that Microsoft Edge can use. Browser performance may be affected by low limits.
If you disable this policy, users can't use resource control.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RAMResourceControlsEnabled
GP name: Enable RAM (memory) resource controls
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Performance
Allows Microsoft Edge processes to start at OS sign-in and restart in background after the last browser window is closed.
If Microsoft Edge is running in background mode, the browser might not close when the last window is closed and the browser won't be restarted in background when the window closes. See the BackgroundModeEnabled policy for information about what happens after configuring Microsoft Edge background mode behavior.
If you enable this policy, startup boost is turned on.
If you disable this policy, startup boost is turned off.
If you don't configure this policy, startup boost may initially be off or on. The user can configure its behavior in edge://settings/system.
Overrides Microsoft Edge default printer selection rules. This policy determines the rules for selecting the default printer in Microsoft Edge, which happens the first time a user tries to print a page.
When this policy is set, Microsoft Edge tries to find a printer that matches all of the specified attributes and uses it as default printer. If there are multiple printers that meet the criteria, the first printer that matches is used.
If you don't configure this policy or no matching printers are found within the timeout, the printer defaults to the built-in PDF printer or no printer, if the PDF printer isn't available.
The value is parsed as a JSON object, conforming to the following schema: { "type": "object", "properties": { "idPattern": { "description": "Regular expression to match printer id.", "type": "string" }, "namePattern": { "description": "Regular expression to match printer display name.", "type": "string" } } }
Omitting a field means all values match; for example, if you don't specify connectivity, Print Preview starts discovering all kinds of local printers. Regular expression patterns must follow the JavaScript RegExp syntax and matches are case sensitive.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultPrinterSelection
GP name: Default printer selection rules
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
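Because the first matching printer wins and matching is case sensitive, a loosely written pattern can select a printer other than the one intended. The following added example (not Microsoft's code) validates a DefaultPrinterSelection value and replays the selection rules against a constructed printer list; it handles only the two schema fields shown above and assumes patterns are applied unanchored, as with RegExp.prototype.test.

```javascript
// Added example: models the DefaultPrinterSelection rules described above.
// Only the two schema fields shown on this page are handled.
const PATTERN_FIELDS = { idPattern: "id", namePattern: "name" };

// Parse and validate a policy value. Returns { ok, rules } or { ok, error }.
function parseSelectionPolicy(policyString) {
  let parsed;
  try {
    parsed = JSON.parse(policyString);
  } catch (err) {
    return { ok: false, error: "not valid JSON: " + err.message };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, error: "value must be a JSON object" };
  }
  const rules = [];
  for (const [field, attribute] of Object.entries(PATTERN_FIELDS)) {
    if (!(field in parsed)) continue; // omitted field: every value matches
    if (typeof parsed[field] !== "string") {
      return { ok: false, error: field + " must be a string" };
    }
    try {
      // No "i" flag: matching is case sensitive, as the policy text states.
      rules.push({ attribute, regex: new RegExp(parsed[field]) });
    } catch (err) {
      return { ok: false, error: field + " is not a valid RegExp: " + err.message };
    }
  }
  return { ok: true, rules };
}

// Return the first printer matching every specified pattern, or null when
// nothing matches (the case where the policy text says the PDF printer is used).
// Assumption: patterns are applied unanchored, like RegExp.prototype.test.
function selectDefaultPrinter(policyString, printers) {
  const policy = parseSelectionPolicy(policyString);
  if (!policy.ok) {
    throw new Error("invalid DefaultPrinterSelection: " + policy.error);
  }
  const match = printers.find((printer) =>
    policy.rules.every((rule) => rule.regex.test(String(printer[rule.attribute])))
  );
  return match || null;
}

// Constructed printer inventory (not real devices).
const SAMPLE_PRINTERS = [
  { id: "prn-001", name: "finance-floor2" },
  { id: "prn-002", name: "Finance-Guest-Lobby" },
  { id: "prn-003", name: "Finance-Floor2" },
];

// Run several policy values against the sample inventory and collect the
// id of the printer each one selects (null when nothing matches).
function demo() {
  const pick = (policyString) => {
    const printer = selectDefaultPrinter(policyString, SAMPLE_PRINTERS);
    return printer ? printer.id : null;
  };
  return {
    // Unanchored and case sensitive: skips "finance-floor2", then stops at
    // the guest lobby printer because it is the first match.
    loose: pick('{"namePattern":"Finance"}'),
    // Anchored pattern selects exactly the intended printer.
    anchored: pick('{"namePattern":"^Finance-Floor2$"}'),
    // Both fields must match the same printer.
    both: pick('{"idPattern":"^prn-00[13]$","namePattern":"[Ff]inance"}'),
    // No fields: everything matches, so the first printer is used.
    empty: pick("{}"),
    // No match at all.
    none: pick('{"namePattern":"^Legal-"}'),
  };
}

console.log(JSON.stringify(demo()));
```

Anchoring patterns with ^ and $ before deployment avoids the "loose" outcome, where a substring match on an earlier-listed printer wins.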
This policy determines whether Microsoft Edge handles interactions with printer drivers through a separate service process.
Using a service process for tasks like querying available printers, retrieving print driver settings, and submitting documents to local printers improves browser stability and prevents UI freezing during Print Preview.
Enabled or Not Set: Microsoft Edge uses a separate service process for these printing tasks.
Disabled: Microsoft Edge performs these printing tasks within the browser process.
Note: This policy will be deprecated in the future once the transition to out-of-process print drivers is fully implemented.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: OopPrintDriversAllowed
GP name: Out-of-process print drivers allowed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Controls if Microsoft Edge makes the Print as image option the default when printing PDFs.
If you enable this policy, Microsoft Edge defaults to setting the Print as image option in the Print Preview when printing a PDF.
If you disable or don't configure this policy, Microsoft Edge won't default to setting the Print as image option in the Print Preview when printing a PDF.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintPdfAsImageDefault
GP name: Print PDF as Image Default
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Controls how Microsoft Edge prints on Microsoft Windows.
When printing to a PostScript printer on Microsoft Windows, different PostScript generation methods can affect printing performance.
If you set this policy to Default, Microsoft Edge uses a set of default options when generating PostScript. Text, in particular, is always rendered using Type 3 fonts.
If you set this policy to Type42, Microsoft Edge renders text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers.
If you don't configure this policy, Microsoft Edge remains in Default mode.
Policy options mapping:
* Default (0) = Default
* Type42 (1) = Type42
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintPostScriptMode
GP name: Print PostScript Mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Configuring this policy sets the print preview settings as the most recent choice in Print Preview instead of the default print preview settings.
Each item of this policy expects a boolean:
Layout specifies if the webpage layout should be kept sticky or not in print preview settings. If you set this to True, the webpage layout uses the recent choice; otherwise, it's set to the default value.
Size specifies if the page size should be kept sticky or not in print preview settings. If you set this to True, the page size uses the recent choice; otherwise, it's set to the default value.
Scale Type specifies if the scaling percentage and scale type should be kept sticky or not in print preview settings. If you set this to True, the scale percentage and scale type both use the recent choice; otherwise, they're set to the default value.
Margins specifies if the page margin should be kept sticky or not in print preview settings. If you set this to True, the page margins use the recent choice; otherwise, they're set to the default value.
If you enable this policy, the selected values use the most recent choice in Print Preview.
If you disable or don't configure this policy, print preview settings aren't impacted.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintPreviewStickySettings
GP name: Configure the sticky print preview settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Printing
Controls how Microsoft Edge prints on Windows. When printing to a non-PostScript printer on Windows, some print jobs need to be rasterized to print correctly.
If you set this policy to 'Full' or don't configure it, Microsoft Edge performs full page rasterization if necessary.
If you set this policy to 'Fast', Microsoft Edge reduces the amount of rasterization, which can decrease print job sizes and increase printing speed.
Policy options mapping:
* Full (0) = Full page rasterization
* Fast (1) = Avoid rasterization if possible
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintRasterizationMode
GP name: Print Rasterization Mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Controls print image resolution when Microsoft Edge prints PDFs with rasterization.
When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution significantly increases the processing and printing time while a low resolution can lead to poor imaging quality.
If you set this policy, it allows a particular resolution to be specified for use when rasterizing PDFs for printing.
If you set this policy to zero or don't configure it, the system default resolution is used during rasterization of page images.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintRasterizePdfDpi
GP name: Print Rasterize PDF DPI
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Specifies whether print preview should apply last used settings for Microsoft Edge PDF and webpages.
If you set this policy to 'EnableAll' or don't configure it, Microsoft Edge applies the last used print preview settings for both PDF and webpages.
If you set this policy to 'DisableAll', Microsoft Edge doesn't apply the last used print preview settings for both PDF and webpages.
If you set this policy to 'DisablePdf', Microsoft Edge doesn't apply the last used print preview settings for PDF printing and retains them for webpages.
If you set this policy to 'DisableWebpage', Microsoft Edge doesn't apply the last used print preview settings for webpage printing and retains them for PDF.
This policy is only available if you enable or don't configure the PrintingEnabled policy.
Policy options mapping:
* EnableAll (0) = Enable sticky settings for PDF and Webpages
* DisableAll (1) = Disable sticky settings for PDF and Webpages
* DisablePdf (2) = Disable sticky settings for PDF
* DisableWebpage (3) = Disable sticky settings for Webpages
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintStickySettings
GP name: Print preview sticky settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Printer types on the deny list aren't discovered and don't have their capabilities fetched.
Placing all printer types on the deny list effectively disables printing because there's no print destination for documents.
If you don't configure this policy, or the printer list is empty, all printer types are discoverable.
Printer destinations include extension printers and local printers. Extension printers are also known as print provider destinations, and include any destination that belongs to a Microsoft Edge extension. Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.
In Microsoft Edge version 93 or later, if you set this policy to 'pdf' it also disables the 'save as Pdf' option from the right click context menu.
In Microsoft Edge version 103 or later, if you set this policy to 'onedrive' it also disables the 'save as Pdf (OneDrive)' option from print preview.
Overrides the last used setting for printing background graphics. If you enable this setting, background graphics printing is enabled. If you disable this setting, background graphics printing is disabled.
Enables printing in Microsoft Edge and prevents users from changing this setting.
If you enable this policy or don't configure it, users can print.
If you disable this policy, users can't print from Microsoft Edge. Printing is disabled in the wrench menu, extensions, JavaScript applications, and so on. Users can still print from plug-ins that bypass Microsoft Edge while printing. For example, certain Adobe Flash applications have the print option in their context menu, which isn't covered by this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintingEnabled
GP name: Enable printing
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Setting this policy to Enabled or leaving it unset enables the LPAC Sandbox for printing services when the system configuration supports it.
Setting this policy to Disabled has a detrimental effect on Microsoft Edge's security because services used for printing might run in a weaker sandbox configuration.
Only turn this policy off if there are compatibility issues with third party software that prevent printing services from operating correctly inside the LPAC Sandbox.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintingLPACSandboxEnabled
GP name: Enable Printing LPAC Sandbox
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Name should contain one of the listed formats, or 'custom' if the required paper size isn't in the list. If the 'custom' value is provided, the custom_size property should be specified; it describes the desired height and width in micrometers. Otherwise, the custom_size property shouldn't be specified. A policy that violates these rules is ignored.
If the page size is unavailable on the printer chosen by the user, this policy is ignored.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrintingPaperSizeDefault
GP name: Default printing page size
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Printing
Specifies whether to allow websites to make requests to any network endpoint in an insecure manner. (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 137.
Supported versions:
On Windows and macOS since 92, until 137
Description
Controls whether websites are allowed to make requests to more-private network endpoints.
When this policy is enabled, all Private Network Access checks are disabled for all origins. This may allow attackers to perform cross-site request forgery (CSRF) attacks on private network servers.
When this policy is disabled or not configured, the default behavior for requests to more-private network endpoints depends on the user's personal configuration for the BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights, and PrivateNetworkAccessRespectPreflightResults feature flags. These flags may be controlled by experimentation or set via the command line.
This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.
A network endpoint is more private than another if: 1) Its IP address is localhost and the other isn't. 2) Its IP address is private and the other is public. In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.
When this policy is enabled, websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.
This policy is obsolete. The previous blanket override has been replaced by the permission-based Local Network Access model, which blocks cross-space requests until users grant explicit consent.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InsecurePrivateNetworkRequestsAllowed
GP name: Specifies whether to allow websites to make requests to any network endpoint in an insecure manner. (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Private Network Request Settings
Allow the listed sites to make requests to more-private network endpoints from in an insecure manner (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 137.
Supported versions:
On Windows and macOS since 92, until 137
Description
List of URL patterns. Requests initiated from websites served by matching origins aren't subject to Private Network Access checks.
If this policy isn't set, this policy behaves as if set to the empty list.
For origins not covered by the patterns specified here, the global default value is used either from the InsecurePrivateNetworkRequestsAllowed policy, if it's set, or the user's personal configuration otherwise.
For detailed information on valid URL patterns, see [Filter format for URL list-based policies](/DeployEdge/edge-learnmmore-url-list-filter%20format).
This policy is obsolete. The previous blanket override has been replaced by the permission-based Local Network Access model, which blocks cross-space requests until users grant explicit consent.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: InsecurePrivateNetworkRequestsAllowedForUrls
GP name: Allow the listed sites to make requests to more-private network endpoints from in an insecure manner (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Private Network Request Settings
Specifies whether to apply restrictions to requests to more private network endpoints (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 137.
Supported versions:
On Windows and macOS since 131, until 137
Description
Specifies whether to apply restrictions to requests to more private network endpoints
When this policy is Enabled, whenever a warning would be displayed in DevTools because Private Network Access checks fail, the request is blocked.
When this policy is Disabled or unset, all Private Network Access warnings aren't enforced and the requests aren't blocked.
See https://wicg.github.io/private-network-access/ for Private Network Access restrictions.
Note: A network endpoint is more private than another if: 1) Its IP address is localhost and the other isn't. 2) Its IP address is private and the other is public.
This policy is obsolete. The earlier blanket override has been replaced by the permission-based Local Network Access model, which blocks cross-space requests until users give explicit consent.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrivateNetworkAccessRestrictionsEnabled
GP name: Specifies whether to apply restrictions to requests to more private network endpoints (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Private Network Request Settings
Allows web pages to use identifiers for the purpose of protected content playback
Supported versions:
On Windows and macOS since 147 or later
Description
This policy controls whether sites can use hardware-specific device identifiers to enable hardware-secure DRM (for example, Widevine L1 or PlayReady SL3000), which may be required for high-resolution protected content playback.
If you enable this policy or do not configure it, sites are allowed to use protected content identifiers.
If you disable this policy, sites are not allowed to use protected content identifiers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ProtectedContentIdentifiersAllowed
GP name: Allows web pages to use identifiers for the purpose of protected content playback
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Protected Content
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 77 or later
Description
This policy is deprecated; use ProxySettings instead. It doesn't work in Microsoft Edge version 91.
Defines a list of hosts for which Microsoft Edge bypasses any proxy.
This policy is applied only if the ProxySettings policy isn't specified and you selected either fixed_servers or pac_script in the ProxyMode policy. If you selected any other mode for configuring proxy policies, don't enable or configure this policy.
If you enable this policy, you can create a list of hosts for which Microsoft Edge doesn't use a proxy.
If you don't configure this policy, no list of hosts is created for which Microsoft Edge bypasses a proxy. Leave this policy unconfigured if you specified any other method for setting proxy policies.
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 77 or later
Description
This policy is deprecated; use ProxySettings instead. It won't work in Microsoft Edge version 91.
If you set this policy to Enabled, you can specify the proxy server Microsoft Edge uses and prevent users from changing proxy settings. Microsoft Edge ignores all proxy-related options specified from the command line. The policy is only applied if the ProxySettings policy isn't specified.
Other options are ignored if you choose one of the following options:
* direct = Never use a proxy server and always connect directly
* system = Use system proxy settings
* auto_detect = Auto detect the proxy server
If you choose to use:
* fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList.
* pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.
This policy enables rule-based proxy selection that determines which proxy Microsoft Edge uses based on the destination URL and any other conditions you define.
When this policy is configured, it takes precedence over proxy settings configured by the ProxySettings policy, the Edge.proxy extension API, and any manual user settings.
If this policy is disabled or not configured, existing proxy policies and user-defined settings continue to apply.
When Edge selects a proxy, it evaluates entries in the ProxyOverrideRules policy in order. A rule is considered a match when all the following conditions are met:
* At least one URL pattern in DestinationMatchers is matched.
* No URL pattern in ExcludeDestinationMatchers is matched.
* If Conditions is specified and non-empty, all conditions are satisfied.
For a matching rule, the value specified in ProxyList is used as the proxy. If no rule matches, proxy selection falls back to the settings defined by the ProxySettings policy.
The URL patterns supported by DestinationMatchers and ExcludeDestinationMatchers are documented at https://review.learn.microsoft.com/en-us/DeployEdge/configure-microsoft-edge-proxy-support?branch=pr-en-us-6681#proxy-config-url-patterns . Entries in ProxyList correspond to PAC-style proxy strings, such as:
* DIRECT
* PROXY host:port
* HTTPS host:port
* SOCKS4 host:port
* SOCKS5 host:port
Alternatively, URL-form proxy specifiers can be used, for example:
* http://host:port
* https://host:port
* socks4://host:port
* socks5://host:port
The first reachable proxy in the list is used. Invalid entries are ignored.
The Conditions field specifies conditions that must all be met for an override rule to be applied when selecting a proxy. If this field is not set, the rule is applied when at least one host in DestinationMatchers matches.
The DnsProbe condition checks whether the specified DNS Host can be resolved to an IP address. The host must include a hostname (for example, example.com) and can optionally include a scheme or port (for example, https://example.com, example.com:123, or https://example.com:123). When a secure scheme (for example, https) is specified, the DNS lookup may also request the HTTPS record (see RFC 9460).
If Result is set to resolved, the condition is met when resolution succeeds. If set to not_found, the condition is met only when resolution fails.
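The rule evaluation described above, modelled as an added example (not Microsoft's code) so a rule set can be reviewed for unintended matches before deployment. Assumptions: the policy value is a list of rule objects using the field names from the text, the URL matcher is a simplified stand-in for Edge's pattern syntax, and DNS resolution and proxy reachability are injected as the hypothetical callables `resolves` and `reachable` so the model runs offline.

```python
import re
from urllib.parse import urlsplit

# PAC-style and URL-form proxy specifiers listed in the policy text.
_PAC_RE = re.compile(r"^(DIRECT|(PROXY|HTTPS|SOCKS4|SOCKS5) [^\s:]+:\d+)$")
_URL_RE = re.compile(r"^(http|https|socks4|socks5)://[^\s:/]+:\d+$")


def valid_proxy_entry(entry):
    """True when the entry has one of the forms the policy text lists."""
    return bool(_PAC_RE.match(entry) or _URL_RE.match(entry))


def host_matches(pattern, url):
    """Simplified matcher (assumption, not Edge's pattern syntax):
    'example.com' matches that host and its subdomains, '*' matches any
    host, and an optional 'scheme://' prefix must equal the URL's scheme."""
    parts = urlsplit(url)
    scheme, _, host_pat = pattern.rpartition("://")
    if scheme and scheme != parts.scheme:
        return False
    host = (parts.hostname or "").lower()
    host_pat = host_pat.lower()
    return host_pat == "*" or host == host_pat or host.endswith("." + host_pat)


def condition_met(cond, resolves):
    """Evaluate one condition; DnsProbe is the only type the page describes."""
    probe = cond.get("DnsProbe")
    if probe is None:
        return False  # unknown condition type: treated as not met (assumption)
    host = probe["Host"]
    # Host may carry a scheme or port; only the hostname is resolved.
    hostname = urlsplit(host if "://" in host else "//" + host).hostname
    resolved = resolves(hostname)
    if probe["Result"] == "resolved":
        return resolved
    if probe["Result"] == "not_found":
        return not resolved
    return False


def select_proxy(url, rules, resolves, reachable, fallback="ProxySettings"):
    """Return (rule_index, proxy) for the first matching rule,
    or (None, fallback) when no rule matches."""
    for index, rule in enumerate(rules):
        if not any(host_matches(p, url) for p in rule.get("DestinationMatchers", [])):
            continue
        if any(host_matches(p, url) for p in rule.get("ExcludeDestinationMatchers", [])):
            continue
        if not all(condition_met(c, resolves) for c in rule.get("Conditions", [])):
            continue
        # Invalid entries are ignored; the first reachable proxy is used.
        for entry in rule.get("ProxyList", []):
            if valid_proxy_entry(entry) and reachable(entry):
                return index, entry
        # The page does not say what happens when no entry is usable;
        # this model stops at the matching rule and reports None.
        return index, None
    return None, fallback


# Constructed sample rules; all hostnames are placeholders.
RULES = [
    {   # Internal proxy name resolves: route intranet traffic through it.
        "DestinationMatchers": ["https://intranet.example"],
        "ExcludeDestinationMatchers": ["public.intranet.example"],
        "Conditions": [{"DnsProbe": {"Host": "proxy.corp.example",
                                     "Result": "resolved"}}],
        "ProxyList": ["PROXY proxy.corp.example:8080", "DIRECT"],
    },
    {   # Internal proxy name does not resolve: use the external proxy.
        "DestinationMatchers": ["*"],
        "Conditions": [{"DnsProbe": {"Host": "https://proxy.corp.example:443",
                                     "Result": "not_found"}}],
        "ProxyList": ["socks5:/bad", "https://edge-proxy.example:443", "DIRECT"],
    },
]
```

Because rules are evaluated in order and a broad matcher such as the `*` in the second sample rule catches everything the earlier rules skipped, reviewing the order and the exclusions matters as much as reviewing each rule alone.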
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ProxyOverrideRules
GP name: Proxy override rules
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Proxy server
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 77 or later
Description
This policy is deprecated; use ProxySettings instead. It doesn't work in Microsoft Edge version 91.
Specifies the URL for a proxy auto-config (PAC) file.
This policy is applied only if the ProxySettings policy isn't specified, and if you've selected pac_script in the ProxyMode policy. If you've selected any other mode for configuring proxy policies, don't enable or configure this policy.
If you enable this policy, specify the URL for a PAC file, which defines how the browser automatically chooses the appropriate proxy server for fetching a particular website.
If you disable or don't configure this policy, no PAC file is specified. Leave this policy unconfigured if you've specified any other method for setting proxy policies.
Configure address or URL of proxy server (deprecated)
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 77 or later
Description
This policy is deprecated; use ProxySettings instead. It doesn't work in Microsoft Edge version 91.
Specifies the URL of the proxy server.
This policy is applied only if the ProxySettings policy isn't specified and you selected fixed_servers in the ProxyMode policy. If you selected any other mode for configuring proxy policies, don't enable or configure this policy.
If you enable this policy, the proxy server configured by this policy is used for all URLs.
If you disable or don't configure this policy, users can choose their own proxy settings while in this proxy mode. Leave this policy unconfigured if you specified any other method for setting proxy policies.
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 121 or later
Description
This policy lets you control the enablement of the Related Website Sets feature. Related Website Sets (RWS) is a way for an organisation to declare relationships among sites, so that Microsoft Edge allows limited third-party cookie access for specific purposes across those sites.
If this policy is set to True or unset, the Related Website Sets feature is enabled.
If this policy is set to False, the Related Website Sets feature is disabled.
This policy is deprecated as of Microsoft Edge version 144 with the deprecation of Related Website Sets.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelatedWebsiteSetsEnabled
GP name: Enable Related Website Sets (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Related Website Sets Settings
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 121 or later
Description
This policy provides a way to override the list of sets Microsoft Edge uses for Related Website Sets.
Each set in the browser's list of Related Website Sets must meet the requirements of a Related Website Set. A Related Website Set must contain a primary site and one or more member sites. A set can also contain a list of service sites that it owns, and a map from a site to all its ccTLD variants. For more information on how Microsoft Edge uses Related Website Sets, see https://github.com/WICG/first-party-sets.
All sites in a Related Website Set must be a registrable domain served over HTTPS. Each site in a Related Website Set must also be unique, which means a site can't be listed more than once in a Related Website Set.
When this policy is given an empty dictionary, Microsoft Edge uses the public list of Related Website Sets.
For all sites in a Related Website Set from the replacements list, if a site is also present on a Related Website Set in the browser's list, then that site will be removed from the browser's Related Website Set. After this step, the policy's Related Website Set is added to Microsoft Edge's list of Related Website Sets.
For all sites in a Related Website Set from the additions list, if a site is also present on a Related Website Set in Microsoft Edge's list, then the browser's Related Website Set is updated so that the new Related Website Set can be added to the browser's list. After the browser's list has been updated, the policy's Related Website Set is added to the browser's list of Related Website Sets.
The browser's list of Related Website Sets requires that for all sites in its list, no site is in more than one set. This requirement also applies to both the replacements list and the additions list. Similarly, a site can't be in both the replacements list and the additions list.
Wildcards (*) aren't supported as a policy value, or as a value within any Related Website Set in these lists.
This policy is deprecated as of Microsoft Edge version 144 with the deprecation of Related Website Sets.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelatedWebsiteSetsOverrides
GP name: Override Related Website Sets. (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Related Website Sets Settings
Configure the list of domains where Microsoft Edge Scareware blockers don't run
Supported versions:
On Windows and macOS since 142 or later
Description
This policy configures the list of trusted domains for Microsoft Edge Scareware blocker. When a website's source URL matches any domain in this list, Microsoft Edge Scareware blocker doesn't analyze that site.
This policy takes effect only if the ScarewareBlockerProtectionEnabled policy is enabled.
If you enable this policy, Microsoft Edge Scareware blocker trusts the specified domains.
If you disable or don't configure this policy, Microsoft Edge Scareware blocker analyzes all sites.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ScarewareBlockerAllowListDomains
GP name: Configure the list of domains where Microsoft Edge Scareware blockers don't run
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Scareware Blocker settings
Configure Microsoft Edge Scareware blocker protection
Supported versions:
On Windows since 134 or later
On macOS since 142 or later
Description
This policy setting allows administrators to control whether Microsoft Edge enables Scareware blocker, an AI-powered feature for protecting users from potential tech scams. To support this feature, Microsoft Edge downloads a machine learning model file from Microsoft to the device.
If you enable or don’t configure this policy, Microsoft Edge Scareware blocker uses local AI to detect potential tech scams.
If you disable this policy, Microsoft Edge Scareware blocker is disabled. The machine learning model file doesn't download to the device, and if it was already downloaded, it is deleted.
Configure Microsoft Edge Scareware blocker to share URLs of sites detected as potential tech scams with Microsoft Defender SmartScreen
Supported versions:
On Windows and macOS since 142 or later
Description
This policy controls whether Microsoft Edge shares URLs of sites that are detected as potential tech scams with Microsoft Defender SmartScreen.
This policy only takes effect if ScarewareBlockerProtectionEnabled is enabled.
If you enable this policy, Microsoft Edge shares URLs of sites detected as potential tech scams with Microsoft Defender SmartScreen.
If you disable or don't configure this policy, Microsoft Edge doesn't share URLs of sites detected as potential tech scams with Microsoft Defender SmartScreen.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ScarewareBlockerSendDetectedSitesToSmartScreenEnabled
GP name: Configure Microsoft Edge Scareware blocker to share URLs of sites detected as potential tech scams with Microsoft Defender SmartScreen
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Scareware Blocker settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Scareware Blocker settings
Setting this policy enables inactive (sleeping) tabs to be automatically discarded after 1.5 days of inactivity. This is done to save memory. When the user switches back to a discarded tab, the tab needs to be reloaded.
If the SleepingTabsEnabled policy is enabled, then this feature is enabled by default.
If the SleepingTabsEnabled policy is disabled, then this feature is disabled by default and can't be enabled.
If enabled, idle background tabs will be discarded after 1.5 days.
If disabled, idle background tabs won't be discarded after 1.5 days. Tabs can still be discarded for other reasons if this policy is disabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoDiscardSleepingTabsEnabled
GP name: Configure auto discard sleeping tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Sleeping tabs settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Sleeping tabs settings
Define a list of sites, based on URL patterns, that aren't allowed to be put to sleep by sleeping tabs. Sites in this list are also excluded from other performance optimizations like efficiency mode and tab discard.
If the policy SleepingTabsEnabled is disabled, this list isn't used and no sites are put to sleep automatically.
If you don't configure this policy, all sites are eligible to be put to sleep unless the user's personal configuration blocks them.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: SleepingTabsBlockedForUrls
GP name: Block sleeping tabs on specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Sleeping tabs settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Sleeping tabs settings
This policy setting lets you configure whether to turn on sleeping tabs. Sleeping tabs reduces CPU, battery, and memory usage by putting idle background tabs to sleep. Microsoft Edge uses heuristics to avoid putting tabs to sleep that do useful work in the background, such as displaying notifications, playing sound, and streaming video. By default, sleeping tabs is turned on.
Individual sites may be blocked from being put to sleep by configuring the policy SleepingTabsBlockedForUrls.
If this policy is enabled, sleeping tabs are turned on.
If this policy is disabled, sleeping tabs are turned off. However, during moderate memory pressure, the system may freeze (sleep) tabs before discarding them.
If this policy is not configured, users can choose whether to enable sleeping tabs.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SleepingTabsEnabled
GP name: Configure sleeping tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Sleeping tabs settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Sleeping tabs settings
Set the background tab inactivity timeout for sleeping tabs
Supported versions:
On Windows and macOS since 88 or later
Description
This policy setting lets you configure the timeout, in seconds, after which inactive background tabs are automatically put to sleep if sleeping tabs is enabled. By default, this timeout is 7,200 seconds (2 hours).
Tabs are only put to sleep automatically when the policy SleepingTabsEnabled is enabled or isn't configured, and the user has enabled the sleeping tabs setting.
If you don't configure this policy, users can choose the timeout value.
Policy options mapping:
* 30Seconds (30) = 30 seconds of inactivity
* 5Minutes (300) = 5 minutes of inactivity
* 15Minutes (900) = 15 minutes of inactivity
* 30Minutes (1800) = 30 minutes of inactivity
* 1Hour (3600) = 1 hour of inactivity
* 2Hours (7200) = 2 hours of inactivity
* 3Hours (10800) = 3 hours of inactivity
* 6Hours (21600) = 6 hours of inactivity
* 12Hours (43200) = 12 hours of inactivity
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: SleepingTabsTimeout
GP name: Set the background tab inactivity timeout for sleeping tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Sleeping tabs settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Sleeping tabs settings
Disable SmartScreen AppRep based warnings for specified file types on specified domains
Supported versions:
On Windows since 118 or later
Description
You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that are exempted from SmartScreen AppRep warnings. For example, if the `vbe` extension is associated with "contoso.com," users don't see a SmartScreen AppRep warning when downloading `vbe` files from "contoso.com." They can, however, see a download warning when downloading `vbe` files from "fabrikam.com."
Files with file type extensions specified for domains identified by this policy are still subject to file type extension-based security warnings and mixed-content download warnings.
If you disable this policy or don't configure it, files that trigger SmartScreen AppRep download warnings show warnings to the user.
If you enable this policy:
* The URL pattern should be formatted according to https://go.microsoft.com/fwlink/?linkid=2095322.
* The file type extension entered must be in lower-cased ASCII. The leading separator shouldn't be included when listing the file type extension; so, `vbe` should be used instead of `.vbe`.
Example:
The following example prevents SmartScreen AppRep warnings on msi, exe, and vbe extensions for *.contoso.com domains. It might show the user a SmartScreen AppRep warning on any other domain for exe and msi files but not for vbe files.
Note: While the preceding example shows the suppression of SmartScreen AppRep download warnings for `vbe` files for all domains, applying suppression of such warnings for all domains isn't recommended due to security concerns. The ability to suppress warnings for all domains is shown in the example merely to demonstrate the ability to do so.
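A review check for a proposed value of this policy, added here as an example (not Microsoft's code): it enforces the formatting rules above and flags entries that suppress AppRep warnings on every domain. Assumptions: the value is a JSON list of objects with the keys `file_extension` and `domains`, `*` is the all-domains pattern, and the host match is a simplified stand-in for the linked URL pattern format; the sample value is constructed.

```python
import json


def audit_exemptions(policy_json):
    """Return (entry_index, severity, message) findings for a policy value."""
    findings = []
    for index, entry in enumerate(json.loads(policy_json)):
        ext = entry.get("file_extension", "")
        domains = entry.get("domains", [])
        if ext.startswith("."):
            findings.append((index, "error",
                             f"extension {ext!r} includes the leading separator"))
        if not ext.isascii() or ext != ext.lower():
            findings.append((index, "error",
                             f"extension {ext!r} is not lower-cased ASCII"))
        if "*" in domains:
            findings.append((index, "warning",
                             f"AppRep warnings for {ext!r} are suppressed on all domains"))
    return findings


def _domain_covers(pattern, host):
    # Simplified: a bare domain covers itself and its subdomains (assumption).
    pattern = pattern.split("://")[-1].lower()
    return pattern == "*" or host == pattern or host.endswith("." + pattern)


def suppressed_for(policy_json, extension, host):
    """True when some entry exempts `extension` downloads from `host`.
    Entries are compared as written, so a malformed extension such as
    '.EXE' matches nothing in this model."""
    for entry in json.loads(policy_json):
        if entry.get("file_extension") != extension.lower():
            continue
        if any(_domain_covers(d, host.lower()) for d in entry.get("domains", [])):
            return True
    return False


# Constructed sample value: one clean entry, one malformed, one over-broad.
SAMPLE_POLICY = json.dumps([
    {"file_extension": "msi", "domains": ["contoso.com"]},
    {"file_extension": ".EXE", "domains": ["contoso.com"]},
    {"file_extension": "vbe", "domains": ["*"]},
])

if __name__ == "__main__":
    for index, severity, message in audit_exemptions(SAMPLE_POLICY):
        print(f"entry {index}: {severity}: {message}")
```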
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExemptSmartScreenDownloadWarnings
GP name: Disable SmartScreen AppRep based warnings for specified file types on specified domains
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 107.
Supported versions:
On Windows and macOS since 95, until 107
Description
This policy doesn't work because it was only intended to be a short-term mechanism to support the update to a new SmartScreen client.
Allows the Microsoft Edge browser to load the new SmartScreen library (libSmartScreenN) for any SmartScreen checks on site URLs or application downloads.
If you enable or don't configure this policy, Microsoft Edge will use the new SmartScreen library (libSmartScreenN).
If you disable this policy, Microsoft Edge will use the old SmartScreen library (libSmartScreen).
Before Microsoft Edge version 103, if you don't configure this policy, Microsoft Edge will use the old SmartScreen library (libSmartScreen).
This policy is only available on Windows instances that are joined to a Microsoft Active Directory domain, or Windows 10 Pro or Enterprise instances that are enrolled for device management. This also includes macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewSmartScreenLibraryEnabled
GP name: Enable new SmartScreen library (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/SmartScreen settings
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Supported versions:
On Windows and macOS since 77 or later
Description
This policy setting lets you decide whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites.
If you enable this setting, users can't ignore Microsoft Defender SmartScreen warnings and they are blocked from continuing to the site.
If you disable or don't configure this setting, users can ignore Microsoft Defender SmartScreen warnings and continue to the site.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that are enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreventSmartScreenPromptOverride
GP name: Prevent bypassing Microsoft Defender SmartScreen prompts for sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Supported versions:
On Windows since 77 or later
On macOS since 79 or later
Description
This policy lets you determine whether users can override Microsoft Defender SmartScreen warnings about unverified downloads.
If you enable this policy, users in your organization can't ignore Microsoft Defender SmartScreen warnings, and they're prevented from completing the unverified downloads.
If you disable or don't configure this policy, users can ignore Microsoft Defender SmartScreen warnings and complete unverified downloads.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that are enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PreventSmartScreenPromptOverrideForFiles
GP name: Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings
Supported versions:
On Windows and macOS since 77 or later
Description
Configures the list of Microsoft Defender SmartScreen trusted domains. This means:
- Microsoft Defender SmartScreen won't check for potentially malicious resources like phishing software and other malware if the source URLs match these domains.
- The Microsoft Defender SmartScreen download protection service won't check downloads hosted on these domains.
If you enable this policy, Microsoft Defender SmartScreen trusts these domains. If you disable or don't set this policy, default Microsoft Defender SmartScreen protection is applied to all resources.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10/11 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via mobile device management (MDM) or joined to a domain via MCX.
Note: If your organization has enabled Microsoft Defender for Endpoint, this policy and any allowlists created with the policy are ignored. You must configure your allowlists and blocklists in Microsoft 365 Defender portal using "Indicators" (Settings > Endpoints > Indicators).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: SmartScreenAllowListDomains
GP name: Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
Enable Microsoft Defender SmartScreen DNS requests
Supported versions:
On Windows and macOS since 97 or later
Description
This policy lets you configure whether to enable DNS requests made by Microsoft Defender SmartScreen. Note: Disabling DNS requests will prevent Microsoft Defender SmartScreen from getting IP addresses, and potentially impact the IP-based protections provided.
If you enable or don't configure this setting, Microsoft Defender SmartScreen will make DNS requests.
If you disable this setting, Microsoft Defender SmartScreen will not make any DNS requests.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SmartScreenDnsRequestsEnabled
GP name: Enable Microsoft Defender SmartScreen DNS requests
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/SmartScreen settings
This policy setting lets you configure whether to turn on Microsoft Defender SmartScreen. Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software. By default, Microsoft Defender SmartScreen is turned on.
If you enable this setting, Microsoft Defender SmartScreen is turned on.
If you disable this setting, Microsoft Defender SmartScreen is turned off.
If you don't configure this setting, users can choose whether to use Microsoft Defender SmartScreen.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SmartScreenEnabled
GP name: Configure Microsoft Defender SmartScreen
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/SmartScreen settings
Force Microsoft Defender SmartScreen checks on downloads from trusted sources
Supported versions:
On Windows since 78 or later
Description
This policy setting lets you configure whether Microsoft Defender SmartScreen checks download reputation from a trusted source.
In Windows, the policy determines a trusted source by checking its Internet zone. If the source comes from the local system, intranet, or trusted sites zone, then the download is considered trusted and safe.
If you enable or don't configure this setting, Microsoft Defender SmartScreen checks the download's reputation regardless of source.
If you disable this setting, Microsoft Defender SmartScreen doesn't check the download's reputation when downloading from a trusted source.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SmartScreenForTrustedDownloadsEnabled
GP name: Force Microsoft Defender SmartScreen checks on downloads from trusted sources
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/SmartScreen settings
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Supported versions:
On Windows and macOS since 80 or later
Description
This policy setting lets you configure whether to turn on blocking for potentially unwanted apps with Microsoft Defender SmartScreen. Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites. Potentially unwanted app blocking with Microsoft Defender SmartScreen is turned off by default.
If you enable this setting, potentially unwanted app blocking with Microsoft Defender SmartScreen is turned on.
If you disable this setting, potentially unwanted app blocking with Microsoft Defender SmartScreen is turned off.
If you don't configure this setting, users can choose whether to use potentially unwanted app blocking with Microsoft Defender SmartScreen.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SmartScreenPuaEnabled
GP name: Configure Microsoft Defender SmartScreen to block potentially unwanted apps
GP path (Mandatory):
Administrative Templates/Microsoft Edge/SmartScreen settings
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/SmartScreen settings
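The SmartScreen policies above behave differently when enabled, disabled, left unconfigured, or set only as recommended. The following audit is an added example, not Microsoft's code: it resolves the effective state of each setting from a constructed policy set. The "secure"/"weak" labels, the (value, level) input shape, the "invalid-level" result and the `defender_for_endpoint` parameter are assumptions of this example.

```python
SECURE, WEAK, USER_CHOICE, INVALID = "secure", "weak", "user-choice", "invalid-level"

# GP unique name -> (state when enabled, when disabled, when not configured,
#                    whether the page lists "Can be recommended: Yes").
# States follow the policy descriptions above; the labels are this example's.
BOOLEAN_POLICIES = {
    "SmartScreenEnabled": (SECURE, WEAK, USER_CHOICE, True),
    "SmartScreenPuaEnabled": (SECURE, WEAK, USER_CHOICE, True),
    "PreventSmartScreenPromptOverrideForFiles": (SECURE, WEAK, WEAK, False),
    "SmartScreenForTrustedDownloadsEnabled": (SECURE, WEAK, SECURE, True),
    "SmartScreenDnsRequestsEnabled": (SECURE, WEAK, SECURE, True),
}


def resolve(name, policies):
    """Effective state of one Boolean SmartScreen policy.

    policies maps a GP unique name to (value, level), where level is
    "mandatory" or "recommended"; a missing name means "not configured".
    """
    enabled, disabled, unset, can_recommend = BOOLEAN_POLICIES[name]
    if name not in policies:
        return unset
    value, level = policies[name]
    if level == "recommended":
        if not can_recommend:
            return INVALID  # the page lists "Can be recommended: No"
        # Recommended values live under "Default Settings (users can override)".
        return USER_CHOICE if value else disabled
    return enabled if value else disabled


def audit_smartscreen(policies, defender_for_endpoint=False):
    """Return {policy name: state} for every setting that is not enforced secure."""
    findings = {}
    for name in BOOLEAN_POLICIES:
        state = resolve(name, policies)
        if state != SECURE:
            findings[name] = state
    domains, _level = policies.get("SmartScreenAllowListDomains", ([], None))
    if domains:
        if defender_for_endpoint:
            # The page states the allowlist is ignored in this case.
            findings["SmartScreenAllowListDomains"] = "ignored"
        else:
            findings["SmartScreenAllowListDomains"] = (
                "unchecked: " + ", ".join(sorted(domains)))
    return findings


# Constructed policy sets for illustration.
UNCONFIGURED = {}
HARDENED = {name: (True, "mandatory") for name in BOOLEAN_POLICIES}
MIXED = {
    "SmartScreenEnabled": (True, "recommended"),
    "SmartScreenPuaEnabled": (True, "mandatory"),
    "PreventSmartScreenPromptOverrideForFiles": (True, "recommended"),
    "SmartScreenForTrustedDownloadsEnabled": (False, "mandatory"),
    "SmartScreenAllowListDomains": (
        ["files.contoso.com", "cdn.contoso.com"], "mandatory"),
}

if __name__ == "__main__":
    for label, sample in (("unconfigured", UNCONFIGURED),
                          ("hardened", HARDENED), ("mixed", MIXED)):
        print(label, audit_smartscreen(sample))
```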
Configure whether the Discover or Work feed tabs are shown on the New Tab Page.
Supported versions:
On Windows and macOS since 148 or later
Description
This policy configures whether the Discover or Work feed tabs are shown on the New Tab Page. By default, both Work and Discover tabs are enabled.
If you set this policy to 'EnableBothWorkDiscover' (0) or do not configure this policy, Microsoft Edge shows both the Work and Discover feed tabs on the new tab page.
If you set this policy to 'EnableOnlyWork' (1), Microsoft Edge shows only the Work feed tab on the new tab page.
If you set this policy to 'EnableOnlyDiscover' (2), Microsoft Edge shows only the Discover feed tab on the new tab page.
This policy works with the SetNTPDefaultFeedTab policy, which controls which feed tab is selected by default when both tabs are available.
Policy options mapping:
* EnableBothWorkDiscover (0) = Enable both Work and Discover tabs
* EnableOnlyWork (1) = Enable only Work tab
* EnableOnlyDiscover (2) = Enable only Discover tab
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureNTPFeedTabVisibility
GP name: Configure whether the Discover or Work feed tabs are shown on the New Tab Page.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
Configures the default home page in Microsoft Edge. You can set the home page to a URL you specify or to the new tab page.
If you enable this policy, the Home button is set to the new tab page as configured by the user or with the policy NewTabPageLocation and the URL set with the policy HomepageLocation is not taken into consideration.
If you disable this policy, the Home button is the set URL as configured by the user or as configured in the policy HomepageLocation.
If you don't configure this policy, users can choose whether the set URL or the new tab page is their home page.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HomepageIsNewTabPage
GP name: Set the new tab page as the home page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
Configures the default home page URL in Microsoft Edge.
The home page is the page opened by the Home button. RestoreOnStartup policies control the pages that open on startup.
You can either set a URL here or set the home page to open the new tab page 'edge://newtab'. By default, the Home button opens the new tab page (as configured by the user or with the policy NewTabPageLocation), and the user is able to choose between the URL configured by this policy and the new tab page.
If you enable this policy, users can't change their home page URL, but they can choose the behavior for the Home button to open either the set URL or the new tab page. If you wish to enforce the usage of the set URL, you must also configure HomepageIsNewTabPage=Disabled.
If you disable or don't configure this policy, users can choose their own home page, as long as the HomepageIsNewTabPage policy isn't enabled.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: HomepageLocation
GP name: Configure the home page URL
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
By default, the App Launcher is shown every time a user opens a new tab page.
If you enable or don't configure this policy, there's no change on the Microsoft Edge new tab page and App Launcher is there for users.
If you disable this policy, App Launcher doesn't appear and users can't launch Microsoft 365 apps from Microsoft Edge new tab page via the App Launcher.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageAppLauncherEnabled
GP name: Hide App Launcher on Microsoft Edge new tab page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
Disable Bing chat entry-points on Microsoft Edge Enterprise new tab page
Supported versions:
On Windows and macOS since 117 or later
Description
By default, the Microsoft Edge new tab page includes three Bing Chat entry points: one inside the search box, one in the Bing autosuggest dropdown when users click or begin typing in the box, and one as a suggested prompt below the box.
If you enable or don't configure this policy, these Bing Chat entry points continue to appear on the new tab page.
If you disable this policy, all Bing Chat entry points are removed from the new tab page.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageBingChatEnabled
GP name: Disable Bing chat entry-points on Microsoft Edge Enterprise new tab page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 85.
Supported versions:
On Windows and macOS since 79, until 85
Description
This policy didn't work as expected due to changes in operational requirements. Therefore, it's obsolete and shouldn't be used.
Specifies the company logo that's to be used on the new tab page in Microsoft Edge.
The policy should be configured as a string that expresses the logo(s) in JSON format. For example: { "default_logo": { "url": "https://www.contoso.com/logo.png", "hash": "cd0aa9856147b6c5b4ff2b7dfee5da20aa38253099ef1b4a64aced233c9afe29" }, "light_logo": { "url": "https://www.contoso.com/light_logo.png", "hash": "517d286edb416bb2625ccfcba9de78296e90da8e32330d4c9c8275c4c1c33737" } }
You configure this policy by specifying the URL from which Microsoft Edge can download the logo and its cryptographic hash (SHA-256), which is used to verify the integrity of the download. The logo must be in PNG or SVG format, and its file size must not exceed 16 MB. The logo is downloaded and cached, and it will be redownloaded whenever the URL or the hash changes. The URL must be accessible without any authentication.
The 'default_logo' is required and used when there's no background image. If 'light_logo' is provided, it's used when the user's new tab page has a background image. We recommend a horizontal logo with a transparent background that's left-aligned and vertically centered. The logo should have a minimum height of 32 pixels and an aspect ratio from 1:1 to 4:1. The 'default_logo' should have proper contrast against a white/black background, while the 'light_logo' should have proper contrast against a background image.
If you enable this policy, Microsoft Edge downloads and shows the specified logo(s) on the new tab page. Users can't override or hide the logo(s).
If you disable or don't configure this policy, Microsoft Edge shows no company logo or a Microsoft logo on the new tab page.
For help with determining the SHA-256 hash, see [Get-FileHash](/powershell/module/microsoft.powershell.utility/get-filehash).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageCompanyLogo
GP name: Set new tab page company logo (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
This policy applies for Microsoft Edge to all profile types, namely unsigned local user profiles, profiles signed in using a Microsoft Account, profiles signed in using Active Directory, and profiles signed in using Microsoft Entra ID. The Enterprise new tab page for profiles signed in using Microsoft Entra ID can be configured in the Microsoft 365 admin portal, but this policy setting takes precedence; therefore, any Microsoft 365 admin portal configurations are ignored.
If you enable or don't configure this policy, Microsoft Edge displays Microsoft content on the new tab page. The user can choose different display options for the content. These options include, but aren't limited to: "Content off", "Content visible on scroll", "Headings only", and "Content visible". Enabling this policy doesn't force content to be visible - the users can keep setting their own preferred content position.
If you disable this policy, Microsoft Edge doesn't display Microsoft content on the new tab page. The Content control in the NTP settings flyout is disabled and set to "Content off", and the Layout control in the NTP settings flyout is disabled and set to "Custom".
The recommended version of this policy doesn't currently work and functions exactly like the mandatory version.
This policy determines the page that opens when new tabs are created (including when new windows are opened). It also affects the startup page if this page opens to the new tab page.
This policy doesn't determine which page opens on startup; that factor is controlled by the RestoreOnStartup policy. It also doesn't affect the home page if this home page opens to the new tab page.
If you don't configure this policy, the default new tab page is used.
If you configure this policy *and* the NewTabPageSetFeedType policy, this policy takes precedence.
If a blank tab is preferred, "about:blank" is the correct URL to use, not "about://blank".
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageLocation
GP name: Configure the new tab page URL
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
By default, Microsoft Edge displays quick links on the new tab page from user-added shortcuts and top sites based on browsing history. With this policy, you can configure up to three quick link tiles on the new tab page, expressed as a JSON object:
The 'url' field is required; 'title' and 'pinned' are optional. If 'title' isn't provided, the URL is used as the default title. If 'pinned' isn't provided, the default value is false.
Microsoft Edge presents these tiles in the order listed, from left to right, with all pinned tiles displayed ahead of nonpinned tiles.
If you set this policy as mandatory, the 'pinned' field is ignored and all tiles are pinned. The tiles can't be deleted by the user and always appear at the front of the quick links list.
If you set this policy as recommended, pinned tiles remain in the list but the user has the ability to edit and delete them. Quick link tiles that aren't pinned behave like default top sites and are pushed off the list if other websites are visited more frequently. When applying nonpinned links via this policy to an existing browser profile, the links don't appear at all, depending on how they rank compared to the user's browsing history.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPageManagedQuickLinks
GP name: Set new tab page quick links
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
Enable preload of the new tab page for faster rendering
Supported versions:
On Windows and macOS since 85 or later
Description
If you configure this policy, preloading the New tab page is enabled, and users can't change this setting. If you don't configure this policy, preloading is enabled and a user can change this setting.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewTabPagePrerenderEnabled
GP name: Enable preload of the new tab page for faster rendering
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
If you enable or don't configure this policy, Microsoft Edge displays quick links on the new tab page, and the user can interact with the control, turning quick links on and off. Enabling this policy does not force quick links to be visible - the user can continue to turn quick links on and off.
If you disable this policy, Microsoft Edge hides quick links on the new tab page and disables the quick links control in the NTP settings flyout.
This policy only applies for Microsoft Edge local user profiles, profiles signed in using a Microsoft Account, and profiles signed in using Active Directory. To configure the Enterprise new tab page for profiles signed in using Azure Active Directory, use the M365 admin portal.
Configure the Microsoft Edge new tab page experience (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 92.
Supported versions:
On Windows and macOS since 79, until 92
Description
This policy is obsolete because the new version of the enterprise new tab page no longer requires choosing between different content types. Instead, the content that's presented to the user can be controlled via the Microsoft 365 admin center. To get to the Microsoft 365 admin center, sign in at https://admin.microsoft.com with your admin account.
Lets you choose either the Microsoft News or Office 365 feed experience for the new tab page.
If you set this policy to 'News', users see the Microsoft News feed experience on the new tab page.
If you set this policy to 'Office', users with an Azure Active Directory browser sign-in see the Office 365 feed experience on the new tab page.
If you disable or don't configure this policy, users with an Azure Active Directory browser sign-in are offered the Office 365 new tab page feed experience, and the standard new tab page feed experience. Users without an Azure Active Directory browser sign-in see the standard new tab page experience.
Specify how Microsoft Edge behaves when it starts.
If you want a new tab to always open on startup, choose 'RestoreOnStartupIsNewTabPage'.
If you want to reopen URLs that were open the last time Microsoft Edge closed, choose 'RestoreOnStartupIsLastSession'. The browsing session will be restored as it was. Note that this option disables some settings that rely on sessions or that perform actions on exit (such as Clear browsing data on exit or session-only cookies).
If you want to open a specific set of URLs, choose 'RestoreOnStartupIsURLs'.
Starting in Microsoft Edge version 125, if you want to reopen URLs that were open the last time Microsoft Edge closed and open a specific set of URLs, choose 'RestoreOnStartupIsLastSessionAndURLs'.
Disabling this setting is the same as leaving it not configured. Users will be able to change it in Microsoft Edge.
This policy is only available on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management. On macOS, this policy is only available on instances that are managed via MDM or joined to a domain via MCX.
Policy options mapping:
* RestoreOnStartupIsNewTabPage (5) = Open a new tab
* RestoreOnStartupIsLastSession (1) = Restore the last session
* RestoreOnStartupIsURLs (4) = Open a list of URLs
* RestoreOnStartupIsLastSessionAndURLs (6) = Open a list of URLs and restore the last session
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestoreOnStartup
GP name: Action to take on Microsoft Edge startup
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
Specify a list of websites to open automatically when the browser starts. If you don't configure this policy, no site is opened on startup.
This policy only works if you also set the RestoreOnStartup policy to 'Open a list of URLs' (4).
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or instances that enrolled for device management.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestoreOnStartupURLs
GP name: Sites to open when the browser starts
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
Allow users to add and remove their own sites during startup when the RestoreOnStartupURLs policy is configured.
Supported versions:
On Windows since 107 or later
On macOS since 111 or later
Description
This policy only works if you set the RestoreOnStartup policy to 'Open a list of URLs' (4) and the RestoreOnStartupURLs policy as mandatory. If you enable this policy, users are allowed to add and remove their own URLs to open when starting Microsoft Edge, while the admin-specified mandatory list of sites (set by configuring the RestoreOnStartup policy to open a list of URLs and providing the sites in the RestoreOnStartupURLs policy) is maintained.
If you disable or don't configure this policy, there's no change to how the RestoreOnStartup and RestoreOnStartupURLs policies work.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestoreOnStartupUserURLsEnabled
GP name: Allow users to add and remove their own sites during startup when the RestoreOnStartupURLs policy is configured.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
Set the default New Tab Page feed tab to Work or Discover
Supported versions:
On Windows and macOS since 148 or later
Description
This policy sets the default feed tab on the New Tab Page to Work or Discover.
If you set this policy to 'Work' (0) or don't configure this policy, Microsoft Edge sets the default feed tab to Work.
If you set this policy to 'Discover' (1), Microsoft Edge sets the default feed tab to Discover.
This policy only takes effect when ConfigureNTPFeedTabVisibility is set to 'EnableBothWorkDiscover' (0) or is not configured. If only one tab is visible, this policy has no effect.
Policy options mapping:
* NTPDefaultFeedTabWork (0) = Work
* NTPDefaultFeedTabDiscover (1) = Discover
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: SetNTPDefaultFeedTab
GP name: Set the default New Tab Page feed tab to Work or Discover
GP path (Mandatory):
Administrative Templates/Microsoft Edge/Startup, home page and new tab page
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/Startup, home page and new tab page
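Several startup, home page and new tab page policies above only take effect in combination with others. The following linter is an added example, not Microsoft's code: it flags settings that are configured but inert or not actually enforced. The (value, level) input shape and the finding texts are assumptions of this example, and the sample policy sets are constructed.

```python
# RestoreOnStartup values that open a list of URLs, per the options mapping:
# 4 = RestoreOnStartupIsURLs, 6 = RestoreOnStartupIsLastSessionAndURLs.
URL_LIST_MODES = {4, 6}


def lint_startup_policies(policies):
    """Return {policy name: reason} for settings that will not behave as intended.

    policies maps a GP unique name to (value, level); level is "mandatory"
    or "recommended". A missing name means the policy is not configured.
    """
    def value(name):
        return policies[name][0] if name in policies else None

    def is_mandatory(name):
        return name in policies and policies[name][1] == "mandatory"

    findings = {}
    restore = value("RestoreOnStartup")

    # RestoreOnStartupURLs needs RestoreOnStartup set to open a list of URLs.
    if "RestoreOnStartupURLs" in policies and restore not in URL_LIST_MODES:
        findings["RestoreOnStartupURLs"] = (
            "inert: RestoreOnStartup does not open a list of URLs")

    # Its description requires RestoreOnStartup=4 and a mandatory URL list.
    if value("RestoreOnStartupUserURLsEnabled"):
        if restore != 4 or not is_mandatory("RestoreOnStartupURLs"):
            findings["RestoreOnStartupUserURLsEnabled"] = (
                "inert: needs RestoreOnStartup=4 and a mandatory RestoreOnStartupURLs")

    # HomepageLocation is enforced only with HomepageIsNewTabPage=Disabled.
    if "HomepageLocation" in policies:
        ntp_is_home = value("HomepageIsNewTabPage")
        if ntp_is_home is True:
            findings["HomepageLocation"] = "ignored: HomepageIsNewTabPage is enabled"
        elif ntp_is_home is None or not is_mandatory("HomepageIsNewTabPage"):
            findings["HomepageLocation"] = (
                "not enforced: HomepageIsNewTabPage is not set to Disabled as mandatory")

    # The page calls out this common mistake for blank new tabs.
    if value("NewTabPageLocation") == "about://blank":
        findings["NewTabPageLocation"] = 'use "about:blank" for a blank tab'

    # The default feed tab matters only when both tabs are visible (0 or unset).
    if ("SetNTPDefaultFeedTab" in policies
            and value("ConfigureNTPFeedTabVisibility") in (1, 2)):
        findings["SetNTPDefaultFeedTab"] = "no effect: only one feed tab is visible"

    return findings


# Constructed policy sets for illustration.
MISCONFIGURED = {
    "RestoreOnStartup": (1, "mandatory"),
    "RestoreOnStartupURLs": (["https://intranet.example"], "mandatory"),
    "RestoreOnStartupUserURLsEnabled": (True, "mandatory"),
    "HomepageLocation": ("https://intranet.example", "mandatory"),
    "NewTabPageLocation": ("about://blank", "mandatory"),
    "ConfigureNTPFeedTabVisibility": (1, "mandatory"),
    "SetNTPDefaultFeedTab": (1, "mandatory"),
}
CORRECTED = {
    "RestoreOnStartup": (4, "mandatory"),
    "RestoreOnStartupURLs": (["https://intranet.example"], "mandatory"),
    "RestoreOnStartupUserURLsEnabled": (True, "mandatory"),
    "HomepageLocation": ("https://intranet.example", "mandatory"),
    "HomepageIsNewTabPage": (False, "mandatory"),
    "NewTabPageLocation": ("about:blank", "mandatory"),
    "ConfigureNTPFeedTabVisibility": (0, "mandatory"),
    "SetNTPDefaultFeedTab": (1, "mandatory"),
}

if __name__ == "__main__":
    for name, reason in lint_startup_policies(MISCONFIGURED).items():
        print(f"{name}: {reason}")
```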
Controls which IP addresses and network interfaces WebRTC can use when establishing connections for specific URL patterns.
How It Works:
* Accepts a list of URL patterns, each paired with a handling type.
* WebRTC evaluates patterns sequentially; the first match determines the handling type.
* If no match is found, WebRTC defaults to the WebRtcLocalhostIpHandling policy.
* This policy applies only to origins; URL path components are ignored.
* Wildcards (*) are supported in URL patterns.
Supported Handling Values:
* default – Uses all available network interfaces.
* default_public_and_private_interfaces – WebRTC uses all public and private interfaces.
* default_public_interface_only – WebRTC uses only public interfaces.
* disable_non_proxied_udp – WebRTC uses UDP SOCKS proxying or falls back to TCP proxying.
Allows you to set whether or not WebRTC exposes the user's local IP address.
If you set this policy to "AllowAllInterfaces" or "AllowPublicAndPrivateInterfaces", WebRTC exposes the local IP address.
If you set this policy to "AllowPublicInterfaceOnly" or "DisableNonProxiedUdp", WebRTC doesn't expose the local IP address.
If you don't set this policy, or if you disable it, WebRTC exposes the local IP address.
Note that this policy doesn't provide an option to exclude specific domains.
Policy options mapping:
* AllowAllInterfaces (default) = Allow all interfaces. This exposes the local IP address
* AllowPublicAndPrivateInterfaces (default_public_and_private_interfaces) = Allow public and private interfaces over http default route. This exposes the local IP address
* AllowPublicInterfaceOnly (default_public_interface_only) = Allow public interface over http default route. This doesn't expose the local IP address
* DisableNonProxiedUdp (disable_non_proxied_udp) = Use TCP unless proxy server supports UDP. This doesn't expose the local IP address
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: WebRtcLocalhostIpHandling
GP name: Restrict exposure of local IP address by WebRTC
GP path (Mandatory):
Administrative Templates/Microsoft Edge/WebRtc settings
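The first-match evaluation and the fallback to WebRtcLocalhostIpHandling described above can be checked before deployment. The following is an added example, not Microsoft Edge's matcher: it resolves which handling value applies to a URL, whether that value exposes the local IP address, and which rules can never match because an earlier pattern covers them. The "url"/"handling" field names, the simplified scheme://host wildcard matching (ports are not modeled) and the sample rules are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Handling values and whether each exposes the local IP address,
# as listed in the policy options mapping on this page.
EXPOSES_LOCAL_IP = {
    "default": True,
    "default_public_and_private_interfaces": True,
    "default_public_interface_only": False,
    "disable_non_proxied_udp": False,
}


def wildcard_match(pattern, text):
    """Match text against pattern where '*' is the only wildcard."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, text) is not None


def origin_parts(pattern):
    """Split a pattern into (scheme, host); any path component is dropped."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:  # no scheme in the pattern: accept any scheme
        scheme, rest = "*", pattern
    return scheme.lower(), rest.split("/", 1)[0].lower()


def pattern_matches(pattern, url):
    p_scheme, p_host = origin_parts(pattern)
    parts = urlsplit(url)
    return (wildcard_match(p_scheme, parts.scheme)
            and wildcard_match(p_host, parts.hostname or ""))


def effective_handling(url, rules, fallback=None):
    """Return (handling, rule_index); rule_index is None when no rule matched.

    fallback is the WebRtcLocalhostIpHandling value. When that policy is not
    set, this example uses "default", which the page says exposes the local IP.
    """
    for index, rule in enumerate(rules):
        if pattern_matches(rule["url"], url):
            return rule["handling"], index
    return (fallback or "default"), None


def exposes_local_ip(url, rules, fallback=None):
    handling, _index = effective_handling(url, rules, fallback)
    return EXPOSES_LOCAL_IP[handling]


def shadowed_rules(rules):
    """Return (later_index, earlier_index) pairs where the later rule never applies.

    If an earlier pattern matches the later pattern's own text, it also matches
    every origin the later pattern could match, so first-match wins every time.
    """
    found = []
    for later in range(len(rules)):
        l_scheme, l_host = origin_parts(rules[later]["url"])
        for earlier in range(later):
            e_scheme, e_host = origin_parts(rules[earlier]["url"])
            if wildcard_match(e_scheme, l_scheme) and wildcard_match(e_host, l_host):
                found.append((later, earlier))
                break
    return found


# Constructed rule list for illustration.
SAMPLE_RULES = [
    {"url": "https://*.contoso.com", "handling": "default_public_interface_only"},
    {"url": "https://meet.contoso.com/rooms", "handling": "default"},
    {"url": "https://intranet.example", "handling": "default"},
]

if __name__ == "__main__":
    for url in ("https://meet.contoso.com/rooms/42",
                "https://intranet.example/app",
                "https://other.example/"):
        print(url, effective_handling(url, SAMPLE_RULES, "disable_non_proxied_udp"))
    print("shadowed:", shadowed_rules(SAMPLE_RULES))
```

In the sample, the second rule was meant to relax handling for one site but is covered by the broader first rule, so the stricter value applies to it.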
This policy controls the use of post-quantum key agreement for WebRTC in Microsoft Edge.
If you enable this policy, Microsoft Edge will offer post-quantum key agreement for WebRTC.
If you disable this policy, post-quantum key agreement won't be offered for WebRTC.
If you don't configure this policy, post-quantum key agreement won't be offered for WebRTC. A future version of Microsoft Edge may enable this feature by default.
Offering a post-quantum key agreement is backwards compatible. Existing datagram transport layer security (DTLS) peers and networking middleware are expected to ignore the new option and continue using previous options.
However, devices that don't correctly implement DTLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or larger message sizes. Such devices aren’t post-quantum-ready and may interfere with an organization's post-quantum transition. If this issue occurs, administrators should contact the device vendor for a fix.
This policy is temporary and will be removed in a future release.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: WebRtcPostQuantumKeyAgreement
GP name: Enable post-quantum key agreement for WebRTC
GP path (Mandatory):
Administrative Templates/Microsoft Edge/WebRtc settings
Single sign-on for work or school sites using this profile enabled
Supported versions:
On Windows and macOS since 92 or later
Description
The 'Allow single sign-on for work or school sites using this profile' option lets non-AAD profiles use single sign-on for work or school sites using work or school credentials present on the machine. This option appears to end users as a toggle in Settings -> Profiles -> Profile Preferences, for non-AAD profiles only.
If you enable or disable this policy, 'Intelligent enablement of Single sign-on (SSO) for all Windows Azure Active Directory (Azure AD) accounts for users with a single non-Azure AD Microsoft Edge profile' will be turned off.
If you don't configure this policy, users can control whether to use SSO using other credentials present on the machine in edge://settings/profiles/multiProfileSettings.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AADWebSiteSSOUsingThisProfileEnabled
GP name: Single sign-on for work or school sites using this profile enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Let screen reader users get image descriptions from Microsoft
Supported versions:
On Windows and macOS since 97 or later
Description
Lets screen reader users get descriptions of unlabeled images on the web.
If you enable or don't configure this policy, users have the option of using an anonymous Microsoft service. This service provides automatic descriptions for unlabeled images users encounter on the web when they're using a screen reader.
If you disable this policy, users can't enable the Get Image Descriptions from Microsoft feature.
When this feature is enabled, the content of images that need a generated description is sent to Microsoft servers to generate a description.
No cookies or other user data is sent to Microsoft, and Microsoft doesn't save or log any image content.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AccessibilityImageLabelsEnabled
GP name: Let screen reader users get image descriptions from Microsoft
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Native application signing during Progressive Web Application installation
Supported versions:
On macOS since 132 or later
Description
Enabling this policy or leaving it unset enables the use of ad-hoc signatures for the native application that's created when installing a Progressive Web Application (PWA). This ensures that each installed application has a unique identity to macOS system components.
Disabling this policy results in every native application created when installing Progressive Web Applications having the same identity. This can interfere with macOS functionality.
Turn off the policy only if you're using an endpoint security solution that blocks applications with an ad-hoc signature.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
This policy controls whether Microsoft Edge can query more DNS record types when making insecure (non-Secure DNS) requests.
If this policy is unset or set to Enabled, more record types such as HTTPS (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS type 28).
If this policy is set to Disabled, Microsoft Edge will only query A and AAAA record types for insecure DNS requests.
This setting doesn't affect DNS queries made via Secure DNS, which may always use more record types.
Note: This is a temporary policy and is planned for removal in a future version of Microsoft Edge. After removal, Microsoft Edge will always be able to query more DNS types during insecure requests.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AdditionalDnsQueryTypesEnabled
GP name: Allow DNS queries for more DNS record types
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
A search box is another text input field located next to the address bar in a web browser. It allows users to perform web searches directly from the browser interface.
If you enable or don't configure this policy, the search box is visible and available for use. Users can toggle the search box on the Microsoft Edge Settings page edge://settings/appearance#SearchBoxInToolbar.
If you disable this policy, the search box won't be visible, and users have to use the address bar or navigate to a search engine to perform web searches.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AdditionalSearchBoxEnabled
GP name: Enable additional search box in browser
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable or don't configure this policy, users can change the URL in the address bar.
If you disable this policy, it prevents users from changing the URL in the address bar.
Note: This policy doesn't prevent the browser from navigating to any URL. Users can still navigate to any URL using the search option in the default New Tab Page, or using any link that leads to a web search engine. To ensure that users can only go to sites you expect, consider configuring the following policies in addition to this policy:
Enable Microsoft Search in Bing suggestions in the address bar (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 136.
Supported versions:
On Windows and macOS since 81, until 136
Description
Enables the display of relevant Microsoft Search in Bing suggestions in the address bar's suggestion list when the user enters a search query in the address bar. If you enable or don't configure this policy, users can see internal results powered by Microsoft Search in Bing in the Microsoft Edge address bar suggestion list. To access Microsoft Search in Bing results, the user must be signed in to Microsoft Edge with their organization's Azure AD account.
If you disable this policy, users won't see internal results in the Microsoft Edge address bar suggestion list.
Starting with Microsoft Edge version 89, Microsoft Search in Bing suggestions will be available even if Bing isn't the user's default search provider.
This policy is no longer applicable due to changes in access to work search through Bing-related endpoints.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AddressBarMicrosoftSearchInBingProviderEnabled
GP name: Enable Microsoft Search in Bing suggestions in the address bar (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable Microsoft Bing trending suggestions in the address bar
Supported versions:
On Windows and macOS since 135 or later
Description
This policy controls whether Microsoft Bing trending suggestions appear in the address bar’s suggestion dropdown when users select the address bar while on a New Tab Page.
If this policy is enabled or not configured, Microsoft Bing trending suggestions appear in the address bar suggestion dropdown.
If this policy is disabled, Microsoft Edge doesn't display Microsoft Bing trending suggestions when users select the address bar.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AddressBarTrendingSuggestEnabled
GP name: Enable Microsoft Bing trending suggestions in the address bar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enables the display of relevant workplace suggestions in the address bar’s suggestion dropdown when users type a query in the address bar.
If this policy is enabled or not configured, users can view internal work-related suggestions, such as bookmarks, files, and people results powered by Microsoft 365, in the Microsoft Edge address bar suggestion dropdown. To access these results, users must be signed into Microsoft Edge with their Entra ID account associated with that organization.
If this policy is disabled, users can't see internal workplace results in the Microsoft Edge address bar suggestion dropdown.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AddressBarWorkSearchResultsEnabled
GP name: Enable Work Search suggestions in the address bar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure if the ads transparency feature is enabled
Supported versions:
On Windows and macOS since 100 or later
Description
Lets you decide whether the ads transparency feature is enabled. This behavior only applies to the "balanced" mode of tracking prevention, and doesn't impact "basic" or "strict" modes. Your users' tracking prevention level can be configured using the TrackingPrevention policy. AdsTransparencyEnabled will only have an effect if TrackingPrevention is set to TrackingPreventionBalanced or isn't configured.
If you enable or don't configure this policy, transparency metadata provided by ads is available to the user when the feature is active.
When the feature is enabled, Tracking Prevention enables exceptions for the associated ad providers that have met Microsoft's privacy standards.
If you disable this policy, Tracking Prevention won't adjust its behavior even when transparency metadata is provided by ads.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AdsTransparencyEnabled
GP name: Configure if the ads transparency feature is enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow pages with Cache-Control: no-store header to enter back/forward cache
Supported versions:
On Windows and macOS since 123 or later
Description
This policy controls whether a page with the Cache-Control: no-store header can be stored in back/forward cache. A website that sets this header may not expect the page to be restored from back/forward cache, because some sensitive information could still be displayed after the restoration even if it's no longer accessible.
If you enable or don't configure this policy, a page with the Cache-Control: no-store header is restored from back/forward cache unless cache eviction is triggered (for example, when there's an HTTP-only cookie change for the site).
If you disable this policy, the page with Cache-Control: no-store header isn't stored in back/forward cache.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowBackForwardCacheForCacheControlNoStorePageEnabled
GP name: Allow pages with Cache-Control: no-store header to enter back/forward cache
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls the availability of browsing with Copilot in Microsoft Edge.
Supported versions:
On Windows and macOS since 148 or later
Description
When browsing with Copilot is enabled, users can explicitly invoke it for a query. It isn't invoked automatically.
Browsing with Copilot is available only on domains specified in the BrowsingWithCopilotAllowList policy and is blocked on domains specified in the BrowsingWithCopilotBlockList policy. If no domains are configured in the allow list, browsing with Copilot is effectively disabled.
This feature is available only to users with an active Microsoft 365 Copilot subscription.
Enables deleting browser history and download history and prevents users from changing this setting.
Note that even when this policy is disabled, the browsing and download history aren't guaranteed to be retained: users can edit or delete the history database files directly, and the browser itself may remove (based on expiration period) or archive any or all history items at any time.
If you enable this policy or don't configure it, users can delete the browsing and download history.
If you disable this policy, users can't delete browsing and download history. Disabling this policy will disable history sync and open tab sync.
If you enable this policy, don't enable the ClearBrowsingDataOnExit policy, because they both deal with deleting data. If you enable both, the ClearBrowsingDataOnExit policy takes precedence and deletes all data when Microsoft Edge closes, regardless of how this policy is configured.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowDeletingBrowserHistory
GP name: Enable deleting browser and download history
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow access to local files by letting Microsoft Edge display file selection dialogs.
If you enable or don't configure this policy, users can open file selection dialogs as normal.
If you disable this policy, whenever the user performs an action that triggers a file selection dialog (like importing favorites, uploading files, or saving links), a message is displayed instead, and the system interprets the action as a Cancel selection in the file selection dialog.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowFileSelectionDialogs
GP name: Allow file selection dialogs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows a page to show popups during its unloading (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 87.
Supported versions:
On Windows and macOS since 78, until 87
Description
This policy allows an admin to specify that a page can show popups during its unloading.
When the policy is set to enabled, pages are allowed to show popups while they're being unloaded.
When the policy is set to disabled or unset, pages aren't allowed to show popups while they're being unloaded. This is as per the spec: (https://html.spec.whatwg.org/#apis-for-creating-and-navigating-browsing-contexts-by-name).
This policy was removed in Microsoft Edge 88 and is ignored if set.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowPopupsDuringPageUnload
GP name: Allows a page to show popups during its unloading (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow pages to send synchronous XHR requests during page dismissal (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 99.
Supported versions:
On Windows and macOS since 79, until 99
Description
This policy is obsolete because it was only intended to be a short-term mechanism to give enterprises more time to update their web content if and when it was found to be incompatible with the change to disallow synchronous XHR requests during page dismissal. It doesn't work in Microsoft Edge after version 99.
This policy lets you specify that a page can send synchronous XHR requests during page dismissal.
If you enable this policy, pages can send synchronous XHR requests during page dismissal.
If you disable this policy or don't configure this policy, pages aren't allowed to send synchronous XHR requests during page dismissal.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowSyncXHRInPageDismissal
GP name: Allow pages to send synchronous XHR requests during page dismissal (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the list of sites for which Microsoft Edge will attempt to establish a Token Binding with (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 129.
Supported versions:
On Windows since 83, until 129
Description
This policy is obsolete because Token Binding is no longer supported, starting with Microsoft Edge 130.
Configure the list of URL patterns for sites that the browser attempts to perform the Token Binding protocol with. For the domains on this list, the browser sends the Token Binding ClientHello in the TLS handshake (See https://tools.ietf.org/html/rfc8472). If the server responds with a valid ServerHello response, the browser creates and sends Token Binding messages on subsequent https requests. See https://tools.ietf.org/html/rfc8471 for more info.
If this list is empty, Token Binding is disabled.
This policy is only available on Windows 10 devices with Virtual Secure Mode capability.
Starting in Microsoft Edge 86, this policy no longer supports dynamic refresh.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowTokenBindingForUrls
GP name: Configure the list of sites for which Microsoft Edge will attempt to establish a Token Binding with (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure tracking prevention exceptions for specific sites
Supported versions:
On Windows and macOS since 78 or later
Description
Configure the list of URL patterns that are excluded from tracking prevention.
If you configure this policy, the list of configured URL patterns is excluded from tracking prevention.
If you don't configure this policy, the global default value from the "Block tracking of users' web-browsing activity" policy (if set) or the user's personal configuration is used for all sites.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowTrackingForUrls
GP name: Configure tracking prevention exceptions for specific sites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow Web Authentication requests on sites with broken TLS certificates.
Supported versions:
On Windows and macOS since 123 or later
Description
If you enable this policy, Microsoft Edge allows Web Authentication requests on websites that have TLS certificates with errors (that is, websites considered not secure).
If you disable or don't configure this policy, the default behavior of blocking such requests applies.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowWebAuthnWithBrokenTlsCerts
GP name: Allow Web Authentication requests on sites with broken TLS certificates.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Setting the policy on Microsoft Edge turns on the restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains. To allow gmail or googlemail accounts, add consumer_accounts to the list of domains. This policy is based on the Chrome policy of the same name.
If you don't provide a domain name or leave this policy unset, users can access Google Workspace with any account.
Users cannot change or override this setting.
Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://go.microsoft.com/fwlink/?linkid=2197973.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: AllowedDomainsForApps
GP name: Define domains allowed to access Google Workspace
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Suggest similar pages when a webpage can't be found
Supported versions:
On Windows and macOS since 80 or later
Description
Allow Microsoft Edge to issue a connection to a web service to generate URL and search suggestions for connectivity issues such as DNS errors.
If you enable this policy, a web service is used to generate URL and search suggestions for network errors.
If you disable this policy, no calls to the web service are made and a standard error page is shown.
If you don't configure this policy, Microsoft Edge respects the user preference that's set under Services at edge://settings/privacy. Specifically, there's a **Suggest similar pages when a webpage can't be found** toggle, which the user can switch on or off. If you enable this policy (AlternateErrorPagesEnabled), the **Suggest similar pages when a webpage can't be found** setting is turned on, but the user can't change the setting by using the toggle. If you disable this policy, the **Suggest similar pages when a webpage can't be found** setting is turned off, and the user can't change the setting by using the toggle.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AlternateErrorPagesEnabled
GP name: Suggest similar pages when a webpage can't be found
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Enable Ambient Authentication for InPrivate and Guest profiles
Supported versions:
On Windows and macOS since 81 or later
Description
Configure this policy to allow or disallow ambient authentication for InPrivate and Guest profiles in Microsoft Edge.
Ambient authentication is HTTP authentication with default credentials when explicit credentials aren't provided via New Technology LAN Manager (NTLM)/Kerberos/Negotiate challenge/response schemes.
If you set the policy to 'RegularOnly', it allows ambient authentication for Regular sessions only. InPrivate and Guest sessions aren't allowed to ambiently authenticate.
If you set the policy to 'InPrivateAndRegular', it allows ambient authentication for InPrivate and Regular sessions. Guest sessions aren't allowed to ambiently authenticate.
If you set the policy to 'GuestAndRegular', it allows ambient authentication for Guest and Regular sessions. InPrivate sessions aren't allowed to ambiently authenticate.
If you set the policy to 'All', it allows ambient authentication for all sessions.
Ambient authentication is always allowed on regular profiles.
In Microsoft Edge version 81 and later, if you don't configure this policy, ambient authentication is enabled in regular sessions only.
Policy options mapping:
* RegularOnly (0) = Enable ambient authentication in regular sessions only
* InPrivateAndRegular (1) = Enable ambient authentication in InPrivate and regular sessions
* GuestAndRegular (2) = Enable ambient authentication in guest and regular sessions
* All (3) = Enable ambient authentication in regular, InPrivate, and guest sessions
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: AmbientAuthenticationInPrivateModesEnabled
GP name: Enable Ambient Authentication for InPrivate and Guest profiles
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enabling this policy or leaving it unset binds the encryption keys used for local data storage to Microsoft Edge whenever possible.
Disabling this policy has a detrimental effect on Microsoft Edge's security because unknown and potentially hostile apps can retrieve the encryption keys used to secure data.
Only turn off this policy if there are compatibility issues, such as scenarios where other applications need legitimate access to Microsoft Edge's data, encrypted user data is expected to be fully portable between different computers, or the integrity and location of Microsoft Edge's executable files isn’t consistent.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ApplicationBoundEncryptionEnabled
GP name: Enable Application Bound Encryption
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configures the application locale in Microsoft Edge and prevents users from changing the locale.
If you enable this policy, Microsoft Edge uses the specified locale. If the configured locale isn't supported, 'en-US' is used instead.
If you disable or don't configure this setting, Microsoft Edge uses either the user-specified preferred locale (if configured) or the fallback locale 'en-US'.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: ApplicationLocaleValue
GP name: Set application locale
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Get user confirmation before closing a browser window with multiple tabs
Supported versions:
On Windows and macOS since 104 or later
Description
This policy lets you configure whether users see a confirmation dialog before closing a browser window with multiple tabs. This dialog asks users to confirm that the browser window can be closed.
If you enable this policy, users will be presented with a confirmation dialog when closing a browser window with multiple tabs.
If you disable or don't configure this policy, a browser window with multiple tabs will close immediately without user confirmation.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AskBeforeCloseEnabled
GP name: Get user confirmation before closing a browser window with multiple tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows you to set whether a user is prompted to grant a website access to their audio capture device. This policy applies to all URLs except for the ones configured in the AudioCaptureAllowedUrls list.
If you enable this policy or don't configure it (the default setting), the user is prompted for audio capture access except from the URLs in the AudioCaptureAllowedUrls list. These listed URLs are granted access without prompting.
If you disable this policy, the user isn't prompted, and audio capture is accessible only to the URLs configured in AudioCaptureAllowedUrls.
This policy affects all types of audio inputs, not only the built-in microphone.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AudioCaptureAllowed
GP name: Allow or block audio capture
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Sites that can access audio capture devices without requesting permission
Supported versions:
On Windows and macOS since 77 or later
Description
Specify websites, based on URL patterns, that can use audio capture devices without asking the user for permission. Patterns in this list are matched against the security origin of the requesting URL. If they match, the site is automatically granted access to audio capture devices. Note, however, that the pattern "*", which matches any URL, isn't supported by this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AudioCaptureAllowedUrls
GP name: Sites that can access audio capture devices without requesting permission
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow the audio process to run with priority above normal on Windows
Supported versions:
On Windows since 96 or later
Description
This policy controls the priority of the audio process on Windows.
If you enable this policy, the audio process runs with above normal priority.
If you disable this policy, the audio process runs with normal priority.
If you don't configure this policy, the default configuration for the audio process is used.
This policy is intended as a temporary measure to give enterprises the ability to run audio with higher priority to address certain performance issues with audio capture. This policy will be removed in the future.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AudioProcessHighPriorityEnabled
GP name: Allow the audio process to run with priority above normal on Windows
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable this policy, the audio process runs sandboxed.
If you disable this policy, the audio process runs unsandboxed and the WebRTC audio-processing module will run in the renderer process. This leaves users open to security risks related to running the audio subsystem unsandboxed.
If you don't configure this policy, the default configuration for the audio sandbox is used, which might differ based on the platform.
This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AudioSandboxEnabled
GP name: Allow the audio sandbox to run
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
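The following Python audit is an added example, not part of the original reference. It checks a set of configured policy values against the security-relevant behaviours described above for WebAuthn on broken TLS, Application Bound Encryption, the audio sandbox, ambient authentication, audio capture, history deletion, and the obsolete policies. The input dictionary format, the severity labels and the sample values are assumptions constructed for illustration.

```python
"""Audit configured Microsoft Edge policy values (added example).

Input: dict {GP unique name: value}. How the dict is collected is out of
scope; the severity labels are this example's own convention.
"""

# Boolean policies whose listed value removes a default protection.
RISKY_BOOLEANS = {
    "AllowWebAuthnWithBrokenTlsCerts": (
        True, "WebAuthn requests allowed on sites with TLS certificate errors"),
    "ApplicationBoundEncryptionEnabled": (
        False, "other apps can retrieve the keys that protect local data"),
    "AudioSandboxEnabled": (
        False, "audio process runs unsandboxed"),
}

# Option mapping documented for AmbientAuthenticationInPrivateModesEnabled.
AMBIENT_AUTH = {0: "RegularOnly", 1: "InPrivateAndRegular",
                2: "GuestAndRegular", 3: "All"}

# Obsolete policies and the last Edge major version in which they work.
OBSOLETE_AFTER = {
    "AllowPopupsDuringPageUnload": 87,
    "AllowSyncXHRInPageDismissal": 99,
    "AllowTokenBindingForUrls": 129,
    "AddressBarMicrosoftSearchInBingProviderEnabled": 136,
}

_RANK = {"error": 0, "high": 1, "medium": 2, "info": 3}


def audit(policies, edge_major):
    """Return findings as (severity, policy, message), most severe first."""
    findings = []

    for name, (bad_value, why) in RISKY_BOOLEANS.items():
        # `is` keeps integers 0/1 from being mistaken for booleans.
        if name in policies and policies[name] is bad_value:
            findings.append(("high", name, why))

    name = "AmbientAuthenticationInPrivateModesEnabled"
    if name in policies:
        value = policies[name]
        valid = (isinstance(value, int) and not isinstance(value, bool)
                 and value in AMBIENT_AUTH)
        if not valid:
            findings.append(("error", name, f"{value!r} is not one of 0-3"))
        elif value != 0:
            findings.append(("medium", name,
                             f"{AMBIENT_AUTH[value]}: ambient authentication "
                             "extends beyond regular sessions"))

    patterns = policies.get("AudioCaptureAllowedUrls") or []
    if "*" in patterns:
        findings.append(("error", "AudioCaptureAllowedUrls",
                         'the pattern "*" is not supported by this policy'))
    if policies.get("AudioCaptureAllowed") is False and not patterns:
        findings.append(("info", "AudioCaptureAllowed",
                         "no prompt and no allowed URLs: no site can capture audio"))

    # ClearBrowsingDataOnExit wins however AllowDeletingBrowserHistory is set.
    if ("AllowDeletingBrowserHistory" in policies
            and policies.get("ClearBrowsingDataOnExit") is True):
        findings.append(("medium", "AllowDeletingBrowserHistory",
                         "ClearBrowsingDataOnExit takes precedence: all data "
                         "is deleted when Microsoft Edge closes"))

    for name, last in OBSOLETE_AFTER.items():
        if name in policies and edge_major > last:
            findings.append(("info", name,
                             f"obsolete: doesn't work after Microsoft Edge {last}"))

    return sorted(findings, key=lambda f: (_RANK[f[0]], f[1]))


# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "AllowWebAuthnWithBrokenTlsCerts": True,
    "ApplicationBoundEncryptionEnabled": False,
    "AudioSandboxEnabled": True,
    "AmbientAuthenticationInPrivateModesEnabled": 3,
    "AudioCaptureAllowedUrls": ["https://meet.example.test", "*"],
    "AllowDeletingBrowserHistory": False,
    "ClearBrowsingDataOnExit": True,
    "AllowTokenBindingForUrls": ["https://sso.example.test"],
}

if __name__ == "__main__":
    for severity, policy, message in audit(SAMPLE, edge_major=132):
        print(f"[{severity}] {policy}: {message}")
```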
Automatically import another browser's data and settings at first run
Supported versions:
On Windows and macOS since 77 or later
Description
If you enable this policy, all supported datatypes and settings from the specified browser are silently and automatically imported at first run. During the First Run Experience, the import section is also skipped.
The browser data from Microsoft Edge Legacy is always silently migrated at the first run, irrespective of the value of this policy.
If you set this policy to 'FromDefaultBrowser', then the datatypes corresponding to the default browser on the managed device are imported.
If the browser specified as the value of this policy isn't present in the managed device, Microsoft Edge simply skips the import without any notification to the user.
If you set this policy to DisabledAutoImport, the import section of the first-run experience is skipped entirely, and Microsoft Edge doesn't import browser data and settings automatically.
If you set this policy to FromInternetExplorer, the following datatypes are imported from Internet Explorer:
1. Favorites or bookmarks
2. Saved passwords
3. Search engines
4. Browsing history
5. Home page
If you set this policy to FromGoogleChrome, the following datatypes are imported from Google Chrome:
1. Favorites
2. Saved passwords
3. Addresses and more
4. Payment info
5. Browsing history
6. Settings
7. Pinned and Open tabs
8. Extensions
9. Cookies
If you set this policy to FromSafari, user data is no longer imported into Microsoft Edge. This is because of the way in which Full Disk Access works on Mac. On macOS Mojave and above, it's no longer possible to have automated and unattended import of Safari data into Microsoft Edge.
Starting with Microsoft Edge version 83, if you set this policy to 'FromMozillaFirefox', the following datatypes are imported from Mozilla Firefox:
1. Favorites or bookmarks
2. Saved passwords
3. Addresses and more
4. Browsing History
Specifies whether the AutoLaunch Protocols component should be enabled. This component allows Microsoft to provide a list similar to that of the AutoLaunchProtocolsFromOrigins policy, allowing certain external protocols to launch without prompt or blocking certain protocols (on specified origins). By default, this component is enabled.
If you enable or don't configure this policy, the AutoLaunch Protocols component is enabled.
If you disable this policy, the AutoLaunch Protocols component is disabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoLaunchProtocolsComponentEnabled
GP name: AutoLaunch Protocols Component Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Define a list of protocols that can launch an external application from listed origins without prompting the user
Supported versions:
On Windows and macOS since 85 or later
Description
Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator shouldn't be included when listing the protocol and the protocol should be all lower case. For example, list "skype" instead of "skype:", "skype://" or "Skype".
If you configure this policy, a protocol is only permitted to launch an external application without prompting by policy if:
- the protocol is listed
- the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list.
If either condition is false, the external protocol launch prompt isn't omitted, by policy.
If you don't configure this policy, no protocols can launch without a prompt. Users can opt out of prompts on a per-protocol/per-site basis unless the ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.
However, origin-matching patterns for this policy can't contain "/path" or "@query" elements. Any pattern that contains a "/path" or "@query" element is ignored.
This policy doesn't work as expected with file://* wildcards.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoLaunchProtocolsFromOrigins
GP name: Define a list of protocols that can launch an external application from listed origins without prompting the user
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
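The rules stated above for AutoLaunchProtocolsFromOrigins (lower-case protocol with no trailing separator, no "/path" or "@query" in origin patterns, no file://* wildcards) can be checked before a value is deployed. The following linter is an added example, not Microsoft's code; the sample value and hostnames are constructed, the "protocol" key name is not shown on this page, and treating any "/" after the host as a path element is this example's assumption.

```python
import json

# Constructed sample value for AutoLaunchProtocolsFromOrigins (not from the page).
SAMPLE_POLICY = json.loads("""
[
  {"protocol": "spotify",
   "allowed_origins": ["example.com", "https://www.contoso.example:8080"]},
  {"protocol": "Skype://",
   "allowed_origins": ["https://intranet.contoso.example/launch"]},
  {"protocol": "teams",
   "allowed_origins": ["https://portal.contoso.example@view=1", "file://*"]},
  {"protocol": "msteams", "allowed_origins": []}
]
""")

REASONS = {
    "path": "pattern contains a /path element and is ignored",
    "query": "pattern contains an @query element and is ignored",
    "file-wildcard": "file://* wildcards don't work as expected",
}


def normalize_protocol(value):
    """Return the documented form: lower case, no trailing ':' or '://'."""
    protocol = value.strip()
    for separator in ("://", ":"):
        if protocol.endswith(separator):
            protocol = protocol[: -len(separator)]
            break
    return protocol.lower()


def origin_pattern_problem(pattern):
    """Return a key of REASONS if the pattern breaks a documented rule, else None."""
    text = pattern.strip()
    if text.lower().startswith("file://") and "*" in text:
        return "file-wildcard"
    # Drop an optional scheme so its "//" is not mistaken for a path.
    _scheme, separator, remainder = text.partition("://")
    host_part = remainder if separator else text
    if "@" in host_part:
        return "query"
    if "/" in host_part:  # assumption: any "/" after the host counts as a path
        return "path"
    return None


def lint_policy(entries):
    """Return findings as (entry index, kind, offending value, explanation)."""
    findings = []
    for index, entry in enumerate(entries):
        protocol = entry.get("protocol", "")
        expected = normalize_protocol(protocol)
        if protocol != expected:
            findings.append((index, "protocol", protocol, f"list it as {expected!r}"))
        usable = []
        for pattern in entry.get("allowed_origins", []):
            problem = origin_pattern_problem(pattern)
            if problem is None:
                usable.append(pattern)
            else:
                findings.append((index, problem, pattern, REASONS[problem]))
        if not usable:
            # With no valid origin pattern left, the prompt is never omitted by policy.
            findings.append((index, "no-usable-origin", expected,
                             "no origin pattern can match; the prompt stays"))
    return findings


if __name__ == "__main__":
    for index, kind, value, explanation in lint_policy(SAMPLE_POLICY):
        print(f"entry {index}: {kind}: {value!r}: {explanation}")
```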
A list of URLs to which AutoOpenFileTypes applies. This policy has no impact on automatically open values set by users via the download shelf ... > "Always open files of this type" menu entry.
If you set URLs in this policy, files will only automatically open by policy if the URL is part of this set and the file type is listed in AutoOpenFileTypes. If either condition is false, the download won't automatically open by policy.
If you don't set this policy, all downloads where the file type is in AutoOpenFileTypes automatically open.
List of file types that should be automatically opened on download
Supported versions:
On Windows and macOS since 85 or later
Description
This policy sets a list of file types that should be automatically opened on download. Note: The leading separator shouldn't be included when listing the file type, so list "txt" instead of ".txt".
By default, these file types are automatically opened on all URLs. You can use the AutoOpenAllowedForURLs policy to restrict the URLs on which these file types are automatically opened.
Files with types that should be automatically opened are still subject to the enabled Microsoft Defender SmartScreen checks and won't be opened if they fail those checks.
File types that a user has already specified to automatically be opened continue to do so when downloaded. The user continues to be able to specify other file types to be automatically opened.
If you don't set this policy, only file types that a user has already specified to automatically be opened will do so when downloaded.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory or instances that enrolled for device management.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoOpenFileTypes
GP name: List of file types that should be automatically opened on download
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enables the AutoFill feature and allows users to autocomplete address information in web forms through previously stored information.
If you have enabled or not configured this policy, users manage AutoFill for addresses in Microsoft Edge settings. AutoFill allows users to complete address fields in web forms using previously saved information.
If you have disabled this policy, Microsoft Edge doesn't suggest, fill in, or save address information. AutoFill is also disabled for all web forms except payment and password fields, and previously saved addresses aren't available.
If you disable this policy, all activities for all web forms are stopped, except payment and password forms. No further entries are saved, and Microsoft Edge doesn't suggest or AutoFill any previous entries.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutofillAddressEnabled
GP name: Enable AutoFill for addresses
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Enables Microsoft Edge's AutoFill feature and lets users auto complete payment instruments like credit or debit cards in web forms using previously stored information. Includes suggesting new payment instruments like Buy Now Pay Later (BNPL) in web forms and Express Checkout.
If you enable this policy or don't configure it, users can control AutoFill for payment instruments.
If you disable this policy, AutoFill never suggests, fills, or recommends new payment instruments. Additionally, it won't save any payment instrument information that users submit while browsing the web.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutofillCreditCardEnabled
GP name: Enable AutoFill for payment instruments
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
This policy lets you decide whether users can have their membership info (for example, program name and membership number) automatically saved and used to fill form fields while using Microsoft Edge. By default, users can choose whether to enable it or not.
If you enable this policy, users can only have their membership info automatically saved and used to fill form fields while using Microsoft Edge.
If you don't configure this policy, users can choose whether to have their membership info automatically saved and used to fill form fields while using Microsoft Edge.
If you disable this policy, users can't have their membership info automatically saved and used to fill form fields while using Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutofillMembershipsEnabled
GP name: Save and fill memberships
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 139.
Supported versions:
On Windows and macOS since 92, until 139
Description
This policy lets you manage settings for AutomaticHttpsDefault, which switches connections from HTTP to HTTPS.
This feature helps protect against man-in-the-middle attacks by enforcing more secure connections, but users might experience more connection errors.
Microsoft Edge attempts to upgrade some navigations from HTTP to HTTPS, when possible. This policy can be used to disable this behavior. If set to "AlwaysUpgrade" or left unset, this feature is enabled by default.
The separate HttpAllowlist policy can be used to exempt specific hostnames or hostname patterns from being upgraded to HTTPS by this feature.
This policy sets the media autoplay policy for websites.
The default setting, "Not configured", respects the current media autoplay settings and lets users configure their autoplay settings.
Setting to "Enabled" sets media autoplay to "Allow". All websites are allowed to autoplay media. Users can't override this policy.
Setting to "Disabled" sets media autoplay to "Block". This setting blocks all websites from autoplaying media, regardless of engagement or site activity. Media will only play after an explicit user action. Before Microsoft Edge version 92, this would set media autoplay to "Block", and from version 92 through 145 it mapped to "Limit". This limits websites that are allowed to autoplay media to webpages with high media engagement and active WebRTC streams. Beginning with Microsoft Edge version 146, "Disabled" once again maps to "Block". Users can't override this policy.
A tab needs to be closed and re-opened for this policy to take effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: AutoplayAllowed
GP name: Allow media autoplay for websites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Define a list of sites, based on URL patterns, that are allowed to autoplay media.
If you don't configure this policy, the global default value from the AutoplayAllowed policy (if set) or the user's personal configuration is used for all sites.
Continue running background apps after Microsoft Edge closes
Supported versions:
On Windows since 77 or later
Description
Allows Microsoft Edge processes to start at OS sign-in and keep running after the last browser window is closed. In this scenario, background apps and the current browsing session remain active, including any session cookies. An open background process displays an icon in the system tray and can always be closed from there.
If you enable this policy, background mode is turned on.
If you disable this policy, background mode is turned off.
If you don't configure this policy, background mode is initially turned off, and the user can configure its behavior in edge://settings/system.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BackgroundModeEnabled
GP name: Continue running background apps after Microsoft Edge closes
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Enables background updates to the list of available templates for Collections and other features that use templates (deprecated)
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 79 or later
Description
This policy is deprecated because we are moving to a new policy. It won't work in Microsoft Edge as soon as version 104. The new policy to use is EdgeAssetDeliveryServiceEnabled.
Lets you enable or disable background updates to the list of available templates for Collections and other features that use templates. Templates are used to extract rich metadata from a webpage when the page is saved to a collection.
If you enable this setting or the setting is unconfigured, the list of available templates is downloaded in the background from a Microsoft service every 24 hours.
If you disable this setting, the list of available templates is downloaded on demand. This type of download might result in small performance penalties for Collections and other features.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BackgroundTemplateListUpdatesEnabled
GP name: Enables background updates to the list of available templates for Collections and other features that use templates (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control the behavior for the cancel dialog produced by the beforeunload event (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 130.
Supported versions:
On Windows and macOS since 118, until 130
Description
This policy provides a temporary opt-out for two related fixes to the behavior of the confirmation dialog that’s shown by the beforeunload event.
If you've enabled this policy, the new (correct) behavior is used. If you've disabled this policy, the old (legacy) behavior is used. If you haven't configured this policy, the default behavior is used. Note: This policy is a temporary workaround and is going to be removed in a future release.
New and correct behavior: In `beforeunload`, calling `event.preventDefault()` triggers the confirmation dialog. Setting `event.returnValue` to the empty string doesn’t trigger the confirmation dialog.
Old and legacy behavior: In `beforeunload`, calling `event.preventDefault()` doesn’t trigger the confirmation dialog. Setting `event.returnValue` to the empty string triggers the confirmation dialog.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BeforeunloadEventCancelByPreventDefaultEnabled
GP name: Control the behavior for the cancel dialog produced by the beforeunload event (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable this policy, then a user can search on bing.com and have an ad-free search experience. At the same time, the SafeSearch setting is set to 'Strict' and can't be changed by the user.
If you don't configure this policy, then the default experience has ads in the search results on bing.com. SafeSearch is set to 'Moderate' by default and can be changed by the user.
This policy is only available for K-12 SKUs that are identified as EDU tenants by Microsoft.
This policy controls whether third-party cookies are blocked in regular browsing sessions.
If you enable this policy, web page elements that are not from the domain shown in the address bar can't set cookies.
If you disable this policy, third-party cookies are allowed, including from domains other than the one shown in the address bar.
If you don't configure this policy, third-party cookies are allowed by default, but users can change this setting.
Note: This policy doesn't apply in InPrivate mode. In InPrivate, third-party cookies are blocked by default and can only be allowed at the site level using the CookiesAllowedForUrls policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BlockThirdPartyCookies
GP name: Block third party cookies
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Enable profile creation from the Identity flyout menu or the Settings page
Supported versions:
On Windows and macOS since 77 or later
Description
Allows users to create new profiles, using the **Add profile** option. If you enable this policy or don't configure it, Microsoft Edge allows users to use **Add profile** on the Identity flyout menu or the Settings page to create new profiles.
If you disable this policy, users cannot add new profiles from the Identity flyout menu or the Settings page.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserAddProfileEnabled
GP name: Enable profile creation from the Identity flyout menu or the Settings page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure browser process code integrity guard setting
Supported versions:
On Windows since 104 or later
Description
This policy controls the use of code integrity guard in the browser process, which only allows Microsoft signed binaries to load.
If you enable this policy, it enables code integrity guard in the browser process.
If you disable or don't configure this policy, it prevents the browser from enabling code integrity guard in the browser process.
The policy value Audit (1) is obsolete as of Microsoft Edge version 110. Setting this value is equivalent to the Disabled value.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or Windows 10 Pro or Enterprise instances that enrolled for device management.
This policy only takes effect on Windows 10 RS2 and above.
Policy options mapping:
* Disabled (0) = Do not enable code integrity guard in the browser process.
* Audit (1) = Enable code integrity guard audit mode in the browser process.
* Enabled (2) = Enable code integrity guard enforcement in the browser process.
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserCodeIntegritySetting
GP name: Configure browser process code integrity guard setting
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable the option to allow the use of guest profiles in Microsoft Edge. In a guest profile, the browser doesn't import browsing data from existing profiles, and it deletes browsing data when all guest profiles are closed.
If you enable this policy or don't configure it, Microsoft Edge lets users browse in guest profiles.
If you disable this policy, Microsoft Edge doesn't let users browse in guest profiles.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserGuestModeEnabled
GP name: Enable guest mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls whether Microsoft Edge enforces Guest-only browsing.
If you enable this policy, Microsoft Edge enforces Guest sessions and prevents profile sign-in. Guest sessions run in InPrivate mode.
If you disable or don't configure this policy, users can create and use profiles. Guest mode can also be controlled separately using the BrowserGuestModeEnabled policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserGuestModeEnforced
GP name: Enforce Edge guest mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Sets the ProcessExtensionPointDisablePolicy on Microsoft Edge's browser process to block code injection from legacy third party applications.
If you enable or don't configure this policy, the ProcessExtensionPointDisablePolicy is applied to block legacy extension points in the browser process.
If you disable this policy, the ProcessExtensionPointDisablePolicy isn't applied to block legacy extension points in the browser process. This action has a detrimental effect on Microsoft Edge's security and stability as unknown and potentially hostile code can load inside Microsoft Edge's browser process. Only turn off the policy if there are compatibility issues with third-party software that must run inside Microsoft Edge's browser process.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserLegacyExtensionPointsBlockingEnabled
GP name: Enable browser legacy extension point blocking
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specify whether a user can sign into Microsoft Edge with their account and use account-related services like sync and single sign-on (SSO). To control the availability of sync, use the SyncDisabled policy instead.
If you set this policy to 'Disable', make sure that you also set the NonRemovableProfileEnabled policy to disabled because NonRemovableProfileEnabled disables the creation of an automatically signed in browser profile. If both policies are set, Microsoft Edge uses the 'Disable browser sign-in' policy and behaves as if NonRemovableProfileEnabled is set to disabled.
If you set this policy to 'Enable', users can sign in to the browser. Signing in to the browser doesn't mean that sync is turned on by default; the user must separately opt in to use this feature.
If you set this policy to 'Force', users must sign in to a profile to use the browser. By default, this allows the user to choose whether they want to sync to their account, unless sync is disabled by the domain admin or with the SyncDisabled policy. The default value of BrowserGuestModeEnabled policy is set to false.
If you don't configure this policy, users can decide if they want to enable the browser sign-in option and use it as they see fit.
Policy options mapping:
* Disable (0) = Disable browser sign-in
* Enable (1) = Enable browser sign-in
* Force (2) = Force users to sign-in to use the browser (all profiles)
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowserSignin
GP name: Browser sign-in settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy controls how long specific types of browsing data are retained. If Sync is enabled, this policy has no effect.
You can specify the following data types: 'browsing_history', 'download_history', 'cookies_and_other_site_data', 'cached_images_and_files', 'password_signin', 'autofill', 'site_settings', 'hosted_app_data'.
Microsoft Edge periodically deletes data of the selected types that is older than the value set by 'time_to_live_in_hours'.
Expired data is removed 15 seconds after browser startup and every hour while the browser is running.
Note: Deleting cookies using this policy does not sign the user out of their profile; the user stays signed in.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowsingDataLifetime
GP name: Browsing Data Lifetime Settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows you to define a list of URLs where browsing with Copilot is available. Users cannot modify this list.
If you enable this policy, browsing with Copilot is available only on the sites specified in the list. To allow a broader set of sites while blocking specific exceptions, configure this policy together with the BrowsingWithCopilotBlockList policy. For example, you can include '*' to allow all sites, and then use the block list to restrict access to specific URLs.
You can define exceptions based on schemes, subdomains, ports, or origins. When multiple filters apply, the most specific match determines whether a URL is allowed or blocked. The block list takes precedence over the allow list.
If you disable or do not configure this policy, browsing with Copilot is unavailable on all sites, even if the AllowBrowsingWithCopilot policy is enabled.
Browsing with Copilot supports only HTTP and HTTPS protocols. Wildcards (*) are supported, and subdomains are matched even without wildcards. This policy applies only to the site origin; any path specified in the URL pattern is ignored. For guidance on formatting URL patterns, see https://go.microsoft.com/fwlink/?linkid=2095322.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: BrowsingWithCopilotAllowList
GP name: Browsing with Copilot Allowed URLs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls the list of URLs where browsing with Copilot is blocked. Users can't modify this list.
Use this policy to define exceptions to broader allowlists. For example, you can set BrowsingWithCopilotAllowList to '*' to allow all sites, and then use this policy to block access to specific URLs.
This policy supports blocking by scheme, subdomain, or port. When multiple URL patterns apply, the most specific match determines whether access is allowed or blocked. Blocklist entries take precedence over allowlist entries.
Browsing with Copilot supports only HTTP and HTTPS protocols. Wildcards (*) are supported, and subdomains are matched even without wildcards. URL matching is based on the site origin only; any path specified in the pattern is ignored.
Use this policy to control whether websites can access the built-in AI APIs, including the LanguageModel API, Summarization API, Writer API, and Rewriter API.
Enable this policy to allow pages to use the APIs. If you don’t configure this policy, the APIs are still allowed.
Disable this policy to block access to the APIs. The APIs will return an error when used.
For more information, see https://github.com/webmachinelearning/writing-assistance-apis/blob/main/README.md.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BuiltInAIAPIsEnabled
GP name: Allow pages to use the built-in AI APIs.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy controls which software stack is used to communicate with the DNS server: the operating system DNS client, or Microsoft Edge's built-in DNS client. This policy doesn't affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; Microsoft Edge always uses the built-in resolver for DNS-over-HTTPS requests. See the DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS.
If you enable this policy or you don't configure this policy, the built-in DNS client is used.
If you disable this policy, the built-in DNS client is only used when DNS-over-HTTPS is in use.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: BuiltInDnsClientEnabled
GP name: Use built-in DNS client
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Determines whether the built-in certificate verifier will be used to verify server certificates (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 106.
Supported versions:
On macOS since 83, until 106
Description
This policy is obsolete because it was a short-term mechanism to give enterprises more time to update their environments and report issues if they're found to be incompatible with the built-in certificate verifier.
The policy doesn't work in Microsoft Edge version 107.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
CECPQ2 post-quantum key-agreement enabled for TLS (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 113.
Supported versions:
On Windows and macOS since 93, until 113
Description
This policy was removed in Microsoft Edge version 114 and is ignored if set. It served to disable CECPQ2, but CECPQ2 is disabled by default. A separate policy is introduced to control the rollout of the replacement of CECPQ2. That replacement is a combination of the standard key-agreement X25519 with NIST's chosen post-quantum KEM, called "Kyber".
If you enable or don't configure this policy, then Microsoft Edge follows the default rollout process for CECPQ2, a post-quantum key-agreement algorithm in Transport Layer Security (TLS).
CECPQ2 results in larger TLS messages that, in rare cases, can trigger bugs in some networking hardware. This policy can be set to False to disable CECPQ2 while networking issues are resolved.
This policy is a temporary measure and is removed in future versions of Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CECPQ2Enabled
GP name: CECPQ2 post-quantum key-agreement enabled for TLS (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy lets you configure support for CORS non-wildcard request headers.
Microsoft Edge version 97 introduces support for CORS non-wildcard request headers. When a script makes a cross-origin network request via fetch() or XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wildcard symbol "*" doesn't cover the Authorization header. For more information, see https://go.microsoft.com/fwlink/?linkid=2180022.
If you enable or don't configure the policy, Microsoft Edge supports the CORS non-wildcard request headers and behaves as previously described.
If you disable this policy, Microsoft Edge allows the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.
This policy is a temporary workaround for the new CORS non-wildcard request header feature. It's planned to be removed in the future.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CORSNonWildcardRequestHeadersSupport
GP name: CORS non-wildcard request header support enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
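Because CORSNonWildcardRequestHeadersSupport is described above as a temporary workaround, it helps to know which servers only pass preflight while the policy is disabled. The following classifier is an added example, not Microsoft's code; it models only the wildcard rule described above, and the sample header values are constructed.

```python
def header_tokens(value):
    """Split a comma-separated header-name list into a lower-cased set."""
    return {token.strip().lower() for token in value.split(",") if token.strip()}


def classify_preflight(access_control_request_headers, access_control_allow_headers):
    """Classify a preflight response under both behaviours described above.

    Returns:
      "passes"      - every requested header is allowed with the policy enabled
                      or not configured ("*" does not cover Authorization)
      "legacy-only" - passes only with the policy disabled, where "*" also
                      covers Authorization
      "fails"       - a requested header is not allowed under either behaviour
    """
    requested = header_tokens(access_control_request_headers)
    allowed = header_tokens(access_control_allow_headers)
    wildcard = "*" in allowed

    missing_current = set()  # policy enabled or not configured
    missing_legacy = set()   # policy disabled
    for name in requested:
        if name in allowed:
            continue  # named explicitly: fine under both behaviours
        if not wildcard:
            missing_current.add(name)
            missing_legacy.add(name)
        elif name == "authorization":
            # Only the current behaviour refuses to let "*" cover it.
            missing_current.add(name)

    if not missing_current:
        return "passes"
    if not missing_legacy:
        return "legacy-only"
    return "fails"


# Constructed sample preflight exchanges:
# (Access-Control-Request-Headers sent, Access-Control-Allow-Headers returned).
SAMPLES = [
    ("authorization, content-type", "*"),
    ("authorization", "Authorization, *"),
    ("x-request-id", "*"),
    ("authorization", "Content-Type"),
]


def audit(samples):
    """Return the classification for each sample exchange, in order."""
    return [classify_preflight(requested, allowed) for requested, allowed in samples]


if __name__ == "__main__":
    for (requested, allowed), verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:12} request={requested!r} allow={allowed!r}")
```

Servers classified as "legacy-only" need Authorization named explicitly in Access-Control-Allow-Headers before the policy is removed.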
Controls whether the deprecated :--foo syntax for CSS custom state is enabled (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 132.
Supported versions:
On Windows and macOS since 127, until 132
Description
The :--foo syntax for the CSS custom state feature is being changed to :state(foo) in Microsoft Edge to comply with changes that are made in Firefox and Safari. This policy allows the deprecated syntax to be used until Stable 132.
This deprecation breaks some Microsoft Edge-only websites that use the deprecated :--foo syntax.
If you enable this policy, the deprecated syntax is enabled.
If you disable or don't configure this policy, the deprecated syntax is disabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CSSCustomStateDeprecatedSyntaxEnabled
GP name: Controls whether the deprecated :--foo syntax for CSS custom state is enabled (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
Supported versions:
On Windows and macOS since 77 or later
Description
Disables enforcement of Certificate Transparency requirements for a list of subjectPublicKeyInfo hashes.
This policy lets you disable Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted because they weren't properly publicly disclosed to still be used for Enterprise hosts.
To disable Certificate Transparency enforcement when this policy is set, one of the following sets of conditions must be met:
1. The hash is of the server certificate's subjectPublicKeyInfo.
2. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute.
3. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".
If you disable this policy or don't configure it, any certificate required to be disclosed via Certificate Transparency is treated as untrusted if not disclosed according to the Certificate Transparency policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CertificateTransparencyEnforcementDisabledForCas
GP name: Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Disable Certificate Transparency enforcement for a list of legacy certificate authorities (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 131.
Supported versions:
On Windows and macOS since 77, until 131
Description
Disables enforcing Certificate Transparency requirements for a list of legacy certificate authorities (CAs).
This policy lets you disable Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This disablement of requirements allows otherwise-untrusted certificates (on account of not being publicly disclosed) to continue to be used for enterprise hosts.
For Certificate Transparency enforcement to be disabled, you must set the hash to a subjectPublicKeyInfo appearing in an authority-issued certificate that's recognized as a legacy certificate authority (CA). A legacy CA is a CA publicly trusted, by default, by one or more operating systems supported by Microsoft Edge.
You specify a subjectPublicKeyInfo hash by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".
If you don't configure this policy, any certificate that's required to be disclosed via Certificate Transparency is treated as untrusted if it isn't disclosed according to the Certificate Transparency policy.
This policy is obsolete because the feature to disable Certificate Transparency enforcement for legacy certificates has been removed.
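The hash format described for CertificateTransparencyEnforcementDisabledForCas and CertificateTransparencyEnforcementDisabledForLegacyCas can be computed and checked as follows. This is an added example, not Microsoft's code: it extracts the DER-encoded subjectPublicKeyInfo from a certificate, builds the "sha256/..." string, and classifies configured entries. The sample certificate is a constructed, unsigned skeleton with filler key bytes, and the 32-byte digest check is a sanity check of this example rather than documented browser behaviour.

```python
import base64
import binascii
import hashlib


def read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                         # short-form length
        length = first
    else:                                    # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns the buffer")
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the full DER encoding of tbsCertificate.subjectPublicKeyInfo."""
    tag, pos, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, tbs_end = read_tlv(cert_der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = after
    for _field in range(5):                          # serialNumber, signature, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, spki_end = read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]


def policy_entry(cert):
    """Build the policy string for a certificate given as DER bytes or PEM text."""
    if isinstance(cert, str):                        # PEM: drop the armor lines, decode the body
        body = "".join(l for l in cert.splitlines() if not l.startswith("-----"))
        cert = base64.b64decode(body)
    digest = hashlib.sha256(extract_spki(cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def audit_entries(entries):
    """Classify configured policy strings; returns {entry: verdict}."""
    verdicts = {}
    for entry in entries:
        alg, sep, b64 = entry.partition("/")         # Base64 may itself contain "/"
        if not sep:
            verdicts[entry] = "malformed: missing '/' separator"
        elif alg != "sha256":
            verdicts[entry] = "ignored: unrecognized hash algorithm"
        else:
            try:
                ok = len(base64.b64decode(b64, validate=True)) == 32
            except (binascii.Error, ValueError):
                ok = False
            verdicts[entry] = "ok" if ok else "malformed: not a Base64 SHA-256 digest"
    return verdicts


def der(tag, *parts):
    """Encode one DER element (used only to build the constructed sample below)."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


# Constructed sample: structurally valid certificate skeleton, not a real key or signature.
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x0a"), der(0x0C, b"Example Org"))))
SAMPLE_SPKI = der(0x30,
                  der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")),     # id-ecPublicKey
                      der(0x06, bytes.fromhex("2a8648ce3d030107"))),        # prime256v1
                  der(0x03, b"\x00\x04" + bytes(range(64))))                # filler EC point
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))           # ecdsa-with-SHA256
VALIDITY = der(0x30, der(0x17, b"250101000000Z"), der(0x17, b"260101000000Z"))
SAMPLE_CERT_DER = der(0x30,
                      der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                          SIG_ALG, NAME, VALIDITY, NAME, SAMPLE_SPKI),
                      SIG_ALG, der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    entry = policy_entry(SAMPLE_CERT_DER)
    print(entry)
    print(audit_entries([entry, "sha1/AAAA", "sha256/AAAA"]))
```
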
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CertificateTransparencyEnforcementDisabledForLegacyCas
GP name: Disable Certificate Transparency enforcement for a list of legacy certificate authorities (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Disable Certificate Transparency enforcement for specific URLs
Supported versions:
On Windows and macOS since 77 or later
Description
Disables enforcing Certificate Transparency requirements for the listed URLs.
This policy lets you not disclose certificates for the hostnames in the specified URLs via Certificate Transparency. This lets you use certificates that would otherwise be untrusted, because they weren't properly publicly disclosed, but it makes it harder to detect mis-issued certificates for those hosts.
Form your URL pattern according to https://go.microsoft.com/fwlink/?linkid=2095322. Because certificates are valid for a given hostname, independent of the scheme, port, or path, only the hostname part of the URL is considered. Wildcard hosts aren't supported.
If you don't configure this policy, any certificate that should be disclosed via Certificate Transparency is treated as untrusted if it's not disclosed.
This policy doesn't work as expected with file://* wildcards.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: CertificateTransparencyEnforcementDisabledForUrls
GP name: Disable Certificate Transparency enforcement for specific URLs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Microsoft Edge doesn't clear the browsing data by default when it closes. Browsing data includes information entered in forms, passwords, and even the websites visited.
If you enable this policy, all browsing data is deleted each time Microsoft Edge closes. Note that if you enable this policy, it takes precedence over how you configured DefaultCookiesSetting.
If you disable or don't configure this policy, users can configure the Clear browsing data option in Settings.
Clear cached images and files when Microsoft Edge closes
Supported versions:
On Windows and macOS since 83 or later
Description
Microsoft Edge doesn't clear cached images and files by default when it closes.
If you enable this policy, cached images and files will be deleted each time Microsoft Edge closes.
If you disable this policy, users cannot configure the cached images and files option in edge://settings/clearBrowsingDataOnClose.
If you don't configure this policy, users can choose whether cached images and files are cleared on exit.
If you disable this policy, don't enable the ClearBrowsingDataOnExit policy, because they both deal with deleting data. If you configure both, the ClearBrowsingDataOnExit policy takes precedence and deletes all data when Microsoft Edge closes, regardless of how you configured ClearCachedImagesAndFilesOnExit.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ClearCachedImagesAndFilesOnExit
GP name: Clear cached images and files when Microsoft Edge closes
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allow users to open files using the ClickOnce protocol
Supported versions:
On Windows since 78 or later
Description
Allow users to open files using the ClickOnce protocol. The ClickOnce protocol allows websites to request that the browser open files from a specific URL using the ClickOnce file handler on the user's computer or device.
If you enable this policy, users can open files using the ClickOnce protocol. This policy overrides the user's ClickOnce setting in the edge://flags/ page.
If you disable this policy, users can't open files using the ClickOnce protocol. Instead, the file is saved to the file system using the browser. This policy overrides the user's ClickOnce setting in the edge://flags/ page.
If you don't configure this policy, users with Microsoft Edge versions before Microsoft Edge 87 can't open files using the ClickOnce protocol by default. However, they can enable the use of the ClickOnce protocol with the edge://flags/ page. Users with Microsoft Edge versions 87 and later can open files using the ClickOnce protocol by default but can disable the ClickOnce protocol with edge://flags/ page.
Disabling ClickOnce can prevent ClickOnce applications (.application files) from launching properly.
Configure the list of URL patterns that specify which sites can use the clipboard site permission.
Setting the policy lets you create a list of URL patterns that specify which sites can use the clipboard site permission. This doesn't include all clipboard operations on origins that match the patterns. For example, users can still paste using keyboard shortcuts because this isn't controlled by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites if it's set. If it isn't set, the user's personal setting applies.
Configure the list of URL patterns that specify which sites can't use the clipboard site permission.
Setting the policy lets you create a list of URL patterns that specify sites that can't use the clipboard site permission. This doesn't include all clipboard operations on origins that match the patterns. For example, users can still paste using keyboard shortcuts because this isn't controlled by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites if it's set. If it isn't set, the user's personal setting applies.
Block access to a specified list of services and export targets in Collections
Supported versions:
On Windows and macOS since 86 or later
Description
List specific services and export targets that users can't access in the Collections feature in Microsoft Edge. This includes displaying additional data from Bing and exporting collections to Microsoft products or external partners.
If you enable this policy, services and export targets that match the given list are blocked.
If you don't configure this policy, no restrictions on the acceptable services and export targets are enforced.
If disabled, this policy prevents security warnings from appearing when Microsoft Edge is launched with potentially dangerous command-line flags.
If enabled or unset, security warnings are displayed when these command-line flags are used to launch Microsoft Edge.
For example, the --disable-gpu-sandbox flag generates this warning: You're using an unsupported command-line flag: --disable-gpu-sandbox. This poses stability and security risks.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, joined to Microsoft Azure Active Directory, or enrolled for device management. On macOS, this policy is available only on instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CommandLineFlagSecurityWarningsEnabled
GP name: Enable security warnings for command-line flags
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable or don't configure this policy, component updates are enabled in Microsoft Edge.
If you disable this policy or set it to false, component updates are disabled for all components in Microsoft Edge.
However, some components are exempt from this policy. This includes any component that doesn't contain executable code, doesn't significantly alter the behavior of the browser, or that's critical for security. That is, updates that are deemed "critical for security" are still applied even if you disable this policy.
Examples of such components include the certificate revocation lists and security lists like tracking prevention lists.
Disabling this policy can potentially prevent the Microsoft Edge developers from providing critical security fixes in a timely manner and is thus not recommended.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ComponentUpdatesEnabled
GP name: Enable component updates in Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control access to Microsoft 365 Copilot writing assistance in Microsoft Edge for Business
Supported versions:
On Windows and macOS since 115 or later
Description
This policy controls whether users can use writing support features in Microsoft Edge for Business, such as Rewrite, which utilizes Microsoft 365 Copilot Chat. With Rewrite, users can receive help with drafting content, rewriting text, and adjusting style directly in their browser tab. In Microsoft Edge, users can trigger it when highlighting editable content in their main browser through the right-click context menu.
This policy applies only to Microsoft Entra accounts and doesn't apply to Microsoft accounts.
If you enable this policy, users can use Rewrite in Microsoft Edge when logged in with an Entra account.
If you disable this policy, users within your tenant can't use Rewrite.
If you don't configure this policy, the default behavior is as follows:
- Rewrite is available to users
- Users can enable or disable Microsoft 365 Copilot access to Microsoft Edge page content using the toggle in Microsoft Edge settings.
Note: Rewrite isn't available on pages protected by data loss prevention (DLP) policies to help maintain compliance.
Specify whether to send Do Not Track requests to websites that ask for tracking info. Do Not Track requests let the websites you visit know that you don't want your browsing activity to be tracked. By default, Microsoft Edge doesn't send Do Not Track requests, but users can turn on this feature to send them.
If you enable this policy, Do Not Track requests are always sent to websites asking for tracking info.
If you disable this policy, requests are never sent.
If you don't configure this policy, users can choose whether to send these requests.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureDoNotTrack
GP name: Configure Do Not Track
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users
Supported versions:
On Windows since 87 or later
On macOS since 88 or later
Description
If FriendlyURLs are enabled, Microsoft Edge computes more representations of the URL and places them on the clipboard.
This policy configures what format is pasted when the user pastes in external applications or inside Microsoft Edge without the 'Paste as' context menu item.
If you configure this policy, it makes a choice on behalf of the user. The options in edge://settings/shareCopyPaste will be grayed out, and the options in the 'Paste As' context menu won't be available.
* Not configured = The users are able to choose their preferred paste format. By default, this is set to the friendly URL format. The 'Paste As' menu will be available in Microsoft Edge.
* 1 = No additional formats are stored on the clipboard. There will be no 'Paste as' context menu item in Microsoft Edge, and the only format available to paste will be the plain text URL format. Effectively, the friendly URL feature is disabled.
* 3 = The user gets a friendly URL whenever they paste into surfaces that accept rich text. The plain URL is still available for non-rich surfaces. There will be no 'Paste As' menu in Microsoft Edge.
* 4 = (Not currently used)
The richer formats may not be supported in some paste destinations and/or websites. In these scenarios, the plain URL option is recommended when configuring this policy.
The recommended policy is available in Microsoft Edge 105 or later.
Policy options mapping:
* PlainText (1) = The plain URL without any extra information, such as the page's title. This is the recommended option when this policy is configured. For more information, see the description.
* TitledHyperlink (3) = Titled Hyperlink: A hyperlink that points to the copied URL but whose visible text is the title of the destination page. This is the Friendly URL format.
* WebPreview (4) = Coming soon. If set, behaves the same as 'Plain URL'.
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureFriendlyURLFormat
GP name: Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Configure automatic sign in with an Active Directory domain account when there is no Azure AD domain account
Supported versions:
On Windows since 81 or later
Description
Enables the use of Azure Active Directory (Azure AD) accounts for automatic sign in if your users' machines are Domain Joined and if your environment isn't hybrid joined. If you want users automatically signed in with their Azure AD accounts instead, Azure AD join (see https://go.microsoft.com/fwlink/?linkid=2118197 for more information) or hybrid join (see https://go.microsoft.com/fwlink/?linkid=2118365 for more information) your environment.
On every launch, Microsoft Edge tries to sign in using this policy, as long as the first profile being launched isn't signed in or an auto sign in doesn't happen before.
If you configure the BrowserSignin policy to disabled, this policy doesn't take any effect.
If you enable this policy and set it to 'SignInAndMakeDomainAccountNonRemovable', Microsoft Edge automatically signs in users that are on domain-joined machines using their Azure AD accounts.
If you set this policy to 'Disabled' or don't set it, Microsoft Edge doesn't automatically sign in users that are on domain-joined machines with Azure AD accounts.
From Microsoft Edge version 89, if there's an existing on-premises profile with RoamingProfileSupportEnabled policy disabled, and if the machine is now hybrid joined, that is, it has an Azure AD account, it autoupgrades the on-premises profile to Azure AD profile to get full Azure AD sync facilities.
From Microsoft Edge version 93, if policy ImplicitSignInEnabled is disabled, this policy doesn't take any effect.
From Microsoft Edge version 94, if policy OnlyOnPremisesImplicitSigninEnabled is enabled, and this policy is set to 'SignInAndMakeDomainAccountNonRemovable', it takes effect even on hybrid-joined environment. Microsoft Edge automatically signs in users using their Azure AD domain account even if there are Microsoft Account (MSA) or Azure AD accounts.
Policy options mapping:
* Disabled (0) = Disabled
* SignInAndMakeDomainAccountNonRemovable (1) = Sign in and make domain account non-removable
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureOnPremisesAccountAutoSignIn
GP name: Configure automatic sign in with an Active Directory domain account when there is no Azure AD domain account
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Set whether the browser can leverage Online Text to Speech voice fonts, part of Azure Cognitive Services. These voice fonts are higher quality than the pre-installed system voice fonts.
If you enable or don't configure this policy, web-based applications that use the SpeechSynthesis API can use Online Text to Speech voice fonts.
If you disable this policy, the voice fonts aren't available.
If you set this policy to 'ShareAllowed' (the default), users can access the Share experience from the Settings and More Menu in Microsoft Edge to share with other apps on the system.
If you set this policy to 'ShareDisallowed', users can't access the Share experience. If the Share button is on the toolbar, it's hidden as well.
Policy options mapping:
* ShareAllowed (0) = Allow using the Share experience
* ShareDisallowed (1) = Don't allow using the Share experience
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureShare
GP name: Configure the Share experience
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the View in File Explorer feature for SharePoint pages in Microsoft Edge
Supported versions:
On Windows since 93 or later
Description
This setting allows you to configure the View in File Explorer capability for file management in SharePoint Online while using Microsoft Edge.
You'll need to list the specific domains where this is allowed and list cookies needed for SharePoint authentication (rtFa and FedAuth).
Behind the scenes, the policy allows URLs with the viewinfileexplorer: scheme to open WebDAV URLs in Windows File Explorer on pages matching the list of domains and uses the cookies you specified for WebDAV authentication.
If you enable this policy, you can use the "View in File Explorer" feature on the SharePoint document libraries you list. You'll need to specify the SharePoint domain and authentication cookies. See example value below.
If you disable or don't configure this policy, you can't use the "View in File Explorer" feature on SharePoint document libraries.
Note that while this is an available option through Microsoft Edge, rather than use the View in File Explorer option, the recommended approach to managing files and folders outside of SharePoint is to sync your SharePoint files or move or copy files in SharePoint.
Sync your SharePoint files: https://go.microsoft.com/fwlink/p/?linkid=2166983
Move or copy files in SharePoint: https://go.microsoft.com/fwlink/p/?linkid=2167123
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, or Windows 10 Pro or Enterprise instances enrolled for device management.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ConfigureViewInFileExplorer
GP name: Configure the View in File Explorer feature for SharePoint pages in Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control Copilot with Commercial Data Protection access to page context for Microsoft Entra ID profiles (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 132.
Supported versions:
On Windows and macOS since 124, until 132
Description
This policy has been obsoleted as of Edge 133. Instead of this obsolete policy, we recommend using EdgeEntraCopilotPageContext.
This policy controls access to page contents for Copilot with Commercial Data Protection in the Edge sidebar. This policy applies only to Microsoft Entra ID profiles. To summarize pages and interact with text selections, it needs to be able to access the page contents. This policy doesn't apply to MSA profiles. This policy doesn't control access for Copilot without Commercial Data Protection. Access for Copilot without Commercial Data Protection is controlled by the policy CopilotPageContext.
If you enable this policy, Copilot with Commercial Data Protection will have access to page context.
If you don't configure this policy, a user can enable access to page context for Copilot with Commercial Data Protection using the setting toggle in Edge.
If you disable this policy, Copilot with Commercial Data Protection won't be able to access page context.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CopilotCDPPageContext
GP name: Control Copilot with Commercial Data Protection access to page context for Microsoft Entra ID profiles (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy configures the availability of the Copilot new tab page in Microsoft Edge for Business.
The Copilot new tab page combines search and chat into a single input box and includes personalized cards that provide quick access to relevant files, calendar events, and suggested Copilot prompts. Users who do not have a Microsoft 365 Copilot license might experience limited relevance in Copilot prompt card content.
Most policies that customize the New Tab Page are supported on the Copilot new tab page. For a complete list of supported and unsupported policies, see https://go.microsoft.com/fwlink/?linkid=2330462.
This policy applies only to Microsoft Entra ID profiles and controls the Copilot new tab page experience in Microsoft Edge for Business. This policy does not apply to the Copilot new tab page on MSA profiles.
If you enable this policy, the Copilot new tab page is turned on.
If you disable or don't configure this policy, the Copilot new tab page is turned off. When the policy is not configured, users can turn it on via user settings.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CopilotNewTabPageEnabled
GP name: Enable the Copilot new tab page
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Control Copilot access to page context for Microsoft Entra ID profiles
Supported versions:
On Windows and macOS since 124 or later
Description
This policy controls whether Copilot in the Microsoft Edge side pane can access page content.
This policy applies only to Microsoft Entra ID profiles in Microsoft Edge. It doesn't apply to Microsoft account (MSA) profiles.
Copilot requires access to page content to summarize pages and interact with text selections.
This policy doesn't control access for Copilot with enterprise data protection (EDP). Access for Copilot with EDP is controlled by the EdgeEntraCopilotPageContext policy.
If you enable this policy, Copilot can access page content.
If you disable this policy, Copilot can't access page content. This also disables the M365LinksAutoOpenCopilotEnabled feature, because Copilot requires page content access to provide contextual insights for Microsoft 365 links.
If you don't configure this policy:
- Access is enabled by default in non-EU regions.
- Access is disabled by default in EU regions.
- Users can turn this setting on or off in Microsoft Edge settings.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CopilotPageContext
GP name: Control Copilot access to page context for Microsoft Entra ID profiles
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control whether passkey creation will default to iCloud Keychain.
Supported versions:
On macOS since 132 or later
Description
Microsoft Edge may direct passkey/WebAuthn creation requests directly to iCloud Keychain on macOS version 13.5 or later. If iCloud Keychain syncing isn't enabled yet, this will prompt the user to sign in with iCloud, or might prompt them to enable iCloud Keychain syncing.
If you have enabled this policy, then iCloud Keychain is the default whenever the WebAuthn request is compatible with that choice.
If you haven't configured this policy, then the default behavior depends on factors such as whether iCloud Drive is enabled, or whether the user has recently used or created a credential in their Microsoft Edge profile.
If you have disabled this policy, iCloud Keychain isn't used by default and the previous behavior (of creating the credential in the Microsoft Edge profile) is used instead. Users can still select iCloud Keychain as an option, and can still see iCloud Keychain credentials when signing in.
Specifies whether WebAssembly modules can be sent cross-origin (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 98.
Supported versions:
On Windows and macOS since 95, until 98
Description
Specifies whether WebAssembly modules can be sent to another window or worker cross-origin. Cross-origin WebAssembly module sharing was deprecated as part of the efforts to deprecate document.domain, see https://github.com/mikewest/deprecating-document-domain. This policy allowed re-enabling of cross-origin WebAssembly module sharing. This policy is obsolete because it was intended to offer a longer transition period in the deprecation process.
If you enable this policy, sites can send WebAssembly modules cross-origin without restrictions.
If you disable or don't configure this policy, sites can only send WebAssembly modules to windows and workers in the same origin.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CrossOriginWebAssemblyModuleSharingEnabled
GP name: Specifies whether WebAssembly modules can be sent cross-origin (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 128.
Supported versions:
On Windows since 112, until 128
Description
This policy is obsolete because the feature is no longer supported, starting in Microsoft Edge 128. There's no replacement for this policy. Enables the CryptoWallet feature in Microsoft Edge.
If you enable this policy or don't configure it, users can use the CryptoWallet feature, which allows them to securely store, manage, and transact digital assets such as Bitcoin, Ethereum, and other cryptocurrencies. Microsoft Edge may therefore access Microsoft servers to communicate with the web3 world during the use of the CryptoWallet feature.
If you disable this policy, users can't use the CryptoWallet feature.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: CryptoWalletEnabled
GP name: Enable CryptoWallet feature (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable this policy, an admin can specify a link for the Help menu or the F1 key.
If you disable or don't configure this policy, the default link for the Help menu or the F1 key is used.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that are enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: CustomHelpLink
GP name: Specify custom help link
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy configures a local switch that can be used to disable DNS interception checks. These checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
This detection might not be necessary in an enterprise environment where the network configuration is known. It can be disabled to avoid additional DNS and HTTP traffic on start-up and each DNS configuration change.
If you enable or don't set this policy, the DNS interception checks are performed.
If you disable this policy, DNS interception checks aren't performed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DNSInterceptionChecksEnabled
GP name: DNS interception checks enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you set this policy to True, Microsoft Edge always checks whether it's the default browser on startup and, if possible, automatically registers itself.
If you set this policy to False, Microsoft Edge is stopped from ever checking if it's the default and turns user controls off for this option.
If you don't set this policy, Microsoft Edge lets users control whether it's the default and, if not, whether user notifications should appear.
Note for Windows administrators: This policy only works for PCs running Windows 7. For later versions of Windows, you have to deploy a "default application associations" file that makes Microsoft Edge the handler for the https and http protocols (and, optionally, the ftp protocol and file formats such as .html, .htm, .pdf, .svg, .webp). See https://go.microsoft.com/fwlink/?linkid=2094932 for more information.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultBrowserSettingEnabled
GP name: Set Microsoft Edge as default browser
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy enables the default browser settings campaign. If a user selects to accept the campaign, their default browser and/or default search engine will be changed to Microsoft Edge and Microsoft Bing, respectively. If the user dismisses the campaign, the user's browser settings remain unchanged.
If you enable or don't configure this policy, users will be prompted to set Microsoft Edge as the default browser and Microsoft Bing as the default search engine, if they don't have those browser settings.
If you disable this policy, users won't be prompted to set Microsoft Edge as the default browser, or to set Microsoft Bing as the default search engine.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultBrowserSettingsCampaignEnabled
GP name: Enables default browser settings campaigns
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy controls the default value for the clipboard site permission.
Setting the policy to 2 blocks sites from using the clipboard site permission.
Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use an API.
This policy only affects clipboard operations controlled by the clipboard site permission and doesn't affect sanitized clipboard writes or trusted copy and paste operations.
Policy options mapping:
* BlockClipboard (2) = Do not allow any site to use the clipboard site permission
* AskClipboard (3) = Allow sites to ask the user to grant the clipboard site permission
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultClipboardSetting
GP name: Default clipboard site permission
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you don't configure this policy, websites can access and use sensors, and users can change this setting. This setting is the global default for SensorsAllowedForUrls and SensorsBlockedForUrls.
Policy options mapping:
* AllowSensors (1) = Allow sites to access sensors
* BlockSensors (2) = Do not allow any site to access sensors
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DefaultSensorsSetting
GP name: Default sensors setting
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Set whether websites can access serial ports. You can completely block access or ask the user each time a website wants to get access to a serial port.
Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.
Set the default "share additional operating system region" setting
Supported versions:
On Windows and macOS since 108 or later
Description
This policy controls the default value for the "share additional operating system region" setting in Microsoft Edge.
The "share additional operating system region" Microsoft Edge setting controls whether the OS Regional format setting is shared with the web through the default JavaScript locale. If shared, websites can query the OS Regional format using JavaScript code, for example, "Intl.DateTimeFormat().resolvedOptions().locale". The default value for the setting is "Limited".
If you set this policy to "Limited", the OS Regional format is shared only if its language part matches the Microsoft Edge display language.
If you set this policy to "Always", the OS Regional format is always shared. This value could cause unexpected website behavior if the OS Regional format language is different from the Microsoft Edge display language. For example, if a website uses the JavaScript default locale to format dates, the names of the days and months are displayed in one language while the surrounding text is displayed in another language.
If you set this policy to "Never", the OS Regional format is never shared.
Example 1: In this example the OS Regional format is set to "en-GB", and the browser display language is set to "en-US". Then the OS Regional format is shared if the policy is set to "Limited", or "Always".
Example 2: In this example the OS Regional format is set to "es-MX", and the browser display language is set to "en-US". Then the OS Regional format is shared if the policy is set to "Always"; however, the OS Regional format isn't shared if the policy is set to "Limited".
Define an ordered list of preferred languages that websites should display in if the site supports the language
Supported versions:
On Windows and macOS since 89 or later
Description
Configures the language variants that Microsoft Edge sends to websites as part of the Accept-Language request HTTP header and prevents users from adding, removing, or changing the order of preferred languages in Microsoft Edge settings. Users who want to change the languages Microsoft Edge displays in or offers to translate pages to will be limited to the languages configured in this policy.
If you enable this policy, websites will appear in the first language in the list that they support unless other site-specific logic is used to determine the display language. The language variants defined in this policy override the languages configured as part of the SpellcheckLanguage policy.
If you don't configure or disable this policy, Microsoft Edge sends websites the user-specified preferred languages as part of the Accept-Language request HTTP header.
Require that the Enterprise Mode Site List is available before tab navigation
Supported versions:
On Windows since 84 or later
Description
Lets you specify whether Microsoft Edge tabs wait to navigate until the browser has downloaded the initial Enterprise Mode Site List. This setting is intended for the scenario where the browser home page should load in Internet Explorer (IE) mode, and it's important that it does so on browser first run after IE mode is enabled. If this scenario doesn't exist, we recommend not enabling this setting because it negatively impacts the performance of loading the home page. The setting only applies when Microsoft Edge doesn't have a cached Enterprise Mode Site List, such as on browser first run after IE mode is enabled.
If you set this policy to 'All' and Microsoft Edge doesn't have a cached version of the Enterprise Mode Site List, tabs delay navigating until the browser has downloaded the site list. Sites configured to open in Internet Explorer mode by the site list load in Internet Explorer mode, even during the initial navigation of the browser. Sites that can't be configured to open in Internet Explorer, such as any site with a scheme other than http:, https:, file:, or ftp:, don't delay navigating and load immediately in Microsoft Edge mode.
When used with the InternetExplorerIntegrationCloudSiteList policy, during first launch of Microsoft Edge, there is a delay because implicit sign in needs to finish before Microsoft Edge attempts to download the site list from the Microsoft cloud since this requires authentication to the cloud service.
If you set this policy to 'None' or don't configure it, and Microsoft Edge doesn't have a cached version of the Enterprise Mode Site List, tabs navigate immediately and don't wait for the browser to download the Enterprise Mode Site List. Sites configured to open in Internet Explorer mode by the site list open in Microsoft Edge mode until the browser has finished downloading the Enterprise Mode Site List.
Policy options mapping:
* None (0) = None
* All (1) = All eligible navigations
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DelayNavigationsForInitialSiteListDownload
GP name: Require that the Enterprise Mode Site List is available before tab navigation
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy determines whether user browsing data from Microsoft Edge Legacy will be deleted after migrating to the Microsoft Edge version 81 or later.
If you set this policy to "Enabled", all browsing data from Microsoft Edge Legacy after migrating to the Microsoft Edge version 81 or later is deleted. This policy must be set before migrating to the Microsoft Edge version 81 or later to have any effect on existing browsing data.
If you set this policy to "Disabled", or the policy isn't configured, user browsing data isn't deleted after migrating to the Microsoft Edge version 83 or later.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DeleteDataOnMigration
GP name: Delete old browser data on migration
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls whether users can access developer tools in Microsoft Edge.
If you set this policy to 'DeveloperToolsDisallowedForForceInstalledExtensions' (default), users can access developer tools and the JavaScript console, except in the context of extensions installed by enterprise policy.
If you set this policy to 'DeveloperToolsAllowed', users can access developer tools and the JavaScript console in all contexts, including extensions installed by enterprise policy.
If you set this policy to 'DeveloperToolsDisallowed', users cannot access developer tools or inspect website elements. Keyboard shortcuts, menu options, and context menu entries that open developer tools or the JavaScript console are disabled.
As of version 99, this policy also controls access to the 'View page source' feature. If you set this policy to 'DeveloperToolsDisallowed', users cannot view page source through keyboard shortcuts or the context menu. To fully block source viewing, add 'view-source:*' to the URLBlocklist policy.
As of version 119, this policy also controls whether developer mode for Isolated Web Apps can be enabled.
As of version 128, this policy does not control developer mode on the extensions page if the ExtensionDeveloperModeSettings policy is configured.
Developer tools availability is determined in the following order of precedence:
1. If a URL matches a pattern in DeveloperToolsAvailabilityAllowlist, developer tools are allowed.
2. If the allowlist is configured and the blocklist is not, URLs not on the allowlist are blocked.
3. If a URL matches a pattern in DeveloperToolsAvailabilityBlocklist, developer tools are blocked.
4. If a URL is not covered by either list, this policy (DeveloperToolsAvailability) applies.
Policy options mapping:
* DeveloperToolsDisallowedForForceInstalledExtensions (0) = Block the developer tools on extensions installed by enterprise policy, allow in other contexts
* DeveloperToolsAllowed (1) = Allow using the developer tools
* DeveloperToolsDisallowed (2) = Don't allow using the developer tools
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DeveloperToolsAvailability
GP name: Control where developer tools can be used
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
List of URL patterns for which developer tools are allowed to be opened
Supported versions:
On Windows and macOS since 148 or later
Description
This policy controls where developer tools can be used in Microsoft Edge by specifying an allowlist of URL patterns.
URL patterns are matched against the URL of every frame on the page being inspected.
If you configure this policy and do not configure the DeveloperToolsAvailabilityBlocklist policy, developer tools are available only when every frame on the page matches a pattern in this allowlist. If any frame does not match, developer tools are blocked for the entire page. For information on the URL format, see https://go.microsoft.com/fwlink/?linkid=2095322 .
If you configure both this policy and the DeveloperToolsAvailabilityBlocklist policy, this allowlist takes precedence. URLs that match this allowlist are allowed even if they also match the blocklist. URLs that match the blocklist but not this allowlist are blocked. URLs that match neither are governed by the DeveloperToolsAvailability policy.
URL patterns are evaluated against the URL of every frame on the page being inspected. If any frame matches a pattern in this policy, developer tools are blocked for the entire page.
If you configure this policy and do not configure the DeveloperToolsAvailabilityAllowlist policy, developer tools are blocked when any frame matches a pattern in this policy. If no frames match, availability is determined by the DeveloperToolsAvailability policy.
If you configure both this policy and the DeveloperToolsAvailabilityAllowlist policy, the allowlist takes precedence. URLs that match the allowlist are allowed, even if they also match this policy. URLs that match this policy (but not the allowlist) are blocked. If a URL matches neither, the DeveloperToolsAvailability policy determines availability.
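The precedence between DeveloperToolsAvailability, the allowlist and the blocklist described above, modelled as an added example (not Microsoft's code). `host_matches` is a simplified host-only stand-in for the real URL filter format, an empty list is treated as "not configured", and falling back to DeveloperToolsAvailability for frames that neither list decides is an assumption of this sketch.

```python
from urllib.parse import urlsplit

ALLOW, BLOCK, DEFAULT = "allow", "block", "default"
DEVTOOLS_DISALLOWED = 2  # DeveloperToolsDisallowed (2) from the options mapping


def host_matches(pattern, url):
    """Simplified matcher (assumption): host patterns only.

    "example.com" matches the host and its subdomains, ".example.com"
    matches that exact host only, and "*" matches everything.
    """
    host = urlsplit(url).hostname or ""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:]
    return host == pattern or host.endswith("." + pattern)


def frame_verdict(url, allowlist, blocklist):
    """Apply the four precedence steps to a single frame URL."""
    if allowlist and any(host_matches(p, url) for p in allowlist):
        return ALLOW    # step 1: the allowlist wins, even over the blocklist
    if allowlist and not blocklist:
        return BLOCK    # step 2: allowlist-only configuration is default-deny
    if blocklist and any(host_matches(p, url) for p in blocklist):
        return BLOCK    # step 3: blocklist match
    return DEFAULT      # step 4: DeveloperToolsAvailability decides


def devtools_available(frame_urls, availability=0, allowlist=None, blocklist=None):
    """Decide for a whole page, given the URL of every frame on it."""
    verdicts = [frame_verdict(u, allowlist or [], blocklist or [])
                for u in frame_urls]
    if BLOCK in verdicts:
        return False    # one blocked frame blocks the entire page
    if DEFAULT in verdicts:
        # Values 0 and 1 both allow developer tools on ordinary pages.
        return availability != DEVTOOLS_DISALLOWED
    return True         # every frame matched the allowlist


if __name__ == "__main__":
    # Constructed sample: an intranet app that embeds a third-party frame.
    page = ["https://app.intranet.example/", "https://cdn.thirdparty.example/w.js"]
    print(devtools_available(page, allowlist=["intranet.example"]))  # False
```

With only the allowlist configured, a single embedded third-party frame is enough to block developer tools for the page, so an allowlist needs to cover every origin the allowed applications embed.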
Send required and optional diagnostic data about browser usage
Supported versions:
On Windows since 122 or later
On macOS since 86 or later
Description
This policy controls sending required and optional diagnostic data about browser usage to Microsoft.
Required diagnostic data is collected to keep Microsoft Edge secure, up to date and performing as expected.
Optional diagnostic data includes data about how you use the browser, websites you visit, and crash reports sent to Microsoft for product and service improvement.
Up to Microsoft Edge version 121, this policy isn't supported on Windows 10 devices. To control this data collection on Windows 10 for 121 and previous, IT admins must use the Windows diagnostic data group policy. This policy can either be 'Allow Telemetry' or 'Allow Diagnostic Data', depending on the version of Windows. Learn more about Windows 10 diagnostic data collection: https://go.microsoft.com/fwlink/?linkid=2099569
For Microsoft Edge version 122 and later, this policy is supported on Windows 10 devices to allow controlling Microsoft Edge data collection separately from Windows 10 diagnostics data collection.
Use one of the following settings to configure this policy:
'Off' turns off required and optional diagnostic data collection. This option isn't recommended.
'RequiredData' sends required diagnostic data but turns off optional diagnostic data collection. Microsoft Edge sends required diagnostic data to keep Microsoft Edge secure, up to date and performing as expected.
'OptionalData' sends optional diagnostic data, which includes data about browser usage, websites that are visited, and crash reports sent to Microsoft for product and service improvement.
On Windows 7/macOS, this policy controls sending required and optional data to Microsoft.
If you don't configure this policy or disable it, Microsoft Edge defaults to the user's preference.
Policy options mapping:
* Off (0) = Off (Not recommended)
* RequiredData (1) = Required data
* OptionalData (2) = Optional data
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DiagnosticData
GP name: Send required and optional diagnostic data about browser usage
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow users to open files using the DirectInvoke protocol
Supported versions:
On Windows since 78 or later
Description
Allow users to open files using the DirectInvoke protocol. The DirectInvoke protocol allows websites to request that the browser open files from a specific URL using a specific file handler on the user's computer or device.
If you enable or don't configure this policy, users can open files using the DirectInvoke protocol.
If you disable this policy, users can't open files using the DirectInvoke protocol. Instead, the file is saved to the file system.
Note: Disabling DirectInvoke can prevent certain Microsoft SharePoint Online features from working as expected.
Prevent web pages from accessing the graphics processing unit (GPU). Specifically, web pages can't access the WebGL API and plug-ins can't use the Pepper 3D API.
If you don't configure or disable this policy, it potentially allows web pages to use the WebGL API and plug-ins to use the Pepper 3D API. Microsoft Edge might, by default, still require command line arguments to be passed in order to use these APIs.
If HardwareAccelerationModeEnabled policy is set to false, the setting for 'Disable3DAPIs' policy is ignored - it's the equivalent of setting 'Disable3DAPIs' policy to true.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: Disable3DAPIs
GP name: Disable support for 3D graphics APIs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls if users can take screenshots of the browser page.
If you enable this policy, users can't take screenshots using keyboard shortcuts or extension APIs.
If you disable or don't configure this policy, users can take screenshots.
Note: Even if you disable screenshots using this policy, users might still be able to take screenshots using Web Capture within the browser or other methods outside of the browser. For example, using an operating system feature or another application.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DisableScreenshots
GP name: Disable taking screenshots
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable Discover access to page contents for AAD profiles (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 127.
Supported versions:
On Windows and macOS since 113, until 127
Description
This policy is obsolete as of Microsoft Edge version 127. Two new Microsoft Edge Policies took its place. Those policies are CopilotPageContext (Control Copilot access to page contents for AAD profiles) and CopilotCDPPageContext (Control Copilot with Commercial Data Protection access to page contents for AAD profiles).
This policy didn't allow for separate control of Copilot and Copilot with Commercial Data Protection. The new policies allow separate control of these versions of Copilot. The new policies also allow admins to force-enable Copilot access to Microsoft Edge page contents by enabling the policy, whereas DiscoverPageContextEnabled only allows force-disabling of Copilot page access.
This policy controls Discover access to page contents for AAD profiles. Discover is an extension that hosts Bing Chat. To summarize pages and interact with text selections, it must access the page contents. When enabled, page contents are sent to Bing. This policy doesn't affect MSA profiles.
If you enable or don't configure this policy, Discover has access to page contents.
If you disable this policy, Discover can't access page contents.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DiscoverPageContextEnabled
GP name: Enable Discover access to page contents for AAD profiles (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configures the directory to use to store cached files.
If you enable this policy, Microsoft Edge uses the provided directory regardless of whether the user has specified the '--disk-cache-dir' flag. To avoid data loss or other unexpected errors, don't configure this policy to a volume's root directory or to a directory used for other purposes, because Microsoft Edge manages its contents.
If you don't configure this policy, the default cache directory is used, and users can override that default with the '--disk-cache-dir' command line flag.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DiskCacheDir
GP name: Set disk cache directory
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy configures the disk cache size in Microsoft Edge.
If you enable this policy, Microsoft Edge uses the specified cache size, regardless of whether the user set the --disk-cache-size command-line flag.
The value defined in this policy is treated as a suggestion to the caching system, not a strict limit. Values below a few megabytes are rounded up to a reasonable minimum.
If you set the value to 0, the default cache size is used and users can't override it.
It's recommended not to configure a custom value, as Microsoft Edge automatically manages the cache size for optimal performance. Setting a small value can degrade performance and increase network usage.
If you don’t configure this policy, the default size is used, but users can override it with the --disk-cache-size flag.
Note: The specified value is treated as a hint to multiple cache subsystems. The total disk usage of all caches can be larger than (but within the same order of magnitude as) the configured value.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DiskCacheSize
GP name: Set disk cache size, in bytes
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specifies whether the display-capture permissions-policy is checked or skipped (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 109.
Supported versions:
On Windows and macOS since 95, until 109
Description
This policy is obsolete. The policy was a temporary workaround for non-spec-compliant enterprise applications.
This policy stopped working in Microsoft Edge version 107 and was obsoleted in Microsoft Edge 110.
The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement isn't enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden.
If you enable or don't configure this policy, sites can only call getDisplayMedia() from contexts that are allowlisted by the display-capture permissions-policy.
If you disable this policy, sites can call getDisplayMedia() even from contexts which are not allowlisted by the display-capture permissions policy. Other restrictions may still apply.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: DisplayCapturePermissionsPolicyEnabled
GP name: Specifies whether the display-capture permissions-policy is checked or skipped (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control the mode of the DNS-over-HTTPS resolver. This policy only sets the default mode for each query. The mode can be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.
The "off" mode disables DNS-over-HTTPS.
The "automatic" mode sends DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available, and falls back to sending insecure queries on error.
The "secure" mode only sends DNS-over-HTTPS queries and will fail to resolve on error.
If you don't configure this policy for managed devices, DNS-over-HTTPS queries aren't sent. Instead, the browser may send DNS requests to a resolver associated with the user's system resolver. This could lead to a less secure or private DNS resolution process, depending on the resolver in use.
Policy options mapping:
* off (off) = Disable DNS-over-HTTPS
* automatic (automatic) = Enable DNS-over-HTTPS with insecure fallback
* secure (secure) = Enable DNS-over-HTTPS without insecure fallback
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DnsOverHttpsMode
GP name: Control the mode of DNS-over-HTTPS
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specify URI template of desired DNS-over-HTTPS resolver
Supported versions:
On Windows and macOS since 83 or later
Description
The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
If you set DnsOverHttpsMode to "secure", then this policy must be set and can't be empty.
If you set DnsOverHttpsMode to "automatic" and this policy is set, then the URI templates specified are used. If you don't set this policy, then hardcoded mappings are used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
If the URI template contains a dns variable, requests to the resolver use GET; otherwise, requests use POST.
Incorrectly formatted templates will be ignored.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DnsOverHttpsTemplates
GP name: Specify URI template of desired DNS-over-HTTPS resolver
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
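An added example (not Microsoft's code) that audits a DnsOverHttpsMode / DnsOverHttpsTemplates pair against the rules above: space-separated templates, GET when a template has a dns variable and POST otherwise, and "secure" requiring a non-empty template list. The resolver host names are constructed, and treating "not https, no host, or unbalanced braces" as incorrectly formatted is an assumption about what Edge ignores.

```python
import re
from urllib.parse import urlsplit

VALID_MODES = ("off", "automatic", "secure")
_EXPR = re.compile(r"\{([^{}]+)\}")   # one RFC 6570 expression, e.g. {?dns}
_OPERATORS = "+#./;?&"                # RFC 6570 expression operators


def template_variables(template):
    """Return the variable names used in the template's expressions."""
    names = set()
    for expr in _EXPR.findall(template):
        body = expr[1:] if expr[0] in _OPERATORS else expr
        for spec in body.split(","):
            # Drop the explode ("*") and prefix (":3") modifiers.
            name = spec.rstrip("*").split(":", 1)[0]
            if name:
                names.add(name)
    return names


def classify_template(template):
    """Report whether a template looks usable and which HTTP method it implies."""
    stripped = _EXPR.sub("", template)
    try:
        parts = urlsplit(stripped)
        well_formed = (parts.scheme == "https" and bool(parts.hostname)
                       and "{" not in stripped and "}" not in stripped)
    except ValueError:
        well_formed = False
    method = "GET" if "dns" in template_variables(template) else "POST"
    return {"template": template, "well_formed": well_formed, "method": method}


def audit_doh(policies):
    """Return (findings, usable_templates) for a dict of policy name -> value."""
    mode = policies.get("DnsOverHttpsMode")
    raw = policies.get("DnsOverHttpsTemplates") or ""
    templates = [classify_template(t) for t in raw.split()]
    usable = [t for t in templates if t["well_formed"]]
    findings = [f"ignored-template:{t['template']}"
                for t in templates if not t["well_formed"]]
    if mode is None:
        findings.append("mode-unset")             # managed device: no DoH queries
    elif mode not in VALID_MODES:
        findings.append("unknown-mode")
    elif mode == "off":
        findings.append("doh-disabled")
    elif mode == "automatic":
        findings.append("insecure-fallback")      # falls back to plain DNS on error
        if not usable:
            findings.append("provider-mapping-used")  # hardcoded upgrade mappings
    elif not usable:
        findings.append("secure-without-template")    # secure needs a template
    return findings, usable


if __name__ == "__main__":
    # Constructed policy values for illustration.
    sample = {
        "DnsOverHttpsMode": "secure",
        "DnsOverHttpsTemplates": "https://doh.example.net/dns-query{?dns} "
                                 "http://legacy.example.net/dns-query",
    }
    findings, usable = audit_doh(sample)
    print(findings)
    print([(t["template"], t["method"]) for t in usable])
```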
Define a list of protocols that can not be silently blocked by anti-flood protection
Supported versions:
On Windows and macOS since 99 or later
Description
Allows you to create a list of protocols and an associated list of allowed origin patterns, for each protocol. These origins aren't silently blocked from launching an external application by anti-flood protection. The trailing separator shouldn't be included when listing the protocol. For example, list "skype" instead of "skype:" or "skype://".
If you configure this policy, a protocol is only permitted to bypass being silently blocked by anti-flood protection if:
- the protocol is listed
- the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list.
If either condition is false, anti-flood protection blocks the external protocol launch.
If you don't configure this policy, no protocols can bypass being silently blocked.
However, origin-matching patterns for this policy can't contain "/path" or "@query" elements. Any pattern that contains a "/path" or "@query" element is ignored.
This policy doesn't work as expected with file://* wildcards.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: DoNotSilentlyBlockProtocolsFromOrigins
GP name: Define a list of protocols that can not be silently blocked by anti-flood protection
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
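An added example (not Microsoft's code) that lints a DoNotSilentlyBlockProtocolsFromOrigins value for the pitfalls listed above: a trailing separator on the protocol, origin patterns with "/path" or "@query" elements (which are ignored), and file://* wildcards. The sample value, its protocol names other than "skype", and its origins are constructed; the checks are textual, so a bare trailing "/" is also reported as a path.

```python
import json


def lint_protocol_origins(policy_value):
    """Lint the policy value (JSON text or an already parsed list of entries)."""
    entries = json.loads(policy_value) if isinstance(policy_value, str) else policy_value
    report = []
    for entry in entries:
        protocol = entry.get("protocol", "")
        issues, usable = [], []
        if not protocol:
            issues.append("missing-protocol")
        elif protocol.rstrip(":/") != protocol:
            issues.append("protocol-separator")   # "skype:" or "skype://"
        for pattern in entry.get("allowed_origins", []):
            after_scheme = pattern.split("://", 1)[-1]
            if "@" in pattern:
                issues.append(f"ignored-query:{pattern}")
            elif "/" in after_scheme:
                issues.append(f"ignored-path:{pattern}")
            elif pattern.lower().startswith("file://") and "*" in after_scheme:
                issues.append(f"file-wildcard:{pattern}")   # unreliable per the page
            else:
                usable.append(pattern)
        if not usable:
            # Both conditions (protocol listed, origin matched) are required,
            # so an entry with no usable origin never bypasses the protection.
            issues.append("no-usable-origin")
        report.append({"protocol": protocol,
                       "usable_origins": usable,
                       "issues": issues})
    return report


def dead_entries(report):
    """Protocols whose entry has no origin pattern left after linting."""
    return [r["protocol"] for r in report if "no-usable-origin" in r["issues"]]


# Constructed sample value for illustration.
SAMPLE = json.dumps([
    {"protocol": "skype://",
     "allowed_origins": ["https://chat.example.com"]},
    {"protocol": "exampleapp",
     "allowed_origins": ["https://music.example.com/player", "example.org@q=1"]},
    {"protocol": "exampletool",
     "allowed_origins": ["file://*", "https://portal.example.com:8443"]},
])

if __name__ == "__main__":
    for row in lint_protocol_origins(SAMPLE):
        print(row["protocol"], row["usable_origins"], row["issues"])
```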
Configures the directory to use when downloading files.
If you enable this policy, Microsoft Edge uses the provided directory regardless of whether the user specified one or chose to be prompted for download location every time. See https://go.microsoft.com/fwlink/?linkid=2095041 for a list of variables that can be used.
If you disable or don't configure this policy, the default download directory is used, and the user can change it.
If you set an invalid path, Microsoft Edge defaults to the user's default download directory.
If the folder specified by the path doesn't exist, the download triggers a prompt that asks the user where they want to save their download.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: DownloadDirectory
GP name: Set download directory
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Configures the type of downloads that Microsoft Edge completely blocks, without letting users override the security decision.
Set 'BlockDangerousDownloads' to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings of known dangerous downloads or that have dangerous file type extensions.
Set 'BlockPotentiallyDangerousDownloads' to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings of potentially dangerous or unwanted downloads or that have dangerous file type extensions.
Set 'BlockAllDownloads' to block all downloads.
Set 'BlockMaliciousDownloads' to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings of known malicious downloads.
If you don't configure this policy or set the 'DefaultDownloadSecurity' option, the downloads go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results.
Note that these restrictions apply to downloads from web page content, as well as the 'download link...' context menu option. These restrictions don't apply to saving or downloading the currently displayed page, nor do they apply to the Save as PDF option from the printing options.
This policy controls the dynamic code settings for Microsoft Edge.
Disabling dynamic code improves the security of Microsoft Edge by preventing potentially hostile dynamic code and third-party code from making changes to Microsoft Edge's behavior. However, this might cause compatibility issues with third-party software (for example, certain printer drivers) that must run in the browser process.
If you set this policy to 0 (the default) or leave it unset, Microsoft Edge uses the default settings.
If you set this policy to 1 (EnabledForBrowser), the Microsoft Edge browser process is prevented from creating dynamic code.
Policy options mapping:
* Default (0) = Default dynamic code settings
* EnabledForBrowser (1) = Prevent the browser process from creating dynamic code
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: DynamicCodeSettings
GP name: Dynamic Code Settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Edge3P Telemetry in Microsoft Edge captures the searches that a user does on third-party search providers, without identifying the person or the device, and only if the user has consented to this collection of data. Users can turn off the collection at any time in the browser settings.
If you enable or don't configure this policy, Edge 3P SERP Telemetry feature is enabled.
If you disable this policy, Edge 3P SERP Telemetry feature is disabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: Edge3PSerpTelemetryEnabled
GP name: Edge 3P SERP Telemetry Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allow features to download assets from the Asset Delivery Service
Supported versions:
On Windows and macOS since 101 or later
Description
The Asset Delivery Service is a general pipeline used to deliver assets to the Microsoft Edge Clients. These assets can be config files or Machine Learning models that power the features that use this service.
If you enable or don't configure this policy, features can download assets from the Asset Delivery Service.
If you disable this policy, features won't be able to download assets needed for them to run correctly.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeAssetDeliveryServiceEnabled
GP name: Allow features to download assets from the Asset Delivery Service
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows ML technology to predict and fill in forms and text fields for better browsing. Your personal data is secure and isn't used elsewhere.
If you enable this policy or don't configure it, users can benefit from machine learning powered autofill suggestions, which improve efficiency by offering more accurate, context aware form recommendations based on historical autofill data.
If you disable this policy, machine learning-powered autofill suggestions aren't shown, and autofill no longer uses cloud-based machine learning models to enhance form filling with smarter, context aware suggestions. Instead, autofill will rely on basic form data without the benefits of machine learning.
Lets you allow users to access the Collections feature, where they can collect, organize, share, and export content more efficiently and with Office integration.
If you enable or don't configure this policy, users can access and use the Collections feature in Microsoft Edge.
If you disable this policy, users can't access and use Collections in Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeCollectionsEnabled
GP name: Enable the Collections feature
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 121.
Supported versions:
On Windows and macOS since 97, until 121
Description
The enhance images feature is deprecated and starting in Microsoft Edge version 122, this policy will be removed. Set whether Microsoft Edge can automatically enhance images to show you sharper images with better color, lighting, and contrast.
If you enable this policy or don't configure the policy, Microsoft Edge automatically enhances images on specific web applications.
If you disable this policy, Microsoft Edge doesn't enhance images.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeEnhanceImagesEnabled
GP name: Enhance images enabled (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control Copilot access to Microsoft Edge page content for Entra account user profiles when using Copilot in the Microsoft Edge sidepane
Supported versions:
On Windows and macOS since 130 or later
Description
This policy controls whether Copilot in the Microsoft Edge side pane can access page content. This includes page summarization and other contextual queries.
This policy applies only to users who are signed in to Microsoft Edge with a Microsoft Entra account and are using Copilot in the side pane. It applies to Copilot experiences in the side pane, including Microsoft 365 Copilot Business Chat and Microsoft Copilot with enterprise data protection (EDP).
If you enable this policy, Copilot can access page content when users submit contextual queries in the side pane.
If you disable this policy, Copilot can't access page content. This also disables the M365LinksAutoOpenCopilotEnabled feature, because Copilot requires page content access to provide contextual insights for Microsoft 365 links.
If you don't configure this policy:
- Access is enabled by default in non-EU regions.
- Access is disabled by default in EU regions.
- Users can turn this setting on or off in Microsoft Edge settings.
Copilot can't access page content on pages protected by data loss prevention (DLP) policies, even if this policy is enabled.
This policy lets users compare the prices of a product they're looking at, get coupons or rebates from the website they're on, autoapply coupons, and help checkout faster using autofill data.
If you enable or don't configure this policy, shopping features such as price comparison, coupons, rebates, and express checkout are automatically applied for retail domains. Coupons for the current retailer and prices from other retailers are fetched from a server.
If you disable this policy, shopping features such as price comparison, coupons, rebates, and express checkout aren't automatically found for retail domains.
Starting from version 90.0.818.56, the behavior of the messaging letting users know that there's a coupon, rebate, price comparison, or price history available on shopping domains is also done through a horizontal banner below the address bar. Previously, this messaging was done on the address bar.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeShoppingAssistantEnabled
GP name: Shopping in Microsoft Edge Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
If you enable or don't configure this policy, users can access sidebar customize. If you disable this policy, users won't be able to access the sidebar customize.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EdgeSidebarCustomizeEnabled
GP name: Enable sidebar customize
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Re-enable deprecated web platform features for a limited time (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 86.
Supported versions:
On Windows and macOS since 77, until 86
Description
This policy is obsolete because dedicated web platform policies are now used to manage individual web platform feature deprecations.
Specify a list of deprecated web platform features to temporarily re-enable.
This policy lets you re-enable deprecated web platform features for a limited time. Features are identified by a string tag.
If you don't configure this policy, if the list is empty, or if a feature doesn't match one of the supported string tags, all deprecated web platform features remain disabled.
While the policy itself is supported on the above platforms, the feature it's enabling might not be available on all of those platforms. Not all deprecated Web Platform features can be re-enabled. Only the following explicitly listed features can be re-enabled, and only for a limited period of time, which differs per feature. You can review the intent behind the Web Platform feature changes at https://bit.ly/blinkintents.
The general format of the string tag is [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd].
Policy options mapping:
* ExampleDeprecatedFeature (ExampleDeprecatedFeature_EffectiveUntil20080902) = Enable ExampleDeprecatedFeature API through 2008/09/02
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableDeprecatedWebPlatformFeatures
GP name: Re-enable deprecated web platform features for a limited time (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable Domain Actions Download from Microsoft (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 84.
Supported versions:
On Windows and macOS since 77, until 84
Description
This policy doesn't work because conflicting states should be avoided. This policy was used to enable/disable download of the domain actions list, but it didn't always achieve the desired state. The Experimentation and Configuration Service, which handles the download, has its own policy to configure what's downloaded from the service. Use the ExperimentationAndConfigurationServiceControl policy instead.
In Microsoft Edge, Domain Actions represent a series of compatibility features that help the browser work correctly on the web.
Microsoft keeps a list of actions to take on certain domains for compatibility reasons. For example, the browser may override the User Agent string on a website if that website is broken due to the new User Agent string on Microsoft Edge. Each of these actions is intended to be temporary while Microsoft tries to resolve the issue with the site owner.
When the browser starts up and then periodically afterwards, the browser will contact the Experimentation and Configuration Service that contains the most up to date list of compatibility actions to perform. This list is saved locally after it's first retrieved so that subsequent requests will only update the list if the server's copy has changed.
If you enable this policy, the list of Domain Actions continues to be downloaded from the Experimentation and Configuration Service.
If you disable this policy, the list of Domain Actions will no longer be downloaded from the Experimentation and Configuration Service.
If you don't configure this policy, the list of Domain Actions continues to be downloaded from the Experimentation and Configuration Service.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableDomainActionsDownload
GP name: Enable Domain Actions Download from Microsoft (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Online revocation checks don't provide a significant security benefit and are disabled by default.
If you enable this policy, Microsoft Edge performs soft-fail, online OCSP/CRL checks. "Soft fail" means that if the revocation server can't be reached, the certificate is considered valid.
If you disable the policy or don't configure it, Microsoft Edge can't perform online revocation checks.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableOnlineRevocationChecks
GP name: Enable online OCSP/CRL checks
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow certificates signed using SHA-1 when issued by local trust anchors (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 91.
Supported versions:
On Windows and macOS since 85, until 91
Description
If you enable this policy, Microsoft Edge allows connections secured by SHA-1 signed certificates so long as the certificate chains to a locally installed root certificate and is otherwise valid.
This policy depends on the operating system (OS) certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy might no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed in Microsoft Edge 92 releasing in mid 2021.
If you disable or don't configure this policy, or if the SHA-1 certificate chains to a publicly trusted certificate root, then Microsoft Edge won't allow certificates signed by SHA-1.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that are enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableSha1ForLocalAnchors
GP name: Allow certificates signed using SHA-1 when issued by local trust anchors (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls whether SwiftShader is used as a fallback for WebGL when hardware GPU acceleration isn't available.
When enabled, Microsoft Edge uses SwiftShader to support WebGL on systems without GPU acceleration, such as headless environments or virtual machines.
Starting in Microsoft Edge version 144, SwiftShader is deprecated due to security concerns. As a result, WebGL context creation fails in scenarios where SwiftShader is used. Enabling this policy allows organizations to temporarily defer the deprecation and continue using SwiftShader.
If you disable or don't configure this policy, WebGL context creation can fail on systems without hardware acceleration. This could cause web content relying on WebGL to function incorrectly if it doesn't handle context creation failures.
Note: This policy is temporary and scheduled for removal in a future release. Microsoft doesn't guarantee the security of environments where this policy is enabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnableUnsafeSwiftShader
GP name: Allow software WebGL fallback using SwiftShader
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Encrypted ClientHello (ECH) is an extension to TLS that encrypts the sensitive fields of ClientHello to improve privacy.
If ECH is enabled, Microsoft Edge might or might not use ECH depending on server support, the availability of the HTTPS DNS record, or the rollout status.
If you enable or don't configure this policy, Microsoft Edge follows the default rollout process for ECH.
If this policy is disabled, Microsoft Edge won't enable ECH.
Because ECH is an evolving protocol, Microsoft Edge's implementation is subject to change.
As such, this policy is a temporary measure to control the initial experimental implementation. It will be replaced with final controls as the protocol finalizes.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EncryptedClientHelloEnabled
GP name: TLS Encrypted ClientHello Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 127.
Supported versions:
On Windows and macOS since 113, until 127
Description
X.509 certificates might encode constraints, such as Name Constraints, in extensions in the certificate. RFC 5280 specifies that enforcing such constraints on trust anchor certificates is optional.
From Microsoft Edge 112, such constraints in certificates loaded from the platform certificate store will now be enforced.
This policy exists as a temporary opt-out in case an enterprise encounters issues with the constraints encoded in their private roots. In that case this policy may be used to temporarily disable enforcement of the constraints while correcting the certificate issues.
If you enable this policy or don't configure it, Microsoft Edge enforces constraints encoded into trust anchors loaded from the platform trust store.
If you disable this policy, Microsoft Edge won't enforce constraints encoded into trust anchors loaded from the platform trust store.
This policy was removed in Microsoft Edge version 128. Starting with that version, constraints in trust anchors are always enforced.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnforceLocalAnchorConstraintsEnabled
GP name: Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy lets you enhance the security state in Microsoft Edge.
If you set this policy to 'StandardMode', the enhanced mode is turned off, and Microsoft Edge falls back to its standard security mode.
If you set this policy to 'BalancedMode', the security state is in balanced mode.
If you set this policy to 'StrictMode', the security state is in strict mode.
If you set this policy to 'BasicMode', the security state is in basic mode.
Note: Sites that use WebAssembly (WASM) aren't supported on 32-bit systems when EnhanceSecurityMode is enabled. If you require access to a site that uses WASM, consider adding it to your exception list as described in https://go.microsoft.com/fwlink/?linkid=2183321.
Starting from Microsoft Edge version 113, 'BasicMode' is deprecated and is treated the same as 'BalancedMode'. It doesn't work in Microsoft Edge version 116.
Microsoft Edge lets users bypass Enhanced Security Mode on a site via Settings page or PageInfo flyout. This policy lets you configure whether users can bypass Enhanced Security Mode.
If you disable this policy, Microsoft Edge can't allow users to bypass Enhanced Security Mode.
If you enable or don't configure this policy, Microsoft Edge allows users to bypass Enhanced Security Mode.
Configure the list of domains for which enhance security mode will not be enforced
Supported versions:
On Windows and macOS since 98 or later
Description
Configures the list of enhance security trusted domains. This means that enhance security mode isn't enforced when loading the sites in trusted domains.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnhanceSecurityModeBypassListDomains
GP name: Configure the list of domains for which enhance security mode will not be enforced
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the list of domains for which enhance security mode will always be enforced
Supported versions:
On Windows and macOS since 98 or later
Description
Configure the list of enhance security untrusted domains. This means that enhance security mode is always enforced when loading the sites in untrusted domains.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnhanceSecurityModeEnforceListDomains
GP name: Configure the list of domains for which enhance security mode will always be enforced
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Manage the indicator UI of the Enhanced Security Mode (ESM) feature in Microsoft Edge
Supported versions:
On Windows and macOS since 115 or later
Description
This policy lets you manage whether the indicator User Interface (UI) for enhanced security mode is shown or not when ESM is turned on.
If you enable or don't configure this policy, the indicator UI is on.
If you disable this policy, the indicator UI is off.
Note: If this policy is used, only the indicator User Interface experience is suppressed; ESM is still turned on. For more information, see the EnhanceSecurityMode policy.
Manage opt-out user experience for Enhanced Security Mode (ESM) in Microsoft Edge (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 135.
Supported versions:
On Windows and macOS since 115, until 135
Description
This policy is obsolete because we determined that this experimental opt-out UX isn't required.
This policy lets you manage whether the opt-out user experience for enhanced security mode is presented when ESM is turned on for Microsoft Edge.
If you enable or don't configure this policy, the UI for the opt-out user experience is on.
If you disable this policy, the UI for the opt-out user experience is off.
Note: If this policy is used, only the User Interface for the opt-out experience is suppressed; ESM is still turned on. For more information, see the EnhanceSecurityMode policy.
Allow managed extensions to use the Enterprise Hardware Platform API
Supported versions:
On Windows and macOS since 78 or later
Description
When this policy is set to enabled, extensions installed by enterprise policy are allowed to use the Enterprise Hardware Platform API. When this policy is set to disabled or isn't set, no extensions are allowed to use the Enterprise Hardware Platform API. This policy also applies to component extensions.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EnterpriseHardwarePlatformAPIEnabled
GP name: Allow managed extensions to use the Enterprise Hardware Platform API
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Re-enable the Event.path API until Microsoft Edge version 115 (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 115.
Supported versions:
On Windows and macOS since 107, until 115
Description
Starting in Microsoft Edge version 109, the nonstandard API Event.path is removed to improve web compatibility. This policy re-enables the API until version 115.
If you enable this policy, the Event.path API is available.
If you disable this policy, the Event.path API is unavailable.
If you don't configure this policy, the Event.path API is in the following default states: available before version 109, and unavailable in version 109 to version 114.
This policy is made obsolete after Microsoft Edge version 115.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: EventPathEnabled
GP name: Re-enable the Event.path API until Microsoft Edge version 115 (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Disable download file type extension-based warnings for specified file types on domains (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 109.
Supported versions:
On Windows and macOS since 85, until 109
Description
This policy is obsolete and replaced by ExemptFileTypeDownloadWarnings because of a type mismatch that caused errors on Mac.
You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that are exempted from file type extension-based download warnings. This exemption lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users don't see a warning when downloading "jnlp" files from "website1.com" but see a download warning when downloading "jnlp" files from "website2.com".
Files with file type extensions specified for domains identified by this policy are still subject to nonfile type extension-based security warnings such as mixed-content download warnings and Microsoft Defender SmartScreen warnings.
If you disable this policy or don't configure it, file types that trigger extension-based download warnings show warnings to the user.
If you enable this policy:
* The URL pattern should be formatted according to https://go.microsoft.com/fwlink/?linkid=2095322.
* The file type extension entered must be in lowercase ASCII. The leading separator shouldn't be included when listing the file type extension; for example, list "jnlp" instead of ".jnlp".
Example:
The following example value prevents file type extension-based download warnings on swf, exe, and jnlp extensions for *.contoso.com domains. It shows the user a file type extension-based download warning on any other domain for exe and jnlp files but not for swf files.
While the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension isn't recommended due to security concerns. It's shown in the example merely to demonstrate the ability to do so.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
GP name: Disable download file type extension-based warnings for specified file types on domains (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Disable download file type extension-based warnings for specified file types on domains
Supported versions:
On Windows and macOS since 105 or later
Description
You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that are exempted from file type extension-based download warnings. This exemption lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users can't see a warning when downloading "jnlp" files from "website1.com" but can see a download warning when downloading "jnlp" files from "website2.com".
Files with file type extensions specified for domains identified by this policy are still subject to nonfile type extension-based security warnings such as mixed-content download warnings and Microsoft Defender SmartScreen warnings.
If you disable this policy or don't configure it, file types that trigger extension-based download warnings show warnings to the user.
If you enable this policy:
* The URL pattern should be formatted according to https://go.microsoft.com/fwlink/?linkid=2095322.
* The file type extension entered must be in lowercase ASCII. The leading separator shouldn't be included when listing the file type extension; for example, list "jnlp" instead of ".jnlp".
Example:
The following example value prevents file type extension-based download warnings on swf, exe, and jnlp extensions for *.contoso.com domains. It shows the user a file type extension-based download warning on any other domain for exe and jnlp files, but not for swf files.
While the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension isn't recommended due to security concerns. It's shown in the example merely to demonstrate the ability to do so.
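The exemption rules described above, as an added example that is not part of the original reference: it lints an ExemptFileTypeDownloadWarnings value for malformed extensions and for all-domain suppression of a dangerous type, then evaluates which downloads would lose the extension-based warning. The sample entries, the short dangerous-extension set, and the simplified host-only matching (scheme, port and path parts of the URL pattern format are not handled) are assumptions of this example.

```python
# Added example: review an ExemptFileTypeDownloadWarnings value before deployment.
# Constructed sample value, modelled on the cases the page describes.
SAMPLE_EXEMPTIONS = [
    {"file_extension": "jnlp", "domains": ["website1.com"]},
    {"file_extension": "exe", "domains": ["contoso.com"]},
    {"file_extension": "swf", "domains": ["*"]},
    {"file_extension": ".JNLP", "domains": ["website3.com"]},
]

# Assumption: an illustrative set only; the browser's real list is not on the page.
DANGEROUS_EXTENSIONS = {"exe", "jnlp", "swf"}


def lint_exemptions(policy, dangerous=DANGEROUS_EXTENSIONS):
    """Return (entry_index, message) tuples for every problem found."""
    findings = []
    for index, entry in enumerate(policy):
        extension = entry.get("file_extension", "")
        domains = entry.get("domains", [])
        if extension.startswith("."):
            findings.append((index, "drop the leading separator from the extension"))
        if not extension.isascii() or extension != extension.lower():
            findings.append((index, "extension must be lowercase ASCII"))
        # The page advises against suppressing warnings on all domains
        # for any dangerous file type extension.
        if "*" in domains and extension.lstrip(".").lower() in dangerous:
            findings.append((index, "dangerous type exempted on all domains"))
    return findings


def host_matches(pattern, host):
    """Simplified host-only matching (assumption): "*" matches every host,
    otherwise the host must equal the pattern or be a subdomain of it."""
    if pattern == "*":
        return True
    pattern, host = pattern.lower(), host.lower()
    return host == pattern or host.endswith("." + pattern)


def warning_suppressed(policy, extension, host):
    """True if the extension-based warning would be skipped for this download.

    Entries are compared as written, so a malformed extension such as
    ".JNLP" never matches here. Other warnings (mixed content, Microsoft
    Defender SmartScreen) are outside this check and still apply.
    """
    wanted = extension.lower().lstrip(".")
    return any(
        entry.get("file_extension") == wanted
        and any(host_matches(pattern, host) for pattern in entry.get("domains", []))
        for entry in policy
    )


if __name__ == "__main__":
    for index, message in lint_exemptions(SAMPLE_EXEMPTIONS):
        print(f"entry {index}: {message}")
    for extension, host in [("jnlp", "website1.com"), ("jnlp", "website2.com")]:
        state = "suppressed" if warning_suppressed(SAMPLE_EXEMPTIONS, extension, host) else "shown"
        print(f"{extension} from {host}: warning {state}")
```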
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExemptFileTypeDownloadWarnings
GP name: Disable download file type extension-based warnings for specified file types on domains
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control communication with the Experimentation and Configuration Service
Supported versions:
On Windows and macOS since 77 or later
Description
The Experimentation and Configuration Service is used to deploy Experimentation and Configuration payloads to the client.
Experimentation payload consists of a list of early-in-development features that Microsoft is enabling for testing and feedback.
Configuration payload consists of a list of recommended settings that Microsoft wants to deploy to optimize the user experience.
Configuration payload may also contain a list of actions to take on certain domains for compatibility reasons. For example, the browser may override the User Agent string on a website if that website is broken. Each of these actions is intended to be temporary while Microsoft tries to resolve the issue with the site owner.
If you set this policy to 'FullMode', the full payload is downloaded from the Experimentation and Configuration Service. This includes both the experimentation and configuration payloads.
If you set this policy to 'ConfigurationsOnlyMode', only the configuration payload is downloaded.
If you set this policy to 'RestrictedMode', the communication with the Experimentation and Configuration Service is stopped completely. Microsoft doesn't recommend this setting.
If you don't configure this policy on a managed device, the behavior on Beta and Stable channels is the same as the 'ConfigurationsOnlyMode'. On Canary and Dev channels, the behavior is the same as 'FullMode'.
If you don't configure this policy on an unmanaged device, the behavior is the same as the 'FullMode'.
Policy options mapping:
* FullMode (2) = Retrieve configurations and experiments
* ConfigurationsOnlyMode (1) = Retrieve configurations only
* RestrictedMode (0) = Disable communication with the Experimentation and Configuration Service
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExperimentationAndConfigurationServiceControl
GP name: Control communication with the Experimentation and Configuration Service
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
There's a list of restricted ports built into Microsoft Edge. Connections to these ports fail. This policy allows bypassing that list. The set of ports is defined as a comma-separated list that outgoing connections should be permitted on.
Ports are restricted to prevent Microsoft Edge from being used as a vector to exploit various network vulnerabilities. Setting this policy exposes your network to attacks. This policy is intended as a temporary workaround for error code "ERR_UNSAFE_PORT" while migrating a service running on a blocked port to a standard port (for example, port 80 or 443).
Malicious websites can easily detect that this policy is set. They also detect the ports for which this policy is set, and then they use that information to target attacks.
Each port listed in this policy is labeled with a date until which that port can be unblocked. After that date, the port is restricted, regardless of whether it's specified by the value of this policy.
Leaving the value empty or unset means that all restricted ports are blocked. Invalid port values set through this policy are ignored while valid ones are still applied.
This policy overrides the "--explicitly-allowed-ports" command-line option.
Policy options mapping:
* 554 (554) = port 554 (can be unblocked until 2021/10/15)
* 10080 (10080) = port 10080 (can be unblocked until 2022/04/01)
* 6566 (6566) = port 6566 (can be unblocked until 2021/10/15)
* 989 (989) = port 989 (can be unblocked until 2022/02/01)
* 990 (990) = port 990 (can be unblocked until 2022/02/01)
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExplicitlyAllowedNetworkPorts
GP name: Explicitly allowed network ports
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
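An added example (not part of Microsoft's reference): a Python check that parses the ExplicitlyAllowedNetworkPorts mapping lines above into unblock deadlines and classifies each configured entry as still active, expired, or ignored. The function names, the sample policy value and the audit date are constructed for illustration; treating anything other than a plain decimal string as ignored is an assumption, not documented Edge behavior.

```python
import re
from datetime import date

# Mapping lines copied verbatim from the policy description above.
MAPPING_TEXT = """\
* 554 (554) = port 554 (can be unblocked until 2021/10/15)
* 10080 (10080) = port 10080 (can be unblocked until 2022/04/01)
* 6566 (6566) = port 6566 (can be unblocked until 2021/10/15)
* 989 (989) = port 989 (can be unblocked until 2022/02/01)
* 990 (990) = port 990 (can be unblocked until 2022/02/01)
"""

MAPPING_RE = re.compile(
    r"^\*\s*(\d+)\s*\(\d+\)\s*=\s*port\s+\d+\s*"
    r"\(can be unblocked until (\d{4})/(\d{2})/(\d{2})\)$"
)


def parse_unblock_deadlines(text):
    """Build {port: last day the port can be unblocked} from mapping lines."""
    deadlines = {}
    for line in text.splitlines():
        match = MAPPING_RE.match(line.strip())
        if match:
            port, year, month, day = (int(g) for g in match.groups())
            deadlines[port] = date(year, month, day)
    return deadlines


def audit_allowed_ports(policy_value, today, deadlines):
    """Classify each entry of a configured ExplicitlyAllowedNetworkPorts list.

    active  -> {port: days left before the port is restricted again}
    expired -> {port: deadline that has already passed}
    ignored -> entries that are not a port in the mapping (assumption:
               only plain decimal strings are treated as port numbers)
    """
    report = {"active": {}, "expired": {}, "ignored": []}
    for entry in policy_value or []:
        text = str(entry)
        port = int(text) if text.isascii() and text.isdigit() else None
        deadline = deadlines.get(port)
        if deadline is None:
            report["ignored"].append(entry)
        elif today <= deadline:
            # "After that date, the port is restricted": the deadline day
            # itself still counts as unblocked.
            report["active"][port] = (deadline - today).days
        else:
            report["expired"][port] = deadline
    return report


if __name__ == "__main__":
    deadlines = parse_unblock_deadlines(MAPPING_TEXT)
    # Constructed policy value and audit date.
    sample_value = ["554", "989", "10080", "8080", "ftps"]
    report = audit_allowed_ports(sample_value, date(2021, 12, 1), deadlines)
    for port, days in sorted(report["active"].items()):
        print(f"port {port}: still unblocked, {days} days left to migrate")
    for port, deadline in sorted(report["expired"].items()):
        print(f"port {port}: entry is dead configuration since {deadline}")
    for entry in report["ignored"]:
        print(f"{entry!r}: not in the mapping, has no effect")
```

Every active entry is a finding to track against its migration deadline; every expired or ignored entry is configuration that no longer does anything and can be removed.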
Show an "Always open" checkbox in external protocol dialog
Supported versions:
On Windows and macOS since 79 or later
Description
This policy controls whether the "Always allow this site to open links of this type" checkbox is shown on external protocol launch confirmation prompts. This policy only applies to https:// links.
If you enable this policy, when an external protocol confirmation prompt is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
If you disable this policy, the "Always allow" checkbox isn't displayed. The user is prompted for confirmation every time an external protocol is invoked.
Prior to Microsoft Edge 83, if you don't configure this policy, the "Always allow" checkbox isn't displayed. The user is prompted for confirmation every time an external protocol is invoked.
On Microsoft Edge 83, if you don't configure this policy, the checkbox visibility is controlled by the "Enable remembering protocol launch prompting preferences" flag in edge://flags.
As of Microsoft Edge 84, if you don't configure this policy, when an external protocol confirmation prompt is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ExternalProtocolDialogShowAlwaysOpenCheckbox
GP name: Show an "Always open" checkbox in external protocol dialog
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow users to configure Family safety and Kids Mode
Supported versions:
On Windows and macOS since 83 or later
Description
This policy disables two family safety-related features in the browser. This hides the Family page inside Settings, and navigation to edge://settings/family is blocked. The family settings page describes what features are available with family groups with Microsoft Family Safety. Learn more about Family Safety here: (https://go.microsoft.com/fwlink/?linkid=2098432). Starting in Microsoft Edge version 90, this policy also disables Kids Mode, a kid-friendly browsing mode with custom themes and allow list browsing that requires the device password to exit. Learn more about Kids Mode here: (https://go.microsoft.com/fwlink/?linkid=2146910)
If you enable this policy or don't configure it, the family page in Settings is shown and Kids Mode is available.
If you disable this policy, the family page isn't shown, and Kids Mode is hidden.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: FamilySafetySettingsEnabled
GP name: Allow users to configure Family safety and Kids Mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls the duration (in seconds) that keepalive requests are allowed to prevent the browser from completing its shutdown.
If you configure this policy, the browser blocks completing shutdown while it processes any outstanding keepalive requests (see https://fetch.spec.whatwg.org/#request-keepalive-flag) up to the maximum period of time specified by this policy.
If you disable or don't configure this policy, the default value of 0 seconds is used, and the outstanding keepalive requests are immediately cancelled during browser shutdown.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: FetchKeepaliveDurationSecondsOnShutdown
GP name: Fetch keepalive duration on shutdown
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow file or directory picker APIs to be called without prior user gesture
Supported versions:
On Windows and macOS since 123 or later
Description
For security reasons, the showOpenFilePicker(), showSaveFilePicker(), and showDirectoryPicker() web APIs require a prior user gesture ("transient activation") to be called; otherwise, they fail.
If you enable this policy, admins can specify origins on which these APIs can be called without prior user gesture.
Ensure that queries in Bing web search are done with SafeSearch set to the value specified. Users can't change this setting.
If you configure this policy to 'BingSafeSearchNoRestrictionsMode', SafeSearch in Bing search falls back to the bing.com value.
If you configure this policy to 'BingSafeSearchModerateMode', the moderate setting is used in SafeSearch. The moderate setting filters adult videos and images but not text from search results.
If you configure this policy to 'BingSafeSearchStrictMode', the strict setting in SafeSearch is used. The strict setting filters adult text, images, and videos.
If you disable this policy or don't configure it, SafeSearch in Bing search isn't enforced, and users can set the value they want on bing.com.
Policy options mapping:
* BingSafeSearchNoRestrictionsMode (0) = Don't configure search restrictions in Bing
* BingSafeSearchModerateMode (1) = Configure moderate search restrictions in Bing
* BingSafeSearchStrictMode (2) = Configure strict search restrictions in Bing
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceBingSafeSearch
GP name: Enforce Bing SafeSearch
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Forces Microsoft Edge to use its built-in WNS push client to connect to the Windows Push Notification Service.
Supported versions:
On Windows since 118 or later
Description
In some environments, the Windows OS client can't connect to the Windows Push Notification Service (WNS). For these environments, you can use the Microsoft Edge built-in WNS push client, which can connect successfully.
If enabled, Microsoft Edge uses its built-in WNS push client to connect to WNS.
If disabled or not configured, Microsoft Edge uses the Windows OS client to connect to the Windows Push Notification Service. This is the default setting.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceBuiltInPushMessagingClient
GP name: Forces Microsoft Edge to use its built-in WNS push client to connect to the Windows Push Notification Service.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure whether Microsoft Edge should automatically select a certificate when there are multiple certificate matches for a site configured with "AutoSelectCertificateForUrls" (deprecated)
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 81 or later
Description
This policy is deprecated because we are moving to a new policy. It won't work in Microsoft Edge version 104. The new policy to use is PromptOnMultipleMatchingCertificates.
Toggles whether users are prompted to select a certificate if there are multiple certificates available and a site is configured with AutoSelectCertificateForUrls. If you don't configure AutoSelectCertificateForUrls for a site, the user is always prompted to select a certificate.
If you enable this policy, Microsoft Edge prompts a user to select a certificate for sites on the list defined in AutoSelectCertificateForUrls if and only if there's more than one certificate.
If you disable or don't configure this policy, Microsoft Edge automatically selects a certificate even if there are multiple matches for a certificate. The user won't be prompted to select a certificate for sites on the list defined in AutoSelectCertificateForUrls.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceCertificatePromptsOnMultipleMatches
GP name: Configure whether Microsoft Edge should automatically select a certificate when there are multiple certificate matches for a site configured with "AutoSelectCertificateForUrls" (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls whether user profiles are switched to ephemeral mode. An ephemeral profile is created when a session begins, is deleted when the session ends, and is associated with the user's original profile.
If you enable this policy, profiles run in ephemeral mode. This lets users work from their own devices without saving browsing data to those devices. If you enable this policy as an OS policy (by using GPO on Windows, for example), it applies to every profile on the system.
If you disable this policy or don't configure it, users get their regular profiles when they sign in to the browser.
In ephemeral mode, profile data is saved on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies, and web databases aren't saved after the browser is closed. This doesn't prevent a user from manually downloading any data to disk, or from saving pages or printing them. If the user has enabled sync, all data is preserved in their sync accounts just like with regular profiles. Users can also use InPrivate browsing in ephemeral mode unless you explicitly disable this.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceEphemeralProfiles
GP name: Enable use of ephemeral profiles
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy controls whether background web content runs at foreground priority.
By default, the browser optimizes resource usage by lowering the scheduling priority of content in background tabs. This helps improve overall system responsiveness and performance for the active tab.
If you enable this policy, background web content runs at the same foreground priority as the active tab, regardless of visibility state.
If you disable or don't configure this policy, the browser determines the priority of web content based on standard heuristics. For example, content that is not visible, not playing audio, and not participating in video calls may be deprioritized.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceForegroundPriorityForAllTabs
GP name: Force foreground priority for all tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Use a default referrer policy of no-referrer-when-downgrade (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 88.
Supported versions:
On Windows and macOS since 81, until 88
Description
This policy doesn't work because it was only intended to be a short-term mechanism to give enterprises more time to update their web content if it was found to be incompatible with the new default referrer policy.
Microsoft Edge's default referrer policy was strengthened from the value of no-referrer-when-downgrade to the more secure strict-origin-when-cross-origin.
When this enterprise policy is enabled, Microsoft Edge's default referrer policy will be set to its old value of no-referrer-when-downgrade.
This enterprise policy is disabled by default.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceLegacyDefaultReferrerPolicy
GP name: Use a default referrer policy of no-referrer-when-downgrade (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable or disable freezing the User-Agent string at major version 99 (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 117.
Supported versions:
On Windows and macOS since 99, until 117
Description
This policy was removed in Microsoft Edge 118 and is ignored if configured.
This policy controls whether the User-Agent string major version should be frozen at 99.
The User-Agent request header lets websites identify the application, operating system, vendor, and/or version of the requesting user agent. Some websites make assumptions about how this header is formatted and may encounter issues with version strings that include three digits in the major position (for example, 100.0.0.0).
If you set this policy to 'Default' or don't configure it, then it defaults to browser settings for the User-Agent string major version. If you set this policy to 'ForceEnabled', the User-Agent string will always report the major version as 99 and include the browser's major version in the minor position. For example, browser version 101.0.0.0 would send a User-Agent request header that reports version 99.101.0.0. If you set this policy to 'ForceDisabled', the User-Agent string won't freeze the major version.
This policy is temporary and will be deprecated in the future. If this policy and User-Agent Reduction are both enabled, the User-Agent version string will always be 99.0.0.0.
Policy options mapping:
* Default (0) = Default to browser settings for User-Agent string version.
* ForceDisabled (1) = The User-Agent string won't freeze the major version.
* ForceEnabled (2) = The User-Agent string will freeze the major version as 99 and include the browser's major version in the minor position.
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceMajorVersionToMinorPositionInUserAgent
GP name: Enable or disable freezing the User-Agent string at major version 99 (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Force networking code to run in the browser process (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 83.
Supported versions:
On Windows since 78, until 83
Description
This policy doesn't work because it was only intended to be a short-term mechanism to give enterprises more time to migrate to third-party software that doesn't depend on hooking networking APIs. Proxy servers are recommended over LSPs and Win32 API patching.
This policy forces networking code to run in the browser process.
This policy is disabled by default. If enabled, users are open to security issues when the networking process is sandboxed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceNetworkInProcess
GP name: Force networking code to run in the browser process (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Controls whether unload event handlers can be disabled.
Supported versions:
On Windows and macOS since 118 or later
Description
unload event handlers are being deprecated. Whether they fire depends on the unload Permissions-Policy. Currently, the policy allows them by default. In the future, they move to being disallowed by default, and sites must explicitly enable them using Permissions-Policy headers. This enterprise policy can be used to opt out of this gradual deprecation by forcing the default to stay enabled.
Pages might depend on unload event handlers to save data or to signal the end of a user session to the server. This dependency isn't recommended because it's unreliable and impacts performance by blocking use of BackForwardCache. Recommended alternatives exist, but the unload event has been used for a long time. Some applications might still rely on them.
If you disable this policy or don't configure it, unload event handlers are gradually deprecated in line with the deprecation rollout, and sites that don't set the Permissions-Policy header stop firing unload events.
If you enable this policy, the unload event handlers continue to work by default.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForcePermissionPolicyUnloadDefaultEnabled
GP name: Controls whether unload event handlers can be disabled.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Force synchronization of browser data and do not show the sync consent prompt
Supported versions:
On Windows and macOS since 86 or later
Description
Forces data synchronization in Microsoft Edge. This policy also prevents the user from turning off sync.
If you don't configure this policy, users can turn on or turn off sync. If you enable this policy, users can't turn off sync.
For this policy to work as intended, the BrowserSignin policy must not be configured, or must be set to enabled. If BrowserSignin is set to disabled, then ForceSync doesn't take effect.
SyncDisabled must not be configured or must be set to False. If SyncDisabled is set to True, ForceSync doesn't take effect. If you wish to ensure specific datatypes sync or don't sync, use the ForceSyncTypes policy and SyncTypesListDisabled policy, respectively.
* 0 = Do not automatically start sync and show the sync consent (default)
* 1 = Force sync to turn on for Azure AD/Azure AD-Degraded user profile and do not show the sync consent prompt
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceSync
GP name: Force synchronization of browser data and do not show the sync consent prompt
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the list of types that are included for synchronization
Supported versions:
On Windows and macOS since 96 or later
Description
If you enable this policy, all the specified data types are included for synchronization for Azure AD/Azure AD-Degraded user profiles. This policy can be used to ensure the type of data uploaded to the Microsoft Edge synchronization service.
You can provide one of the following data types for this policy: "favorites", "settings", "passwords", "addressesAndMore", "extensions", "history", "openTabs", "edgeWallet", "collections", "apps", and "edgeFeatureUsage". The "edgeFeatureUsage" data type is supported starting in Microsoft Edge version 134. Note that these data type names are case sensitive.
Users can't override the enabled data types.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceSyncTypes
GP name: Configure the list of types that are included for synchronization
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
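An added example (not part of Microsoft's reference): a Python consistency check over the sync policies described above, covering the ForceSync preconditions and the case-sensitive ForceSyncTypes names. The dictionary layout, the function name and the sample values are constructed; representing "BrowserSignin disabled" as the integer 0 is an assumption, and the overlap check only flags entries for review because the page does not say which policy wins.

```python
# Data type names exactly as listed in the ForceSyncTypes description.
SYNC_TYPES = (
    "favorites", "settings", "passwords", "addressesAndMore", "extensions",
    "history", "openTabs", "edgeWallet", "collections", "apps",
    "edgeFeatureUsage",
)
# "edgeFeatureUsage" is supported starting in Microsoft Edge version 134.
MIN_EDGE_VERSION = {"edgeFeatureUsage": 134}

# Constructed policy set with several mistakes in it.
SAMPLE = {
    "ForceSync": True,
    "BrowserSignin": 0,          # assumption: 0 means "disabled"
    "SyncDisabled": True,
    "ForceSyncTypes": ["passwords", "Favorites", "edgeFeatureUsage", "bookmarks"],
    "SyncTypesListDisabled": ["passwords"],
}


def audit_sync_policies(policies, edge_major):
    """Return a list of (policy, message) findings for a policy dictionary."""
    findings = []

    # ForceSync needs BrowserSignin unset or enabled, and SyncDisabled unset
    # or False; otherwise it silently does nothing.
    if policies.get("ForceSync"):
        if policies.get("BrowserSignin") == 0:
            findings.append(("ForceSync", "no effect: BrowserSignin is disabled"))
        if policies.get("SyncDisabled"):
            findings.append(("ForceSync", "no effect: SyncDisabled is True"))

    # ForceSyncTypes names are case sensitive, so "Favorites" is not
    # "favorites". Suggest the listed spelling when only the case differs.
    by_lowercase = {name.lower(): name for name in SYNC_TYPES}
    forced = policies.get("ForceSyncTypes") or []
    for entry in forced:
        if entry in SYNC_TYPES:
            needed = MIN_EDGE_VERSION.get(entry, 0)
            if edge_major < needed:
                findings.append(
                    ("ForceSyncTypes", f"{entry!r} needs Edge {needed} or later"))
        elif entry.lower() in by_lowercase:
            findings.append(
                ("ForceSyncTypes",
                 f"{entry!r} must be spelled {by_lowercase[entry.lower()]!r}"))
        else:
            findings.append(
                ("ForceSyncTypes", f"{entry!r} is not a listed data type"))

    # A type that is both forced and disabled is contradictory; flag it.
    disabled = policies.get("SyncTypesListDisabled") or []
    for entry in sorted(set(forced) & set(disabled)):
        findings.append(
            ("SyncTypesListDisabled", f"{entry!r} is also in ForceSyncTypes"))
    return findings


if __name__ == "__main__":
    for policy, message in audit_sync_policies(SAMPLE, edge_major=120):
        print(f"{policy}: {message}")
```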
Enforces a minimum Restricted Mode on YouTube and prevents users from picking a less restricted mode.
Set to 'Strict' to enforce Strict Restricted Mode on YouTube.
Set to 'Moderate' to enforce the user to only use Moderate Restricted Mode and Strict Restricted Mode on YouTube. They can't disable Restricted Mode.
Set to 'Off' or don't configure this policy to not enforce Restricted Mode on YouTube. External policies such as YouTube policies might still enforce Restricted Mode.
Policy options mapping:
* Off (0) = Do not enforce Restricted Mode on YouTube
* Moderate (1) = Enforce at least Moderate Restricted Mode on YouTube
* Strict (2) = Enforce Strict Restricted Mode for YouTube
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: ForceYouTubeRestrict
GP name: Force minimum YouTube Restricted Mode
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy configures a single global per profile cache with HTTP server authentication credentials.
If you disable or don't set this policy, the browser uses the default behavior of cross-site auth. This behavior is to scope HTTP server authentication credentials by top-level site. So, if two sites use resources from the same authenticating domain, credentials need to be provided independently in the context of both sites. Cached proxy credentials are reused across sites.
If you enable this policy, HTTP auth credentials entered in the context of one site are automatically used in the context of another site.
Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures and will be removed in the future.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: GloballyScopeHTTPAuthCacheEnabled
GP name: Enable globally scoped HTTP auth cache
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Force direct intranet site navigation instead of searching on single word entries in the Address Bar
Supported versions:
On Windows and macOS since 78 or later
Description
If you enable this policy, the top autosuggest result in the address bar suggestion list navigates to intranet sites if the text entered in the address bar is a single word without punctuation.
Default navigation when typing a single word without punctuation conducts a navigation to an intranet site matching the entered text.
If you enable this policy, the second autosuggest result in the address bar suggestion list conducts a web search exactly as it was entered, if this text is a single word without punctuation. The default search provider is used unless a policy to prevent web search is also enabled.
Two effects of enabling this policy are:
* Navigation to sites in response to single word queries that would typically resolve to a history item will no longer happen. Instead, the browser will attempt to navigate to internal sites that may not exist in an organization's intranet. This will result in a 404 error.
* Popular, single-word search terms will require manual selection of search suggestions to properly conduct a search.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: GoToIntranetSiteForSingleWordEntryInAddressBar
GP name: Force direct intranet site navigation instead of searching on single word entries in the Address Bar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the list of names that will bypass the HSTS policy check
Supported versions:
On Windows and macOS since 79 or later
Description
Setting the policy specifies a list of hostnames that bypass preloaded HSTS (HTTP Strict Transport Security) upgrades from http to https.
Only single-label hostnames are allowed in this policy, and this policy only applies to static HSTS-preloaded entries (for example, "app", "new", "search", and "play"). This policy doesn't prevent HSTS upgrades for servers that have dynamically requested HSTS upgrades using a Strict-Transport-Security response header.
Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific single-label hostnames specified and not to subdomains of those names.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: HSTSPolicyBypassList
GP name: Configure the list of names that will bypass the HSTS policy check
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable this policy, or leave it unconfigured, graphics acceleration will be utilized if it’s available. If you disable this policy, graphics acceleration is turned off.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HardwareAccelerationModeEnabled
GP name: Use graphics acceleration when available
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable this policy, the First-run experience and the splash screen won't be shown to users when they run Microsoft Edge for the first time.
For the configuration options shown in the First Run Experience, the browser defaults to the following results:
- On the New Tab Page, the feed type is set to MSN News and the layout to Inspirational.
- The user is still automatically signed in to Microsoft Edge if the Windows account is of Azure AD or MSA type.
- Sync won't be enabled by default and users will be prompted to choose whether they'd like to sync on browser startup. You can use the ForceSync or the SyncDisabled policy to configure sync and the sync consent prompt.
If you disable or don't configure this policy, the First-run experience and the Splash screen will be shown.
Note: The specific configuration options shown to the user in the First Run Experience can also be managed by using other specific policies. You can use the HideFirstRunExperience policy in combination with these policies to configure a specific browser experience on your managed devices. Some of these other policies are:
Hide the one-time redirection dialog and the banner on Microsoft Edge
Supported versions:
On Windows since 87 or later
Description
This policy gives an option to disable the one-time redirection dialog and the banner. If you enable this policy, users see neither the one-time dialog nor the banner. Users continue to be redirected to Microsoft Edge when they encounter an incompatible website on Internet Explorer; however, their browsing data isn't imported.
- If you enable this policy, the one-time redirection dialog and banner are never shown to users. Users' browsing data isn't imported when a redirection happens.
- If you disable or don't set this policy, the redirection dialog is shown on the first redirection, and the persistent redirection banner is shown to users on sessions that begin with a redirection. Users' browsing data will be imported every time the user encounters such a redirection (ONLY IF the user consents to it on the one-time dialog).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HideInternetExplorerRedirectUXForIncompatibleSitesEnabled
GP name: Hide the one-time redirection dialog and the banner on Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy gives an option to hide the "Restore pages" dialog after Microsoft Edge has crashed. The "Restore pages" dialog gives users the option to restore the pages that were previously open before Microsoft Edge crashed.
If you enable this policy, the "Restore pages" dialog isn't shown. In the event of a crash, Microsoft Edge doesn't restore previous tabs and starts the session with a new tab page.
If you disable or don't set this policy, the "Restore pages" dialog is shown.
Setting the policy specifies a list of hostnames or hostname patterns (such as '[*.]example.com') that won't be upgraded to HTTPS. Organizations can use this policy to maintain access to servers that don't support HTTPS, without needing to disable HttpsUpgradesEnabled.
Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase.
Blanket host wildcards (that is, "*" or "[*]") aren't allowed. Instead, HTTPS-First Mode and HTTPS Upgrades should be explicitly disabled via their specific policies.
Note: This policy doesn't apply to HSTS upgrades.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: HttpAllowlist
GP name: HTTP Allowlist
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
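The HttpAllowlist canonicalization rules above (A-label IDNs, lowercase ASCII letters, no blanket wildcards) can be checked before a list is deployed. The following Python linter is an added example, not part of the Microsoft Edge documentation; the function names and sample entries are constructed, and the URL check and the letters-digits-hyphens hostname check are assumptions that go beyond the policy text.

```python
import re

WILDCARD_PREFIX = "[*.]"           # pattern prefix shown in the policy description
BLANKET_WILDCARDS = {"*", "[*]"}   # explicitly rejected by the policy
# Assumption: after conversion, labels contain only letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.?")


def canonicalize(entry):
    """Return (canonical, problems) for one HttpAllowlist entry.

    canonical is None when the entry has to be fixed by hand.
    An empty problems list means the entry is already canonical.
    """
    if entry in BLANKET_WILDCARDS:
        return None, ["blanket wildcard is not allowed"]
    # Assumption: anything containing a slash is a URL, not a hostname pattern.
    if "/" in entry:
        return None, ["expected a hostname or hostname pattern, not a URL"]

    prefix, host = "", entry
    if entry.startswith(WILDCARD_PREFIX):
        prefix, host = WILDCARD_PREFIX, entry[len(WILDCARD_PREFIX):]
    if not host:
        return None, ["empty hostname"]
    if "*" in host or "[" in host or "]" in host:
        return None, ["unrecognized wildcard form; the policy text documents only '[*.]'"]

    try:
        # The stdlib "idna" codec converts U-labels to A-labels (IDNA 2003).
        ascii_host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None, ["hostname cannot be converted to A-label form"]
    if not HOSTNAME_RE.fullmatch(ascii_host):
        return None, ["not a valid hostname"]

    problems = []
    if not host.isascii():
        problems.append("IDN must be written in A-label (xn--) form")
    if any(c.isascii() and c.isupper() for c in host):
        problems.append("ASCII letters must be lowercase")
    return prefix + ascii_host, problems


def lint_http_allowlist(entries):
    """Return (entry, canonical, problems) for every entry that needs attention."""
    findings = []
    for entry in entries:
        canonical, problems = canonicalize(entry)
        if problems:
            findings.append((entry, canonical, problems))
    return findings


# Constructed sample list, as an administrator might draft it.
SAMPLE_ENTRIES = [
    "legacy.example.com",          # already canonical
    "[*.]intranet.example",        # already canonical
    "Printer01.Example.COM",       # uppercase ASCII letters
    "[*.]b\u00fccher.example",     # IDN written as a U-label (u-umlaut escaped)
    "*",                           # blanket wildcard
    "http://old.example.com/",     # URL instead of a hostname
]

if __name__ == "__main__":
    for entry, canonical, problems in lint_http_allowlist(SAMPLE_ENTRIES):
        fix = canonical if canonical is not None else "(fix by hand)"
        print(f"{entry!r}: {'; '.join(problems)} -> {fix}")
```

Entries that come back with a canonical form can be replaced by it directly; entries with `None` need a decision from the administrator, for example disabling HttpsUpgradesEnabled instead of using a blanket wildcard.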
This policy controls whether users can enable HTTPS-Only Mode (Always Use Secure Connections) in Settings. HTTPS-Only Mode attempts to upgrade all navigation to HTTPS.
If this setting isn't set or is set to Allowed, users are able to enable HTTPS-Only Mode. If this setting is set to Disallowed, HTTPS-Only Mode will be disabled. If this setting is set to Force Enabled, HTTPS-Only Mode is enabled in Strict mode. If this setting is set to Force Balance Enabled, HTTPS-Only Mode is enabled in Balanced mode.
The settings Force Enabled and Force Balance Enabled can be recommended to users. HTTPS-Only Mode will be set to Strict or Balanced initially, but users are allowed to change it.
If you set this policy to a value that isn't supported by the version of Microsoft Edge that receives the policy, Microsoft Edge defaults to the Allowed setting.
The separate HttpAllowlist policy can be used to exempt specific hostnames or hostname patterns from being upgraded to HTTPS by this feature.
As of Microsoft Edge version 120, Microsoft Edge tries to upgrade HTTP navigations to HTTPS, whenever possible, to improve security. Navigations to captive portals, IP addresses, and nonunique hostnames are excluded from automatic upgrades.
If this policy is enabled or not configured, automatic HTTPS upgrades are turned on by default.
If this policy is disabled, Microsoft Edge doesn't attempt to upgrade HTTP connections to HTTPS.
To exempt specific hostnames or hostname patterns from being upgraded, use the HttpAllowlist policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HttpsUpgradesEnabled
GP name: Enable automatic HTTPS upgrades
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
The Sidebar is a launcher bar located on the right side of Microsoft Edge.
If you enable this policy, the Sidebar is always visible.
If you disable this policy, the Sidebar is never shown.
If you don't configure this policy, the Sidebar's visibility follows the user's Microsoft Edge settings.
As of Microsoft Edge version 141, the Microsoft365CopilotChatIconEnabled policy is the only means of controlling the display of Copilot in the toolbar.
Note: The recommended version of this policy, also known as the "Default Settings (users can override)" policy, is obsolete. This policy has never supported the recommended capability.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: HubsSidebarEnabled
GP name: Show Hubs Sidebar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import autofill form data from another browser into Microsoft Edge.
If you enable this policy, the option to manually import autofill data is automatically selected.
If you disable this policy, autofill form data isn't imported at first run, and users can't import it manually.
If you don't configure this policy, autofill data is imported at first run, and users can choose whether to import this data manually during later browsing sessions.
You can set this policy as a recommendation. This means that Microsoft Edge imports autofill data on first run, but users can select or clear the autofill data option during manual import.
Note: This policy currently manages import from Google Chrome (on Windows 7, 8, and 10 and on macOS) and Mozilla Firefox (on Windows 7, 8, and 10 and on macOS) browsers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportAutofillFormData
GP name: Allow importing of autofill form data
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import browser settings from another browser into Microsoft Edge.
If you enable this policy, the **Browser settings** check box is automatically selected in the **Import browser data** dialog box.
If you disable this policy, browser settings aren't imported at first run, and users can't import them manually.
If you don't configure this policy, browser settings are imported at first run, and users can choose whether to import them manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports the settings on first run, but users can select or clear the **browser settings** option during manual import.
**Note**: This policy currently manages importing Google Chrome (on Windows 7, 8, and 10 and on macOS).
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportBrowserSettings
GP name: Allow importing of browser settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import extensions from another browser into Microsoft Edge.
If you enable this policy, the **Extensions** check box is automatically selected in the **Import browser data** dialog box.
If you disable this policy, extensions aren't imported at first run, and users can't import them manually.
If you don't configure this policy, extensions are imported at first run, and users can choose whether to import them manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports extensions on first run, but users can select or clear the **extensions** option during manual import.
**Note**: This policy currently only supports importing from Google Chrome (on Windows 7, 8, and 10 and on macOS).
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportExtensions
GP name: Allow importing of extensions
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import favorites from another browser into Microsoft Edge.
If you enable this policy, the Favorites check box is automatically selected in the Import browser data dialog box.
If you disable this policy, favorites aren't imported at first run, and users can't import them manually.
If you don't configure this policy, favorites are imported at first run, and users can choose whether to import them manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports favorites on first run, but users can select or clear the **favorites** option during manual import.
Note: This policy currently manages import from Internet Explorer (on Windows 7, 8, and 10), Google Chrome (on Windows 7, 8, and 10 and on macOS), Mozilla Firefox (on Windows 7, 8, and 10 and on macOS), and Apple Safari (on macOS) browsers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportFavorites
GP name: Allow importing of favorites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import their browsing history from another browser into Microsoft Edge.
If you enable this policy, the Browsing history check box is automatically selected in the Import browser data dialog box.
If you disable this policy, browsing history data isn't imported at first run, and users can't import this data manually.
If you don't configure this policy, browsing history data is imported at first run, and users can choose whether to import it manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports browsing history on first run, but users can select or clear the **history** option during manual import.
Note: This policy currently manages import from Internet Explorer (on Windows 7, 8, and 10), Google Chrome (on Windows 7, 8, and 10 and on macOS), Mozilla Firefox (on Windows 7, 8, and 10 and on macOS), and Apple Safari (on macOS) browsers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportHistory
GP name: Allow importing of browsing history
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import their home page setting from another browser into Microsoft Edge.
If you enable this policy, the option to manually import the home page setting is automatically selected.
If you disable this policy, the home page setting isn't imported at first run, and users can't import it manually.
If you don't configure this policy, the home page setting is imported at first run, and users can choose whether to import this data manually during later browsing sessions.
You can set this policy as a recommendation. This means that Microsoft Edge imports the home page setting on first run, but users can select or clear the **home page** option during manual import.
**Note**: This policy currently manages importing from Internet Explorer (on Windows 7, 8, and 10).
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportHomepage
GP name: Allow importing of home page settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow import of data from other browsers on each Microsoft Edge launch
Supported versions:
On Windows since 104 or later
Description
If you enable this policy, users will see a prompt to import their browsing data from other browsers on each Microsoft Edge launch.
If you disable this policy, users will never see a prompt to import their browsing data from other browsers on each Microsoft Edge launch.
If the policy is left unconfigured, users can activate this feature from a Microsoft Edge prompt or from the Settings page.
Note: A similar policy named AutoImportAtFirstRun exists. This policy should be used if you want to import supported data from other browsers only once while setting up your device.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportOnEachLaunch
GP name: Allow import of data from other browsers on each Microsoft Edge launch
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows users to import open and pinned tabs from another browser into Microsoft Edge.
If you enable this policy, the **Open tabs** check box is automatically selected in the **Import browser data** dialog box.
If you disable this policy, open tabs aren't imported at first run, and users can't import them manually.
If you don't configure this policy, open tabs are imported at first run, and users can choose whether to import them manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports open tabs on first run, but users can select or clear the **Open tabs** option during manual import.
**Note**: This policy currently only supports importing from Google Chrome (on Windows 7, 8, and 10 and on macOS).
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportOpenTabs
GP name: Allow importing of open tabs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import payment info from another browser into Microsoft Edge.
If you enable this policy, the **payment info** check box is automatically selected in the **Import browser data** dialog box.
If you disable this policy, payment info isn't imported at first run, and users can't import it manually.
If you don't configure this policy, payment info is imported at first run, and users can choose whether to import it manually during later browsing sessions.
You can also set this policy as a recommendation. This means that Microsoft Edge imports payment info on first run, but users can select or clear the **payment info** option during manual import.
**Note:** This policy currently manages importing from Google Chrome (on Windows 7, 8, and 10 and on macOS).
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportPaymentInfo
GP name: Allow importing of payment info
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import saved passwords from another browser into Microsoft Edge.
If you enable this policy, the option to manually import saved passwords is automatically selected.
If you disable this policy, saved passwords aren't imported on first run, and users can't import them manually.
If you don't configure this policy, no passwords are imported at first run, and users can choose whether to import them manually during later browsing sessions.
You can set this policy as a recommendation. This means that Microsoft Edge imports passwords on first run, but users can select or clear the **passwords** option during manual import.
Note: This policy currently manages import from Internet Explorer (on Windows 7, 8, and 10), Google Chrome (on Windows 7, 8, and 10 and on macOS), and Mozilla Firefox (on Windows 7, 8, and 10 and on macOS) browsers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportSavedPasswords
GP name: Allow importing of saved passwords
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import search engine settings from another browser into Microsoft Edge.
If you enable this policy, the option to import search engine settings is automatically selected.
If you disable this policy, search engine settings aren't imported at first run, and users can't import them manually.
If you don't configure this policy, search engine settings are imported at first run, and users can choose whether to import this data manually during later browsing sessions.
You can set this policy as a recommendation. This means that Microsoft Edge imports search engine settings on first run, but users can select or clear the **search engine** option during manual import.
**Note**: This policy currently manages importing from Internet Explorer (on Windows 7, 8, and 10).
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportSearchEngine
GP name: Allow importing of search engine settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allows users to import Startup settings from another browser into Microsoft Edge.
If you enable this policy, the Startup settings are always imported.
If you disable this policy, startup settings aren't imported at first run or at manual import.
If you don't configure this policy, startup settings are imported at first run, and users can choose whether to import this data manually by selecting the browser settings option during later browsing sessions.
You can set this policy as a recommendation. This means that Microsoft Edge will import startup settings on first run, but users can select or clear the **browser settings** option during manual import.
**Note**: This policy currently manages importing from Microsoft Edge Legacy and Google Chrome (on Windows 7, 8, and 10) browsers.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ImportStartupPageSettings
GP name: Allow importing of startup page settings
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Microsoft Edge uses the in-app support feature (enabled by default) to allow users to contact our support agents directly from the browser. Also, by default, users can't disable (turn off) the in-app support feature.
If you enable this policy or don't configure it, users can invoke in-app support.
If you disable this policy, users can't invoke in-app support.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InAppSupportEnabled
GP name: In-app support Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specifies whether the user can open pages in InPrivate mode in Microsoft Edge.
If you don't configure this policy or set it to 'Enabled', users can open pages in InPrivate mode.
Set this policy to 'Disabled' to stop users from using InPrivate mode.
Set this policy to 'Forced' to always use InPrivate mode.
The InPrivateModeUrlAllowlist policy takes precedence over this policy and can allow specific URLs to open in InPrivate mode.
If this policy disables InPrivate mode and an allowlist is configured, InPrivate mode is permitted only for URLs that match entries in the allowlist. All other URLs are blocked from opening in InPrivate mode.
Policy options mapping:
* Enabled (0) = InPrivate mode available
* Disabled (1) = InPrivate mode disabled
* Forced (2) = InPrivate mode forced
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: InPrivateModeAvailability
GP name: Configure InPrivate mode availability
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If both this policy and InPrivateModeUrlBlocklist are configured, the allowlist takes precedence. URLs that match a pattern on this allowlist are allowed. URLs that match the blocklist but not this allowlist are blocked. URLs that match neither list fall back to URLBlocklist and URLAllowlist.
If this policy is configured and InPrivateModeUrlBlocklist is not configured, only the URLs specified in this allowlist can be opened in InPrivate mode. All other URLs are blocked.
If InPrivateModeAvailability is set to disallow (value 1) but this policy is configured, InPrivate mode is available only for URLs that match the allowlist.
This policy controls which URLs are blocked from loading in InPrivate mode in Microsoft Edge.
Administrators can specify a list of URL patterns that are blocked when users browse in InPrivate mode. For information about the supported URL pattern format, see https://go.microsoft.com/fwlink/?linkid=2095322.
If both InPrivateModeUrlBlocklist and InPrivateModeUrlAllowlist are configured, the allowlist takes precedence.
- URLs that match the allowlist are allowed.
- URLs that match the blocklist but not the allowlist are blocked.
- URLs that match neither list follow the behavior defined by the general URLBlocklist and URLAllowlist policies.
If InPrivateModeUrlAllowlist is configured and this policy is not configured, only URLs on the allowlist can be opened in InPrivate mode.
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 86 or later
Description
This policy controls the handling of insecure forms (forms submitted over HTTP) embedded in secure (HTTPS) sites in the browser. If you enable this policy or don't set it, a full page warning is shown when an insecure form is submitted. Additionally, a warning bubble is shown next to the form fields when they're focused, and autofill will be disabled for those forms. If you disable this policy, warnings won't be shown for insecure forms, and autofill works normally.
This policy may be removed as soon as Edge 132. The feature is enabled by default since Edge 131.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InsecureFormsWarningsEnabled
GP name: Enable warnings for insecure forms (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
When enabled, the IntensiveWakeUpThrottling feature causes JavaScript timers in background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been backgrounded for 5 minutes or more.
This feature is a web standards compliant feature, but it may break functionality on some websites by causing certain actions to be delayed by up to a minute. However, it results in significant CPU and battery savings when enabled. For more information, see https://bit.ly/30b1XR4.
If you enable this policy, the feature is force enabled, and users can't override this setting. If you disable this policy, the feature is force disabled, and users can't override this setting. If you don't configure this policy, the feature is controlled by its own internal logic. Users can manually configure this setting.
The policy is applied per renderer process, with the most recent value of the policy setting in force when a renderer process starts. A full restart is required to ensure that all the loaded tabs receive a consistent policy setting. It's harmless for processes to be running with different values of this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: IntensiveWakeUpThrottlingEnabled
GP name: Control the IntensiveWakeUpThrottling feature
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Always use the OS capture engine to avoid issues with capturing Internet Explorer mode tabs
Supported versions:
On Windows since 106 or later
Description
Configure this policy to control whether Microsoft Edge will use the "OS capture engine" or the "Browser capture engine" when capturing browser windows in the same process using the screen-share APIs.
You should configure this policy if you want to capture the contents of Internet Explorer mode tabs. However, enabling this policy may negatively impact performance when capturing browser windows in the same process.
This policy only affects window capture, not tab capture. The contents of Internet Explorer mode tabs won't be captured when you choose to capture only a single tab, even if you configure this policy.
If you enable this policy, Microsoft Edge always uses the OS capture engine for window capture. Internet Explorer mode tabs will have their contents captured.
If you disable or don't configure this policy, Microsoft Edge uses the Browser capture engine for browser windows in the same process. Internet Explorer mode tabs in these windows won't have their contents captured.
Wait for Internet Explorer mode tabs to completely unload before ending the browser session
Supported versions:
On Windows since 105 or later
Description
This policy causes Microsoft Edge to continue running until all Internet Explorer tabs have completely finished unloading. This allows Internet Explorer plugins like ActiveX controls to perform other critical work even after the browser has been closed. However, this can cause stability and performance issues, and Microsoft Edge processes may remain active in the background with no visible windows if the webpage or plugin prevents Internet Explorer from unloading. This policy should only be used if your organization depends on a plugin that requires this behavior.
If you enable this policy, Microsoft Edge always waits for Internet Explorer mode tabs to fully unload before ending the browser session.
If you disable or don't configure this policy, Microsoft Edge won't always wait for Internet Explorer mode tabs to fully unload before ending the browser session.
Configure reporting of potentially misconfigured neutral site URLs to the M365 Admin Center Site Lists app
Supported versions:
On Windows since 99 or later
Description
This setting lets you enable reporting of sites that need to be configured as a neutral site on the Enterprise Mode Site List. The user must be signed in to Microsoft Edge with a valid work or school account for reports to be sent, and the user's account tenant must match the tenant specified by the policy.
If you configure this policy, Microsoft Edge sends a report to the Microsoft 365 Admin Center Site Lists app when a navigation appears stuck redirecting back and forth between the Microsoft Edge and Internet Explorer (IE) engines several times. This indicates that redirection to an authentication server is switching engines, which repeatedly fails in a loop. The report shows the URL of the site that's the redirect target, minus any query string or fragment. The user's identity isn't reported.
For this reporting to work correctly, you must have successfully visited the Microsoft Edge Site Lists app in the Microsoft 365 Admin Center at least once. This activates a per-tenant storage account used to store these reports. Microsoft Edge still attempts to send reports if this step hasn't been completed. However, the reports aren't stored in the Site Lists app.
The Microsoft Edge Site Lists setting in the Microsoft 365 Admin Center allows you to host your site list(s) in a compliant cloud location and manage the contents of your site list(s) through the built-in experience. This setting allows you to specify which site list within the Microsoft 365 Admin Center is to be deployed to your users. The user must be signed in to Microsoft Edge with a valid work or school account. Otherwise, Microsoft Edge doesn't download the site list from the cloud location.
If you configure this policy, Microsoft Edge uses the specified site list. When enabled, you can enter the identifier of the site list that you created and published to the cloud in M365 Admin Center.
This setting takes precedence over the InternetExplorerIntegrationSiteList policy of Microsoft Edge as well as Internet Explorer's site list setting (Use the Enterprise mode IE website list). If you disable or don't configure this policy, Microsoft Edge will use the InternetExplorerIntegrationSiteList policy instead.
Configure reporting of IE Mode user list entries to the M365 Admin Center Site Lists app
Supported versions:
On Windows since 99 or later
Description
This setting lets you enable reporting of sites that Microsoft Edge users add to their local IE Mode site list. The user must be signed in to Microsoft Edge with a valid work or school account for reports to be sent, and the user's account tenant must match the tenant that the policy specifies.
If you configure this policy, Microsoft Edge sends a report to the Microsoft 365 Admin Center Site Lists app when a user adds a site to their local IE mode site list. The report shows the URL of the site the user added, minus any query string or fragment. The user's identity isn't reported.
For this reporting to work correctly, you must successfully visit the Microsoft Edge Site Lists app in the Microsoft 365 Admin Center at least once. This visit activates a per-tenant storage account used to store these reports. Microsoft Edge still attempts to send reports if this step isn't completed. However, the reports aren't stored in the Site Lists app.
Configure enhanced hang detection for Internet Explorer mode
Supported versions:
On Windows since 84 or later
Description
Enhanced hang detection is a more granular approach to detecting hung webpages in Internet Explorer mode than what standalone Internet Explorer uses. When a hung webpage is detected, the browser applies a mitigation to prevent the rest of the browser from hanging.
This setting allows you to configure the use of enhanced hang detection in case you run into incompatibility issues with any of your websites. We recommend disabling this policy only if you see notifications such as "(website) is not responding" in Internet Explorer mode but not in standalone Internet Explorer.
Allow launching of local files in Internet Explorer mode
Supported versions:
On Windows since 88 or later
Description
This policy controls the availability of the --ie-mode-file-url command line argument used to launch Microsoft Edge with a local file specified on the command line into Internet Explorer mode.
If you set this policy to "true" or don't configure it, the user is allowed to use the --ie-mode-file-url command line argument for launching local files in Internet Explorer mode.
If this policy is set to "false", the user isn't allowed to use the --ie-mode-file-url command line argument for launching local files in Internet Explorer mode.
When a file:// URL is requested to launch in Internet Explorer mode, the file extension of the URL must be present in this list for the URL to be allowed to launch in Internet Explorer mode. A URL that's blocked from opening in Internet Explorer mode is instead opened in Microsoft Edge mode.
If you set this policy to the special value "*" or don't configure it, all file extensions are allowed.
If you enable this policy, the 'Open link in new Internet Explorer mode tab' context menu item is available for file:// links.
If you disable or don't configure this policy, the context menu item won't be added.
If the InternetExplorerIntegrationReloadInIEModeAllowed policy allows users to reload sites in Internet Explorer mode, then the 'Open link in new Internet Explorer mode tab' context menu item is available for all links, except links to sites explicitly configured by the site list to use Microsoft Edge mode. In this case, if you enable this policy, the context menu item is available for file:// links even for sites configured to use Microsoft Edge mode. If you disable or don't configure this policy, the policy has no effect.
Allow local MHTML files to open automatically in Internet Explorer mode
Supported versions:
On Windows since 107 or later
Description
This policy controls whether local mht or mhtml files launched from the command line open automatically in Internet Explorer mode based on the file content without specifying the --ie-mode-file-url command line argument.
If you enable or don't configure this policy, local mht or mhtml files launch in Microsoft Edge or Internet Explorer mode, so that you can view these files in the best way.
If you disable this policy, local mht or mhtml files launch in Microsoft Edge.
If you use the --ie-mode-file-url command line argument for launching local mht or mhtml files, it takes precedence over how you configured this policy.
Specify the number of days that a site remains on the local IE mode site list
Supported versions:
On Windows since 92 or later
Description
If the InternetExplorerIntegrationReloadInIEModeAllowed policy is enabled or not configured, users will be able to tell Microsoft Edge to load specific pages in Internet Explorer mode for a limited number of days.
You can use this setting to determine how many days that configuration is remembered in the browser. After this period has elapsed, the individual page will no longer automatically load in IE mode.
If you disable or don't configure this policy, the default value of 30 days is used.
If you enable this policy, you must enter the number of days for which the sites are retained on the user's local site list in Microsoft Edge. The value can be from 0 to 90 days.
Allow unconfigured sites to be reloaded in Internet Explorer mode
Supported versions:
On Windows since 92 or later
Description
This policy allows users to reload unconfigured sites (ones that aren't configured in the Enterprise Mode Site List) in Internet Explorer mode when they're browsing in Microsoft Edge and a site requires Internet Explorer for compatibility.
After a site is reloaded in Internet Explorer mode, "in-page" navigation stays in Internet Explorer mode (for example, a link, script, or form on the page, or a server-side redirect from another "in-page" navigation). Users can choose to exit from Internet Explorer mode, or Microsoft Edge automatically exits from Internet Explorer mode when a navigation that isn't "in-page" occurs (for example, using the address bar, the back button, or a favorite link).
Users can also optionally tell Microsoft Edge to use Internet Explorer mode for the site in the future. This choice is remembered for a length of time managed by the InternetExplorerIntegrationLocalSiteListExpirationDays policy.
Configure how frequently the Enterprise Mode Site List is refreshed
Supported versions:
On Windows since 93 or later
Description
This setting lets you specify a custom refresh interval for the Enterprise Mode Site List. The refresh interval is specified in minutes. The minimum refresh interval is 30 minutes.
If you configure this policy, Microsoft Edge attempts to retrieve an updated version of the configured Enterprise Mode Site List using the specified refresh interval.
If you disable or don't configure this policy, Microsoft Edge uses a default refresh interval: 10080 minutes (7 days) starting from version 110 or later, 120 minutes from version 93 to 110, and 30 minutes before version 93.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerIntegrationSiteListRefreshInterval
GP name: Configure how frequently the Enterprise Mode Site List is refreshed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specify how "in-page" navigations to unconfigured sites behave when started from Internet Explorer mode pages
Supported versions:
On Windows since 81 or later
Description
An "in-page" navigation is started from a link, a script, or a form on the current page. It can also be a server-side redirect of a previous "in-page" navigation attempt. Conversely, a user can start a navigation that isn't "in-page" and that's independent of the current page in several ways by using the browser controls, for example, using the address bar, the back button, or a favorite link.
This setting lets you specify whether navigations from pages loaded in Internet Explorer mode to unconfigured sites (that aren't configured in the Enterprise Mode Site List) switch back to Microsoft Edge or remain in Internet Explorer mode.
If you disable or don't configure this policy, only sites configured to open in Internet Explorer mode open in that mode. Any site not configured to open in Internet Explorer mode is redirected back to Microsoft Edge.
If you set this policy to 'Default', only sites configured to open in Internet Explorer mode open in that mode. Any site not configured to open in Internet Explorer mode is redirected back to Microsoft Edge.
If you set this policy to 'AutomaticNavigationsOnly', you get the default experience except that all automatic navigations (such as 302 redirects) to unconfigured sites are kept in Internet Explorer mode.
If you set this policy to 'AllInPageNavigations', all navigations from pages loaded in IE mode to unconfigured sites are kept in Internet Explorer mode (Least Recommended).
If the InternetExplorerIntegrationReloadInIEModeAllowed policy allows users to reload sites in Internet Explorer mode, then all in-page navigations from unconfigured sites that users have chosen to reload in Internet Explorer mode are kept in Internet Explorer mode, regardless of how this policy is configured.
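The way the three values interact with the navigation kinds defined above can be traced over a redirect chain. The following is an added model, not Microsoft Edge code: the names Hop, trace and unconfigured_in_ie and the sample URLs are constructed for illustration, and the model assumes that a navigation that isn't "in-page" to an unconfigured site always leaves Internet Explorer mode.

```python
from dataclasses import dataclass

# Policy values named on the page; None models "disabled or not configured".
POLICY_VALUES = (None, "Default", "AutomaticNavigationsOnly", "AllInPageNavigations")

USER_IN_PAGE = "user-in-page"  # link, script or form on the current page
AUTOMATIC = "automatic"        # e.g. a 302 redirect of an in-page navigation
NOT_IN_PAGE = "not-in-page"    # address bar, back button, favorite link
KINDS = (USER_IN_PAGE, AUTOMATIC, NOT_IN_PAGE)


@dataclass(frozen=True)
class Hop:
    url: str                 # constructed sample URL
    kind: str                # one of KINDS
    configured_for_ie: bool  # listed for IE mode in the Enterprise Mode Site List


def trace(policy, hops, start_engine="ie", user_reloaded=False):
    """Return the engine ('ie' or 'edge') that renders each hop's target.

    user_reloaded models a session the user started with "Reload in Internet
    Explorer mode" (InternetExplorerIntegrationReloadInIEModeAllowed).
    """
    if policy not in POLICY_VALUES:
        raise ValueError(f"unknown policy value: {policy!r}")
    engine, reloaded, engines = start_engine, user_reloaded, []
    for hop in hops:
        if hop.kind not in KINDS:
            raise ValueError(f"unknown navigation kind: {hop.kind!r}")
        if hop.kind == NOT_IN_PAGE:
            reloaded = False  # a non-in-page navigation ends the reloaded session
        if hop.configured_for_ie:
            engine = "ie"     # configured sites open in IE mode via the site list
        elif engine != "ie" or hop.kind == NOT_IN_PAGE:
            engine = "edge"   # assumption: the policy only covers in-page navigations
        elif reloaded:
            engine = "ie"     # kept in IE mode regardless of the policy value
        elif policy == "AllInPageNavigations":
            engine = "ie"
        elif policy == "AutomaticNavigationsOnly" and hop.kind == AUTOMATIC:
            engine = "ie"
        else:
            engine = "edge"   # Default, disabled or not configured
        engines.append(engine)
    return engines


def unconfigured_in_ie(policy, hops, **kwargs):
    """URLs of unconfigured sites that end up rendered in Internet Explorer mode."""
    return [hop.url for hop, engine in zip(hops, trace(policy, hops, **kwargs))
            if engine == "ie" and not hop.configured_for_ie]


# Constructed chain; the starting page is a legacy app loaded in IE mode.
CHAIN = [
    Hop("https://sso.example/login", AUTOMATIC, False),        # 302 from the legacy app
    Hop("https://partner.example/docs", USER_IN_PAGE, False),  # user clicks a link
    Hop("https://legacy.example/report", USER_IN_PAGE, True),  # back to a configured site
    Hop("https://cdn.example/file", AUTOMATIC, False),         # 302 from the configured site
    Hop("https://news.example/", NOT_IN_PAGE, False),          # typed in the address bar
]

if __name__ == "__main__":
    for value in POLICY_VALUES:
        print(f"{str(value):26} {trace(value, CHAIN)}")
        print(f"{'':26} unconfigured in IE mode: {unconfigured_in_ie(value, CHAIN)}")
```

The list returned by unconfigured_in_ie is the set of sites outside the Enterprise Mode Site List that the legacy engine renders under a given value, which is the quantity to review before choosing anything other than 'Default'.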
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 94.
Supported versions:
On Windows since 86, until 94
Description
This policy is obsolete because it has been superseded by an improved feature. It doesn't work in Microsoft Edge after version 94. To allow users to open applications in Internet Explorer mode, use the InternetExplorerIntegrationReloadInIEModeAllowed policy instead. Alternatively, users can still use the --ie-mode-test flag.
This policy allows users to test applications in Internet Explorer mode by opening an Internet Explorer mode tab in Microsoft Edge.
Users can do so from within the "More tools" menu by selecting 'Open sites in Internet Explorer mode'.
Additionally, users can test their applications in a modern browser without removing applications from the site list using the option 'Open sites in Edge mode'.
If you enable this policy, the option 'Open sites in Internet Explorer mode' is visible under "More tools". Users can view their sites in Internet Explorer mode on this tab. Another option 'Open sites in Edge mode' is also visible under "More tools" to help test sites in a modern browser without removing them from the site list. If the InternetExplorerIntegrationReloadInIEModeAllowed policy is enabled, it takes precedence and these options will not be visible under "More tools".
If you disable or don't configure this policy, users can't see the options 'Open in Internet Explorer mode' and 'Open in Edge mode' under the "More tools" menu. However, users can configure these options with the --ie-mode-test flag.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerIntegrationTestingAllowed
GP name: Allow Internet Explorer mode testing (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the pixel adjustment between window.open heights sourced from IE mode pages vs. Edge mode pages
Supported versions:
On Windows since 95 or later
Description
This setting lets you specify a custom adjustment to the height of popup windows generated via window.open from the Internet Explorer mode site.
If you configure this policy, Microsoft Edge will add the adjustment value to the height, in pixels. The exact difference depends on the UI configuration of both IE and Edge, but a typical difference is 5.
If you disable or don't configure this policy, Microsoft Edge will treat IE mode window.open the same as Edge mode window.open in window height calculations.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerIntegrationWindowOpenHeightAdjustment
GP name: Configure the pixel adjustment between window.open heights sourced from IE mode pages vs. Edge mode pages
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configure the pixel adjustment between window.open widths sourced from IE mode pages vs. Edge mode pages
Supported versions:
On Windows since 95 or later
Description
This setting lets you specify a custom adjustment to the width of popup windows generated via window.open from the Internet Explorer mode site.
If you configure this policy, Microsoft Edge will add the adjustment value to the width, in pixels. The exact difference depends on the UI configuration of both IE and Edge, but a typical difference is 4.
If you disable or don't configure this policy, Microsoft Edge will treat IE mode window.open the same as Edge mode window.open in window width calculations.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerIntegrationWindowOpenWidthAdjustment
GP name: Configure the pixel adjustment between window.open widths sourced from IE mode pages vs. Edge mode pages
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode
Supported versions:
On Windows since 117 or later
Description
This policy controls whether MHT or MHTML files that are downloaded from the web are automatically opened in Internet Explorer mode.
If you enable this policy, the MHT or MHTML files that are downloaded from the web can be opened in both Microsoft Edge and Internet Explorer mode to provide the best user experience.
If you disable or don't configure this policy, MHT or MHTML files that are downloaded from the web won't automatically open in Internet Explorer mode.
This policy enables 'Save page as' functionality in Internet Explorer mode. Users can use this option to save the current page in the browser. When a user reopens a saved page, it's loaded in the default browser.
If you enable this policy, the "Save page as" option is clickable in "More tools".
If you disable or don't configure this policy, users can't select the "Save page as" option in "More tools".
Note: To make the "Ctrl+S" shortcut work, users must enable the Internet Explorer policy, namely 'Enable extended hot key in Internet Explorer mode'.
Allow sites configured for Internet Explorer mode to open in Microsoft Edge
Supported versions:
On Windows since 97 or later
Description
This policy lets sites configured to open in Internet Explorer mode be opened by Microsoft Edge for testing on a modern browser without removing them from the site list.
Users can configure this setting in the "More tools" menu by selecting 'Open sites in Microsoft Edge'.
If you enable this policy, the option to 'Open sites in Microsoft Edge' will be visible under "More tools". Users use this option to test IE mode sites on a modern browser.
If you disable or don't configure this policy, users can't see the option 'Open in Microsoft Edge' under the "More tools" menu. However, users can access this menu option with the --ie-mode-test flag.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerModeTabInEdgeModeAllowed
GP name: Allow sites configured for Internet Explorer mode to open in Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Show the Reload in Internet Explorer mode button in the toolbar
Supported versions:
On Windows since 96 or later
Description
Set this policy to show the Reload in Internet Explorer mode button in the toolbar. Users can hide the button in the toolbar through edge://settings/appearance. The button is only shown on the toolbar when the InternetExplorerIntegrationReloadInIEModeAllowed policy is enabled or if the user chose to enable "Allow sites to be reloaded in Internet Explorer mode".
If you enable this policy, the Reload in Internet Explorer mode button is pinned to the toolbar.
If you disable or don't configure this policy, the Reload in Internet Explorer mode button isn't shown in the toolbar by default. Users can toggle the Show Internet Explorer mode button in edge://settings/appearance.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerModeToolbarButtonEnabled
GP name: Show the Reload in Internet Explorer mode button in the toolbar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Display zoom in IE Mode tabs with DPI Scale included like it is in Internet Explorer
Supported versions:
On Windows since 103 or later
Description
Lets you display zoom in IE Mode tabs similar to how it was displayed in Internet Explorer, where the DPI scale of the display is factored in.
For example, if you have a page zoomed to 200% on a 100 DPI scale display and you change the display to 150 DPI, Microsoft Edge would still display the zoom as 200%. However, Internet Explorer factors in the DPI scale and displays 300%.
If you enable this policy, zoom values will be displayed with the DPI scale included for IE Mode tabs.
If you disable or don't configure this policy, zoom values will be displayed without DPI scale included for IE Mode tabs.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: InternetExplorerZoomDisplay
GP name: Display zoom in IE Mode tabs with DPI Scale included like it is in Internet Explorer
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
If this policy isn't configured, the browser uses the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they're enabled by default but will be disabled by default in a future release.
DNSInterceptionChecksEnabled is a related policy that might also disable DNS interception checks. However, this policy is a more flexible version which might separately control intranet redirection infobars and might be expanded in the future. If either DNSInterceptionChecksEnabled or this policy makes a request to disable interception checks, the checks will be disabled. If DNS interception checks are disabled by this policy but GoToIntranetSiteForSingleWordEntryInAddressBar is enabled, single word queries still result in intranet navigations.
Policy options mapping:
* Default (0) = Use default browser behavior.
* DisableInterceptionChecksDisableInfobar (1) = Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars.
By default, Microsoft Edge isolates pages from each Site into its own process. This policy enables more granular isolation based on Origin rather than Site. For example, specifying https://subdomain.contoso.com/ causes pages from https://subdomain.contoso.com/ to be isolated in a different process than pages from other Origins within the https://contoso.com/ Site.
If you enable this policy, each of the named origins in a comma-separated list runs in its own process.
If you disable or don't configure this policy, pages are isolated on a per-Site basis.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: IsolateOrigins
GP name: Enable site isolation for specific origins
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow users to turn the Live captions feature on or off.
Live captions is an accessibility feature that converts speech from the audio that plays in Microsoft Edge into text and shows this text in a separate window. The entire process happens on the device and no audio or caption text ever leaves the device.
Note: This feature isn't generally available. Clients that have the ExperimentationAndConfigurationServiceControl policy set to 'FullMode' receive the feature before broad availability. Broad availability is announced via Microsoft Edge release notes.
If you enable or don't configure this policy, users can turn on this feature or turn it off at edge://settings/accessibility.
If you disable this policy, users can't turn on this accessibility feature. If speech recognition files were downloaded previously, they will be deleted from the device in 30 days. We recommend avoiding this option unless it's needed in your environment.
If users choose to turn on Live captions, speech recognition files (approximately 100 megabytes) are downloaded to the device on first run and then periodically to improve performance and accuracy. These files will be deleted after 30 days.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LiveCaptionsAllowed
GP name: Live captions allowed
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows users to translate videos to different languages.
Supported versions:
On Windows since 141 or later
Description
This policy configures the on-device real-time video translation feature in Microsoft Edge. With this feature, users can watch videos translated into their selected language in real time.
When a user selects the Translate icon and chooses a source (video language) and target language (translated language), translation components are downloaded on first use (approximately 200 MB per language pair).
These components may be updated periodically to improve performance and translation quality. Translation is performed locally on the user’s device and no data is sent outside of the device. The feature is available only for non-DRM videos, on supported high-end devices, with select language pairs, and in select regions. For more details, see https://www.microsoft.com/en-us/edge/features/real-time-video-translation.
If you enable or don’t configure this policy, the on-device real-time video translation feature is enabled and users will see the Translate button when hovering over videos.
If you disable this policy, the on-device real-time video translation feature is disabled and the Translate button won’t be shown.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LiveVideoTranslationEnabled
GP name: Allows users to translate videos to different languages.
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable Windows to search local Microsoft Edge browsing data
Supported versions:
On Windows since 93 or later
Description
Enables Windows to index Microsoft Edge browsing data stored locally on the user's device and allows users to find and launch previously stored browsing data directly from Windows features such as the search box on the taskbar in Windows.
If you enable this policy or don't configure it, Microsoft Edge publishes local browsing data to the Windows Indexer.
If you disable this policy, Microsoft Edge won't share data to the Windows Indexer.
Note that if you disable this policy, Microsoft Edge removes the data shared with Windows on the device and stops sharing any new browsing data.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalBrowserDataShareEnabled
GP name: Enable Windows to search local Microsoft Edge browsing data
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Allow suggestions from suggestion providers on the device (local providers), for example, Favorites and Browsing History, in Microsoft Edge's Address Bar and Auto-Suggest List.
If you enable this policy, suggestions from local providers are used.
If you disable this policy, suggestions from local providers are never used. Local history and local favorites suggestions won't appear.
If you don't configure this policy, suggestions from local providers are allowed but the user can change that using the settings toggle.
Some features may not be available if a policy to disable this feature has been applied. For example, Browsing History suggestions will not be available if you enable the SavingBrowserHistoryDisabled policy.
This policy requires a browser restart to finish applying.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: LocalProvidersEnabled
GP name: Allow suggestions from local providers
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Automatically open Copilot side pane with contextual insights for links opened from Outlook
Supported versions:
On Windows and macOS since 148 or later
Description
This policy controls whether Microsoft Edge automatically opens the Microsoft Copilot side pane when users open web links from Outlook emails sent from the same tenant.
Starting in Microsoft Edge version 148, when users open eligible links from Outlook emails sent from the same tenant, Microsoft Edge automatically opens the Copilot side pane with contextual insights. Copilot can use the originating Outlook email as context to surface relevant insights and suggested next steps alongside the web content.
If you enable this policy or don't configure it, the Copilot side pane opens automatically when users open links from Outlook emails sent from the same tenant.
If you disable this policy, the Copilot side pane doesn't open automatically when users open links from Outlook emails sent from the same tenant.
This feature applies only to links opened from Outlook emails sent from the same tenant and requires Microsoft Copilot to be available for the user in Microsoft Edge.
This feature is disabled if the CopilotPageContext policy or the EdgeEntraCopilotPageContext policy is disabled, regardless of this policy's configuration. Copilot requires access to page content to provide contextual insights.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: M365LinksAutoOpenCopilotEnabled
GP name: Automatically open Copilot side pane with contextual insights for links opened from Outlook
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Always use Microsoft AutoUpdate as the updater for Microsoft Edge (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 139.
Supported versions:
On macOS since 93, until 139
Description
From Microsoft Edge version 140, this policy is obsolete because Microsoft Edge now uses EdgeUpdater for browser updates. Updates are no longer delivered through Microsoft AutoUpdate.
This policy determines which updater is used to update Microsoft Edge.
If you enable this policy, Microsoft Edge only uses Microsoft AutoUpdate for updates.
If you disable or don't configure this policy, Microsoft Edge is updated using EdgeUpdater.
Note: This policy is no longer applicable starting with Microsoft Edge version 140.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Allow single sign-on for Microsoft personal sites using this profile
Supported versions:
On Windows and macOS since 93 or later
Description
The 'Allow single sign-on for Microsoft personal sites using this profile' option lets non-MSA profiles use single sign-on for Microsoft sites using MSA credentials present on the machine. This option shows up for end-users as a toggle in Settings -> Profiles -> Profile Preferences for non-MSA profiles only.
If you disable this policy, non-MSA profiles can't use single sign-on for Microsoft sites using MSA credentials present on the machine.
If you enable this policy or don't configure it, users can use the Settings option to let non-MSA profiles use single sign-on for Microsoft sites using MSA credentials present on the machine, provided only a single MSA account exists on the machine.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MSAWebSiteSSOUsingThisProfileAllowed
GP name: Allow single sign-on for Microsoft personal sites using this profile
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Sets managed configuration values for websites to specific origins
Supported versions:
On Windows and macOS since 90 or later
Description
Setting this policy defines the return value of the Managed Configuration API for the given origin.
The Managed Configuration API is a key-value configuration that can be accessed via the navigator.device.getManagedConfiguration() JavaScript call. This API is only available to origins that correspond to force-installed web applications via WebAppInstallForceList.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ManagedConfigurationPerOrigin
GP name: Sets managed configuration values for websites to specific origins
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
The policy creates a list of favorites. Each favorite contains the keys "name" and "url", which hold the favorite's name and its target. You can configure a subfolder by defining a favorite without a "url" key but with an extra "children" key that contains a list of favorites as defined earlier (some of which may be folders again). Microsoft Edge amends incomplete URLs as if they were submitted via the Address Bar, for example "microsoft.com" becomes "https://microsoft.com/".
These favorites are placed in a folder that can't be modified by the user (but the user can choose to hide it from the favorites bar). By default the folder name is "Managed favorites" but you can change it by adding to the list of favorites a dictionary containing the key "toplevel_name" with the desired folder name as the value.
Managed favorites aren't synced to the user account and can't be modified by extensions.
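Because this folder is pushed to every managed profile and users can't edit it, it helps to lint the value before deployment. The following added example (not Microsoft's code) walks the structure described above; the function names, finding codes and sample policy are constructed, and amend_url only approximates the address-bar amendment.

```python
import json
from urllib.parse import urlsplit

DEFAULT_FOLDER = "Managed favorites"  # default folder name stated on the page


def amend_url(url):
    """Approximate the amendment the page describes ("microsoft.com" ->
    "https://microsoft.com/"). The browser's real address-bar fix-up does more."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.path == "":
        parts = parts._replace(path="/")
    return parts.geturl()


def audit_managed_favorites(policy_json):
    """Return {'folder', 'favorites', 'findings'} for a ManagedFavorites value."""
    data = json.loads(policy_json)
    if not isinstance(data, list):
        raise ValueError("ManagedFavorites must be a list of dictionaries")
    result = {"folder": DEFAULT_FOLDER, "favorites": [], "findings": []}

    def flag(where, code, detail=""):
        result["findings"].append((where, code, detail))

    def walk(items, where, folders):
        for index, item in enumerate(items):
            here = f"{where}[{index}]"
            if not isinstance(item, dict):
                flag(here, "not-a-dictionary")
                continue
            if "toplevel_name" in item:
                # The page describes this key only in the top-level list.
                if folders:
                    flag(here, "nested-toplevel-name")
                else:
                    result["folder"] = item["toplevel_name"]
                continue
            name = item.get("name")
            if not isinstance(name, str) or not name:
                flag(here, "missing-name")
                name = "(unnamed)"
            has_url, has_children = "url" in item, "children" in item
            if has_url and has_children:
                flag(here, "url-and-children", "a folder is defined without a url key")
            if not has_url and not has_children:
                flag(here, "no-url-or-children")
            if has_children:
                if isinstance(item["children"], list):
                    walk(item["children"], here + ".children", folders + [name])
                else:
                    flag(here, "children-not-a-list")
            if has_url:
                raw = item["url"]
                if not isinstance(raw, str) or not raw.strip():
                    flag(here, "empty-url")
                    continue
                effective = amend_url(raw)
                if effective != raw:
                    flag(here, "amended-url", effective)  # what users will be sent to
                if urlsplit(effective).scheme == "http":
                    flag(here, "plaintext-http", effective)
                result["favorites"].append(("/".join(folders), name, effective))

    walk(data, "", [])
    return result


# Constructed sample policy value (not taken from the page).
SAMPLE = """[
  {"toplevel_name": "Contoso favorites"},
  {"name": "Intranet", "url": "https://intranet.contoso.example/"},
  {"name": "Wiki", "url": "wiki.contoso.example"},
  {"name": "Tools", "children": [
    {"name": "Legacy HR", "url": "http://hr.contoso.example/app"},
    {"name": "Broken"},
    {"name": "Nested", "children": [
      {"name": "Status", "url": "https://status.contoso.example/"}
    ]}
  ]}
]"""

if __name__ == "__main__":
    report = audit_managed_favorites(SAMPLE)
    print("folder:", report["folder"])
    for folder, name, url in report["favorites"]:
        print(f"  {folder or '.'} / {name} -> {url}")
    for where, code, detail in report["findings"]:
        print(f"  finding {where}: {code} {detail}")
```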
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ManagedFavorites
GP name: Configure favorites
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Lets you configure a list of up to 10 search engines, one of which must be marked as the default search engine. With Microsoft Edge version 100, you can configure up to 100 engines.
You don't need to specify the encoding. With Microsoft Edge version 80, the suggest_url and image_search_url parameters are optional. The optional parameter, image_search_post_params (consists of comma-separated name/value pairs), is available starting in Microsoft Edge version 80.
With Microsoft Edge version 83, you can enable search engine discovery with the optional allow_search_engine_discovery parameter. This parameter must be the first item in the list. If allow_search_engine_discovery isn't specified, search engine discovery is disabled by default. With Microsoft Edge version 84, you can set this policy as a recommended policy to allow search provider discovery. You don't need to add the optional allow_search_engine_discovery parameter. With Microsoft Edge version 100, setting this policy as a recommended policy also allows users to manually add new search engines from their Microsoft Edge settings.
If you enable this policy, users can't add, remove, or change any search engine in the list. Users can set their default search engine to any search engine in the list.
If you disable or don't configure this policy, users can modify the search engines list as desired.
If the DefaultSearchProviderSearchURL policy is set, this policy (ManagedSearchEngines) is ignored. The user must restart their browser to finish applying this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: ManagedSearchEngines
GP name: Manage Search Engines
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Let users snip a Math problem and get the solution with a step-by-step explanation in Microsoft Edge (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 125.
Supported versions:
On Windows and macOS since 91, until 125
Description
This policy is obsolete because Math Solver is deprecated from Edge. This policy won't work in Microsoft Edge version 126. This policy lets you manage whether users can use the Math Solver tool in Microsoft Edge or not.
If you enable or don't configure the policy, then a user can take a snip of the Math problem and get the solution including a step-by-step explanation of the solution in a Microsoft Edge side pane.
If you disable the policy, then the Math Solver tool will be disabled and users will not be able to use it.
Note: Setting the ComponentUpdatesEnabled policy to disabled will also disable the Math Solver component.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MathSolverEnabled
GP name: Let users snip a Math problem and get the solution with a step-by-step explanation in Microsoft Edge (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Maximum number of concurrent connections to the proxy server
Supported versions:
On Windows and macOS since 77 or later
Description
Specifies the maximum number of simultaneous connections to the proxy server.
Some proxy servers can't handle a high number of concurrent connections per client - you can solve this by setting this policy to a lower value.
The value of this policy should be lower than 100 and higher than 6. The default value is 32.
Some web apps are known to consume many connections with hanging GETs - lowering the maximum connections below 32 can lead to browser networking hangs if too many such web apps are open.
If you don't configure this policy, the default value (32) is used.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: MaxConnectionsPerProxy
GP name: Maximum number of concurrent connections to the proxy server
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you don't configure this policy, the default value of 32 is used.
Some web applications maintain multiple concurrent connections (for example, long-lived or hanging requests). Setting a value lower than the default may cause networking delays when many such applications are open.
Some proxy servers cannot handle a high number of concurrent connections per client. In these cases, reducing the value of this policy may improve reliability.
The supported range is 6 to 256:
* Values less than 6 are treated as 6.
* Values greater than 256 are treated as 256.
We recommend modifying this value only if required by your proxy server configuration or network environment.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: MaxConnectionsPerProxyForWebSocket
GP name: Maximum number of concurrent connections to the proxy server for WebSocket requests
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow Google Cast to connect to Cast devices on all IP addresses
Supported versions:
On Windows and macOS since 77 or later
Description
Enable this policy to let Google Cast connect to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
Disable this policy to restrict Google Cast to Cast devices on RFC1918/RFC4193 private addresses.
If you don't configure this policy, Google Cast connects to Cast devices on RFC1918/RFC4193 private addresses only, unless you enable the CastAllowAllIPs feature.
If the EnableMediaRouter policy is disabled, then this policy has no effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MediaRouterCastAllowAllIPs
GP name: Allow Google Cast to connect to Cast devices on all IP addresses
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy enables reporting of usage and crash-related data about Microsoft Edge to Microsoft.
Enable this policy to send reporting of usage and crash-related data to Microsoft. Disable this policy to not send the data to Microsoft. In both cases, users can't change or override the setting.
On Windows 10, if you don't configure this policy, Microsoft Edge defaults to the Windows diagnostic data setting. If you enable this policy, Microsoft Edge only sends usage data if the Windows Diagnostic data setting is set to Enhanced or Full. If you disable this policy, Microsoft Edge won't send usage data. Crash-related data is sent based on the Windows Diagnostic data setting. Learn more about Windows Diagnostic data settings at https://go.microsoft.com/fwlink/?linkid=2099569
On Windows 7, Windows 8, and macOS, this policy controls sending usage and crash-related data. If you don't configure this policy, Microsoft Edge defaults to the user's preference.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MetricsReportingEnabled
GP name: Enable usage and crash-related data reporting (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Control whether Microsoft 365 Copilot Chat shows in the Microsoft Edge for Business toolbar
Supported versions:
On Windows and macOS since 139 or later
Description
For users in an Entra ID Microsoft Edge profile, this policy controls whether the Microsoft 365 Copilot Chat icon will be shown in the Microsoft Edge for Business toolbar for Microsoft 365 Copilot licensed and unlicensed users.
This policy only applies when users are accessing Copilot in the sidepane.
If the policy is enabled: Copilot will appear in the toolbar.
If the policy is disabled: Copilot won't appear in the toolbar.
If the policy isn't configured: Copilot shows in the toolbar and users may enable or disable Copilot from showing by using the Show Copilot toggle in settings.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: Microsoft365CopilotChatIconEnabled
GP name: Control whether Microsoft 365 Copilot Chat shows in the Microsoft Edge for Business toolbar
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
The Microsoft Editor service provides enhanced spell and grammar checking for editable text fields on web pages.
If you enable or don't configure this policy, Microsoft Editor spell check can be used for eligible text fields.
If you disable this policy, spell check can only be provided by local engines that use platform or Hunspell services. The results from these engines might be less informative than the results Microsoft Editor can provide.
If the SpellcheckEnabled policy is set to disabled, or the user disables spell checking in the settings page, this policy will have no effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MicrosoftEditorProofingEnabled
GP name: Spell checking provided by Microsoft Editor
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Synonyms are provided when using Microsoft Editor spell checker
Supported versions:
On Windows and macOS since 105 or later
Description
The Microsoft Editor service provides enhanced spell and grammar checking for editable text fields on web pages, and synonyms can be suggested as an integrated feature.
If you enable this policy, Microsoft Editor spell checker provides synonyms for suggestions for misspelled words.
If you disable or don't configure this policy, Microsoft Editor spell checker won't provide synonyms for suggestions for misspelled words.
If the SpellcheckEnabled policy or the MicrosoftEditorProofingEnabled policy is set to disabled, or the user disables spell checking or chooses not to use Microsoft Editor spell checker in the settings page, this policy will have no effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MicrosoftEditorSynonymsEnabled
GP name: Synonyms are provided when using Microsoft Editor spell checker
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow users to access the Microsoft Office menu (deprecated)
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 100 or later
Description
This policy is deprecated because the Microsoft Edge sidebar replaced it. Microsoft Office applications are now available in the sidebar, which is managed by the HubsSidebarEnabled policy.
When users can access the Microsoft Office menu, they can get access to Office applications such as Microsoft Word and Microsoft Excel.
If you enable or don't configure this policy, users can open the Microsoft Office menu.
If you disable this policy, users can't access the Microsoft Office menu.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MicrosoftOfficeMenuEnabled
GP name: Allow users to access the Microsoft Office menu (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 121.
Supported versions:
On Windows and macOS since 109, until 114
Description
If you enable this policy, Microsoft Edge performs verification of server certificates using the built-in certificate verifier with the Microsoft Root Store as the source of public trust.
If you disable this policy, Microsoft Edge uses the system certificate verifier and system root certificates.
If you don't configure this policy, the Microsoft Root Store or system-provided roots may be used.
This policy is planned to be removed in Microsoft Edge version 121 for Android devices when support for using the platform-supplied roots is planned to be removed.
This policy was removed in Microsoft Edge version 115 for Microsoft Windows and macOS, Microsoft Edge version 120 for Linux, and Microsoft Edge version 121 for Android when support for using the platform-supplied certificate verifier and roots was removed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MicrosoftRootStoreEnabled
GP name: Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy lets you configure the Mouse Gesture feature in Microsoft Edge.
This feature provides an easy way for users to complete tasks like scrolling forward or backward, opening a new tab, refreshing the page, etc. They can finish a task by pressing and holding the right mouse button to draw certain patterns on a webpage, instead of clicking buttons or using keyboard shortcuts.
If you enable or don't configure this policy, you can use the Mouse Gesture feature in Microsoft Edge.
If you disable this policy, you can't use the Mouse Gesture feature in Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: MouseGestureEnabled
GP name: Mouse Gesture Enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Force Windows executable Native Messaging hosts to launch directly
Supported versions:
On Windows since 121 or later
Description
This policy controls whether native host executables launch directly on Windows.
If you enable this policy, Microsoft Edge is forced to launch native messaging hosts implemented as executables directly.
If you disable this policy, Microsoft Edge will launch hosts using cmd.exe as an intermediary process.
If you don't configure this policy, Microsoft Edge will decide which approach to use based on a progressive rollout from the legacy behavior to the Launch Directly behavior, guided by ecosystem compatibility.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NativeHostsExecutablesLaunchDirectly
GP name: Force Windows executable Native Messaging hosts to launch directly
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows since 84 or later
Description
This policy is deprecated; use the 'WindowOcclusionEnabled' policy instead. It won't work in Microsoft Edge version 92.
Enables native window occlusion in Microsoft Edge.
If you enable this policy, Microsoft Edge detects when a window is covered by other windows and suspends the work of painting pixels to reduce CPU and power consumption.
If you disable this policy, Microsoft Edge won't detect when a window is covered by other windows.
If you don't configure this policy, occlusion detection is enabled.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NativeWindowOcclusionEnabled
GP name: Enable Native Window Occlusion (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Set a timeout for delay of tab navigation for the Enterprise Mode Site List
Supported versions:
On Windows since 84 or later
Description
Allows you to set a timeout, in seconds, for Microsoft Edge tabs waiting to navigate until the browser has downloaded the initial Enterprise Mode Site List.
Tabs won't wait longer than this timeout for the Enterprise Mode Site List to download. If the browser hasn't finished downloading the Enterprise Mode Site List when the timeout expires, Microsoft Edge tabs continue navigating anyway. The value of the timeout should be no greater than 20 seconds and no fewer than 1 second.
If you set the timeout in this policy to a value greater than 2 seconds, an information bar is shown to the user after 2 seconds. The information bar contains a button that allows the user to quit waiting for the Enterprise Mode Site List download to complete.
If you don't configure this policy, the default timeout of 4 seconds is used. This default is subject to change in the future.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: NavigationDelayForInitialSiteListDownloadTimeout
GP name: Set a timeout for delay of tab navigation for the Enterprise Mode Site List
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enables network prediction and prevents users from changing this setting.
This controls DNS prefetching, TCP and SSL preconnection, and prerendering of web pages.
If you don't configure this policy, network prediction is enabled but the user can change it.
Policy options mapping:
* NetworkPredictionAlways (0) = Predict network actions on any network connection
* NetworkPredictionWifiOnly (1) = Not supported; if this value is used, it is treated as if 'Predict network actions on any network connection' (0) was set
* NetworkPredictionNever (2) = Don't predict network actions on any network connection
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: NetworkPredictionOptions
GP name: Enable network prediction
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
This policy controls whether or not the network service process runs sandboxed.
If this policy is enabled, the network service process runs sandboxed.
If this policy is disabled, the network service process runs unsandboxed. This leaves users open to other security risks related to running the network service unsandboxed.
If this policy isn't set, the default configuration for the network sandbox will be used. This may vary depending on Microsoft Edge release, currently running field trials, and platform.
This policy is intended to give enterprises flexibility to disable the network sandbox if they use third party software that interferes with the network service sandbox.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NetworkServiceSandboxEnabled
GP name: Enable the network service sandbox
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows enabling the feature NewBaseUrlInheritanceBehavior (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 135.
Supported versions:
On Windows and macOS since 123, until 135
Description
NewBaseUrlInheritanceBehavior is a Microsoft Edge feature that causes about:blank and about:srcdoc frames to consistently inherit their base url values via snapshots of their initiator's base url.
If you disable this policy, it prevents users or Microsoft Edge variations from enabling NewBaseUrlInheritanceBehavior, in case compatibility issues are discovered.
If you enable or don't configure this policy, it allows enabling NewBaseUrlInheritanceBehavior.
The policy became obsolete starting from Microsoft Edge version 136, but the NewBaseUrlInheritanceBehaviorAllowed feature was removed in Microsoft Edge version 123.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewBaseUrlInheritanceBehaviorAllowed
GP name: Allows enabling the feature NewBaseUrlInheritanceBehavior (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled
Supported versions:
On Windows and macOS since 111 or later
Description
The policy lets Microsoft Edge launch the new version of the built-in PDF reader that's powered by Adobe Acrobat's PDF rendering engine. The new PDF reader ensures that there's no loss of functionality and delivers an enhanced PDF experience. This experience includes richer rendering, improved performance, strong security for PDF handling, and greater accessibility.
If you enable this policy, Microsoft Edge will use the new Adobe Acrobat powered built-in PDF reader to open all PDF files.
If you disable or don't configure this policy, Microsoft Edge will use the existing PDF reader to open all PDF files.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NewPDFReaderEnabled
GP name: Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Configure whether a user always has a default profile automatically signed in with their work or school account
Supported versions:
On Windows since 78 or later
Description
This policy determines if a user can remove the Microsoft Edge profile automatically signed in with a user's work or school account.
If you enable this policy, a nonremovable profile is created with the user's work or school account on Windows. This profile can't be signed out or removed. The profile is nonremovable only if the profile is signed in with either an on-premises account or an Azure AD account that matches the OS sign-in account.
If you disable or don't configure this policy, the profile automatically signed in with a user's work or school account on Windows can be signed out or removed by the user.
If you want to configure browser sign in, use the BrowserSignin policy.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro, or Enterprise instances that enrolled for device management.
From Microsoft Edge version 89 onward, if there is an existing on-premises profile with sync disabled and the machine is hybrid joined, Microsoft Edge auto-upgrades the on-premises profile to an Azure AD profile and makes it non-removable instead of creating a new non-removable Azure AD profile.
From Microsoft Edge version 93 onward, if the ImplicitSignInEnabled policy is disabled, this policy has no effect.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: NonRemovableProfileEnabled
GP name: Configure whether a user always has a default profile automatically signed in with their work or school account
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configuration policy for bulk data entry for Microsoft Edge for Business Data Loss Prevention Connectors
Supported versions:
On Windows since 137 or later
Description
List of Microsoft Edge for Business Data Loss Prevention Connectors services settings to be applied when data is entered in Microsoft Edge from the clipboard or by dragging and dropping web content.
Connector Fields
1. url_list, tags, enable, disable: These fields determine whether the connector sends data for analysis when content is entered on a specific page, and which tags to include in the analysis request. A tag associated with an enable pattern is included in the request if the page URL matches the pattern, unless a corresponding disable pattern also matches. Analysis is triggered if at least one tag is included in the request.
2. service_provider: Identifies the analysis service provider the configuration applies to.
3. block_until_verdict: If set to 1, Microsoft Edge waits for a response from the analysis service before giving the page access to the data. Any other integer value allows the page to access the data immediately.
4. default_action: If set to block, Microsoft Edge denies page access to the data if an error occurs while contacting the analysis service. Any other value permits the page to access the data.
5. minimum_data_size: Specifies the minimum size (in bytes) that the entered data must meet or exceed to be scanned. Default: 100 bytes if the field is not set.
Configuration policy for files attached for Microsoft Edge for Business Data Loss Prevention Connectors
Supported versions:
On Windows since 137 or later
Description
List of Microsoft Edge for Business Data Loss Prevention Connectors services settings to be applied when a file is attached to Microsoft Edge.
Connector Fields
1. url_list, tags, enable, disable: These fields determine whether the connector sends data for analysis when content is entered on a specific page, and which tags to include in the analysis request. A tag associated with an enable pattern is included in the request if the page URL matches the pattern, unless a corresponding disable pattern also matches. Analysis is triggered if at least one tag is included in the request.
2. service_provider: Identifies the analysis service provider the configuration applies to.
3. block_until_verdict: If set to 1, Microsoft Edge waits for a response from the analysis service before giving the page access to the data. Any other integer value allows the page to access the data immediately.
4. default_action: If set to block, Microsoft Edge denies page access to the data if an error occurs while contacting the analysis service. Any other value permits the page to access the data.
Configuration policy for print for Microsoft Edge for Business Data Loss Prevention Connectors
Supported versions:
On Windows since 137 or later
Description
List of Microsoft Edge for Business Data Loss Prevention Connectors services settings to be applied when a page or file is printed from Microsoft Edge.
Connector Fields
1. url_list, tags, enable, disable: These fields determine whether the connector sends data for analysis when content is entered on a specific page, and which tags to include in the analysis request. A tag associated with an enable pattern is included in the request if the page URL matches the pattern, unless a corresponding disable pattern also matches. Analysis is triggered if at least one tag is included in the request.
2. service_provider: Identifies the analysis service provider the configuration applies to.
3. block_until_verdict: If set to 1, Microsoft Edge waits for a response from the analysis service before giving the page access to the data. Any other integer value allows the page to access the data immediately.
4. default_action: If set to block, Microsoft Edge denies page access to the data if an error occurs while contacting the analysis service. Any other value permits the page to access the data.
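The connector fields shared by the bulk data entry, file attached and print policies above can be modelled to see which events are scanned and which settings fail open. This is an added example, not Microsoft's code: the JSON layout, the simplified URL matcher, the sample hosts and the "example_provider" placeholder are assumptions.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_MIN_SIZE = 100  # bytes; default stated for the bulk data entry connector

# Constructed policy value. "example_provider" is a placeholder, not a real provider id.
SAMPLE_POLICY = json.loads("""
[
  {"service_provider": "example_provider",
   "enable":  [{"url_list": ["*"], "tags": ["dlp"]}],
   "disable": [{"url_list": ["intranet.contoso.com"], "tags": ["dlp"]}],
   "block_until_verdict": 1,
   "default_action": "block",
   "minimum_data_size": 100},
  {"service_provider": "example_provider",
   "enable":  [{"url_list": ["*.fabrikam.com"], "tags": ["dlp"]}],
   "block_until_verdict": 0,
   "default_action": "allow"}
]
""")


def url_matches(pattern, url):
    """Assumed, simplified matcher: '*' matches any URL, anything else is a
    hostname glob. The browser's real URL pattern syntax is richer."""
    if pattern == "*":
        return True
    host = (urlsplit(url).hostname or "").lower()
    return fnmatchcase(host, pattern.lower())


def tags_for(rules, url):
    """Union of the tags of every rule whose url_list matches the page URL."""
    tags = set()
    for rule in rules or []:
        if any(url_matches(p, url) for p in rule.get("url_list", [])):
            tags.update(rule.get("tags", []))
    return tags


def decide(connector, url, data_size=None):
    """Apply the field semantics to one data-entry, attach or print event.

    Pass data_size only for bulk data entry, the one connector whose field
    list includes minimum_data_size.
    """
    # A tag is included when an enable pattern matches and no disable
    # pattern carrying the same tag matches.
    tags = tags_for(connector.get("enable"), url) - tags_for(connector.get("disable"), url)
    scan = bool(tags)
    if scan and data_size is not None:
        scan = data_size >= connector.get("minimum_data_size", DEFAULT_MIN_SIZE)
    fails_closed = scan and connector.get("default_action") == "block"
    return {
        "scan": scan,
        "tags": sorted(tags),
        # Only the exact value 1 makes the page wait for the verdict.
        "waits_for_verdict": scan and connector.get("block_until_verdict") == 1,
        # Only the exact value "block" denies access when the service errors.
        "on_service_error": "deny" if fails_closed else "allow",
    }


def audit(connectors):
    """List settings under which a page can receive data without a verdict."""
    findings = []
    for index, c in enumerate(connectors):
        if c.get("block_until_verdict") != 1:
            findings.append((index, "block_until_verdict", "data released before the verdict"))
        if c.get("default_action") != "block":
            findings.append((index, "default_action", "data released when the service errors"))
    return findings


if __name__ == "__main__":
    for url, size in [("https://mail.example.org/compose", 500),
                      ("https://intranet.contoso.com/wiki", 500),
                      ("https://mail.example.org/compose", 50)]:
        print(url, size, decide(SAMPLE_POLICY[0], url, size))
    print(decide(SAMPLE_POLICY[1], "https://app.fabrikam.com/", 200))
    print(audit(SAMPLE_POLICY))
```

Because only `1` and `block` select the strict behaviour, a typo such as `"Block"` or `true` falls into the permissive branch, which is what `audit` is meant to surface.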
Configuration policy for Microsoft Edge for Business Reporting Connectors
Supported versions:
On Windows since 139 or later
Description
Defines the Microsoft Edge for Business Reporting Connectors service settings that apply when a security event occurs in Microsoft Edge. These events include negative verdicts from Data Loss Prevention Connectors, password reuse, navigation to unsafe pages, and other security-sensitive actions.
The service_provider field specifies the reporting service provider. The enabled_event_names field lists the security events enabled for that provider.
Allow your organization's logo from Microsoft Entra to be overlaid on the Microsoft Edge app icon of a work or school profile
Supported versions:
On Windows and macOS since 120 or later
Description
Allows your organization's logo from Entra, if any, to be overlaid on the Microsoft Edge app icon of a profile that's signed in with an Entra ID (formerly known as Azure Active Directory) account. This requires a browser restart to take effect.
If you enable this policy, your organization's logo from Entra is used.
If you disable or don't configure this policy, your organization's logo from Entra won't be used.
Allow the use of your organization's branding assets from Microsoft Entra on the profile-related UI of a work or school profile
Supported versions:
On Windows and macOS since 119 or later
Description
Allow the use of your organization's branding assets from Entra, if any, on the profile-related UI of a profile that's signed in with an Entra ID (formerly known as Azure Active Directory) account. This requires a browser restart to take effect.
If you enable this policy, your organization's branding assets from Entra are used.
If you disable or don't configure this policy, your organization's branding assets from Entra aren't used.
The Origin-Agent-Cluster: HTTP header controls whether a document is isolated in an origin-keyed agent cluster or in a site-keyed agent cluster. This functionality has security implications because an origin-keyed agent cluster allows isolating documents by origin. The consequence of this for developers is that the document.domain accessor can no longer be set when origin-keyed agent clustering is enabled.
If you enable or don't configure this policy, documents without the Origin-Agent-Cluster: header are assigned to origin-keyed agent clustering by default. On these documents, the document.domain accessor isn't settable.
If you disable this policy, documents without the Origin-Agent-Cluster: header are assigned to site-keyed agent clusters by default. On these documents, the document.domain accessor is settable.
Enable origin-keyed process isolation for improved security
Supported versions:
On Windows and macOS since 141 or later
Description
This policy enables origin-keyed process isolation for most pages, which improves security by separating content from different origins into distinct processes. This may increase the number of processes created. Users can override this setting by using command-line flags or edge://flags to turn the feature on or off.
If you enable this policy, most origins will be isolated, even from other origins within the same site. For related configuration, see the IsolateOrigins and SitePerProcess policies.
If you disable this policy, origins will not be isolated from the rest of their site unless the origin explicitly requests isolation.
If you don’t configure this policy, the browser will decide which origins to isolate and when. By default, this feature is disabled. The default state may change in the future.
Supported features:
Can be mandatory:
No
Can be recommended:
Yes
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: OriginKeyedProcessesEnabled
GP name: Enable origin-keyed process isolation for improved security
GP path (Mandatory):
N/A
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Control where security restrictions on insecure origins apply
Supported versions:
On Windows and macOS since 77 or later
Description
Specifies a list of origins (URLs) or hostname patterns (like "*.contoso.com") for which security restrictions on insecure origins don't apply.
This policy allows you to specify permitted origins for legacy applications that cannot deploy TLS or for internal web development staging servers. It enables developers to test features requiring secure contexts without the need to configure TLS on the staging server. Patterns are only accepted for hostnames; URLs or origins with schemes must be exact matches. This policy also prevents the origin from being labeled "Not Secure" in the omnibox.
Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If you enable this policy, it overrides the command-line flag.
For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: OverrideSecurityRestrictionsOnInsecureOrigin
GP name: Control where security restrictions on insecure origins apply
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
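To review what a configured OverrideSecurityRestrictionsOnInsecureOrigin list actually exempts, the entries can be checked against plain-HTTP URLs seen on the network. This is an added example, not Microsoft's code: it assumes entries with a scheme match one exact origin and entries without a scheme are hostname globs, and the sample list, URLs and approved hosts are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample of a configured list (hosts are illustrative).
SAMPLE_LIST = ["http://testserver.contoso.com/", "*.contoso.com", "http://10.0.0.5:8080"]

# Constructed sample of URLs taken from, for example, a proxy log.
OBSERVED = [
    "http://testserver.contoso.com/login",
    "http://payroll.contoso.com/export",
    "http://10.0.0.5/",
    "https://www.contoso.com/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def review(entries):
    """Classify each entry; wildcard hostname patterns are the broad ones."""
    rows = []
    for entry in entries:
        kind = "origin" if "://" in entry else "pattern"
        rows.append({"entry": entry, "kind": kind,
                     "wildcard": kind == "pattern" and "*" in entry})
    return rows


def exempted_by(entries, url):
    """Entries that exempt this URL's origin from insecure-origin restrictions."""
    target = origin_of(url)
    hits = []
    for entry in entries:
        if "://" in entry:
            # Entries with a scheme must match the origin exactly,
            # so a different port is a different origin.
            if origin_of(entry) == target:
                hits.append(entry)
        elif fnmatchcase(target[1], entry.lower()):
            # Hostname pattern: assumed to be compared with the host only.
            hits.append(entry)
    return hits


def unexpected_exemptions(entries, observed_urls, approved_hosts):
    """Plain-HTTP URLs the list exempts although their host was never approved."""
    findings = []
    for url in observed_urls:
        scheme, host, _ = origin_of(url)
        if scheme != "http":
            continue  # already a secure scheme, the policy is irrelevant
        hits = exempted_by(entries, url)
        if hits and host not in approved_hosts:
            findings.append((url, hits))
    return findings


if __name__ == "__main__":
    for row in review(SAMPLE_LIST):
        print(row)
    approved = {"testserver.contoso.com", "10.0.0.5"}
    for url, hits in unexpected_exemptions(SAMPLE_LIST, OBSERVED, approved):
        print("exempted without approval:", url, "via", hits)
```

In the sample, the `*.contoso.com` pattern exempts a payroll host nobody approved, while the port-specific `http://10.0.0.5:8080` entry does not cover `http://10.0.0.5/`.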
Secure mode and Certificate-based Digital Signature validation in native PDF reader
Supported versions:
On Windows and macOS since 100 or later
Description
The policy enables Digital Signature validation for PDF files in a secure environment, which shows the correct validation status of the signatures.
If you enable this policy, PDF files with Certificate-based digital signatures are opened with an option to view and verify the validity of the signatures with high security.
If you disable or don't configure this policy, the capability to view and verify the signature isn't available.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PDFSecureMode
GP name: Secure mode and Certificate-based Digital Signature validation in native PDF reader
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Lets the Microsoft Edge browser enable XFA (XML Forms Architecture) support in the native PDF reader and allows users to open XFA PDF files in the browser.
If you enable this policy, XFA support in the native PDF reader is enabled.
If you disable or don't configure this policy, Microsoft Edge won't enable XFA support in the native PDF reader.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PDFXFAEnabled
GP name: XFA support in native PDF reader enabled
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow websites to query for available payment methods
Supported versions:
On Windows and macOS since 80 or later
Description
Allows you to set whether websites can check if the user has payment methods saved.
If you disable this policy, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.
If you enable this policy or don't set this policy, websites can check if the user has payment methods saved.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PaymentMethodQueryEnabled
GP name: Allow websites to query for available payment methods
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Determines whether the PDF viewer in Microsoft Edge uses an out-of-process iframe (OOPIF). This is the new PDF viewer architecture going forward, as it's simpler in design and makes adding new features easier. The current GuestView PDF viewer, which relies on an outdated and overly complex architecture, is being deprecated.
If you enable this policy or don't configure it, Microsoft Edge uses the OOPIF PDF viewer architecture. The default behavior will be decided by Microsoft Edge.
If you disable this policy, Microsoft Edge strictly uses the existing GuestView PDF viewer. This approach embeds a web page with its own separate frame tree into another web page.
This policy will be removed in the future, after the OOPIF PDF viewer feature has fully rolled out.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PdfViewerOutOfProcessIframeEnabled
GP name: Use out-of-process iframe PDF Viewer
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft
Supported versions:
On Windows and macOS since 80 or later
Description
This policy prevents Microsoft from collecting a user's Microsoft Edge browsing history, favorites and collections, usage, and other browsing data to be used for personalizing advertising, search, news, Microsoft Edge, and other Microsoft services.
This setting isn't available for child accounts or enterprise accounts.
If you disable this policy, users can't change or override the setting. If this policy is enabled or not configured, Microsoft Edge defaults to the user's preference.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PersonalizationReportingEnabled
GP name: Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Microsoft Edge uses the Pin to taskbar wizard to help users pin suggested sites to the taskbar. The Pin to taskbar wizard feature is enabled by default and accessible to the user through the Settings and more menu.
If you enable this policy or don't configure it, users can call the Pin to taskbar wizard from the Settings and More menu. The wizard can also be called via a protocol launch.
If you disable this policy, the Pin to taskbar wizard is disabled in the menu and cannot be called via a protocol launch.
User settings to enable or disable the Pin to taskbar wizard aren't available.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PinningWizardAllowed
GP name: Allow Pin to taskbar wizard
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enable post-quantum key agreement for TLS (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 146.
Supported versions:
On Windows and macOS since 120, until 146
Description
This policy configures whether Microsoft Edge offers a post-quantum key agreement algorithm in TLS. This lets supporting servers protect user traffic from being decrypted by quantum computers.
If you enable or don't configure this policy, Microsoft Edge offers a post-quantum key agreement in TLS connections. TLS connections are protected from quantum computers when communicating with compatible servers.
If you disable this policy, Microsoft Edge won't offer a post-quantum key agreement in TLS connections. User traffic is unprotected from decryption by quantum computers.
Offering a post-quantum key agreement is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
However, devices that don't implement TLS correctly may malfunction when offered the new option. For example, they might disconnect in response to unrecognized options or the resulting larger messages. These devices aren't post-quantum-ready and will interfere with an enterprise's post-quantum transition. If this issue is encountered, administrators should contact the vendor for a fix.
This policy has been removed starting in Microsoft Edge version 147. Post-quantum key agreement is now enabled by default and cannot be disabled. Enterprises should work with device vendors to obtain fixes for proper post-quantum support.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PostQuantumKeyAgreementEnabled
GP name: Enable post-quantum key agreement for TLS (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allow SpeculationRules prefetch for ServiceWorker-controlled URLs
Supported versions:
On Windows and macOS since 138 or later
Description
Controls whether SpeculationRules prefetch requests are allowed for ServiceWorker-controlled URLs.
With Microsoft Edge version 138, prefetch requests to ServiceWorker-controlled URLs are allowed by default when the PrefetchServiceWorker feature is enabled.
If this policy is enabled or not configured, that default behavior is used.
To restore the legacy behavior from versions before 138, where prefetch requests to ServiceWorker-controlled URLs were blocked, set this policy to disabled.
This policy is intended to be temporary and will be removed in the future.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PrefetchWithServiceWorkerEnabled
GP name: Allow SpeculationRules prefetch for ServiceWorker-controlled URLs
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 90.
Supported versions:
On Windows and macOS since 77, until 90
Description
This policy is obsolete because it doesn't work independently of browser sign in. It doesn't work in Microsoft Edge after version 90. If you want to configure browser sign in, use the BrowserSignin policy.
Lets you configure whether to turn on Proactive Authentication in Microsoft Edge.
If you enable this policy, Microsoft Edge tries to seamlessly authenticate to websites and services using the account which is signed-in to the browser.
If you disable this policy, Microsoft Edge doesn't try to authenticate with websites or services using single sign-on (SSO). Authenticated experiences like the Enterprise New Tab Page won't work (for example, recent and recommended Office documents will not be available).
If you don't configure this policy, Proactive Authentication is turned on.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ProactiveAuthEnabled
GP name: Enable Proactive Authentication (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release.
Supported versions:
On Windows and macOS since 77 or later
Description
Control the presentation of full-tab promotional or educational content. This setting controls the presentation of welcome pages that help users sign into Microsoft Edge, choose their default browser, or learn about product features.
If you enable this policy (set it true) or don't configure it, Microsoft Edge can show full-tab content to users to provide product information.
If you disable (set to false) this policy, Microsoft Edge can't show full-tab content to users.
This is deprecated - use ShowRecommendationsEnabled instead.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PromotionalTabsEnabled
GP name: Enable full-tab promotional content (deprecated)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Set whether to ask where to save a file before downloading it.
If you enable this policy, the user is asked where to save each file before downloading; if you don't configure it, files are saved automatically to the default location, without asking the user.
If you don't configure this policy, the user will be able to change this setting.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PromptForDownloadLocation
GP name: Ask where to save downloaded files
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Prompt the user to select a certificate when multiple certificates match
Supported versions:
On Windows and macOS since 100 or later
Description
This policy controls whether the user is prompted to select a client certificate when more than one certificate matches AutoSelectCertificateForUrls. If this policy is set to True, the user is prompted to select a client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to False or not set, the user may only be prompted when no certificate matches the auto-selection.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: PromptOnMultipleMatchingCertificates
GP name: Prompt the user to select a certificate when multiple certificates match
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enables the Microsoft Edge mini menu on websites and PDFs. The mini menu appears when users select text and provides basic actions like Copy and smart actions such as Definitions.
If you enable or don't configure this policy, selecting text on websites or PDFs shows the mini menu.
If you disable this policy, the mini menu doesn't appear when users select text on websites or PDFs.
Note: Starting in Microsoft Edge for Mac version 143, this policy is obsolete because the mini menu feature has been removed on Mac.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: QuickSearchShowMiniMenu
GP name: Enables Microsoft Edge mini menu
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Manage QuickView Office files capability in Microsoft Edge
Supported versions:
On Windows and macOS since 90 or later
Description
Allows you to set whether users can view publicly accessible Office files on the web that aren't on OneDrive or SharePoint. (For example: Word documents, PowerPoint presentations, and Excel spreadsheets)
If you enable or don't configure this policy, these files can be viewed in Microsoft Edge using Office Viewer instead of downloading the files.
If you disable this policy, these files will be downloaded to be viewed.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: QuickViewOfficeFilesEnabled
GP name: Manage QuickView Office files capability in Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Check RSA key usage for server certificates issued by local trust anchors (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 135.
Supported versions:
On Windows and macOS since 123, until 135
Description
The X.509 key usage extension declares how the key in a certificate can be used. These instructions ensure certificates aren't used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. HTTPS clients must verify that server certificates match the connection's TLS parameters.
Starting in Microsoft Edge 124, this check is always enabled.
Microsoft Edge 123 and earlier have the following behavior:
If this policy is set to enabled, Microsoft Edge performs this key check. This helps prevent attacks where an attacker manipulates the browser into interpreting a key in ways that the certificate owner didn't intend.
If this policy is set to disabled, Microsoft Edge skips this key check in HTTPS connections that negotiate TLS 1.2 and use an RSA certificate that chains to a local trust anchor. Examples of local trust anchors include policy-provided or user-installed root certificates. In all other cases, the check is performed independent of this policy's setting.
If this policy isn't configured, Microsoft Edge behaves as if the policy is enabled.
This policy is available for administrators to preview the behavior of a future release, which will enable this check by default. At that point, this policy will remain temporarily available for administrators that need more time to update their certificates to meet the new RSA key usage requirements.
Connections that fail this check will fail with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites that fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If uncertain, administrators should include both in RSA certificates meant for HTTPS.
This policy is obsolete starting in Microsoft Edge version 136, but the key check has always been enabled since Microsoft Edge version 124.
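The decision rules described above can be modelled in a few lines to predict which internal certificates will start failing. This is an added example, not Microsoft Edge code; the Handshake fields and function names are hypothetical, the sample connection is constructed, and treating a certificate without a key usage extension as unrestricted follows RFC 5280 rather than this page.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"
ERR = "ERR_SSL_KEY_USAGE_INCOMPATIBLE"


@dataclass(frozen=True)
class Handshake:
    """Constructed description of one HTTPS connection (not a real capture)."""
    edge_major: int
    tls_version: str                     # "1.2" or "1.3"
    key_exchange: str                    # "ECDHE_RSA" or "RSA" (legacy RSA decryption)
    cert_key_type: str                   # "RSA" or "ECDSA"
    local_anchor: bool                   # chains to a policy-provided or user-installed root
    key_usage: Optional[FrozenSet[str]]  # None = no key usage extension in the certificate


def required_usage(hs):
    # Legacy RSA key exchange decrypts with the certificate key; ECDHE_RSA
    # and every TLS 1.3 handshake have the server sign with it instead.
    if hs.tls_version == "1.2" and hs.key_exchange == "RSA":
        return KEY_ENCIPHERMENT
    return DIGITAL_SIGNATURE


def check_is_performed(hs, policy):
    """policy: True (enabled), False (disabled) or None (not configured)."""
    if hs.edge_major >= 124:
        return True                      # always enabled from version 124
    if policy is not False:
        return True                      # enabled, or unset which behaves as enabled
    # Disabled only skips the check in this one narrow case.
    skipped = (hs.tls_version == "1.2"
               and hs.cert_key_type == "RSA"
               and hs.local_anchor)
    return not skipped


def connection_result(hs, policy=None):
    if not check_is_performed(hs, policy):
        return "OK (key usage not checked)"
    if hs.key_usage is None:
        return "OK"                      # assumption from RFC 5280: absent = unrestricted
    return "OK" if required_usage(hs) in hs.key_usage else ERR


# Constructed case: an internal-CA certificate issued with keyEncipherment
# only, served over a modern ECDHE_RSA cipher suite.
INTERNAL_SITE = Handshake(
    edge_major=123, tls_version="1.2", key_exchange="ECDHE_RSA",
    cert_key_type="RSA", local_anchor=True,
    key_usage=frozenset({KEY_ENCIPHERMENT}),
)
REISSUED = replace(
    INTERNAL_SITE, edge_major=124,
    key_usage=frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}),
)

if __name__ == "__main__":
    for label, hs, policy in [
        ("Edge 123, policy disabled", INTERNAL_SITE, False),
        ("Edge 123, policy not configured", INTERNAL_SITE, None),
        ("Edge 124, policy disabled", replace(INTERNAL_SITE, edge_major=124), False),
        ("Edge 124, certificate reissued with both usages", REISSUED, False),
    ]:
        print(f"{label}: {connection_result(hs, policy)}")
```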
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RSAKeyUsageForLocalAnchorsEnabled
GP name: Check RSA key usage for server certificates issued by local trust anchors (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Enables the Read Aloud feature within Microsoft Edge. With this feature, users can listen to the content on the web page. This feature enables users to multi-task or improve their reading comprehension by hearing content at their own pace.
If you enable this policy or don't configure it, the Read Aloud option shows up in the address bar, right click context menu, more menu, on the PDF toolbar, and within Immersive Reader. If you disable this policy, users can't access the Read Aloud feature from the address bar, right click context menu, more menu, on the PDF toolbar, and within Immersive Reader.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ReadAloudEnabled
GP name: Enable Read Aloud feature in Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Prevent install of the BHO to redirect incompatible sites from Internet Explorer to Microsoft Edge
Supported versions:
On Windows since 87 or later
Description
This setting lets you specify whether to block the installation of the Browser Helper Object (BHO) that enables redirecting incompatible sites from Internet Explorer to Microsoft Edge for sites that require a modern browser.
If you enable this policy, the BHO isn't installed. If it's already installed, it will be uninstalled on the next Microsoft Edge update.
If you disable or don't configure this policy, the BHO is installed.
Redirect incompatible sites from Internet Explorer to Microsoft Edge
Supported versions:
On Windows since 87 or later
Description
This setting lets you specify whether Internet Explorer redirects navigations to sites that require a modern browser to Microsoft Edge. If you set this policy to 'Disable' ('Prevent redirection', value 0), Internet Explorer doesn't redirect any traffic to Microsoft Edge.
If you set this policy to 'Sitelist', starting with Microsoft Edge major release 87, Internet Explorer (IE) redirects sites that require a modern browser to Microsoft Edge. (Note: The Sitelist setting is 'Redirect sites based on the incompatible sites sitelist', value 1.)
When a site is redirected from Internet Explorer to Microsoft Edge, the Internet Explorer tab that started loading the site is closed if it had no prior content. Otherwise, the user is taken to a Microsoft help page that explains why the site was redirected to Microsoft Edge. When Microsoft Edge is launched to load an IE site, an information bar explains that the site works best in a modern browser.
If you want to redirect all navigations, configure the Disable Internet Explorer 11 policy, which redirects all navigations from IE11 to Microsoft Edge. It also hides the IE11 app icon from the user after the first launch.
If you don't configure this policy:
* Starting with Microsoft Edge major release 87, you have the same experience as setting the policy to 'Sitelist': Internet Explorer redirects sites that require a modern browser to Microsoft Edge.
* In the future, the default for your organization changes to automatically redirect all navigations. If you don't want automatic redirection, set this policy to 'Disable' or 'Sitelist'.
This policy lets you configure the Reduce IP address change notification feature in Microsoft Edge on macOS.
If you enable or don't configure this policy, the Reduce IP address change notification feature is enabled by default. This helps reduce unnecessary network change notifications when IP addresses change.
If you disable this policy, all IP address changes trigger network change notifications, regardless of the feature's status.
Configure Related Matches in Find on Page (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 134.
Supported versions:
On Windows and macOS since 99, until 134
Description
Specifies how the user receives related matches in Find on Page, which provides spellcheck, synonyms, and Q&A results in Microsoft Edge.
If you enable or don't configure this policy, users can receive related matches in Find on Page on all sites. The results are processed through a cloud service.
If you disable this policy, users can receive related matches in Find on Page on a limited set of sites. In this case, results are processed locally on the user's device.
Note: This policy is obsolete. The associated cloud service is discontinued, so the feature and policy aren't supported on any versions of Microsoft Edge.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelatedMatchesCloudServiceEnabled
GP name: Configure Related Matches in Find on Page (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Relaunch browser quickly when the current version is outdated
Supported versions:
On Windows and macOS since 141 or later
Description
This policy specifies the minimum release age after which relaunch notifications become more aggressive. The release age is calculated from the time the currently running version was last served to clients.
If a browser relaunch is needed to finalize a pending update and the current version has been outdated for more than the number of days specified by this setting, the RelaunchNotificationPeriod policy is overridden to 2 hours. If the RelaunchNotification policy is set to 1 ('Required'), a browser relaunch will be forced at the end of the period.
If not set, or if the release age cannot be determined, the RelaunchNotificationPeriod policy will be used for all updates.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelaunchFastIfOutdated
GP name: Relaunch browser quickly when the current version is outdated
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Notify a user that a browser restart is recommended or required for pending updates
Supported versions:
On Windows and macOS since 77 or later
Description
Notify users that they need to restart Microsoft Edge to apply a pending update.
If you don't configure this policy, Microsoft Edge adds a recycle icon at the far right of the top menu bar to prompt users to restart the browser to apply the update.
If you enable this policy and set it to 'Recommended', a recurring warning prompts users that a restart is recommended. Users can dismiss this warning and defer the restart.
If you set the policy to 'Required', a recurring warning prompts users that the browser will be restarted automatically as soon as a notification period passes. The default period is seven days. You can configure this period with the RelaunchNotificationPeriod policy.
The user's session is restored when the browser restarts.
Policy options mapping:
* Recommended (1) = Recommended - Show a recurring prompt to the user indicating that a restart is recommended
* Required (2) = Required - Show a recurring prompt to the user indicating that a restart is required
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelaunchNotification
GP name: Notify a user that a browser restart is recommended or required for pending updates
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Allows you to set the time period, in milliseconds, over which users are notified that Microsoft Edge must be relaunched to apply a pending update.
Over this time period, the user will be repeatedly informed of the need for an update. In Microsoft Edge the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.
If not set, the default period of 604800000 milliseconds (one week) is used.
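The schedule described above, combined with the 2-hour override from RelaunchFastIfOutdated and the forced relaunch under RelaunchNotification 'Required', can be worked through as follows. This is an added example, not Microsoft Edge code; the function names are hypothetical, the start time is constructed, and measuring the period from the moment the pending update is detected is an assumption.

```python
from datetime import datetime, timedelta

DEFAULT_PERIOD_MS = 604_800_000      # one week, the documented default
FAST_PERIOD = timedelta(hours=2)     # override applied by RelaunchFastIfOutdated
RECOMMENDED, REQUIRED = 1, 2         # RelaunchNotification policy options mapping


def effective_period(period_ms=None, fast_if_outdated_days=None,
                     release_age_days=None):
    """Return the notification period that actually applies.

    period_ms             RelaunchNotificationPeriod (None = not set)
    fast_if_outdated_days RelaunchFastIfOutdated (None = not set)
    release_age_days      age of the running version (None = cannot be determined)
    """
    if (fast_if_outdated_days is not None
            and release_age_days is not None
            and release_age_days > fast_if_outdated_days):
        return FAST_PERIOD
    ms = DEFAULT_PERIOD_MS if period_ms is None else period_ms
    return timedelta(milliseconds=ms)


def relaunch_schedule(start, relaunch_notification=None, **period_args):
    """Milestones for one pending update.

    start is when the pending update is detected (assumption: the period is
    counted from this moment).
    """
    period = effective_period(**period_args)
    end = start + period
    return {
        "period": period,
        "menu_shows_relaunch_needed": start + period / 3,
        "first_colour_change": start + 2 * period / 3,
        "second_colour_change": end,
        # Only 'Required' forces the relaunch at the end of the period.
        "forced_relaunch": end if relaunch_notification == REQUIRED else None,
    }


if __name__ == "__main__":
    detected = datetime(2025, 1, 6, 9, 0)   # constructed sample time
    cases = {
        "defaults, Required": dict(relaunch_notification=REQUIRED),
        "running version 20 days old, threshold 14": dict(
            relaunch_notification=REQUIRED,
            fast_if_outdated_days=14, release_age_days=20),
    }
    for label, args in cases.items():
        print(label)
        for name, value in relaunch_schedule(detected, **args).items():
            print(f"  {name}: {value}")
```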
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelaunchNotificationPeriod
GP name: Set the time period for update notifications
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specifies a target time window for the end of the relaunch notification period.
Users are notified of the need for a browser relaunch or device restart based on the RelaunchNotification and RelaunchNotificationPeriod policy settings. Browsers and devices are forcibly restarted at the end of the notification period when the RelaunchNotification policy is set to Required. This RelaunchWindow policy can be used to defer the end of the notification period so that it falls within a specific time window.
If you don't configure this policy, the default target time window is the whole day (that is, the end of the notification period is never deferred).
Note: Though the policy can accept multiple items in entries, all items except the first are ignored.
Warning: Setting this policy can delay application of software updates.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
Dictionary
Windows information and settings
Group Policy (ADMX) info
GP unique name: RelaunchWindow
GP name: Set the time interval for relaunch
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
If you enable or don't configure this policy, users may use remote debugging by specifying the --remote-debugging-port and --remote-debugging-pipe command line switches.
If you disable this policy, users are not allowed to use remote debugging.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RemoteDebuggingAllowed
GP name: Allow remote debugging
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 118.
Supported versions:
On Windows since 78, until 118
Description
Setting the policy to Enabled or leaving it unset turns on Renderer Code Integrity. Setting the policy to Disabled has a detrimental effect on Microsoft Edge's security and stability as unknown and potentially hostile code can load inside Microsoft Edge's renderer processes. Only turn off the policy if there are compatibility issues with third-party software that must run inside Microsoft Edge's renderer processes.
This policy is removed in Microsoft Edge version 119 and is ignored if set.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RendererCodeIntegrityEnabled
GP name: Enable renderer code integrity (obsolete)
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Specify if online OCSP/CRL checks are required for local trust anchors
Supported versions:
On Windows since 123 or later
Description
Control whether online revocation checks (OCSP/CRL checks) are required. If Microsoft Edge can't get revocation status information, these certificates are treated as revoked ("hard-fail").
If you enable this policy, Microsoft Edge always performs revocation checking for server certificates that successfully validate and are signed by locally installed CA certificates.
If you don't configure or disable this policy, then Microsoft Edge uses the existing online revocation checking settings.
Enable resolution of navigation errors using a web service
Supported versions:
On Windows and macOS since 77 or later
Description
Allow Microsoft Edge to issue a dataless connection to a web service to probe networks for connectivity in cases like hotel and airport Wi-Fi.
If you enable this policy, a web service is used for network connectivity tests.
If you disable this policy, Microsoft Edge uses native APIs to try to resolve network connectivity and navigation issues.
Note: Except on Windows 8 and later versions of Windows, Microsoft Edge always uses native APIs to resolve connectivity issues.
If you don't configure this policy, Microsoft Edge respects the user preference that's set under Services at edge://settings/privacy. Specifically, there's a 'Use a web service to help resolve navigation errors' toggle, which the user can switch on or off. Be aware that if you have enabled this policy (ResolveNavigationErrorsUseWebService), the 'Use a web service to help resolve navigation errors' setting is turned on, but the user can't change the setting by using the toggle. If you have disabled this policy, the 'Use a web service to help resolve navigation errors' setting is turned off, and the user can't change the setting by using the toggle.
Supported features:
Can be mandatory:
Yes
Can be recommended:
Yes
Dynamic Policy Refresh:
Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ResolveNavigationErrorsUseWebService
GP name: Enable resolution of navigation errors using a web service
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
GP path (Recommended):
Administrative Templates/Microsoft Edge - Default Settings (users can override)/
If you enable or don't configure this policy, Microsoft Edge recovers the last state of PDF view and takes users to the section where they stopped reading in the last session.
If you disable this policy, Microsoft Edge recovers the last state of PDF view and lands users at the start of the PDF file.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestorePdfView
GP name: Restore PDF view
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
This policy helps mitigate side-channel cross-process memory attacks by isolating the renderer process to a dedicated CPU core, preventing other processes from being scheduled on the same core.
This mitigation is supported on Microsoft® Windows® 11 24H2 and later. If the operating system doesn't support the necessary scheduling features, this policy has no effect.
Enabling this policy may reduce performance in demanding workloads, similar to the impact of disabling hyperthreading. For more information, see https://learn.microsoft.com/windows/win32/api/winnt/ns-winnt-process_mitigation_side_channel_isolation_policy
If you enable this policy, other processes can't be scheduled on the same CPU core as a renderer process.
If you disable this policy, other processes can be scheduled on the same CPU core as a renderer process.
If you don't configure this policy, other processes can be scheduled on the same core as the renderer process. Behavior can vary depending on Microsoft Edge version and platform.
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestrictCoreSharingOnRenderer
GP name: Restrict CPU core sharing for renderer process
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Restrict which accounts can be used to sign in to Microsoft Edge
Supported versions:
On Windows and macOS since 77 or later
Description
Determines which accounts can be used to sign in to the Microsoft Edge account that's chosen during the Sync opt-in flow.
You can configure this policy to match multiple accounts using a Perl style regular expression for the pattern. If a user tries to sign in to the browser with an account whose username doesn't match this pattern, they're blocked and will get the appropriate error message. Pattern matches are case sensitive. For more information about the regular expression rules that are used, see https://go.microsoft.com/fwlink/p/?linkid=2133903.
If you don't configure this policy or leave it blank, users can use any account to sign in to Microsoft Edge.
Signed-in profiles with a username that doesn't match this pattern will be signed out after this policy is enabled.
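Because a loose pattern silently admits accounts from other domains and a case-sensitive one can sign out legitimate users, it is worth testing a candidate pattern against known usernames before deploying it. This is an added example, not Microsoft Edge code: it uses Python's re module as a stand-in for the regular expression engine referenced above, assumes the whole username must match the pattern, and all patterns and usernames are constructed.

```python
import re

# Constructed candidate patterns for an organization using contoso.com.
LOOSE = r".*contoso.com"               # no "@" anchor, unescaped dot
STRICT = r"[^@]+@contoso\.com"         # exactly one local part, literal domain

# Constructed usernames.
MUST_ALLOW = ["alice@contoso.com", "bob.smith@contoso.com"]
MUST_BLOCK = [
    "mallory@notcontoso.com",          # different domain ending in the same text
    "mallory@contosoXcom",             # "." in the pattern matches any character
    "mallory@fabrikam.example",
]
CASE_VARIANT = "Alice@Contoso.com"     # same mailbox, different capitalization


def is_allowed(pattern, username):
    """Model of the sign-in check.

    A blank or unset pattern lets any account sign in. Matching is case
    sensitive. Assumption: the pattern must match the entire username.
    """
    if not pattern:
        return True
    return re.fullmatch(pattern, username) is not None


def audit_pattern(pattern, must_allow=MUST_ALLOW, must_block=MUST_BLOCK):
    """Return the usernames the pattern handles differently from what is intended."""
    return {
        "wrongly_blocked": [u for u in must_allow if not is_allowed(pattern, u)],
        "wrongly_admitted": [u for u in must_block if is_allowed(pattern, u)],
    }


if __name__ == "__main__":
    for name, pattern in [("LOOSE", LOOSE), ("STRICT", STRICT)]:
        print(name, pattern, audit_pattern(pattern))
    # Profiles signed in with a differently capitalized username do not match
    # and would be signed out once the policy takes effect.
    print("case variant allowed by STRICT:", is_allowed(STRICT, CASE_VARIANT))
```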
Supported features:
Can be mandatory:
Yes
Can be recommended:
No
Dynamic Policy Refresh:
Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: RestrictSigninToPattern
GP name: Restrict which accounts can be used to sign in to Microsoft Edge
GP path (Mandatory):
Administrative Templates/Microsoft Edge/
Configures the directory to use to store the roaming copy of profiles.
If you enable this policy, Microsoft Edge uses the provided directory to store a roaming copy of the profiles, as long as you've also enabled the RoamingProfileSupportEnabled policy. If you disable the RoamingProfileSupportEnabled policy or don't configure it, the value stored in this policy isn't used.
Enable using roaming copies for Microsoft Edge profile data
Supported versions:
On Windows since 85 or later
Description
Enable this policy to use roaming profiles on Windows. The settings stored in Microsoft Edge profiles (favorites and preferences) are also saved to a file stored in the Roaming user profile folder (or the location specified by the administrator through the RoamingProfileLocation policy).
If you disable this policy or don't configure it, only the regular local profiles are used.
The SyncDisabled policy only disables cloud synchronization and has no effect on this policy.
Extend Adobe Flash content setting to all content (obsolete)
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 88.
Supported versions:
On Windows and macOS since 77, until 88
Description
This policy doesn't work because Flash is no longer supported by Microsoft Edge.
If you enable this policy, all Adobe Flash content embedded in websites that are set to allow Adobe Flash in the content settings, either by the user or by enterprise policy, runs. This includes content from other origins and/or small content.
If you disable this policy or don't configure it, Adobe Flash content from other origins (sites that aren't specified in the preceding three policies) or small content might be blocked.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: RunAllFlashInAllowMode
GP name: Extend Adobe Flash content setting to all content (obsolete)
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Allow users to proceed from the HTTPS warning page for specific origins
Supported versions:
On Windows and macOS since 90 or later
Description
Microsoft Edge shows a warning page when users visit sites that have SSL errors.
If you enable or don't configure the SSLErrorOverrideAllowed policy, this policy does nothing.
If you disable the SSLErrorOverrideAllowed policy, configuring this policy lets you configure a list of origin patterns for sites where users can continue to click through SSL error pages. Users can't click through SSL error pages on origins that are not on this list.
If you don't configure this policy, the SSLErrorOverrideAllowed policy applies for all sites.
For detailed information about valid origin patterns, see https://go.microsoft.com/fwlink/?linkid=2095322. * is not an accepted value for this policy. This policy only matches based on origin, so any path or query in the URL pattern is ignored.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: SSLErrorOverrideAllowedForOrigins
GP name: Allow users to proceed from the HTTPS warning page for specific origins
GP path (Mandatory): Administrative Templates/Microsoft Edge/
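A review helper for the SSLErrorOverrideAllowed and SSLErrorOverrideAllowedForOrigins pair, added here as an illustration and not part of the Microsoft documentation. It encodes only the rules stated above (the list is inert unless SSLErrorOverrideAllowed is disabled, `*` is rejected, path and query are ignored); the dictionary layout and the sample origins are constructed assumptions.

```python
# Constructed sample configuration; None or a missing key means "not configured".
SAMPLE = {
    "SSLErrorOverrideAllowed": False,
    "SSLErrorOverrideAllowedForOrigins": [
        "https://legacy.contoso.example",
        "https://intranet.contoso.example/hr/portal?lang=en",
        "*",
    ],
}


def split_origin(entry):
    """Split a list entry into (origin part, path/query suffix that is ignored)."""
    scheme, sep, rest = entry.partition("://")
    if not sep:  # no scheme given, e.g. a bare host pattern
        scheme, rest = "", entry
    cuts = [i for i in (rest.find("/"), rest.find("?")) if i != -1]
    cut = min(cuts) if cuts else len(rest)
    prefix = scheme + sep if sep else ""
    return prefix + rest[:cut], rest[cut:]


def review_ssl_override(policies):
    """Return (kind, subject, message) findings for the two related policies."""
    findings = []
    allowed = policies.get("SSLErrorOverrideAllowed")
    origins = policies.get("SSLErrorOverrideAllowedForOrigins")
    if origins is None:
        return findings
    if allowed is not False:
        # Enabled or not configured: the per-origin list does nothing.
        findings.append(("inactive", "SSLErrorOverrideAllowedForOrigins",
                         "list does nothing unless SSLErrorOverrideAllowed is disabled"))
    for entry in origins:
        if entry.strip() == "*":
            findings.append(("invalid", entry, "'*' is not an accepted value"))
            continue
        origin, ignored = split_origin(entry.strip())
        if ignored not in ("", "/"):
            # The exception is wider than the entry suggests.
            findings.append(("broader", entry,
                             f"matches all of {origin}; {ignored} is ignored"))
    return findings


if __name__ == "__main__":
    for finding in review_ssl_override(SAMPLE):
        print(finding)
```

A "broader" finding means click-through is permitted for every page on that origin, not only the path that was written into the list.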
OBSOLETE: This policy is obsolete and doesn't work after Microsoft Edge 97.
Supported versions:
On Windows and macOS since 77, until 97
Description
This policy was removed in Microsoft Edge 98 and is ignored if configured. Sets the minimum supported version of TLS.
If you set this policy to 'tls1.2', Microsoft Edge shows an error for TLS 1.0 and TLS 1.1, and the user won't be able to bypass the error.
If you don't configure this policy, Microsoft Edge still shows an error for TLS 1.0 and TLS 1.1 but the user will be able to bypass it.
Support for suppressing the TLS 1.0/1.1 warning was removed from Microsoft Edge starting in version 91. The 'tls1' and 'tls1.1' values are no longer supported.
Policy options mapping:
* TLSv1 (tls1) = TLS 1.0
* TLSv1.1 (tls1.1) = TLS 1.1
* TLSv1.2 (tls1.2) = TLS 1.2
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
String
Windows information and settings
Group Policy (ADMX) info
GP unique name: SSLVersionMin
GP name: Minimum TLS version enabled (obsolete)
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Allow Microsoft Edge to block navigations to external protocols in a sandboxed iframe
Supported versions:
On Windows and macOS since 99 or later
Description
Microsoft Edge blocks navigations to external protocols inside a sandboxed iframe.
If you enable or don't configure this policy, Microsoft Edge blocks those navigations.
If you disable this policy, Microsoft Edge doesn't block those navigations.
This policy can be used by administrators who need more time to update internal websites affected by this new restriction. This enterprise policy is temporary; it's intended to be removed after Microsoft Edge version 117.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SandboxExternalProtocolBlocked
GP name: Allow Microsoft Edge to block navigations to external protocols in a sandboxed iframe
GP path (Mandatory): Administrative Templates/Microsoft Edge/
When this policy is enabled, the specified set of cookies is exempt from deletion when the browser closes. This policy is only effective when:
- The 'Cookies and other site data' toggle is configured in Settings/Privacy and services/Clear browsing data on close or
- The policy ClearBrowsingDataOnExit is enabled or
- The policy DefaultCookiesSetting is set to 'Keep cookies for the duration of the session'.
You can define a list of sites, based on URL patterns, that have their cookies preserved across sessions.
Note: Users can still edit the cookie site list to add or remove URLs. However, they can't remove URLs that are added by an Admin.
If you enable this policy, the cookies in the list aren't cleared when the browser closes.
If you disable or don't configure this policy, the user's personal configuration is used.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: No - Requires browser restart
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: SaveCookiesOnExit
GP name: Save cookies when Microsoft Edge closes
GP path (Mandatory): Administrative Templates/Microsoft Edge/
If you enable this policy, or don't configure this policy, a webpage can use screen-share APIs (for example, getDisplayMedia() or the Desktop Capture extension API) for a screen capture.
If you disable this policy, calls to screen-share APIs fail. For example, if you're using a web-based online meeting, video or screen sharing won't work. However, this policy isn't considered (and a site will be allowed to use screen-share APIs) if the site matches an origin pattern in any of the following policies: ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ScreenCaptureAllowed
GP name: Allow or deny screen capture
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Enable scrolling to text specified in URL fragments
Supported versions:
On Windows and macOS since 83 or later
Description
This feature lets hyperlink and address bar URL navigations target specific text on a web page, which will be scrolled to after the web page finishes loading.
If you enable or don't configure this policy, web page scrolling to specific text fragments via a URL is enabled.
If you disable this policy, web page scrolling to specific text fragments via a URL is disabled.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: ScrollToTextFragmentEnabled
GP name: Enable scrolling to text specified in URL fragments
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Lets you filter your autosuggestions by selecting a filter from the search filters ribbon. For example, if you select the "Favorites" filter, only favorites suggestions are shown.
If you enable or don't configure this policy, the autosuggestion dropdown defaults to displaying the ribbon of available filters.
If you disable this policy, the autosuggestion dropdown can't display the ribbon of available filters.
Supported features:
Can be mandatory: Yes
Can be recommended: Yes
Dynamic Policy Refresh: Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SearchFiltersEnabled
GP name: Search Filters Enabled
GP path (Mandatory): Administrative Templates/Microsoft Edge/
GP path (Recommended): Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Search in Sidebar allows users to open search results in the sidebar (including sidebar search for Progressive Web Apps).
If you configure this policy to 'EnableSearchInSidebar' or don't configure it, Search in sidebar is enabled.
If you configure this policy to 'DisableSearchInSidebarForKidsMode', Search in sidebar is disabled when in Kids mode. Some methods that would normally invoke sidebar search will invoke a traditional search instead.
If you configure this policy to 'DisableSearchInSidebar', Search in sidebar is disabled. Some methods that would invoke sidebar search invoke a traditional search instead.
Policy options mapping:
* EnableSearchInSidebar (0) = Enable search in sidebar
* DisableSearchInSidebarForKidsMode (1) = Disable search in sidebar for Kids Mode
* DisableSearchInSidebar (2) = Disable search in sidebar
Use the preceding information when configuring this policy.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
Integer
Windows information and settings
Group Policy (ADMX) info
GP unique name: SearchInSidebarEnabled
GP name: Search in Sidebar enabled
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Enables web search suggestions in Microsoft Edge's Address Bar and Auto-Suggest List and prevents users from changing this policy.
If you enable this policy, web search suggestions are used.
If you disable this policy, web search suggestions are never used; however, local history and local favorites suggestions still appear. If you disable this policy, neither the typed characters nor the URLs visited will be included in telemetry to Microsoft.
If you don't configure this policy, search suggestions are enabled but the user can change that.
Supported features:
Can be mandatory: Yes
Can be recommended: Yes
Dynamic Policy Refresh: Yes
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SearchSuggestEnabled
GP name: Enable search suggestions
GP path (Mandatory): Administrative Templates/Microsoft Edge/
GP path (Recommended): Administrative Templates/Microsoft Edge - Default Settings (users can override)/
Enables the search bar. When enabled, users can use the search bar to search the web from their desktop or from an application. The search bar provides a search box, powered by the Microsoft Edge default search engine, that shows web suggestions and opens all web searches in Microsoft Edge. The search bar can be launched from the "More tools" menu or jump list in Microsoft Edge.
If you enable or don't configure this policy, the following results can be seen:
* The search bar is automatically enabled for all profiles.
* The option to enable the search bar at startup is toggled on if the SearchbarIsEnabledOnStartup policy is enabled.
* If the SearchbarIsEnabledOnStartup is disabled or not configured, the option to enable the search bar at startup is toggled off.
* Users will see the menu item to launch the search bar from the Microsoft Edge "More tools" menu. Users can launch the search bar from "More tools".
* Users will see the menu item to launch the search bar from the Microsoft Edge jump list menu. Users can launch the search bar from the Microsoft Edge jump list menu.
* The search bar can be turned off by the "Quit" option in the System tray or by closing the search bar from the 3-dot menu. The search bar is restarted on system reboot if auto-start is enabled.
If you disable this policy:
* The search bar will be disabled for all profiles.
* The option to launch the search bar from Microsoft Edge "More tools" menu will be disabled.
* The option to launch the search bar from Microsoft Edge jump list menu will be disabled.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SearchbarAllowed
GP name: Enable the Search bar
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Allows the Search bar to start running at Windows startup.
If you enable this policy: The Search bar starts running at Windows startup by default. If the Search bar is disabled via the SearchbarAllowed policy, this policy doesn't start the Search bar on Windows startup.
If you disable this policy: The Search bar doesn't start at Windows startup for all profiles. The option to start the search bar at Windows startup is disabled and toggled off in search bar settings.
If you don't configure the policy: The Search bar doesn't start at Windows startup for all profiles. The option to start the search bar at Windows startup is toggled off in search bar settings.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: No - Requires browser restart
Data Type:
Boolean
Windows information and settings
Group Policy (ADMX) info
GP unique name: SearchbarIsEnabledOnStartup
GP name: Allow the Search bar at Windows startup
GP path (Mandatory): Administrative Templates/Microsoft Edge/
Websites or domains that don't need permission to use direct Security Key attestation
Supported versions:
On Windows and macOS since 77 or later
Description
Specifies the WebAuthn RP IDs that don't need explicit user permission when attestation certificates from security keys are requested. Additionally, a signal is sent to the security key indicating that it can use enterprise attestation. Without this policy, users are prompted each time a site requests attestation of security keys.
Supported features:
Can be mandatory: Yes
Can be recommended: No
Dynamic Policy Refresh: Yes
Data Type:
List of strings
Windows information and settings
Group Policy (ADMX) info
GP unique name: SecurityKeyPermitAttestation
GP name: Websites or domains that don't need permission to use direct Security Key attestation
GP path (Mandatory): Administrative Templates/Microsoft Edge/