• Block 3rd party cookies - Recommendatory policy

• Set Edge to use system's DNS over HTTPS

• Enable Encrypted Client Hello

• Disable Basic HTTP authentication scheme

• Allow devices using this hardening category to receive new features and experimentations like normal devices

• Enforce the audio process to run sandboxed

• Sets the share additional operating system region setting to never - Recommendatory policy

• Disables the following weak Cipher Suites

  • Site 1 to test TLS in your browser

  • Site 2 to test TLS in your browser

• Policy that automatically denies the window management permission to sites by default. This limits the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.

• Policy that will prevent websites from even requesting access to the local connected USB devices.

• Policy that will disable dynamic code in Edge browser which is a security feature that prevents the browser process from creating dynamic code. The default value of this policy is not explicitly defined, it could be enabled or could be disabled. Setting it explicitly to enabled via this policy ensures that no dynamic code is created by the browser process.

  • Please view this related conversation about this security measure: https://github.com/HotCakeX/Harden-Windows-Security/issues/1160

• Enables Enhanced security mode in Microsoft Edge mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser.

• Prevents websites from accessing information about locally installed fonts.

• Makes sure that only Microsoft signed binaries are allowed to load in the Edge process by enabling Code Integrity for Edge.

• Restricts CPU core sharing for renderer process. Helps mitigate side-channel cross-process memory attacks by isolating the renderer process to a dedicated CPU core, preventing other processes from being scheduled on the same core.

• Launches Renderer processes into an App Container for more security benefits.

• Microsoft Edge will prefer the algorithms required for the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) for TLS 1.3 and QUIC connections.

• Configures Microsoft Edge to prefer ciphers required for compliance with the Commercial National Security Algorithm Suite versions 1.0 and 2.0 (CNSA 1.0 and 2.0). Only affects TLS 1.3 and QUIC.

• CSP

TLS_RSA_WITH_AES_256_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_GCM_SHA256  Reason: NO Perfect Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384  Reason: NO Perfect Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  Reason: CBC, SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  Reason: CBC, SHA1

Due to security reasons, many policies cannot be used when you are signed into Edge browser using personal Microsoft account. This app does not use any of those policies. When those policies are applied, they are ignored by the browser and edge://policy/ shows an error for them.

• You can view all of the policies being applied to your Edge browser by visiting this page: edge://policy/
• You can find all of the available internal Edge pages in here: edge://about/

• Useful links:
  • Microsoft Edge stable channel change log
  • Microsoft Edge Security updates change log
  • Microsoft Edge Beta channel change log
  • Microsoft Edge Mobile stable channel change log
  • Edge Insider for Beta/Dev/Canary channels
  • Microsoft Edge Security baselines work without ingesting ADMX policy files first.
    • You can apply them via the Harden System Security app.