Locking down browser settings is an important part of protecting your network, and Microsoft Edge in particular can expose your organization to unnecessary risk if it is left at its defaults.
One of the most effective ways to harden Edge is to control browser behavior through Group Policy. This includes disabling Secure DNS (DNS-over-HTTPS, or DoH), which lets the browser send its DNS queries over HTTPS to a public resolver instead of your internal DNS servers. That bypasses the filtering, logging and split-horizon resolution those servers provide, so DNS-based controls never see what the browser looks up.
Restricting the built-in DNS client and extensions further limits unwanted network communication and reduces the browser's attack surface. This guide gives step-by-step instructions for using the Edge policy templates (the ADMX/ADML files) to implement these configurations.
Download Templates
- Download the latest Edge policy templates from Download Edge for Business (microsoft.com)
- You can click “Download Windows 64-bit Policy”
- Extract the CAB file, then extract the ZIP file it contains
Add the administrative template to an individual computer
- On the target computer, open MicrosoftEdgePolicyTemplates and go to windows > admx.
- Copy the msedge.admx file to your Policy Definition template folder. (Example: C:\Windows\PolicyDefinitions)
- In the admx folder, open the appropriate language folder. For example, if you’re in the U.S., open the en-US folder.
- Copy the msedge.adml file to the matching language folder in your Policy Definition folder. (Example: C:\Windows\PolicyDefinitions\en-US)
- To confirm the files loaded correctly, open Local Group Policy Editor directly (Windows key + R and enter gpedit.msc) or open MMC and load the Local Group Policy Editor snap-in. If an error occurs, it’s usually because the files are in an incorrect location, or because the .admx and .adml files came from different template releases and no longer match. These steps affect only the local computer; for domain-joined machines, put the same two files in the Central Store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions and its language subfolder) so the Group Policy Management Console can use them.
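The same installation as a script, added here as an example (it is not part of the original guide or of Microsoft's template download). It assumes the CAB and the inner ZIP were already extracted to the hypothetical path C:\Temp\MicrosoftEdgePolicyTemplates and that the ADML language matches the current UI culture; the string-reference check at the end catches the mismatched ADMX/ADML pair that gpedit otherwise reports as a parse error.

```powershell
# Added example, not from the original guide: install msedge.admx/msedge.adml into
# the local PolicyDefinitions folder and check that the two files belong together.
# Assumptions (hypothetical): the CAB and inner ZIP were extracted to
# C:\Temp\MicrosoftEdgePolicyTemplates; the ADML language is the current UI culture.
# Run from an elevated PowerShell session (it writes under C:\Windows).
$TemplateRoot = 'C:\Temp\MicrosoftEdgePolicyTemplates\windows\admx'
$PolicyDefs   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Culture      = (Get-Culture).Name            # e.g. en-US; must match a folder under admx\

$admxSrc = Join-Path $TemplateRoot 'msedge.admx'
$admlSrc = Join-Path $TemplateRoot "$Culture\msedge.adml"
foreach ($f in @($admxSrc, $admlSrc)) {
    if (-not (Test-Path -LiteralPath $f)) {
        throw "Template file not found: $f (check the extraction path and language folder)"
    }
}

# gpedit expects msedge.admx directly in PolicyDefinitions and msedge.adml in the
# matching language subfolder; anything else produces an error when the editor loads.
$langDir = Join-Path $PolicyDefs $Culture
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
Copy-Item -LiteralPath $admxSrc -Destination $PolicyDefs -Force
Copy-Item -LiteralPath $admlSrc -Destination $langDir    -Force

# Sanity check: every $(string.<id>) the ADMX references must be defined in the ADML.
# A mixed pair (ADMX from one release, ADML from another) is the usual cause of the
# "resource ... could not be found" error gpedit shows while loading the template.
[xml]$admxXml = Get-Content -LiteralPath (Join-Path $PolicyDefs 'msedge.admx') -Raw
[xml]$admlXml = Get-Content -LiteralPath (Join-Path $langDir   'msedge.adml') -Raw
$referenced = [regex]::Matches($admxXml.OuterXml, '\$\(string\.([A-Za-z0-9_]+)\)') |
              ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
$defined    = $admlXml.policyDefinitionResources.resources.stringTable.string |
              ForEach-Object { $_.id }
$missing    = @($referenced | Where-Object { $_ -notin $defined })

if ($missing.Count) {
    Write-Warning ("ADML is missing {0} string(s) referenced by the ADMX, e.g. {1}. Copy both files from the same template download." -f $missing.Count, $missing[0])
} else {
    "Installed msedge.admx and $Culture\msedge.adml; {0} string references resolved." -f @($referenced).Count
}
```

Run it once per machine, then open gpedit.msc as the guide describes; the string check only covers displayName/explainText references, which is where a version mismatch surfaces first.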
Disabling DNS over HTTPS (DoH) in Microsoft Edge
- Open Group Policy Editor: press Win + R, type gpedit.msc, and press Enter.
- Navigate to Microsoft Edge policies: in the Group Policy Editor, go to Computer Configuration > Administrative Templates > Microsoft Edge.
- Configure DnsOverHttpsMode: find the policy named Control the mode of DNS-over-HTTPS and double-click it to edit the policy settings.
- Set the policy to Enabled. This might seem counterintuitive, but the policy has to be Enabled before you can choose a mode; leaving it Not Configured lets Edge's defaults and the user's Settings page decide.
- In the options, set the mode to Off to disable DNS over HTTPS. (The other values are Automatic, which tries DoH and falls back to plain DNS, and Secure, which uses DoH only.) Click Apply, then OK.
- Note that this policy governs only Edge's own resolver. Windows 11 also has an operating-system DoH setting; if that is enabled, traffic Edge hands to the OS resolver is still encrypted by Windows, so treat the two settings together.
Disabling the Built-in DNS Client in Microsoft Edge
- Still within the Group Policy Editor, under the Microsoft Edge policies, look for a policy named Use built-in DNS client and double-click it to edit the policy settings.
- Set the policy to Disabled. This disables the built-in DNS client in Microsoft Edge, so the browser hands name resolution to the operating system's resolver. It does not change which DNS servers are used, only which resolver code path talks to them, which keeps Edge's lookups on the same path, and under the same monitoring, as every other application on the host.
- Click Apply, then OK.
Disabling Extensions in Microsoft Edge
- Open Group Policy Editor: press Win + R, type gpedit.msc, and press Enter.
- Navigate to Microsoft Edge extension policies: in the Group Policy Editor, go to Computer Configuration > Administrative Templates > Microsoft Edge > Extensions.
- Configure the extension policy: find the policy named Control which extensions cannot be installed and double-click it to edit the policy settings.
- Set the policy to Enabled.
- In the options section, enter the IDs of the extensions to block, one per row. This policy is a blocklist (ExtensionInstallBlocklist): the IDs listed here cannot be installed, and matching extensions that are already installed are disabled. To block all extensions, enter a single entry of *.
- The * wildcard does not apply to extensions listed in Allow specific extensions to be installed (ExtensionInstallAllowlist) or deployed by Control which extensions are installed silently (ExtensionInstallForcelist), so review those two policies as well; they are the only way extensions should reach a locked-down browser.
- Click Apply, then OK.
Test your policies
On a target client device, open Microsoft Edge and go to edge://policy to see all policies that are applied; for the settings above the Level column should read Mandatory and the Scope column Machine. If you applied policy settings on the local computer, they should appear immediately; if the page shows stale values, click Reload policies, or close and reopen Microsoft Edge if it was open while you were configuring them. For settings delivered by a domain GPO, run gpupdate /force on the client first. Then confirm the effect rather than just the policy: the client's lookups should now show up in your internal resolver's logs, and the extensions page (edge://extensions) should show the "managed by your organization" banner with no installable extensions.
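Edge reads machine-level mandatory policy from HKLM\SOFTWARE\Policies\Microsoft\Edge, which is where the Local Group Policy settings from the three sections above end up once policy is refreshed. The script below, added as an example and not part of the original guide, writes the same three values directly and then reads them back, flagging the allowlist and forcelist exemptions that would quietly undercut a "*" blocklist. It assumes no domain GPO manages these keys (a GPO would overwrite the values at the next refresh).

```powershell
# Added example, not from the original guide: apply the three settings this guide
# configures in gpedit by writing the registry values Microsoft Edge reads for
# mandatory machine policy, then read them back and report anything that would
# weaken the result. Assumption: no domain GPO manages these keys (a GPO would
# overwrite them at the next policy refresh). Run from an elevated session.
$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Blocklist  = "$EdgePolicy\ExtensionInstallBlocklist"

function Set-EdgeHardening {
    New-Item -Path $EdgePolicy -Force | Out-Null
    New-Item -Path $Blocklist  -Force | Out-Null

    # "Control the mode of DNS-over-HTTPS": Enabled + Off in the editor is REG_SZ "off"
    # (the other modes are "automatic" and "secure").
    New-ItemProperty -Path $EdgePolicy -Name 'DnsOverHttpsMode' -PropertyType String -Value 'off' -Force | Out-Null
    # "Use built-in DNS client": Disabled is REG_DWORD 0; Edge then uses the OS resolver.
    New-ItemProperty -Path $EdgePolicy -Name 'BuiltInDnsClientEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
    # "Control which extensions cannot be installed" is a list policy stored as numbered
    # REG_SZ values under its own key. Replace any existing entries with a single "*".
    Get-Item -Path $Blocklist | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $Blocklist -Name $_ }
    New-ItemProperty -Path $Blocklist -Name '1' -PropertyType String -Value '*' -Force | Out-Null
}

function Get-EdgeListPolicy([string]$Name) {
    # Returns the entries of a list-type Edge policy (numbered REG_SZ values), or nothing.
    $key = Get-Item -Path "$EdgePolicy\$Name" -ErrorAction SilentlyContinue
    if ($key) {
        $key.Property | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $key.GetValue($_) }
    }
}

function Test-EdgeHardening {
    $p = Get-ItemProperty -Path $EdgePolicy -ErrorAction SilentlyContinue
    $checks = [ordered]@{
        'DnsOverHttpsMode is off'         = ($p.DnsOverHttpsMode -eq 'off')
        'BuiltInDnsClientEnabled is 0'    = ($p.BuiltInDnsClientEnabled -eq 0)
        'ExtensionInstallBlocklist has *' = (@(Get-EdgeListPolicy 'ExtensionInstallBlocklist') -contains '*')
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'NOT SET' })
    }
    # A "*" blocklist does not apply to extensions that are explicitly allowed or
    # force-installed, so list those exemptions instead of assuming "all extensions are off".
    foreach ($n in 'ExtensionInstallAllowlist', 'ExtensionInstallForcelist') {
        $ids = @(Get-EdgeListPolicy $n)
        if ($ids.Count) {
            Write-Warning ("{0} exempts {1} extension(s) from the blocklist: {2}" -f $n, $ids.Count, ($ids -join ', '))
        }
    }
}

Set-EdgeHardening
Test-EdgeHardening
```

After running it, open edge://policy and click Reload policies; the three entries appear with Source set to Platform and Level set to Mandatory. Because the script writes the live registry key rather than the local registry.pol, gpedit.msc will still show the policies as Not Configured; if you prefer the editor to stay the source of truth, use the script only for the Test-EdgeHardening verification step.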