Harden Microsoft Edge — Disable Secure DNS & Enforce Policies

Prevent Microsoft Edge from bypassing CleanBrowsing DNS by disabling Secure DNS (DoH), enforcing browser policies, and restricting extensions.

Step 1: Why You Need to Harden Microsoft Edge

Microsoft Edge includes a built-in Secure DNS (DNS-over-HTTPS) feature that can bypass your network's DNS configuration. When enabled, Edge sends DNS queries directly to a DoH provider (such as Cloudflare or Google), completely circumventing CleanBrowsing's content filtering.

To ensure CleanBrowsing works reliably, you need to either disable Edge's Secure DNS or configure it to use CleanBrowsing's own DoH endpoint.

Step 2: Download Edge Administrative Templates

Microsoft provides Group Policy administrative templates (ADMX/ADML files) for managing Edge settings across your organization.

  1. Visit the Microsoft Edge for Business download page
  2. Download the Policy Files package (CAB format)
  3. Extract the CAB file, then extract the inner ZIP file to access the ADMX/ADML files

Step 3: Install ADMX Templates

Copy the policy template files to the appropriate Windows directories:

:: Run these from an elevated Command Prompt; PolicyDefinitions is not writable by standard users
:: Copy the ADMX file
copy msedge.admx C:\Windows\PolicyDefinitions\

:: Copy the language file (English US example; other languages use their own subfolder)
copy msedge.adml C:\Windows\PolicyDefinitions\en-US\

After copying, open the Group Policy Editor to verify the templates are loaded:

  1. Press Win + R, type gpedit.msc, and press Enter
  2. Navigate to Computer Configuration → Administrative Templates
  3. You should now see a Microsoft Edge section
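The same install as a PowerShell script, added here as an example (it is not part of the original page or CleanBrowsing's own tooling). It assumes the Policy Files package was extracted under a placeholder path, finds msedge.admx and the matching language msedge.adml inside it, copies both into the local PolicyDefinitions store, and then checks that each file is present and parses as XML, which is what gpedit.msc needs before the Microsoft Edge section will show up.

```powershell
# Added example (not from the original page): install the Edge ADMX/ADML templates and verify them.
# Assumption: $ExtractedRoot is a placeholder for wherever you extracted the inner ZIP from the CAB.
#Requires -RunAsAdministrator

$ExtractedRoot = 'C:\Temp\MicrosoftEdgePolicyTemplates'   # placeholder path, adjust to your extraction folder
$PolicyStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Language      = 'en-US'                                   # language folder name used by the ADML file

# Locate the templates wherever they sit inside the extracted tree; the ADML is picked by its
# parent folder name so we do not accidentally copy a different language.
$AdmxSource = Get-ChildItem -Path $ExtractedRoot -Recurse -Filter 'msedge.admx' | Select-Object -First 1
$AdmlSource = Get-ChildItem -Path $ExtractedRoot -Recurse -Filter 'msedge.adml' |
    Where-Object { $_.Directory.Name -eq $Language } | Select-Object -First 1

if (-not $AdmxSource -or -not $AdmlSource) {
    throw "msedge.admx or msedge.adml ($Language) not found under $ExtractedRoot"
}

# Machines that never had localized templates may lack the language subfolder entirely.
$LangDir = Join-Path $PolicyStore $Language
if (-not (Test-Path $LangDir)) { New-Item -ItemType Directory -Path $LangDir | Out-Null }

Copy-Item -Path $AdmxSource.FullName -Destination $PolicyStore -Force
Copy-Item -Path $AdmlSource.FullName -Destination $LangDir -Force

# Verify: both files exist and are well-formed XML. A truncated or mismatched copy is the usual
# reason the Microsoft Edge node does not appear (or shows errors) in the Group Policy Editor.
foreach ($f in @((Join-Path $PolicyStore 'msedge.admx'), (Join-Path $LangDir 'msedge.adml'))) {
    if (-not (Test-Path $f)) { throw "Missing after copy: $f" }
    [xml](Get-Content -Path $f -Raw) | Out-Null
    Write-Host "OK: $f"
}
```

Run it from an elevated PowerShell window; the `#Requires -RunAsAdministrator` line makes the script refuse to start otherwise, which is preferable to a half-completed copy.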

Step 4: Disable DNS-over-HTTPS (DoH)

In the Group Policy Editor:

  1. Navigate to Computer Configuration → Administrative Templates → Microsoft Edge
  2. Find the policy "Control the mode of DNS-over-HTTPS"
  3. Set it to Enabled
  4. Set the mode parameter to Off

This prevents Edge from using encrypted DNS, ensuring all DNS queries go through your configured system DNS (CleanBrowsing).

Alternative: Force CleanBrowsing DoH

Instead of disabling DoH entirely, you can force Edge to use CleanBrowsing's DoH endpoint:

  1. Set "Control the mode of DNS-over-HTTPS" to Enabled with mode set to Secure
  2. Set "Specify URI template of desired DNS-over-HTTPS resolver" to:
    https://doh.cleanbrowsing.org/doh/family-filter

Available CleanBrowsing DoH endpoints:

  • Family Filter: https://doh.cleanbrowsing.org/doh/family-filter
  • Adult Filter: https://doh.cleanbrowsing.org/doh/adult-filter
  • Security Filter: https://doh.cleanbrowsing.org/doh/security-filter

Step 5: Disable the Built-in DNS Client

Edge includes its own DNS client that can operate independently of the system DNS resolver. To disable it:

  1. In the Group Policy Editor, navigate to Computer Configuration → Administrative Templates → Microsoft Edge
  2. Find "Use built-in DNS client"
  3. Set it to Disabled

This forces Edge to use the operating system's DNS resolver, which respects your CleanBrowsing DNS configuration.

Step 6: Restrict Extensions

Browser extensions can include VPN or proxy functionality that bypasses DNS filtering. To restrict extensions:

  1. Navigate to Computer Configuration → Administrative Templates → Microsoft Edge → Extensions
  2. Enable "Control which extensions cannot be installed"
  3. Enter * to block all extensions by default

To allow specific trusted extensions, use the "Configure extension installation allow list" policy and add the extension IDs you want to permit.

Step 7: Registry Method (Alternative)

If you prefer using the Windows Registry directly instead of Group Policy, save the following as a .reg file and import it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"DnsOverHttpsMode"="off"
"BuiltInDnsClientEnabled"=dword:00000000
"ForceGoogleSafeSearch"=dword:00000001
"ForceYouTubeRestrict"=dword:00000002

To apply via command line, run in an elevated Command Prompt:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v DnsOverHttpsMode /t REG_SZ /d "off" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v BuiltInDnsClientEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v ForceGoogleSafeSearch /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v ForceYouTubeRestrict /t REG_DWORD /d 2 /f

Step 8: Verify Policies Are Applied

After applying your changes, verify they are in effect:

  1. Close and reopen Microsoft Edge
  2. Navigate to edge://policy in the address bar
  3. Confirm that your policies appear in the list with the correct values
  4. Run nslookup -type=txt debug.cleanbrowsing.org in Command Prompt to verify DNS is resolving through CleanBrowsing

If policies do not appear immediately, click "Reload policies" on the edge://policy page or restart the computer.
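The registry method of Step 7 and the verification of Step 8 combined into one PowerShell script, added here as an example (not code from the original page or from CleanBrowsing). It writes the same Edge policy values the .reg file and reg add commands set, adds the DoH template from the "Force CleanBrowsing DoH" alternative when $Mode is 'secure', blocks all extensions and allow-lists only the IDs you supply (Step 6), reads every value back, and finishes with the same TXT lookup the page uses with nslookup. The policy names DnsOverHttpsMode, DnsOverHttpsTemplates, BuiltInDnsClientEnabled, ExtensionInstallBlocklist and ExtensionInstallAllowlist are Edge's documented policy keys; $AllowedExtensionIds is a placeholder you fill in.

```powershell
# Added example (not from the original page): apply the Edge policies via the registry and verify them.
# Assumptions: $Mode is 'off' (Step 4) or 'secure' (Alternative); $AllowedExtensionIds is a placeholder list.
#Requires -RunAsAdministrator

$EdgePolicy          = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Mode                = 'secure'                                            # 'off' disables DoH entirely
$DohTemplate         = 'https://doh.cleanbrowsing.org/doh/family-filter'   # one of the three CleanBrowsing endpoints
$AllowedExtensionIds = @()                                                 # placeholder: extension IDs to permit

function Set-EdgeDnsPolicy {
    param([string]$Mode, [string]$Template)
    New-Item -Path $EdgePolicy -Force | Out-Null
    New-ItemProperty -Path $EdgePolicy -Name 'DnsOverHttpsMode' -PropertyType String -Value $Mode -Force | Out-Null
    if ($Mode -eq 'secure') {
        # Pin Edge to the CleanBrowsing resolver so 'secure' cannot fall through to another provider.
        New-ItemProperty -Path $EdgePolicy -Name 'DnsOverHttpsTemplates' -PropertyType String -Value $Template -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $EdgePolicy -Name 'DnsOverHttpsTemplates' -ErrorAction SilentlyContinue
    }
    # Step 5: send Edge's plain DNS lookups through the operating system resolver.
    New-ItemProperty -Path $EdgePolicy -Name 'BuiltInDnsClientEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Set-EdgeExtensionPolicy {
    param([string[]]$AllowIds)
    # Step 6: list policies are stored as subkeys whose values are named "1", "2", ...
    $block = Join-Path $EdgePolicy 'ExtensionInstallBlocklist'
    $allow = Join-Path $EdgePolicy 'ExtensionInstallAllowlist'
    foreach ($k in @($block, $allow)) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }   # drop stale entries from earlier runs
        New-Item -Path $k -Force | Out-Null
    }
    New-ItemProperty -Path $block -Name '1' -PropertyType String -Value '*' -Force | Out-Null
    $i = 1
    foreach ($id in $AllowIds) {
        New-ItemProperty -Path $allow -Name "$i" -PropertyType String -Value $id -Force | Out-Null
        $i++
    }
}

function Test-EdgePolicy {
    # Step 8 from the registry side: $true only when every expected value is present and correct.
    $p  = Get-ItemProperty -Path $EdgePolicy
    $ok = ($p.DnsOverHttpsMode -eq $Mode) -and ($p.BuiltInDnsClientEnabled -eq 0)
    if ($Mode -eq 'secure') { $ok = $ok -and ($p.DnsOverHttpsTemplates -eq $DohTemplate) }
    $blockAll = (Get-ItemProperty -Path (Join-Path $EdgePolicy 'ExtensionInstallBlocklist')).'1' -eq '*'
    return ($ok -and $blockAll)
}

Set-EdgeDnsPolicy -Mode $Mode -Template $DohTemplate
Set-EdgeExtensionPolicy -AllowIds $AllowedExtensionIds
if (-not (Test-EdgePolicy)) { throw 'Edge policy values did not persist as expected' }

# Same check as the page's nslookup step, using the system resolver. Because this goes through
# Windows rather than Edge, it confirms the OS path; edge://policy confirms what the browser loaded.
Resolve-DnsName -Name 'debug.cleanbrowsing.org' -Type TXT | Select-Object -ExpandProperty Strings
```

After running it, close and reopen Edge and open edge://policy as in Step 8; the values shown there should match what Test-EdgePolicy read back from HKLM.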
