Let’s discuss how to enforce Application Bound Encryption for the MS Edge browser to secure local browser data using Intune. Application Bound Encryption (ABE) is a security mechanism that ties the encryption keys used to protect an application’s data to the integrity and location of the application’s executable file.
Encryption keys used to secure sensitive browsing data such as cookies, cached information, and saved credentials are linked directly to the specific Microsoft Edge executable file on the user’s computer. Microsoft Intune provides the Application Bound Encryption policy for the MS Edge browser to protect browser data.
Application Bound Encryption is a key security feature designed to protect sensitive browsing data from being accessed by malicious or unauthorized applications. With this policy, if an attacker manages to exploit a vulnerability to steal a user’s data files, the data remains encrypted and unusable to them, making the attack less successful.
With this policy, users get a seamless experience. The policy works in the background without any user interaction, providing a strong layer of defense against data theft without impacting the browsing experience.
Enforce Application Bound Encryption for MS Edge Browser to Secure Local Browser Data using Intune
For example, a financial institution manages thousands of laptops for its employees. They handle sensitive client data and financial information daily. The IT team uses Intune to enable the “Enable Application Bound Encryption” policy for all devices. If an employee accidentally downloads malware or falls victim to a phishing attack, this policy acts as a critical line of defense.
Steps to Configure Policy
You can configure this policy by signing in to the Microsoft Intune Admin Center. Go to the Intune Admin Center portal, then go to Devices > Windows > Configuration > Create > New Policy.

Profile Creation of Policy
The next step is to create a profile for the policy you want to configure. To create a profile, you have to select a platform and a profile type. Here I selected Windows 10 and later as the Platform and Settings catalog as the Profile type. Then click on the Create button.

Starting Step of Policy Creation
The screenshot below shows the Basics tab, which is required to create the policy. On this tab you have to add a Name and a Description for the selected policy. The Name is mandatory; the Description is optional.
- Name – Enforce Application Bound Encryption for MS Edge Browser
- Description – This policy is used to Enforce Application Bound Encryption for MS Edge Browser
- Platform – Windows
- Click on the Next Button

Configure the Enforce Application Bound Encryption for MS Edge
The Configuration settings page is where you select the settings for the policy. The Settings Catalog provides a huge number of settings. To select a setting, click on the +Add settings hyperlink. This opens the Settings Picker. Choose Microsoft Edge and select Enforce Application Bound Encryption for MS Edge. Then I close the Settings Picker.

Disable Application Bound Encryption for MS Edge
This policy can be problematic in scenarios where the browser’s executable file location or integrity is not consistent. Disabled is the default value of this policy; if you want to keep this value, click on the Next button.

Enable Application Bound Encryption for MS Edge
If an attacker manages to exploit a vulnerability to steal a user’s data files, the data remains encrypted and unusable to them, making the attack less successful. Here I would like to enable this policy.

Scope Tags
By using scope tags, you can restrict the visibility of the Enforce Application Bound Encryption for MS Edge settings. Scope tags also help to organize resources. Here I would like to skip this section, because it is not mandatory. Click on the Next button.

Assign this Policy to Specific Groups
To assign the policy to specific groups, use the Assignments tab. Here I click the +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again I click on the Select button to continue.

Final Step of Policy Creation
To complete the policy creation, review all the policy details on the Review + create tab. This helps to avoid mistakes and configure the policy successfully. After verifying all the details, click on the Create button. After the policy is created, you will get a success message.

Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the device from the Company Portal. Then open the Intune Portal and go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.

Client Side Verification with Event Viewer
A success message in the portal does not by itself mean the policy is in effect on the device. To verify that the policy was successfully applied to the client device, check the Event Viewer.
- Open Event Viewer: Go to Start > Event Viewer.
- Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
- Filter for Event ID 814: This will help you quickly find the relevant logs.
Event Viewer Details |
---|
MDM PolicyManager: Set policy string, Policy: (ApplicationBoundEncryptionEnabled), Area: (microsoft_edgev128.1~Policy~microsoft_edge), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0). |

Removing the Assigned Group from Enforce Application Bound Encryption for MS Edge
If you want to remove the assigned group from the policy, you can do so from the Intune Portal. To do this, open the policy in the Intune Portal, edit the Assignments tab, and remove the policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete Enforce Application Bound Encryption for MS Edge Settings
You can easily delete the policy from the Intune Portal. From the Configuration section, you can delete the policy. It will be completely removed from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.