Guide | How To Testing Safe Edge

Andy Ful · Jul 9, 2025

Post updated in September 2025.

Testing Safe Edge

This thread is about an experimental Edge web browser setup for kids or casual users. Please test it in a Virtual Machine.
Users' feedback is welcome.

After conducting some research, I compiled a list of useful Edge Policies focused on browsing security.
Unfortunately, some useful policies are blocked for non-enterprise users. However, there is a known tweak (Fake-MDM-Provider) that enables those policies for all users:

Edge Policies for non-Domain-joined Devices – Successfully apply HomepageLocation, DefaultSearchProvider, … – Gunnar Haslinger

hitco.at

I had to add one setting (ManagedDefenderProductType=0) via Defender policies to work the tweak properly on Windows Home and Pro.

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"ManagedDefenderProductType"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
"EnrollmentState"=dword:00000001
"EnrollmentType"=dword:00000000
"IsFederated"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
"Flags"=dword:00d6fb7f
"AcctUId"="0x000000000000000000000000000000000000000000000000000000000000000000000000"
"RoamingCount"=dword:00000000
"SslClientCertReference"="MY;User;0000000000000000000000000000000000000000"
"ProtoVer"="1.2"

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"AudioSandboxEnabled"=dword:00000001
"AutoplayAllowed"=dword:00000000
"BingAdsSuppression"=dword:00000001
"BrowserCodeIntegritySetting"=dword:00000001
"BrowserLegacyExtensionPointsBlockingEnabled"=dword:00000001
"ClearBrowsingDataOnExit"=dword:00000001
"BlockExternalExtensions"=dword:00000001
"ClickOnceEnabled"=dword:00000000
"ClipboardBlockedForUrls"=dword:00000001
"DefaultClipboardSetting"=dword:00000002
"DefaultCookiesSetting"=dword:00000004
"DefaultJavaScriptJitSetting"=dword:00000002
"DefaultSearchProviderEnabled"=dword:00000001
"DefaultSearchProviderName"="Google-Policy-Locked"
"DefaultSearchProviderSearchURL"="{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}"
"DefaultWebUsbGuardSetting"=dword:00000002
"DnsOverHttpsMode"="automatic"
"DnsOverHttpsTemplates"="https://doh.cleanbrowsing.org/doh/security-filter{?dns}"
"DownloadRestrictions"=dword:00000001
"DynamicCodeSettings"=dword:00000001
"EnhanceSecurityMode"=dword:00000002
"HideFirstRunExperience"=dword:00000001
"HttpsUpgradesEnabled"=dword:00000001
"NetworkServiceSandboxEnabled"=dword:00000001
"PasswordDeleteOnBrowserCloseEnabled"=dword:00000001
"PreventSmartScreenPromptOverride"=dword:00000001
"PreventSmartScreenPromptOverrideForFiles"=dword:00000001
"SmartScreenEnabled"=dword:00000001
"SmartScreenPuaEnabled"=dword:00000001
"ScarewareBlockerProtectionEnabled"=dword:00000001
"QuickViewOfficeFilesEnabled"=dword:00000001
"RendererAppContainerEnabled"=dword:00000001
"SandboxExternalProtocolBlocked"=dword:00000001
"ScreenCaptureAllowed"=dword:00000000
"SitePerProcess"=dword:00000001
"TyposquattingCheckerEnabled"=dword:00000001
"WebRtcLocalhostIpHandling"="DisableNonProxiedUdp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ClipboardBlockedForUrls]
"1"="[*.]*"

# Must be edited to add required extensions
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist]
"1"="cnlefmmeadmemmdciolhbnfeacpdfbkd"
"2"="ghbmnnjooekpmoecnnnilnnbdlolhkhi"
"3"="jbkfoedolllekgbhcbcoahefnbanhhlh"
"4"="pdffkfellgipmhklpdmokmckkkfcopbh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist]
"1"="*"

# Must be edited to add required extensions
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist]
"1"="pdffkfellgipmhklpdmokmckkkfcopbh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs]
"1"="https://www.google.com/"

# Must be edited to add required websites
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SaveCookiesOnExit]
"1"="[*.]grammarly.com"
"2"="[*.]google.com"
"3"="[*.]msn.com"
"4"="[*.]microsoft.com"

The restrictions can be removed by deleting the Registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]
and:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"ManagedDefenderProductType"=dword:00000000

Those settings prevent most application installations, so the user must use Patch My PC, UniGetUI, Ninite, or Winstall to install new applications.
Browsing data is deleted on exit, except for cookies listed in SaveCookiesOnExit and passwords saved in Edge's password manager.
The Edge extensions are in the allowlist mode, so the user cannot install new extensions except those included in the ExtensionInstallAllowlist.
The DNS Provider is set to "https://doh.cleanbrowsing.org/doh/security-filter".

After applying policies, the security settings are greyed out:

All Edge policies can be seen in Edge by using: Edge://policy
For example:

Bot · Jul 10, 2025

Thank you for this comprehensive guide on Edge Policies for browsing security. It's a great resource for users looking to enhance their privacy and security on Microsoft Edge. Remember to always back up your registry before making any changes to avoid potential issues.

Andy Ful · Jul 10, 2025

Kids Protection

When protecting kids, some policies can be stronger:

DownloadRestrictions = 2
This will allow downloading only PDF documents, TXT, and media files. MS Office documents, archives, and disk images are blocked.
MS Office documents are not downloaded but opened in Edge. They can be managed online via MS Office online applications or Google Docs.
DownloadRestrictions = 1 and Easy Application Control enabled via Administrator policy:
Similar to point 1, but MS Office documents, archives, and disk images can be downloaded to disk. After opening, the content is restricted by Easy Application Control.

Guide | How To - Easy Application Control on Windows

App Install Control - Easy Application Control on Windows Post updated/corrected in July 2025 On Windows 11, App Install Control works when SAC is in Evaluate Mode or OFF. Can be easily applied in a few seconds. Blocks files originating from the Internet Zone (files downloaded from the...

malwaretips.com
DnsOverHttpsTemplates = https://doh.cleanbrowsing.org/doh/family-filter{?dns}
The Cleanbrowsing Family filter is applied (adult content is blocked).
This template can also be set to apply other DNS providers or skipped when DNS filtering is applied via a desktop application.

rashmi · Jul 10, 2025

I apply these Edge and Chrome ADMX policies on our children's Windows 11 Pro systems.

DnsOverHttpsMode
secure = Enable DNS-over-HTTPS without insecure fallback

DnsOverHttpsTemplates
Is the config correct for multiple DoH instances? Does the order matter? Should I list my primary DoH first?
hxxps://XXXXXXXXXX.cloudflare-gateway.com/dns-query hxxps://dns.nextdns.io/XXXXXX

Andy Ful · Jul 10, 2025

rashmi said:
I apply these Edge and Chrome ADMX policies on our children's Windows 11 Pro systems.

DnsOverHttpsMode
secure = Enable DNS-over-HTTPS without insecure fallback

DnsOverHttpsTemplates
Is the config correct for multiple DoH instances? Does the order matter? Should I list my primary DoH first?
hxxps://XXXXXXXXXX.cloudflare-gateway.com/dns-query hxxps://dns.nextdns.io/XXXXXX

I did not try resolvers with accounts. But you can check it as follows:

Remove all policies (restart Edge).
Try to add hxxps://XXXXXXXXXX.cloudflare-gateway.com/dns-query via Edge settings. If it will not be rejected, then OK.
Try to add hxxps://dns.nextdns.io/XXXXXX via Edge settings. If it will not be rejected, then OK.
If all OK, try to add both resolvers separated by a space. If it will not be rejected, then you can add this to the DnsOverHttpsTemplates.

rashmi · Jul 10, 2025

I have a Cloudflare resolver with an account in Edge/Chrome policy, and it works. I'll try specifying NextDNS separated by a space.

Andy Ful · Jul 10, 2025

rashmi said:
I have a Cloudflare resolver with an account in Edge/Chrome policy, and it works. I'll try specifying NextDNS separated by a space.

Unfortunately, Edge sometimes does not reject multiple resolvers when one of them is incorrect. So, you also have to try all resolvers separately.

WhiteMouse · Jul 10, 2025

This registry hack will turn off Tamper Protection, I can change it back to "On" using Recovery Enviroment but I'm not sure if something is broken and I'm not aware of it.

rashmi · Jul 11, 2025

Andy Ful said:
Unfortunately, Edge sometimes does not reject multiple resolvers when one of them is incorrect. So, you also have to try all resolvers separately.

I'm not sure if the policy uses the specified DNS order. Cloudflare Gateway is my main DNS, and I've installed their certificate for the block screen. I've set Cloudflare Gateway in Chrome's policy and NextDNS in Edge's.

Andy Ful · Jul 11, 2025

rashmi said:
I'm not sure if the policy uses the specified DNS order.

It does. But which one is the first (left or right)?

rashmi · Jul 11, 2025

Andy Ful said:
It does. But which one is the first (left or right)?

The left would be the first, I believe. What happens when the primary DNS is back online?

Andy Ful · Jul 11, 2025

rashmi said:
The left would be the first, I believe. What happens when the primary DNS is back online?

That is why you use multiple DNS resolvers.

Andy Ful · Jul 11, 2025

rashmi said:
The left would be the first, I believe.

~~The resolver from the right is primary~~. I checked this by using TcpLogView.

Edit.
After deeper testing, it seems that any resolver can be activated sometimes, so it is hard to determine which is primary.
Keeping two different DNS resolvers might not be a bad idea.

Andy Ful · Jul 11, 2025

The test with "https://nordvpn.com/dns-leak-test/" suggests that the primary might be the first resolver from the left.

For DnsOverHttpsTemplates = "https://family.cloudflare-dns.com/dns-query https://doh.cleanbrowsing.org/doh/family-filter", it shows a DNS leak related to Cloudflare.
For DnsOverHttpsTemplates = "https://security.cloudflare-dns.com/dns-query https://doh.cleanbrowsing.org/doh/family-filter", it shows a DNS leak related to Cloudflare.

For DnsOverHttpsTemplates = "https://doh.cleanbrowsing.org/doh/family-filter{?dns} https://family.cloudflare-dns.com/dns-query", the leak test fails.

For DnsOverHttpsTemplates = "https://doh.cleanbrowsing.org/doh/security-filter{?dns} https://security.cloudflare-dns.com/dns-query", the leak test shows a DNS leak related to OVHcloud.

Cleanbrowsing uses OVHcloud for some services, for example:

46.105.222.254 - IP Info - CleanBrowsing on OVHcloud

This page provides network intelligence on IP 46.105.222.254. Find out what applications use this IP. Data also includes hostnames, domains, point-of-presence, ASN, geolocation and more.

www.netify.ai

Andy Ful · Jul 11, 2025

Free & good DOH resolvers with strong malware protection:
https://zero.dns0.eu
https://dns11.quad9.net/dns-query
https://doh.cleanbrowsing.org/doh/security-filter

If one wanted to use them all:

Code:

DnsOverHttpsTemplates = https://doh.cleanbrowsing.org/doh/security-filter https://zero.dns0.eu https://dns11.quad9.net/dns-query

With available family filter:

Code:

DnsOverHttpsTemplates = https://doh.cleanbrowsing.org/doh/family-filter https://kids.dns0.eu https://dns11.quad9.net/dns-query

TairikuOkami · Jul 11, 2025

Known DNS Providers | AdGuard DNS Knowledge Base

Here we suggest a list of trusted DNS providers. To use them, first install AdGuard Ad Blocker or AdGuard VPN on your device. Then, on the same device, click the link to a provider in this article

adguard-dns.io

Parkinsond · Jul 11, 2025

TairikuOkami said:
Known DNS Providers | AdGuard DNS Knowledge Base

Here we suggest a list of trusted DNS providers. To use them, first install AdGuard Ad Blocker or AdGuard VPN on your device. Then, on the same device, click the link to a provider in this article

adguard-dns.io

Can I trust 阿里公共DNS ?

2025-07-11 21.27.02 adguard-dns.io af322b53b2af.jpg

2025-07-11 21.27.19 alidns.com b6c40e3f75ee.jpg

Andy Ful · Jul 11, 2025

Most effective for blocking (with DOH):
https://zero.dns0.eu
https://dns11.quad9.net/dns-query
https://doh.cleanbrowsing.org/doh/security-filter

https://freedns.controld.com/p3

Public DNS malware filters tested in September 2024

How do the top public DNS resolvers that guard against malware domains fare in September 2024? We’ve put them to the test!

techblog.nexxwave.eu

rashmi · Jul 11, 2025

Andy Ful said:
~~The resolver from the right is primary~~. I checked this by using TcpLogView.

Edit.
After deeper testing, it seems that any resolver can be activated sometimes, so it is hard to determine which is primary.
Keeping two different DNS resolvers might not be a bad idea.

Chrome and Cloudflare Gateway are the main browser and DNS on our children's systems. Cloudflare in Chrome's policy and NextDNS in Edge's are the better approaches for me. I appreciate your tests, info, and your time.

Andy Ful said:
With available family filter:

Code:

DnsOverHttpsTemplates = https://doh.cleanbrowsing.org/doh/family-filter https://kids.dns0.eu https://dns11.quad9.net/dns-query

I find DNS for Family provides effective protection for kids, blocking ads, adult sites, mature-themed sites, chat sites, dating, malware, phishing, scams, drugs, gambling, and proxy sites. I don't know if it's a trusted DNS service, and it has a few (13) servers.

DNS for Family - Block porn and other adult websites easily (Supports DNS-over-HTTPS, TLS and DNSCrypt.)

Very easy & fast way to block porn websites. Currently blocking 6.3million websites and more are added daily. No social media websites blocked.

dnsforfamily.com

If adult sites are the concern of parents, then Chrome's "adult sites..." policy is exceptional at blocking them. It didn't miss a single adult site and beat Cloudflare Gateway, Control D Premium, NextDNS, and AdGuard in my test. Edge's ADMX doesn't have the "adult sites..." policy. This policy in other browsers may not work because they remove some Google features. For example, enabling it in Brave didn't block adult sites.

Parkinsond · Jul 11, 2025

Andy Ful said:
Most effective for blocking (with DOH):
https://zero.dns0.eu
https://dns11.quad9.net/dns-query
https://doh.cleanbrowsing.org/doh/security-filter

https://freedns.controld.com/p3

Public DNS malware filters tested in September 2024

How do the top public DNS resolvers that guard against malware domains fare in September 2024? We’ve put them to the test!

techblog.nexxwave.eu

View attachment 289482

New good players were added is the most recent version.

data-src-image-0df9baa5-861a-4e82-8490-a8237d6efd63.png

Public DNS malware filters to be tested in 2025

How well do the largest public DNS resolvers that protect you against malware domains perform in June 2025? We put them to the test!

techblog.nexxwave.eu

Guide | How To Testing Safe Edge

From Hard_Configurator Tools

AI Assistant

From Hard_Configurator Tools

Level 27

From Hard_Configurator Tools

Level 27

From Hard_Configurator Tools

Level 6

Level 27

From Hard_Configurator Tools

Level 27

From Hard_Configurator Tools

From Hard_Configurator Tools

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 41

Level 62

From Hard_Configurator Tools

Level 27

Level 62

You may also like...