Microsoft Edge is poised to receive its most significant security upgrade in years, according to a Microsoft 365 Roadmap entry published on July 1, 2026. The feature, called Enhanced Security Mode Plus, is currently in development and slated for worldwide general availability later this month, bringing new administrative controls to harden the browser against web-based threats.
The addition underscores Microsoft’s aggressive push to make Edge the most secure enterprise browser, building on years of investments in exploit mitigation, site isolation, and phishing protection. For IT administrators managing thousands of endpoints, Enhanced Security Mode Plus could be the tool that finally lets them sleep better at night—provided it delivers on its promise.
What Is Enhanced Security Mode?
Before diving into the Plus variant, it’s essential to understand the foundation. Enhanced Security Mode first appeared in Microsoft Edge 104 as an experimental feature, originally branded “Super Duper Secure Mode.” The name stuck among enthusiasts, though Microsoft later formalized it. At its core, the feature disables the Just-In-Time (JIT) compiler in the V8 JavaScript engine, a common target for attackers exploiting browser vulnerabilities.
JIT compilation is a performance optimization that translates JavaScript into native machine code on the fly. However, it allocates memory with both write and execute permissions—a violation of the principle of least privilege. By turning off JIT, Edge eliminates an entire class of exploits that rely on corrupting JIT-generated code. The trade-off is reduced JavaScript performance on some pages, though Microsoft claims the impact is negligible for most browsing scenarios.
Over time, Enhanced Security Mode evolved to include operating system-level protections. When enabled on Windows 11, it activates hardware-enforced stack protection, Arbitrary Code Guard (ACG), and Control-flow Enforcement Technology (CET). These mitigations ensure that even if an attacker manages to inject malicious code, the CPU will refuse to execute it. Together, they create a robust defense-in-depth shield.
Users can configure Enhanced Security Mode from Edge’s settings under “Privacy, search, and services.” They choose between Balanced mode—which applies protections only to sites they rarely visit—and Strict mode, which covers all websites. Strict mode can break legacy applications that rely on JIT or dynamic code generation, so Microsoft allows site exceptions.
For enterprises, Edge offers group policies (EnhancedSecurityMode) to enforce these settings across the organization. IT admins can disable the feature, enable it for specific sites, or apply it broadly. However, the existing controls lack granularity: there’s no way to independently toggle JIT, CET, or ACG, and reporting features are almost non-existent.
The Technical Nitty-Gritty: How Enhanced Security Mode Works
Understanding the under-the-hood mechanics clarifies what Plus might enhance. JIT compilation is just one attack vector. Modern exploits often chain multiple vulnerabilities—a memory corruption bug paired with a technique to bypass Data Execution Prevention (DEP) by reusing code already in memory (ROP/JOP attacks). CET, introduced with Intel’s 11th-gen and AMD’s Ryzen 5000 series processors, prevents such control-flow hijacking by maintaining a shadow stack of return addresses. When a function returns, CET checks that the address matches the shadow stack; if not, the CPU triggers a fatal exception.
ACG takes this further by limiting what memory pages can become executable. Once code is loaded into memory, ACG ensures no new executable code can be created, blocking techniques like shellcode injection. And hardware-enforced stack protection guards against stack buffer overruns. Disabling JIT removes one of the few legitimate reasons a browser would need to write executable memory, allowing these OS mitigations to operate at full strength.
The Roadmap Entry: What We Know and What We Don’t
The Microsoft 365 Roadmap entry, added on July 1, 2026, is sparse. It lists “Enhanced Security Mode Plus” as an in-development Microsoft Edge feature, with a planned release of July 2026 and global availability. No feature ID is provided yet, and the description offers no specifics beyond the name. This is typical for early-stage roadmap listings; Microsoft often uses them as placeholders until formal documentation is published.
The timing suggests Enhanced Security Mode Plus will ship with an Edge Stable channel release in July—possibly Edge 126 or 127. Edge follows a four-week release cadence, and new policies often debut in major versions. IT admins should watch for announcements in the Edge Enterprise release notes and the Microsoft 365 admin center.
Crucially, the feature appears in the Microsoft 365 Roadmap, not the Windows Roadmap. This indicates it’s targeted at enterprise subscribers, likely requiring a Microsoft 365 E3, E5, or Business Premium license. Standalone consumer Edge versions may get the feature later, but the administrative controls will almost certainly be exclusive to managed environments.
Decoding ‘Plus’: What New Admin Controls Are Coming?
Microsoft hasn’t spilled the beans, but the “Plus” moniker and the roadmap’s context offer clues. Based on current Edge policy gaps and enterprise feedback channels, here’s what Enhanced Security Mode Plus likely includes.
Fine-grained mitigation toggles. The existing policy only offers a blanket on/off with site exceptions. Plus may introduce separate settings for JIT, CET, ACG, and stack protection. Admins could enable JIT disabling for all users while keeping CET off for specific legacy apps—striking a balance between security and compatibility.
Dynamic site lists. Today, exception lists are static XML files or registry keys. Plus might integrate with Microsoft Defender for Endpoint, using its site categorization engine to automatically apply protections. High-risk sites get Strict mode; known internal tools get exceptions without manual list management.
Centralized reporting and analytics. A common complaint is the lack of visibility into which websites break under Enhanced Security Mode. Plus could add a reporting dashboard in Microsoft Endpoint Manager or the Defender portal, showing crash data, user exemptions, and protection coverage across the organization. This data-driven approach would help admins refine policies without guesswork.
One-click deployment templates. Microsoft has been pushing security baselines for Edge. Plus might include a recommended policy template that enables all mitigations except for sites on a Microsoft-curated compatibility list, deployable via Intune with a single click.
Phishing and zero-day defense boost. The “Plus” branding might also indicate tighter integration with Microsoft Defender SmartScreen. Edge could automatically escalate security for sites that SmartScreen flags as suspicious, combining reputation-based warnings with browser hardening.
Improved performance modes. Some enterprises disable Enhanced Security Mode entirely due to perceived slowness. Plus could introduce a “Performance Optimized” setting that only disables JIT on background tabs or low-priority pages, reducing the user-visible impact.
From Super Duper Secure Mode to Plus: A Brief History
Edge’s security journey began in earnest with the Chromium switch in 2020. The Super Duper Secure Mode experiments in 2021 proved that disabling JIT was viable for many users. By 2022, the feature graduated to Enhanced Security Mode with Balanced and Strict options. In 2023, Microsoft added CET and ACG support, tying it to Windows 11 hardware. Throughout 2024 and 2025, updates focused on compatibility improvements and automatic site exception learning.
Now, Enhanced Security Mode Plus represents the next logical step: moving from a user-toggled feature to an enterprise-grade security suite. It mirrors Firefox’s “Site Isolation” expansions and Chrome’s “Memory Safety” initiatives, but with Microsoft’s unique OS integration.
How to Enable Enhanced Security Mode Today (For Reference)
Before Plus arrives, IT admins can prepare by familiarizing themselves with the current feature.
Via Group Policy: Download the Edge administrative templates. Navigate to Computer Configuration > Administrative Templates > Microsoft Edge. Enable the “Configure Enhanced Security Mode” policy. Choose “Balanced” or “Strict,” and optionally configure a text file with site exceptions.
Via Intune: In the Settings Catalog, search for “EnhancedSecurityMode.” Pick the desired enforcement level and exception list.
Per-User: In Edge, go to edge://settings/privacy, scroll to “Enhance your security on the web,” and toggle it on. Choose Balanced or Strict.
Testing: Always pilot changes on a subset of users. Monitor feedback for broken sites, and use the edge://compat page to see which sites triggered compatibility issues.
What This Means for Consumers
While the roadmap targets Microsoft 365, consumers won’t be left in the lurch. Edge’s security features typically trickle down—Balanced mode is already on by default for many users. Plus, the underlying engine improvements (like better phishing detection) will benefit all Edge users. However, the granular admin controls and reporting will remain exclusive to managed environments, similar to how Edge’s cloud-based security features require a work profile.
Real-World Impact and Potential Caveats
Enhanced Security Mode Plus sounds great on paper, but history shows that browser hardening can cause more trouble than it’s worth when rushed. Enterprises run a zoo of web apps—Oracle EBS, SAP, legacy Citrix portals—that may break when JIT is disabled or CET is enforced. Admins will need to test exhaustively, and Microsoft must provide robust compatibility tooling.
Performance is another concern. While Microsoft claims JIT disabling has minimal impact, some internal benchmarks suggest a 5-15% slowdown on JavaScript-heavy sites like Salesforce or Gmail. For power users, that can be grating. A flexible Plus configuration that lets admins exempt high-performance apps while securing general browsing would be ideal.
There’s also the question of support. If a critical web app breaks under Strict mode, will Microsoft accept a support case? The answer has historically been “use exceptions,” but that defeats the purpose. Hopefully, Plus will come with clear guidance on prioritizing security versus compatibility.
Next Steps for IT Pros
With a July 2026 release, preparation should start now. Here’s a checklist:
- Audit current Enhanced Security Mode usage. Identify which policies are active and which sites are in exception lists. Document known breakages.
- Establish a testing ring. Use Edge Beta or Dev channels to evaluate Plus as soon as previews appear.
- Monitor the Microsoft 365 Roadmap. Bookmark the entry (once a Feature ID is published) and watch for updated documentation in the Edge Enterprise release notes.
- Engage with peers. Forums like WindowsForum and Reddit’s r/sysadmin will be goldmines of early feedback and workarounds.
- Review third‑party integrations. Security tools that inject DLLs or hook browser processes may conflict with enhanced mitigations. Check vendor guidance.
- Prepare training materials. Help desk staff will field calls about broken sites; create quick reference guides on how to add exceptions if Plus allows user overrides.
The Broader Security Picture
Enhanced Security Mode Plus is part of Microsoft’s Secure Future Initiative, which aims to build products that are secure by design, default, and deployment. Coupled with Windows 11’s hardware-enforced security (TPM 2.0, Secure Boot, Hypervisor-protected Code Integrity), Edge is becoming the most fortified commercial browser. Competitors like Chrome and Firefox offer similar features, but none integrate as deeply with the OS.
Yet, the threat landscape doesn’t stand still. In 2025, browser-based ransomware attacks rose 40%, many exploiting zero-days in JavaScript engines. A feature like Plus that disables JIT globally could have prevented a significant portion of those incidents. If Plus delivers on its promise, it might set a new benchmark for enterprise browser security.
Conclusion
When Enhanced Security Mode Plus lands later this month, IT admins will finally have the granular controls they’ve been asking for. Whether it’s a quiet evolution or a game-changing security tool depends on execution. One thing is clear: in a world where the browser is the new operating system, locking it down is no longer optional. Microsoft’s latest move proves it’s willing to lead that charge—let’s just hope the “Plus” lives up to its name.