Microsoft has unveiled a sweeping set of security controls for Edge for Business, aiming to give IT administrators more powerful tools to protect enterprise data and users. The most eye-catching addition is a new on-device AI engine that detects and blocks scareware—those alarmist pop-ups designed to panic users into calling fake tech support lines or installing malware. Running locally without sending browsing data to the cloud, the machine learning model analyzes page content and behavior in real time, much like how Windows Defender SmartScreen already repels phishing sites. This is the first time Microsoft has baked a dedicated scareware defense directly into the browser for commercial customers.
Alongside the AI scareware fight, Microsoft is rolling out tight integration with Microsoft Purview Data Loss Prevention (DLP). Edge for Business can now apply the same sensitive-data policies that govern email, documents, and cloud apps directly to browser actions—blocking copy-paste of credit card numbers into web forms, preventing file uploads that contain intellectual property, and logging all such attempts in unified audit logs. This means a policy written once in the Microsoft Purview compliance portal now reaches into the browser without extra agents or extensions.
Stricter extension governance is another pillar of the update. IT can now enforce an allow-list that covers not just extensions from the Edge and Chrome Web Stores, but also sideloaded plugins, privately hosted add-ons, and even internal enterprise extensions. Controls extend to blocking extensions from specific domains, mandating minimum versions, and remotely disabling unauthorized add-ons that have already been installed. The granularity is designed to thwart the kind of supply-chain attack where a once-trusted extension goes rogue after an update.
To lock down access for external workers, Microsoft is adding what it calls “contractor domain” controls. Admins can now define a list of domains that guest accounts, vendor logins, or temporary workers are allowed to visit. When a contractor signs into a Windows device with their own Entra ID, Edge automatically restricts browsing to the approved list—essential for kiosk machines, call centers, and third-party service desks where users shouldn’t roam freely on the web.
All these capabilities are integrated into the Edge management experience that commercial admins already know, appearing as new toggles in Microsoft Intune, Group Policy, and the Edge management service. Microsoft says the features will roll out gradually to tenants with applicable Microsoft 365 E3/E5 and Microsoft Edge Business subscriptions, and no Edge preview flags are required.
The local AI model for scareware grew out of Microsoft’s research on detecting tech-support scams, which still account for billions in losses each year. By running the logic on-device, the feature respects privacy and works even when the user is not signed in to a Microsoft account—critical for shared or kiosk-type PCs. Early telemetry suggests the model catches previously unseen scareware domains within milliseconds of a page rendering, without slowing down page loads.
The Purview DLP integration deepens existing browser protection. Previously, organizations could use Microsoft Endpoint DLP to watch file paths and cloud apps, but browser-borne leaks—like pasting sensitive text into a ChatGPT prompt or uploading a spreadsheet to a random file-sharing site—often escaped detection. Now, with Edge extensions automatically enrolled into Purview policies, every paste, print, URL navigation, and file upload gets inspected against the company’s classification rules. Alerts surface in Microsoft Defender XDR, giving security operations teams a single pane of glass to investigate insider risk.
This move puts Edge for Business in a unique position among enterprise browsers. Google has been building DLP features for Chrome, but the tight coupling of Purview signals from Office, Outlook, SharePoint, and Windows within the compliance engine gives Microsoft an integrated data-classification pipeline that competitors can’t easily replicate. For heavily regulated industries like finance, healthcare, and government, that end-to-end visibility is a compliance differentiator.
Extension governance, meanwhile, has become a focal point for browser security after several high-profile incidents in the past two years where malicious browser plugins harvested credentials or exfiltrated company data. The new controls let enterprises implement a zero-trust approach to extensions: if an extension isn’t on the approved list, it can’t run—period. Even better, the policy engine supports wildcards and version ranges, so IT can allow, say, all versions of a password manager above 2.0 that come from a specific store ID, while blocking older, vulnerable builds.
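The default-deny evaluation described above, as an added example that is not Microsoft's code or part of the original article: it audits a device's extension inventory against an allow-list with a minimum version. The `installation_mode` and `minimum_version_required` key names are borrowed from Edge's existing ExtensionSettings policy; the extension IDs, URLs, inventory and the `APPROVED_SOURCE` map are constructed assumptions.

```python
import json
from itertools import zip_longest

# Constructed policy using ExtensionSettings key names; the IDs are placeholders.
POLICY = json.loads("""{
  "*": {"installation_mode": "blocked"},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"installation_mode": "allowed",
                                       "minimum_version_required": "2.0"},
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"installation_mode": "removed"}
}""")

# Audit-side assumption (not a policy key): the update URL an approved ID must come from.
APPROVED_SOURCE = {"a" * 32: "https://store.example.invalid/update"}

# Constructed inventory of extensions found on one device.
INSTALLED = [
    {"id": "a" * 32, "version": "2.3.1", "update_url": "https://store.example.invalid/update"},
    {"id": "a" * 32, "version": "1.9.12", "update_url": "https://store.example.invalid/update"},
    {"id": "a" * 32, "version": "2.3.1", "update_url": "https://mirror.example.invalid/update"},
    {"id": "b" * 32, "version": "5.0", "update_url": "https://store.example.invalid/update"},
    {"id": "c" * 32, "version": "1.0", "update_url": "https://store.example.invalid/update"},
]

def version_lt(a, b):
    """Compare dotted numeric versions component-wise; '2.0' equals '2.0.0'."""
    pa, pb = ([int(p) for p in v.split(".")] for v in (a, b))
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return x < y
    return False

def verdict(ext, policy=POLICY, sources=APPROVED_SOURCE):
    """Return 'allowed' or a 'blocked: <reason>' string for one installed extension."""
    rule = policy.get(ext["id"])
    if rule is None:  # no explicit entry: "*" decides; this audit fails closed if "*" is absent
        mode = policy.get("*", {}).get("installation_mode", "blocked")
        return "allowed" if mode == "allowed" else "blocked: not on allow-list"
    if rule.get("installation_mode") in ("blocked", "removed"):
        return "blocked: explicitly denied"
    minimum = rule.get("minimum_version_required")
    if minimum and version_lt(ext["version"], minimum):
        return f"blocked: below minimum version {minimum}"
    expected = sources.get(ext["id"])
    if expected and ext["update_url"] != expected:
        return "blocked: unexpected update source"
    return "allowed"

def audit(installed=INSTALLED):
    return [verdict(e) for e in installed]  # one verdict per inventory row, in order
```

The third inventory row shows why the source check matters for the update-hijack case: the ID and version pass, but the build arrives from an update URL the allow-list never approved.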
A subtle but important addition is the ability to tie extension policies to security baselines from the Microsoft security defaults framework. So when admins deploy the “Enterprise Secure” baseline through Intune, they’ll get recommended extension settings that align with industry best practices, reducing the chance of misconfiguration. That same baseline also toggles the new scareware blocker and warns about mismatched DLP scopes, guiding IT toward a hardened posture without manual research.
For contractors, the domain-allowance feature solves a long-standing headache. Before, locking down a shared device meant either building a whitelist in a proxy server or relying on restrictive Group Policy objects that applied to all users. Now, the policy is user-aware and follows the contractor identity. When the contractor logs out, the device returns to normal policies for full-time employees. This makes shared-device scenarios in warehouses, POS terminals, and clinical stations far simpler to manage.
Implementing these features doesn’t require a massive infrastructure overhaul. Microsoft is delivering them through the same Edge version that receives monthly Stable Channel updates, so companies already managing Edge via Intune will see the new options appear in the Settings Catalog and Administrative Templates as they update ADMX files. For organizations still on a slower release cadence, the features are backward-compatible down to Windows 10 21H2 and Server 2019, ensuring broad coverage.
The security stack works even when users take their laptops home or to a coffee shop. Edge’s built-in secure DNS, TLS 1.3 enforcement, and phishing scrutiny combine with the new on-device AI to provide consistent protection outside the corporate network. IT can configure these features so they’re non-removable, even on personal devices enrolled in BYOD programs, though full DLP enforcement typically requires a work profile.
From an admin perspective, the rollout is designed to be incremental. Microsoft is releasing the scareware blocker as a preview option first, with general availability expected within the next few months. Purview DLP integration is already live for tenants that have the required licenses, and the extension and contractor controls are reaching the Current Channel starting this week. Redmond is promising a steady drip of security posture reports in the Microsoft 365 admin center so that IT can measure adoption and impact over time.
An important caveat is that most of these features demand the Edge for Business experience—the version that separates work and personal browsing. Organizations that haven’t yet made the switch will need to flip users from the consumer Edge to Edge for Business, which is a straightforward policy push but may require communication to end users about the new profile icon and window branding.
Overall, the updates cement Edge for Business as more than just a Chrome derivative. Microsoft is layering intelligence that only a platform vendor with Windows, Microsoft 365, and Azure can offer—on-device AI that’s tuned to a constantly updated threat feed, DLP that speaks the same classification language as the rest of the suite, and a management plane that spans identity, device, and browser. For enterprises tired of bolting on third-party security agents that break every other browser update, this native approach could reduce both cost and complexity.
Looking ahead, Microsoft hinted at future capabilities such as real-time browsing telemetry that feeds into Microsoft Sentinel for custom hunting queries, and tighter integration with Microsoft Defender for Endpoint to quarantine devices that repeatedly trigger DLP alerts. The on-device AI model might also expand to detect other forms of social engineering, like fake invoice emails displayed as PDFs within the browser’s built-in viewer. As browser-based attacks continue to evolve, Microsoft’s strategy is to make the browser an intelligent security sensor rather than just a rendering engine—and today’s release shows they’re serious about that vision.