Microsoft Intune Blog

Protect browser-based work on agency-managed Windows PCs

LiMiller
Feb 24, 2026

Updates to Microsoft Edge for Business profiles and Microsoft Entra sign-in flows improve browser work protection

From SaaS apps and internal web portals to AI-powered tools, the browser is now a major workspace for many employees and contractors alike. This shift has introduced new opportunities for organizations to enable an extended workforce. At the same time, it creates new data protection complexities for IT administrators.

Securing corporate data has traditionally relied on full device management. However, when work occurs on a Windows PC that your organization doesn't own—such as a device already enrolled and managed by a contractor’s home agency—full device enrollment isn't a viable option. Organizations need a flexible way to reduce these data blind spots without taking over the device itself.

To address this, Microsoft continues to expand data protection capabilities across Microsoft Edge for Business, Microsoft Entra, Microsoft Intune, and Microsoft Purview. Recent profile and sign-in updates with Edge for Business and Entra now help organizations to secure browser-based work on Windows PCs managed by another organization. And these updates work alongside inline data loss prevention with Purview and prescriptive deployment guidance from Intune to help administrators apply protections consistently rather than configuring policies in isolation. 

Support and protection for agency-managed Windows PCs 

Edge for Business now extends Intune app protection policies (APP) to the Edge for Business work profile on Windows PCs managed by another organization. This new capability, currently in public preview, helps organizations to protect work contractors do in the browser, while respecting existing device ownership and management boundaries. This protects corporate data without requiring full device enrollment or creating conflicts with another tenant’s management. 

Figure 1 Demo showing Intune app protection policies in action within an Edge for Business work profile on a Windows PC managed by another organization.

Key capabilities include: 

  • Browser-level protection through the Edge work profile: Intune APP policies can be applied directly to Edge for Business user profiles, helping to create a protected boundary for work data. Contractors can securely access corporate resources in an Edge for Business profile without enrolling the device or altering existing management.
  • Tenant-scoped controls within Edge for Business: Organizations can help protect corporate data within the browser by redirecting downloads to OneDrive for Business, restricting copy and paste, and enforcing data boundaries inside the managed Edge for Business profile. 

Learn more: How to get started with agency-managed device support in Edge for Business and apply APP.  

Simplified onboarding for APP policies on Windows 

Recent Entra improvements to the Edge on Windows sign-in flow enable admins to configure the enrollment screen to create a more predictable setup and enrollment experience. These new sign-in updates help route users into Intune application protection policies, while reducing accidental full device enrollment. 

Figure 2 Microsoft Entra updated sign-in experience pop-up window. 

These Entra updates include:  

  • Modernized Entra registration page for the user: An updated account registration flow provides clearer guidance during sign-in, helping users understand when they are registering an account versus enrolling a device.
  • Prevention of unintended device enrollment: Administrators can enable the “Disable MDM enrollment when adding work or school account” setting to block the prompt for device enrollment during the account registration flow. Users are directed into the intended app-protection experience without unnecessary prompts or management conflicts. 

Learn more: Read more about how to apply the updated Entra sign-in flow. 

Apply data security across browser-based work  

Microsoft Purview Data Loss Prevention (DLP) helps protect sensitive corporate data during browser-based work on Windows PCs that are managed by another organization or not enrolled at all. Purview DLP is built directly into Edge for Business and applies to the user’s work profile, so organizations can detect and control sensitive actions without requiring device onboarding into Purview or taking ownership of the device. 

Figure 3 Purview DLP: Displays a pop-up message to indicate organizational protection for a file download. 

With Purview DLP in Edge for Business, organizations can: 

  • Apply inline DLP protection in the browser: Support detection and control for sensitive actions, such as uploads, downloads, copy/paste, and printing, across cloud apps accessed in the browser.
  • Extend coverage to unmanaged cloud apps: Apply DLP policies to enrolled apps and extend protection to unenrolled cloud apps, helping prevent oversharing or unintended data movement during browser activity.
  • Reduce data leakage without limiting productivity: Detect and prevent risky actions involving sensitive data without blocking site access or disrupting normal workflows. 

Learn more: Apply Purview Data Loss Prevention in Edge for Business to protect sensitive data during browser-based work.  

Guidance to help secure corporate data in the browser 

Microsoft published “Secure Your Corporate Data in Intune with Microsoft Edge for Business” to provide guidance on how administrators can operationalize browser-based protections across platforms. This guidance provides step-by-step configuration paths that align identity, app protection, browser configuration, and device controls into a single, structured deployment model rather than isolated policy setup. 

The guide covers: 

  • Three-level security framework: Basic, Enhanced, and High protection tiers mapped to common industry standards such as NIST and DISA STIG, enabling organizations to align browser security posture with risk tolerance and user roles.
  • Cross-platform policy mapping: Clear guidance on when to use app protection policies, app configuration policies, settings catalog controls, and conditional access across Windows, macOS, iOS, and Android without creating policy conflicts or double-applying browser policies.
  • Sequenced configuration paths: Ordered implementation steps that show how identity enforcement, app protection, browser configuration, and device-level controls work together to form a cohesive secure enterprise browser strategy. 

Learn more: Read more on how to get started with Intune’s configuration guidance to protect browser-based work and align identity, app protection, and browser controls.  

Apply additional protections for a more consistent sign-in flow today  

Organizations do not need to treat browser-based work as an exception to endpoint protection. By combining identity routing in Entra, app-level boundaries through Intune, workspace separation in Edge for Business, and inline data governance with Purview, organizations can apply consistent controls even on Windows PCs they don’t own or manage.  

With this approach, protection moves from the device to the work context itself. Administrators can secure corporate data where work happens, while preserving productivity and respecting existing device ownership and management boundaries. 

 


Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune and @IntuneSuppTeam on X to continue the conversation.

Updated Feb 24, 2026
Version 3.0