1.3.3 Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'


This policy setting allows for the configuration for users to add exceptions to allow mixed content for specific sites.

The recommended state for this setting is: Enabled: Do not allow any site to load mixed content

Note: This policy can be overridden for specific URL patterns using the insecurecontentAllowedForUrls (Allow insecure content on specified sites) and insecurecontentBlockedForUrls (Block insecure content on specified sites) policies.


Allowing mixed (secure / insecure) content from a site can lead to malicious content being loaded. Mixed content occurs if the initial request is secure over HTTPS, but HTTPS and HTTP content is subsequently loaded to display the web page. HTTPS content is secure. HTTP content is insecure.


Users will not be able to add exceptions for mix content webpages.


To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Do not allow any site to load mixed content:

Computer Configuration\Polices\Administrative Templates\Microsoft Edge\Content Settings\Control use of insecure content exceptions

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Enabled. (Users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.)

See Also


Item Details


References: 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|7.5

Plugin: Windows

Control ID: f1e3fc560c2f76f4f0436a6a1232b5c01b0be84f3315a8700382d5b0eea3d248