SOLVED

EnhanceSecurityMode details


Hello,

Can anybody point me to a resource that has details about the new EnhanceSecurityMode policy? It is not clear from the policy documentation what this actually does:

Enhance the security state in Microsoft Edge

Microsoft Edge Browser Policy Documentation | Microsoft Docs

I searched this forum and elsewhere for information, but I can only find the release notes, the policy documentation, and news articles that point to these original sources. 

Is this mode a rebranding of the 'super duper secure mode' announced last year that disables JIT? 

Thanks!

Andrew

best response confirmed by AndrewSAIF (Iron Contributor)
Solution
Thanks!
There seems to be some interference with other similar settings. If I set, for example, DefaultJavaScriptJitSetting to BlockJavaScriptJit, it also switches from Balanced to Strict in the Security section of Preferences.

@Johannes Goerlich Hello! Yes, based upon the documentation for the DefaultJavaScriptJitSetting policy, it does say "Disabling the JavaScript JIT may allow Microsoft Edge to render web content in a more secure configuration."

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#defaultjavascriptjitsetting

-Kelly

@Kelly_Y
But how does this fit with the policy EnhanceSecurityMode?
Is this one then doing additional stuff to disabling JIT?
But in the preferences menu it looks the same. So, as a user, I cannot distinguish which policy the Strict mode in the Security section of settings comes from: either EnhanceSecurityMode or DefaultJavaScriptJitSetting.

@Johannes Goerlich Setting the EnhanceSecurityMode policy to Strict mode or setting the DefaultJavaScriptJitSetting policy to BlockJavaScriptJit will have the same effect by changing the "Enhance your security on the web" setting (edge://settings/privacy) to Strict.

-Kelly

So I will assume that both settings result in "full" Strict mode, as it is displayed in the GUI.

@Kelly_Y
I just saw in the documentation for the security modes at https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer that, besides JIT, other features are also mentioned as part of the modes: "These protections include Hardware-enforced Stack Protection [CET] and Arbitrary Code Guard (ACG)."

At https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/ it also reads, for example, "By applying these protections, we can provide defense in depth that spans beyond JIT attacks."

 

For the SDSM (https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/), back then it was said "Currently, SDSM disables JIT (TurboFan/Sparkplug) and enables CET." But there were no details about ACG. Not sure if ACG was already a thing.

This still makes me wonder whether setting the DefaultJavaScriptJitSetting policy to BlockJavaScriptJit also has an impact on CET and ACG, as well as on other features like CFG (which would be very confusing to me).

Behind the question mark next to the "Enhance your security on the web" security setting, the following is stated:

"The additional protection includes Windows operating system mitigation such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG) and Control Flow Guard (CFG)."

 

So my conclusion would be:

On Windows devices, EnhanceSecurityMode controls, in addition to JavaScript JIT, Hardware Enforced Stack Protection, ACG and CFG.

Furthermore, it seems EnhanceSecurityMode takes site engagement (at least in Balanced mode) into consideration (with exceptions made in EnhanceSecurityModeBypassListDomains), while DefaultJavaScriptJitSetting blocks JIT completely (with exceptions made in JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites).

 

Best,

Joe
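The conclusion above leaves an admin with two policies that can both put the "Enhance your security on the web" setting into Strict, and the UI does not say which one did it. The following PowerShell audit script is an added example written for this thread, not code from Joe, Kelly or Microsoft. It reads the machine-wide Edge policy values from the registry and reports which policy (or both) is forcing Strict, together with the three list policies named above. It assumes the documented machine-policy location HKLM:\SOFTWARE\Policies\Microsoft\Edge, and the value mappings in the comments (EnhanceSecurityMode 0 = Off/Basic, 1 = Balanced, 2 = Strict; DefaultJavaScriptJitSetting 1 = AllowJavaScriptJit, 2 = BlockJavaScriptJit) are taken from the policy documentation as I recall it; check them against the policy docs linked in the thread before relying on the labels.

```powershell
# Added example (not from the thread): report which Edge policy is driving the
# "Enhance your security on the web" state on a Windows device.
# Assumptions: machine policies live under HKLM:\SOFTWARE\Policies\Microsoft\Edge;
# value labels follow the Edge policy docs as recalled (verify before use):
#   EnhanceSecurityMode         0 = Off/Basic, 1 = Balanced, 2 = Strict
#   DefaultJavaScriptJitSetting 1 = AllowJavaScriptJit, 2 = BlockJavaScriptJit

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# List-type policies from the thread. Each is stored as a subkey whose numbered
# string values ("1" = "example.com", "2" = ...) are the list entries.
$ListPolicies = @(
    'EnhanceSecurityModeBypassListDomains',
    'JavaScriptJitAllowedForSites',
    'JavaScriptJitBlockedForSites'
)

$EsmLabels = @{ 0 = 'Off/Basic'; 1 = 'Balanced'; 2 = 'Strict' }
$JitLabels = @{ 1 = 'AllowJavaScriptJit'; 2 = 'BlockJavaScriptJit' }

function Get-EdgePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is not configured at all.
    $item = Get-ItemProperty -Path $PolicyRoot -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EdgePolicyList {
    param([string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PS* bookkeeping properties; keep only numbered entries.
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })
}

function ConvertTo-PolicyLabel {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"
}

function Get-EdgeSecurityModeReport {
    $esm = Get-EdgePolicyValue -Name 'EnhanceSecurityMode'
    $jit = Get-EdgePolicyValue -Name 'DefaultJavaScriptJitSetting'

    # Per the thread, either policy on its own pushes the GUI to Strict.
    $drivers = @()
    if ($esm -eq 2) { $drivers += 'EnhanceSecurityMode=Strict' }
    if ($jit -eq 2) { $drivers += 'DefaultJavaScriptJitSetting=BlockJavaScriptJit' }

    $effective = if ($drivers.Count -gt 0) { 'Strict' }
                 elseif ($esm -eq 1)      { 'Balanced' }
                 else                     { 'Off/Basic or user-controlled' }

    $report = [ordered]@{
        EnhanceSecurityMode         = ConvertTo-PolicyLabel $esm $EsmLabels
        DefaultJavaScriptJitSetting = ConvertTo-PolicyLabel $jit $JitLabels
        EffectiveSecurityUi         = $effective
        DrivenBy                    = ($drivers -join '; ')
    }
    foreach ($name in $ListPolicies) {
        $report[$name] = Get-EdgePolicyList -Name $name
    }
    return [pscustomobject]$report
}

$r = Get-EdgeSecurityModeReport
$r | Format-List

# The ambiguity raised in the thread: with both policies set, the Strict state
# in the GUI cannot be attributed to a single policy from the UI alone.
if ($r.DrivenBy -like '*;*') {
    Write-Warning 'Both EnhanceSecurityMode and DefaultJavaScriptJitSetting force Strict; reconcile them before troubleshooting site breakage.'
}
```

Run it in an elevated PowerShell on a managed device; the warning fires exactly in the situation Johannes described, where Strict in the Preferences page could have come from either policy. Only HKLM is inspected here; if your environment also deploys Edge policies per user, repeat the same reads against HKCU:\SOFTWARE\Policies\Microsoft\Edge.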

@Johannes Goerlich Hi! Just wanted to let you know that in Microsoft Edge v104 there have been improvements to enhanced security mode. There are now Basic, Balanced and Strict modes. The documentation has been updated here: Browse more safely with Microsoft Edge | Microsoft Docs. Thanks!

-Kelly

Thanks for catching up, Kelly! This updated documentation confirms my understanding. The improvement of having a third mode is very useful. And from the linked sources I read that an emulated ACG for Linux and Mac is on track.

BTW, a good read on Hardware-Enforced Stack Protection can be found at https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/understanding-hardware-enforced...

BR,
Joe
