Browser

Microsoft Edge has an Identity Problem

Posted on by Adam Fowler

Right now, it appears that Microsoft Edge is trying to be everything to everyone – which sounds good, until you look at what it could turn into. For enterprise and business, it’s a constantly updated browser that receives frequent Security Baseline recommendations to keep the browser’s settings in line with Microsoft deem as best practise – just like Windows 10/11 and Office apps.

There’s even a ‘Super Duper Secure Mode‘ (which I’m surprised the Microsoft Marketing team approved the name of) which promotes using the browser in the most secure way possible.

Microsoft also provide a fairly open roadmap of upcoming features, and looking for feedback on new items. Check out this list of feedback provided to Microsoft, how long it’s been on their list for, and the status.

The browser itself supports profiles that sign into Azure AD accounts (amongst others) and sync profile data securely to the tenant that account lives in – which can include browser history, favorites, and cached passwords. I’m highlighting here how much trust is put into what Microsoft holds on their business users.

This is the Microsoft I’m a fan of. It’s also why we have openly found out about a new feature currently in canary and dev builds called ‘Buy now, pay later‘. And, it’s also why I’m so disappointed to see this feature, as it flies in the face of what it seems Microsoft is trying to achieve with this trusted, natively embedded in the OS, browser. You can see the angry comments on the TechCommunity post above.

I’d already tweeted my disappointment:

Which lead to a journalist asking for my views for this article:

https://portswigger.net/daily-swig/microsoft-pushes-ahead-with-controversial-buy-now-pay-later-feature-for-edge-browser

I’ll try not to repeat what I wrote there, but it sets a precedent of a slippery slope on where the browser ends and third party features start. Microsoft who have become one of the more ‘woke‘ (which I use as a compliment, not an insult) IT companies, should they really be encouraging ‘buy now, pay later‘ to encourage people borrowing money to buy things online?

What I’m really hoping to see is the retraction of this feature, and it’s why I say Microsoft Edge has an identity problem. It can’t be both a consumer and a business/enterprise solution at the same time, if this is the path Microsoft is taking aspects of the browser down. Do we need to have a consumer SKU and an enterprise SKU of the browser? Different installers?

For the particular feature in question, there doesn’t appear to be a way to turn it off specifically. You CAN turn off ‘Save and fill payment info’ which I expect would disable the Zip pay option, but that’s a handy feature you’re removing from users.

Having Candy Crush baked into Windows 10 Home is questionable, but in Windows 10 Enterprise it’s ridiculous (which thankfully it isn’t). However, it’s in Windows 10 Pro

Am I being too harsh? So many online stores have the Zip pay option on their own store, along with Paypal payment plan options, so does it matter if Edge does it natively too? In my personal opinion it still does matter, because it’s a line that shouldn’t be crossed at all; advertising and the promotion of third party services for profit, native to the trusted browser. If the desktop wallpaper in Windows 10 was changing to promote anything outside of Microsoft services, people would be outraged.

I also expect Microsoft has a reasonable agreement lined up with Zip, which would make reversing this decision harder (or costlier), which will mean they won’t give it up quickly. Historically we have seen Microsoft change direction based on waves of negative feedback – which is awesome – but I’m really unsure if that will be enough this time.

Microsoft needs to decide what Microsoft Edge is. Is it a trusted platform, or is it a vehicle to increase revenue directly through partnerships, making money off the user? If it’s both, then it needs to have a high level switch to allow users and companies to turn off the money making side – especially when we’re already paying for the OS, and the browser is bundled with that.

Edit: I believe this feature will only turn up if you’re signed into the browser’s profile with a Microsoft account – so less of an impact on business users, but the general points still stand. I’ve seen this profile detection behaviour recently, where advertising fo the Microsoft Start app only popped up when I was logged in with a consumer profile, potentially triggered by one of Microsoft’s home pages – having the same home page in an AAD account profile didn’t show:

Set Microsoft Edge as Default Browser One Time

Posted on by Adam Fowler

The New Microsoft Edge browser is great and everyone should use it :) Especially if you’re still on Internet Explorer, you can make Edge use IE mode for the sites you have that still require IE, without having to actually use IE.

I had a scenario where I wanted Internet Explorer users to be changed to Microsoft Edge. Previously, we’d had business requirements to set IE as the default – but now that’s no longer required, I wanted to flip their default. At the same time, I didn’t want to change Google Chrome default browser users as they’d already made that choice, and didn’t want to shove a similar Chromium browser down their throats.

As per Microsoft’s doco https://docs.microsoft.com/en-us/deployedge/edge-default-browser you can use an XML file with default associations, and use Group Policy to point to that XML. It doesn’t stop users from changing the associations, but it does reset the associations each time the user logs in – so not ideal if you want to set a default, but also allow flexibility.

I worked out how to do this based on current default browser and using GPO still, so here’s what I did:

As per the doco above, create an XML file that sets Microsoft Edge as the default application for certain protocols: 

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations> 
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".html"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".htm"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="http"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="https"/>  
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgePDF" Identifier=".pdf"/>
</DefaultAssociations>

Note that .PDF is included, so if you’d rather not default .PDF files to Microsoft Edge, remove that line from the code.

The Group Policy in the doco to set this XML is called Set a default associations configuration file – and all it’s doing is populating a registry key. Instead of using the Group Policy setting, create a registry setting to apply a value to:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
DefaultAssociationsConfiguration - REG_SZ - Path to XML e.g. \\dfs\share\defaultapplication.xml

The Group Policy registry setting will look like this:

We only want this registry setting to apply when the default browser is IE, and not apply any other time. We can use two options to do this – Remove this item when it is no longer applied, and Item-level targeting:

“Remove this item when it is no longer applied” will remove the registry setting when the item-level targeting condition is no longer true, which will stop the default browser applying again and again once the default browser isn’t IE.

“Item-level Targeting” is where we’ll check another registry value to see if IE is the default browser.

This is checking the registry key path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

and the Value name ProgId

and the Value Data IE.HTTP

Only when all this is true, will the XML reg key apply. Next time someone logs on, the default program associations file will be read and apply the new browser default. Then, next time Group Policy evaluates, the registry setting will be out of scope and removed, so the default program assocations file registry setting will be removed.

For reference, Chrome will be the value ChromeHTML and Edge will be MSEdgeHTM.

This method worked quite well and gave me what I was after – a one time change from Internet Explorer to Microsoft Edge, without bothering Chrome and Firefox users.

Note that this will also keep kicking in if the user changes their browser default back to Internet Explorer, which might be what you want – but if not, you’d need to add another Item-level target using a flag file or registry setting to mark that the default browser has already been applied once.