Edge

The Current State of Edgium

“Edgium” or ‘The next version of Microsoft Edge’ is Microsoft’s rebuild of the Microsoft Edge browser, built on the open-source Chromium platform. I recently decided to start using it and see the current state of Edgium (which I’ll call it that for the rest of this post for clarification’s sake).

Microsoft Edge was met with a lot of resistance when launched – and although there were reasonable claims about it being the fastest browser around, there were a lot of features lacking and sites that wouldn’t work with it.

Here’s why Microsoft decided to abandon Edge as it is. It’s interesting to note that on mobile devices, they were already using an open-source foundation from the start, and for the desktop version there’s a focus on making sure all web standards are adopted.

You can download Microsoft Edge Beta right now and install it in parallel with the old Edge – or you can install the build that replaces old Edge direct from Microsoft here (keep in mind you can’t uninstall from this). The Beta is good if you want to have a play around before committing.

The expirience I’ve had so far is rock solid. There are some ways where it loosk and feels like Chrome, and others where it’s more Edgey. The import options (for me at least) just worked – I could import everything from browser history, favorites and saved passwords and pick which Chrome profile I wanted to import it from.

At the Edgium end, I’ve then created multiple profiles and imported each relevant profile across to match the experience I was having on Chrome. Multiple profiles is great when you’re doing things in Microsoft 365 and have multiple accounts (user and admin) and different tenants to access.

Also, Edgium fully supports Chrome extensions. Old Edge did have extensions too, but very few. Edgium will prompt, asking if you want to allow 3rd party extensions, and then you add them just like you would in Chrome:

The settings area of Edgium in my opinion, is much better than Chrome:

Google Chrome Settings Page
Microsoft Edgium Settings Page

There’s also already Group Policy ADM/ADMX files ready to use which gives IT Administrators a lot of control over the browser, which is worth putting in place and going through before you even consider piloting Edgium.

For IT Admins, also check out the security baseline you should use, currently in draft form.

Edgium also has an Internet Explorer mode, so hopefully this can end up with Edgium replacing Chrome, Internet Explorer and Old Edge with a single browser – it might take a while of course, but for a company looking to control the user experience a bit more and not manage lots of browsers, it’s looking hopeful.

At the time of writing there’s no announced release date of Edgium, but it’s expected to completely replace Edge – so it’s worth getting used to it early. I’m sure there will be some changes between here and launch, but it should all be small changes.

Personally I’ve made the move from Chrome to Edge and haven’t hit an issue yet. Old Edge is on the way out, and overall this seems to be a positive decision for all involved. Let’s see how

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves worked, which you could either use if they had a graphical representation of the button still, or you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical. and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practises. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking‘. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that in simple terms, websites can present their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic of a font. Usually the site will load the font on the fly, but blocking that means the site fails back to a ‘best match’ on the font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.Important
    Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000