Microsoft Edge

Microsoft Edge has an Identity Problem

Right now, it appears that Microsoft Edge is trying to be everything to everyone – which sounds good, until you look at what it could turn into. For enterprise and business, it’s a constantly updated browser that receives frequent Security Baseline recommendations to keep the browser’s settings in line with what Microsoft deems best practice – just like Windows 10/11 and Office apps.

There’s even a ‘Super Duper Secure Mode‘ (which I’m surprised the Microsoft Marketing team approved the name of) which promotes using the browser in the most secure way possible.

Microsoft also provides a fairly open roadmap of upcoming features, and looks for feedback on new items. Check out this list of feedback provided to Microsoft, how long each item has been on their list, and its status.

The browser itself supports profiles that sign into Azure AD accounts (amongst others) and sync profile data securely to the tenant that account lives in – which can include browser history, favorites, and cached passwords. I’m highlighting here how much trust is put into what Microsoft holds on their business users.

This is the Microsoft I’m a fan of. It’s also why we have openly found out about a new feature currently in canary and dev builds called ‘Buy now, pay later‘. And it’s also why I’m so disappointed to see this feature, as it flies in the face of what Microsoft seems to be trying to achieve with this trusted browser, natively embedded in the OS. You can see the angry comments on the TechCommunity post above.

I’d already tweeted my disappointment:

Which led to a journalist asking for my views for this article:

https://portswigger.net/daily-swig/microsoft-pushes-ahead-with-controversial-buy-now-pay-later-feature-for-edge-browser

I’ll try not to repeat what I wrote there, but it sets a precedent of a slippery slope on where the browser ends and third party features start. Microsoft, who have become one of the more ‘woke‘ (which I use as a compliment, not an insult) IT companies – should they really be promoting ‘buy now, pay later‘, encouraging people to borrow money to buy things online?

What I’m really hoping to see is the retraction of this feature, and it’s why I say Microsoft Edge has an identity problem. It can’t be both a consumer and a business/enterprise solution at the same time, if this is the path Microsoft is taking aspects of the browser down. Do we need to have a consumer SKU and an enterprise SKU of the browser? Different installers?

For the particular feature in question, there doesn’t appear to be a way to turn it off specifically. You CAN turn off ‘Save and fill payment info’ which I expect would disable the Zip pay option, but that’s a handy feature you’re removing from users.

Having Candy Crush baked into Windows 10 Home is questionable, but in Windows 10 Enterprise it would be ridiculous (which thankfully it isn’t). However, it is in Windows 10 Pro.

Am I being too harsh? So many online stores have the Zip pay option on their own store, along with PayPal payment plan options, so does it matter if Edge does it natively too? In my personal opinion it still does matter, because it’s a line that shouldn’t be crossed at all: advertising and the promotion of third party services for profit, native to the trusted browser. If the desktop wallpaper in Windows 10 was changing to promote anything outside of Microsoft services, people would be outraged.

I also expect Microsoft has a reasonable agreement lined up with Zip, which would make reversing this decision harder (or costlier), which will mean they won’t give it up quickly. Historically we have seen Microsoft change direction based on waves of negative feedback – which is awesome – but I’m really unsure if that will be enough this time.

Microsoft needs to decide what Microsoft Edge is. Is it a trusted platform, or is it a vehicle to increase revenue directly through partnerships, making money off the user? If it’s both, then it needs to have a high level switch to allow users and companies to turn off the money making side – especially when we’re already paying for the OS, and the browser is bundled with that.

Edit: I believe this feature will only turn up if you’re signed into the browser’s profile with a Microsoft account – so less of an impact on business users, but the general points still stand. I’ve seen this profile detection behaviour recently, where advertising for the Microsoft Start app only popped up when I was logged in with a consumer profile, potentially triggered by one of Microsoft’s home pages – having the same home page in an AAD account profile didn’t show it:

App & Browser Control Warning in Windows 10 2004

The setting to block potentially unwanted apps is turned off. Your device may be vulnerable

After upgrading to Windows 10 2004, I noticed an alert in Windows Defender. It was alerting that something needed to be turned on, and I wondered what, as I needed to do this in Group Policy for the entire organisation.

Clicking the area around the ‘turn on’ button takes you to the App & browser control – containing another ‘Turn on’.

Go into the ‘Reputation-based protection settings’ link and there’s more info:

Aha! An option that’s not on – Block downloads. This is actually a Microsoft Edge setting which you can toggle, and doing so will at the same time tick ‘Block downloads’:

I couldn’t find where this was set in Group Policy, so I used Procmon to work out what was changing with that toggle. I ended up working out it was in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled, and setting the default value to 1:

Great, now that I knew what was changing, I could work backwards. Using GPSearch I looked for “SmartScreenPuaEnabled” and came back with:

Configure Microsoft Defender SmartScreen to block potentially unwanted apps – User Configuration\Administrative Templates\Microsoft Edge\SmartScreen settings\

I didn’t have this Group Policy setting, so checked I had the latest ADMX files loaded for Windows 10 2004 – which I did, and they include templates for the Chromium based Microsoft Edge.

What I then discovered (or remembered!) was that there were separate ADMX files to get for Microsoft Edge, updated with each release. Downloading and loading these into my central repository brought in the “Configure Microsoft Defender SmartScreen to block potentially unwanted apps” setting I wanted. Enabling that and running a gpupdate set the value to what I wanted, and cleared the Microsoft Defender alert.
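To confirm the Group Policy actually landed rather than just the per-user toggle, here is an added PowerShell check (my example, not from the original post). It assumes the user toggle is a DWORD named SmartScreenPuaEnabled under the HKCU\SOFTWARE\Microsoft\Edge key found with Procmon above, and that the policy writes the same value name under SOFTWARE\Policies\Microsoft\Edge in HKLM (computer) or HKCU (user), with policy taking precedence over the user preference.

```powershell
# Added example, not from the original post: report whether Microsoft Edge's
# "Block potentially unwanted apps" setting (SmartScreenPuaEnabled) is on and
# whether it comes from the user toggle traced with Procmon or from Group Policy.
# Assumption: the user toggle is a DWORD named SmartScreenPuaEnabled under
# HKCU\SOFTWARE\Microsoft\Edge; the policy writes the same value name under
# SOFTWARE\Policies\Microsoft\Edge in HKLM (computer) or HKCU (user).

function Get-EdgePuaBlockingState {
    # Checked in precedence order: computer policy, user policy, then the
    # per-user preference that the Edge settings toggle writes.
    $locations = [ordered]@{
        'Policy (Computer)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
        'Policy (User)'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
        'User preference'   = 'HKCU:\SOFTWARE\Microsoft\Edge'
    }

    $found = foreach ($entry in $locations.GetEnumerator()) {
        $item = Get-ItemProperty -Path $entry.Value -Name 'SmartScreenPuaEnabled' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Source = $entry.Key
                Path   = $entry.Value
                Value  = [int]$item.SmartScreenPuaEnabled
            }
        }
    }

    # Highest-precedence hit decides; nothing found means Defender keeps warning.
    $effective = @($found) | Select-Object -First 1
    $enabled = if ($effective) { $effective.Value -eq 1 } else { $false }
    $source  = if ($effective) { $effective.Source } else { 'Not configured' }

    [pscustomobject]@{
        BlockingEnabled = $enabled
        EnforcedBy      = $source
        AllValues       = @($found)
    }
}

Get-EdgePuaBlockingState | Format-List
```

Run it as the affected user after gpupdate: EnforcedBy should read ‘Policy (User)’ (or ‘Policy (Computer)’), not ‘User preference’, if the ADMX-backed setting is what cleared the alert.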

Long story short – if you’re still using Group Policy like me, you may want to get into the habit of updating your ADMX files for Microsoft Edge more frequently than your Windows 10 builds – Microsoft releases major versions of Edge every 6 weeks.

How To Update Microsoft Edge

How To Check For Updates on Microsoft Edge

  1. Click the Ellipsis (…) in the top right corner
  2. Under ‘Help and Feedback’ click ‘About Microsoft Edge’
  3. The page that shows up will tell you if you’re on the latest version, or give you an update link to click on.

Applies To: Windows 10, Windows 8.1, Windows 8, Windows 7


Microsoft Edge (Chromium version) should just update by itself. If there’s an update ready to go, you may see an arrow over the ellipsis in the top right hand corner, which just means you need to restart the browser when you want the update to apply.

New versions (known as builds) are released frequently – on a 6 week cycle for features, and security updates as required.

If you’re still on the old Microsoft Edge (known as Microsoft Edge Legacy), then check Windows Update as this will automatically upgrade you to the new Edge.

How To Set Up Enterprise Mode for Microsoft Edge

AKA How to force certain websites when opened in Edge, to instead open in Internet Explorer.

Update 17th January 2020:
The New Edge is out, and there’s 1 extra Group Policy to do: Enable ‘Configure Internet Explorer integration’ and set it to ‘Internet Explorer Mode’ to open sites inside Edge as IE, or ‘Internet Explorer 11’ to open sites separately in IE11. The rest of this article still applies and is needed to make this work. Official documentation on docs.microsoft.com

Original Post:

Microsoft Edge is undergoing a big change with the underlying platform being migrated to Chromium – things will change with that (along with a new Internet Explorer mode) but that doesn’t help right now.

Many companies have certain websites they need to use that either require Internet Explorer, or work best in Internet Explorer. This isn’t about what browser is ‘best’, but some solutions were designed with only Internet Explorer in use.

Getting users to use the right website in the right scenario can be a pain, and every user seems to have their own opinion on what browser they prefer to use. Microsoft Edge has a great solution for this – Enterprise Mode. There was also an Enterprise Mode in Internet Explorer that worked in a similar way too, where you could force certain sites to run as a certain version of IE for compatibility reasons.

This is quite easy to set up, but I’ve found the existing documentation rather confusing to follow, as it doesn’t give an end to end explanation – or the documentation is rather outdated, written when the feature first came out, with a lot of options having changed since then.

Step 1 – Enterprise Mode Site List Manager

Download Enterprise Mode Site List Manager (schema v.2) and install it. This is the program you’ll use to manage the sites you want to force to use IE rather than Edge:

Enterprise Mode Site List Manager will start off blank. Click the ‘Add’ button on the bottom, type in the URL of the site you want to use (don’t worry about http or https if you want to catch both). You then tell it what to do with that URL – Open in IE, Edge, or do nothing. Since we’re opening everything in Edge except what we want in this list, open in IE11 is the option we want, and leave it at the default IE8 Enterprise Mode (or change this if you need a different compatibility mode).

There are two parts to maintaining a list – Exporting/Importing lists, and Saving as XML:

Once you have a record to test, go to File > Export. This will save your details into an .emie2 file; put that somewhere central and safe. The idea is that you’ll need to import that file to make a change, then export again. If you don’t do this, you won’t have a way for others to get the list of sites and make changes by importing that file at a later date. It has in-built version control (this is important, more later); in the screenshot above you can see it’s version 5.

Then, you can save your URL to an XML file. This is what Edge will read when it launches. Either save this file centrally where everyone can read it (no write access required, just read), or copy it to everyone’s computer locally via GPO. Personally I’ve just put it in a central location.

Step 2 – Configure Group Policy or Intune

I’m using Group Policy, but the Microsoft Documentation mentions Intune is supported too – we’re only changing registry settings, so that makes sense.

Turning on Enterprise Mode can be done at either the Computer or User level, and is under > Policies > Administrative Templates > Windows Components > Microsoft Edge > Configure the Enterprise Mode Site List.

Enable this setting, and in the options enter the path of where your XML is – e.g. \\server\sharename\edge.xml – or C:\Data\edgesettings.xml. Although the Group Policy says URL, it’ll accept UNC paths or drives.

If you’ve used a Computer Configuration setting, gpupdate then reboot (or reboot twice). To tell if the setting has applied, check the value of the registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode 

or 

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode

SiteList = The path you entered in the Group Policy setting.

If you see that, great! Group Policy is working. One caveat if you have System Center Configuration Manager (ConfigMgr) – it can potentially use this setting also, as per this technet thread, which is exactly what I had. I was testing a user policy, but this was configured at both the user and computer levels, so my user setting was being ignored. I’m not sure if this is still used, but it’s worth being aware of.

Version control is also recorded in the registry. It lives under:

HKEY_CURRENT_USER\Software\Microsoft\MicrosoftEdge\Main\EnterpriseMode

CurrentVersion = 5

regardless of the SiteList being under Computer or User. There are a few catches with this – first, it’ll only show up after Edge is launched and you wait ~65 seconds. It’ll show the same version as what’s contained in the XML, which was the version we saw in Enterprise Mode Site List Manager.

If you have the ConfigMgr setting, or have ever had Enterprise Mode for Edge enabled in your environment, then the version might already exist and be higher than what you’ve tried to deploy. On my PC, I saw version 28000 something – that’s a lot of versions.

You’ll need to either delete that value for everyone to start back at 0 (then, after Edge is launched per user, it’ll update to whatever your XML file contains), or update the version in Enterprise Mode Site List Manager to a higher number than whatever’s out there in your environment.

To change the version in Enterprise Mode Site List Manager, on the computer with it installed navigate to

C:\Users\your username\AppData\Roaming\EMIESiteListManager\ – in that path should be a file called SiteList.xml.

That file should have the first line as <site-list version="5"> or whatever the current version is, and you can just change that ‘5’ to whatever number you want. Open Enterprise Mode Site List Manager and you’ll see that updated version number, which will then get written +1 to the XML file next time you save it out.
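Because the stale CurrentVersion problem is silent (Edge just keeps ignoring the new list), here is an added PowerShell check to run on a test machine (my example, not from the original post). It assumes only the registry paths quoted above and that the deployed XML’s root element is <site-list version="N"> as shown; it reads the SiteList path from policy, the CurrentVersion Edge recorded, and the version inside the XML, then tells you which of the three cases you are in.

```powershell
# Added example, not from the original post: find where the Enterprise Mode site
# list is configured, then compare the version Edge last recorded with the
# version inside the deployed XML. A recorded CurrentVersion higher than the XML
# (the "28000 something" case) means Edge keeps ignoring the new list until the
# XML version is raised or the registry value is deleted.
# Assumptions: registry paths are the ones quoted in the post; the XML root is
# <site-list version="N"> as shown in the post.

function Get-EnterpriseModeSiteListPath {
    # Computer policy first, then user policy, matching the post's two locations.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $key = "$root\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode"
        $item = Get-ItemProperty -Path $key -Name SiteList -ErrorAction SilentlyContinue
        if ($item -and $item.SiteList) { return $item.SiteList }
    }
    return $null
}

function Get-SiteListXmlVersion {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    if ($doc.DocumentElement.Name -ne 'site-list') {
        throw "Root element is '$($doc.DocumentElement.Name)', expected 'site-list'"
    }
    return [int]$doc.DocumentElement.GetAttribute('version')
}

function Test-EnterpriseModeDeployment {
    $xmlPath = Get-EnterpriseModeSiteListPath
    if (-not $xmlPath) { return [pscustomobject]@{ Status = 'SiteList policy not applied' } }

    # CurrentVersion only appears after Edge has launched and ~65 seconds passed.
    $stateKey = 'HKCU:\Software\Microsoft\MicrosoftEdge\Main\EnterpriseMode'
    $state = Get-ItemProperty -Path $stateKey -Name CurrentVersion -ErrorAction SilentlyContinue
    $recorded = if ($state) { [int]$state.CurrentVersion } else { $null }
    $deployed = Get-SiteListXmlVersion -Path $xmlPath

    $status = if ($null -eq $recorded) { 'Edge has not read the list yet' }
              elseif ($recorded -gt $deployed) { 'STALE: registry version exceeds the XML; raise the XML version or delete CurrentVersion' }
              elseif ($recorded -eq $deployed) { 'OK: Edge is using the deployed list' }
              else { 'Pending: Edge holds an older version; relaunch and wait ~65 s' }

    [pscustomobject]@{ SiteList = $xmlPath; DeployedVersion = $deployed; RecordedVersion = $recorded; Status = $status }
}

Test-EnterpriseModeDeployment | Format-List
```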


That’s really it – it’s simple, but there are a few catches I ran into when testing. Once this is in place, if a user goes to a site that you’ve listed in the XML, a new window opens in IE and goes to that site instead. It’ll also support subsites, so you don’t need to send traffic for an entire domain like adamfowlerit.com there; it could be adamfowlerit.com/news, and only hits to that subsite will be triggered.

There are a few other Group Policy settings around this, such as forcing all intranet sites to go to IE; you’ll need to work out what’s best for your environment.