Month: March 2021

Microsoft Edge in Citrix – Revamped

During Citrix Summit back in January 2020, I posted my first article about the Microsoft Edge browser based on the Chromium Project. At that time I had used the BETA edition of Microsoft Edge for quite some time and I was thrilled to see it enter the stable release channel.
The stable release was, in my opinion, a big deal and it still is: with Microsoft Edge we get a modern and secure browser which is supported on both Windows 10 (v1709 and later) and the Windows Server operating systems (2008 R2, 2012, 2012 R2, 2016 and 2019). In the coming Windows Server 2022, the Microsoft Edge browser is of course built in.

This article will serve as a condensed version of my previous articles about Microsoft Edge which you can find here:
Microsoft Edge in Citrix
Microsoft Edge Group Policy Configuration
The curious case of the pinned Microsoft Edge shortcut
How to get rid of Internet Explorer
However this article will have some bits of new content, specifically around the Sleeping Tabs and Password Monitor features.

I’ll focus on how to install and configure Edge, there are some pitfalls there to be aware of.
The configuration of Microsoft Edge can be done via AD group policies or Microsoft Endpoint Manager (Intune); in this article I’ll focus on how to configure Microsoft Edge via AD group policies.
Key features like Enterprise Sync, Internet Explorer mode, Tracking Prevention, Sleeping Tabs and the new Password Monitor feature, are all providing a great deal of value when using Microsoft Edge in a shared environment.

Installing Microsoft Edge

Obviously the first thing you’ll have to do is to get the Microsoft Edge setup file. I always get the enterprise MSI file:

Select the latest stable release, at the time of writing this is v89.0.774.45 and make sure to also grab the latest Administrative Templates for Microsoft Edge using the “Get policy files” link.

Release cadence and channel overview

Microsoft Edge is on a fairly rapid release cycle. Approximately every 6 weeks a new major version of Microsoft Edge is released. Also be aware that security and quality updates are released as needed within that 6 week period, meaning that you may get multiple security and quality updates between the release of major updates.
As mentioned Microsoft Edge is currently on version 89.0.774.45. The next major release is going to be version 90.x and is scheduled to reach the stable channel some time during the second week of April 2021.

More information about the release schedule can be found here, and the release channels here.

Create an evergreen Microsoft Edge deployment

If you don’t want to make frequent visits to the Microsoft Edge download site, or you want a more automated process for retrieving the latest Microsoft Edge setup MSI and administrative templates, I highly recommend the Evergreen PowerShell module by Aaron Parker, Bronson Mangan and Trond Eric Haarvarstein. One of the advantages besides always installing the latest Microsoft Edge release, is that with the Evergreen module, you don’t have to maintain a local software repository saving both space and management time in the long run.

Here is a screen recording of how to use the Evergreen module to install Microsoft Edge:

The script used in the screen recording is available in my Evergreen-Software-Install Github repo.

If you prefer a manual approach or just don’t want to use the Evergreen module, feel free to use this script instead:

# Deploy Microsoft Edge
Write-Host "Installing Microsoft Edge" -ForegroundColor Cyan
Write-Host ""
# Silent install through msiexec.exe with the reboot suppressed; the two DONOTCREATE* properties keep
# the desktop and taskbar shortcuts out of the image
$msi = (Resolve-Path -Path .\MicrosoftEdgeEnterpriseX64.msi).Path
Start-Process -FilePath msiexec.exe -Wait -ArgumentList "/i `"$msi`" /qn REBOOT=ReallySuppress DONOTCREATEDESKTOPSHORTCUT=true DONOTCREATETASKBARSHORTCUT=true"

# Microsoft Edge post deployment tasks
Write-Host "Applying Microsoft Edge post setup customizations" -ForegroundColor Cyan

# Disable Microsoft Edge auto update via the EdgeUpdate policy key (UpdateDefault = 0 turns updates off)
# The key does not exist on a fresh install, so create it first
$edgeUpdatePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
if (-not (Test-Path -Path $edgeUpdatePolicy)) {
    New-Item -Path $edgeUpdatePolicy -Force | Out-Null
}
# -Force creates the value, or overwrites it if it already exists, so the script can safely be re-run
New-ItemProperty -Path $edgeUpdatePolicy -Name UpdateDefault -Value 0 -PropertyType DWORD -Force | Out-Null

# Disable the Microsoft Edge update scheduled tasks
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null

# Configure the Microsoft Edge update service to manual startup (Manual, not Disabled, see the note below)
Set-Service -Name edgeupdate -StartupType Manual

# Execute the Microsoft Edge browser replacement task to make sure that the legacy Microsoft Edge browser is tucked away
# This is only needed on Windows 10 versions where Microsoft Edge is not included in the OS.
Start-Process -FilePath "${env:ProgramFiles(x86)}\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Wait -ArgumentList "/browserreplacement"

Don’t disable the Microsoft Edge update services; the script above only sets the service to Manual. If you disable them, users might get an error on the “About Microsoft Edge” page in Settings.

Configuring Microsoft Edge

With Microsoft Edge installed, we now have to configure the browser. Internet browsers are among the most frequently used applications, which means that we have to make it as secure as possible without affecting the user experience.

Microsoft has helped us out a bit with securing the Microsoft Edge browser, they have a security baseline configuration available, which provides us with a range of different pre-configured security related policies.

At the time of writing Microsoft Edge is on version 89.x, however Microsoft has not updated the v88.x security baseline to v89.x, because there have been no changes in the security configuration between v88.x and v89.x. The changes in the v88.x baseline compared to the previous baseline can be found on the Microsoft Tech Community site for Security Baselines.

If there are changes to the security baseline configuration, Microsoft releases a new security baseline matching the major version of Microsoft Edge currently available, so make sure to get and test the latest security baseline configuration.

The security baseline is, as the name says a baseline, it’s not the entire Microsoft Edge configuration. We would in most cases need additional configuration on top of the security baseline configuration, at least that’s my recommendation.

So here’s what I usually do.

I create a GPO for the security baseline settings, let’s say it’s for v89.x. The reason for this is that when Microsoft releases a new security baseline configuration for v90.x, I can import the new v90.x settings to a new GPO, do some testing, and then release the v90.x into production when I am ready, disabling the v89.x GPO of course.
This approach ensures you’ll always have the latest recommended security baseline settings for Microsoft Edge.

Any additional configuration settings I configure in another GPO, to separate “my own” Microsoft Edge configuration settings from the security baseline settings. With this approach you have to configure the correct GPO link order, applying the security baseline configuration GPO before the additional settings GPO, so that your own settings win where the two GPOs overlap.

GPO Configuration

GPO link ordering

As I mentioned, the GPO link order is important. In this example I have 4 GPOs linked to an OU; the number of GPOs doesn’t really matter, as long as you make sure the link order is configured to apply the security baseline configuration GPO before the additional configuration GPO. Remember that in Group Policy the link with order 1 is processed last and wins on conflicts, so the additional configuration GPO must have a lower link order number than the security baseline GPO.
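The link order check described above, as an added example that is not part of the original article: a PowerShell function using the GroupPolicy module (RSAT) that reads the links on an OU and confirms the additional configuration GPO is processed after (has a lower link order number than) the security baseline GPO. The OU distinguished name and the two GPO display names are placeholders; replace them with your own.

```powershell
# Added example, not from the original article: verify the Edge GPO link order on an OU.
# Link order 1 is processed last and wins on conflicts, so the additional configuration GPO
# must have a lower link order number than the security baseline GPO.
# OU and GPO names below are placeholders.
Import-Module GroupPolicy

function Test-EdgeGpoLinkOrder {
    param(
        [Parameter(Mandatory)][string]$TargetOU,
        [string]$BaselineGpo   = 'Microsoft Edge v89 Security Baseline',
        [string]$AdditionalGpo = 'Microsoft Edge Additional Configuration'
    )
    $links      = (Get-GPInheritance -Target $TargetOU).GpoLinks
    $baseline   = $links | Where-Object { $_.DisplayName -eq $BaselineGpo }
    $additional = $links | Where-Object { $_.DisplayName -eq $AdditionalGpo }
    if (-not $baseline)   { throw "'$BaselineGpo' is not linked to $TargetOU" }
    if (-not $additional) { throw "'$AdditionalGpo' is not linked to $TargetOU" }

    [pscustomobject]@{
        BaselineOrder     = $baseline.Order
        AdditionalOrder   = $additional.Order
        BaselineEnabled   = $baseline.Enabled
        AdditionalEnabled = $additional.Enabled
        # Correct when the additional GPO has the lower number (applied last) and both links are enabled
        OrderCorrect      = ($additional.Order -lt $baseline.Order) -and $baseline.Enabled -and $additional.Enabled
    }
}

# Report, and if the order is wrong move the additional GPO to the top of the list
$ou     = 'OU=Citrix VDA,DC=corp,DC=example'   # placeholder OU
$result = Test-EdgeGpoLinkOrder -TargetOU $ou
$result
if (-not $result.OrderCorrect) {
    Set-GPLink -Name 'Microsoft Edge Additional Configuration' -Target $ou -Order 1
}
```

Re-run the check after you link a new baseline GPO (v90.x and later) and disable the old one, since a newly linked GPO lands at order 1 and would otherwise sit on top of your additional configuration.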

Security Baseline Configuration GPO

I’ll provide a couple of screenshots of the current v89.x security baseline GPO, however remember that this is the v89.x security baseline configuration. Future security baseline configurations may contain additional settings.

Computer Configuration
User Configuration

There are no user configuration policies configured in the security baseline configuration provided by Microsoft.

Additional Configurations GPO

This is the GPO which should have the additional configuration settings that you want to apply “on top” of the security baseline configuration settings. Remember that the configured GPO link ordering lets us either add configuration or override settings coming from the security baseline configuration GPO.
The combined configuration of the security baseline GPO and the additional configuration GPO is what gets applied to Microsoft Edge when the computer starts up and when the user logs on.

Keep in mind this configuration is my take on what can/should be configured, it is NOT the universal truth, be critical and adjust the configuration to suit your environment and/or needs.

Computer Configuration
User Configuration

I apologize for the barely readable screenshots. I wanted to get both the policy and the comment in one shot. Hopefully you are using a browser, with a zoom feature.

I will go through specific Microsoft Edge features below, and any eventual group policy settings that goes with the feature.

Microsoft Edge key features configuration

Microsoft Edge Sync

The Microsoft Edge Sync feature synchronizes your favorites, history, passwords and other browser data across your devices, so a user’s favorites are available both in a Citrix session and on a Windows 10 device. This means that we no longer need to configure favorites folder redirection.

The feature is available with Azure AD Premium (P1 or P2), and a handful of other subscriptions.

The sync feature is configured with these policies:

Internet Explorer Mode

Internet Explorer Mode (IE Mode) is a unique feature in Microsoft Edge. It helps the transition from Internet Explorer to Microsoft Edge by allowing certain URLs to run either in IE Mode in a tab within Microsoft Edge or in a stand-alone Internet Explorer window.

Here are a couple of small screen recordings of IE Mode in action: how it can be used to enable Java- or Flash-based sites in Microsoft Edge, force certain URLs to open in a stand-alone Internet Explorer window, and restrict which URLs are allowed in Internet Explorer.

IE Mode with Java and Adobe Flash
IE Mode with both embedded tabs and IE stand alone windows
IE Mode is configured to send all sites not included in the site list back to Microsoft Edge

The IE Mode feature is configured with these policies:

Enterprise Site List Manager

The URLs for IE Mode are configured in an XML file via the Enterprise Mode Site List Manager tool. With Microsoft Edge v89.x this tool is built in, however you have to enable it via GPO; it is also still available as a separate download. The XML file should be stored on a central file share or on a central web server.
During the first launch of Microsoft Edge the XML file is copied to the user’s Windows profile and from there the XML file is parsed to determine which URLs are configured for IE Mode. During any future logons the XML file is parsed and the version of the file is compared to the one in the central location; if the version numbers do not match, Microsoft Edge copies the new XML file to the user’s profile and parses the new file. In practice this means you must increment the version number in the XML file every time you change it, otherwise users keep working from the old copy in their profile.

Here are a few screenshots of the, now old, Enterprise Site List Manager:

In this screenshot the XML file is called Sites.xml; you can call it whatever you want, as long as you specify the XML file location, so Microsoft Edge and Internet Explorer know where to look for it.
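The site list XML and the version comparison described above, as an added example that is not part of the original article: a PowerShell function that writes a site list from a few constructed entries, and a second function that does the same version-attribute comparison Edge does between the central copy and the copy in the profile. The element names follow the Enterprise Mode site list schema v2 as written by the Enterprise Mode Site List Manager, and the optional app="true" attribute on open-in is what the tool emits for its “Standalone IE” option; verify both against the tool’s own output. The site entries and the temp paths are constructed for the example.

```powershell
# Added example, not from the original article. Schema element names as documented for the
# Enterprise Mode site list v2; site entries and paths below are constructed for the demo.
function New-IEModeSiteList {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Version,        # must increase on every change, or clients keep the cached copy
        [Parameter(Mandatory)][hashtable[]]$Sites   # @{ Url; OpenIn = 'IE11'|'MSEdge'|'none'; CompatMode; StandaloneIE }
    )
    $validOpenIn = 'IE11', 'MSEdge', 'none'
    $doc  = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null))
    $root = $doc.AppendChild($doc.CreateElement('site-list'))
    $root.SetAttribute('version', $Version)

    # Header block as written by the Site List Manager (tool, version, date-created)
    $createdBy = $root.AppendChild($doc.CreateElement('created-by'))
    foreach ($pair in @(@('tool', 'New-IEModeSiteList'), @('version', '1'), @('date-created', (Get-Date -Format 'yyyyMMdd.HHmmss')))) {
        $node = $createdBy.AppendChild($doc.CreateElement($pair[0]))
        $node.InnerText = $pair[1]
    }

    foreach ($site in $Sites) {
        if ($site.OpenIn -notin $validOpenIn) { throw "Invalid open-in '$($site.OpenIn)' for $($site.Url)" }
        $siteNode = $root.AppendChild($doc.CreateElement('site'))
        $siteNode.SetAttribute('url', $site.Url)
        if ($site.CompatMode) {
            $compat = $siteNode.AppendChild($doc.CreateElement('compat-mode'))
            $compat.InnerText = $site.CompatMode
        }
        $openIn = $siteNode.AppendChild($doc.CreateElement('open-in'))
        $openIn.InnerText = $site.OpenIn
        if ($site.StandaloneIE) { $openIn.SetAttribute('app', 'true') }   # stand-alone IE window instead of an IE Mode tab
    }
    $doc.Save($Path)
}

function Test-SiteListNeedsRefresh {
    param([Parameter(Mandatory)][string]$CentralPath, [Parameter(Mandatory)][string]$CachedPath)
    # Edge compares the version attribute, not timestamps or content: an edited list with the
    # same version number is never copied into the profile again
    if (-not (Test-Path -LiteralPath $CachedPath)) { return $true }
    $central = [int]([xml](Get-Content -LiteralPath $CentralPath -Raw)).'site-list'.version
    $cached  = [int]([xml](Get-Content -LiteralPath $CachedPath  -Raw)).'site-list'.version
    return ($central -ne $cached)
}

# Demo with constructed entries and temp paths; in production write the file to the share or
# web server that the InternetExplorerIntegrationSiteList policy points to
$central = Join-Path $env:TEMP 'Sites.xml'
$cached  = Join-Path $env:TEMP 'Sites.cached.xml'
$sites = @(
    @{ Url = 'legacyerp.corp.example';     OpenIn = 'IE11';   CompatMode = 'IE8Enterprise' }   # old Java/Flash app in an IE Mode tab
    @{ Url = 'oldportal.corp.example/app'; OpenIn = 'IE11';   StandaloneIE = $true }            # forced into a stand-alone IE window
    @{ Url = 'intranet.corp.example';      OpenIn = 'MSEdge' }                                  # always stays in Microsoft Edge
)
New-IEModeSiteList -Path $central -Version 1 -Sites $sites
Copy-Item -LiteralPath $central -Destination $cached                   # simulate the copy in the user profile
New-IEModeSiteList -Path $central -Version 1 -Sites $sites             # edited again, version not bumped
Test-SiteListNeedsRefresh -CentralPath $central -CachedPath $cached    # False: Edge would keep the old copy
New-IEModeSiteList -Path $central -Version 2 -Sites $sites             # version bumped
Test-SiteListNeedsRefresh -CentralPath $central -CachedPath $cached    # True
```

The point of the last four lines is the pitfall from the text: a changed site list with an unchanged version number is silently ignored by clients that already have a copy.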

If enabled, the built-in Enterprise Site List Manager can be accessed via the edge://compat page:

The policy needed to enable the built-in Enterprise Site List Manager:

Tracking Prevention

The Tracking Prevention feature blocks trackers and ads, which usually improves page load time and general performance. In a terminal server based setup this feature can save huge amounts of CPU in Microsoft Edge, because Tracking Prevention blocks ads and most embedded videos on almost all sites. If a site is not working properly and Tracking Prevention is suspected, you can configure an exception list of sites where Tracking Prevention shouldn’t be active; this list can be configured both via GPO and manually by the user.

Here is a small screen recording of Tracking Prevention in effect. Notice the huge amount of CPU usage when accessing and browsing the site, and then the drop in CPU usage when Tracking Prevention is enabled. This is with one user only, imagine how this would look with 10 users accessing this site.

Tracking Prevention can of course also be configured via GPO:

Sleeping Tabs

Sleeping Tabs is a fairly new feature; it was released as a BETA feature in v88, where you had to enable it via edge://flags as an experimental feature.

In Microsoft Edge v89 Sleeping Tabs is no longer considered a BETA feature. It’s now a stable feature and it’s enabled by default.
Sleeping Tabs suspends an inactive tab after a certain period of time, default is 2 hours, conserving both memory and CPU resources.

The Sleeping Tabs feature can be configured via GPO:

Do not use The Great Suspender extension

Previously I have recommended the extension called The Great Suspender to suspend inactive tabs.

I do no longer recommend installing this extension!

Reports came out in February 2021 that the extension had a new owner who changed a few things, which eventually ended up with the extension being blocked in the Chrome Web Store. The extension is no longer blocked, however based on what’s currently going on at The Great Suspender GitHub page, I can no longer recommend this extension and I strongly advise you to switch to Sleeping Tabs, which offers configuration and manageability via group policy, something The Great Suspender extension does not.

Password Monitor

This feature is still rolling out; at the time of writing I have no way of showing it off in Microsoft Edge. However, Microsoft has released some information about the feature here and here. Password Monitor is a new feature which checks any passwords saved in the browser against a cloud database of known leaked credentials. Microsoft’s write-up describes the comparison as being done with homomorphic encryption, so the saved password itself is not sent to Microsoft in the clear. If you have a password that is no longer safe, Microsoft Edge notifies you and recommends changing it.

The Password Monitor feature can be enabled via GPO:
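The group policies for Sync, IE Mode (including the built-in site list manager), Tracking Prevention, Sleeping Tabs and Password Monitor discussed in the sections above all end up as registry values that Edge reads at startup. As an added example that is not part of the original article, here is a PowerShell audit script that reads those values on a VDA or terminal server and reports whether each feature is set the way you intended. The value names are the Edge v89 ADMX policy names; the expected values are my assumptions for a shared environment, so verify both against the administrative templates you downloaded and against edge://policy in a session.

```powershell
# Added example, not from the original article: audit the Edge feature policies on this machine.
# Policy value names are the Edge v89 ADMX names; expected values are assumptions for a shared
# environment. Verify against the downloaded administrative templates and edge://policy.
$machinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$userPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'

# Expected = $null means "any value is fine, it just has to be set"
$checks = @(
    @{ Name = 'SyncDisabled';                                      Expected = 0;     Meaning = 'Edge Sync (0 = allowed, 1 = disabled)' }
    @{ Name = 'InternetExplorerIntegrationLevel';                  Expected = 1;     Meaning = 'IE Mode (0 = none, 1 = IE Mode tab, 2 = open in IE window)' }
    @{ Name = 'InternetExplorerIntegrationSiteList';               Expected = $null; Meaning = 'Location (UNC path or URL) of the site list XML' }
    @{ Name = 'InternetExplorerIntegrationSiteListManagerAllowed'; Expected = 1;     Meaning = 'Built-in site list manager at edge://compat' }
    @{ Name = 'TrackingPrevention';                                Expected = 2;     Meaning = 'Tracking Prevention (0 = off, 1 = basic, 2 = balanced, 3 = strict)' }
    @{ Name = 'SleepingTabsEnabled';                               Expected = 1;     Meaning = 'Sleeping Tabs' }
    @{ Name = 'SleepingTabsTimeout';                               Expected = 7200;  Meaning = 'Seconds of inactivity before a tab sleeps' }
    @{ Name = 'PasswordMonitorAllowed';                            Expected = 1;     Meaning = 'Password Monitor' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EdgePolicyReport {
    foreach ($check in $checks) {
        # A machine policy (HKLM) takes precedence over a user policy (HKCU) with the same name
        $value = Get-PolicyValue -Path $machinePolicy -Name $check.Name
        $scope = 'Machine'
        if ($null -eq $value) {
            $value = Get-PolicyValue -Path $userPolicy -Name $check.Name
            $scope = 'User'
        }
        if ($null -eq $value) {
            $scope  = '-'
            $status = 'NotSet'
        } elseif ($null -eq $check.Expected -or $value -eq $check.Expected) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'
        }
        [pscustomobject]@{
            Policy   = $check.Name
            Scope    = $scope
            Value    = $value
            Expected = $check.Expected
            Status   = $status
            Meaning  = $check.Meaning
        }
    }
}

Get-EdgePolicyReport | Format-Table -AutoSize
```

Run it after a gpupdate on a test VDA; anything reported as NotSet or Mismatch is either missing from your additional configuration GPO or overridden by a GPO lower in the link order. To check a whole delivery group, wrap the call in Invoke-Command against the VDA list.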

Profile Exclusions

Once Microsoft Edge has been configured, most of the configuration is stored in the user’s profile here – AppData\Local\Microsoft\Edge\User Data.

In a shared environment, like terminal server based or VDI based setups, there are some folders in the User Data folder which can grow large in size. The content of these folders is mostly cached information, and it usually doesn’t make much sense to store cached information in the profile.

I usually exclude these folders:

AppData\Local\Microsoft\Edge\User Data\Default\Cache
AppData\Local\Microsoft\Edge\User Data\Default\Code Cache
AppData\Local\Microsoft\Edge\User Data\Default\Media Cache
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsMostVisited
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed
AppData\Local\Microsoft\Edge\User Data\Default\Service Worker
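To see whether the exclusion list above actually pays off in your environment, here is an added example that is not part of the original article: a PowerShell report that sizes the listed folders for every Edge profile directory under User Data and shows how much of the profile they account for. The list of folders mirrors the exclusions above; the Profile N folder names are what Edge uses for additional profiles. Run it as the user, on a session host where the profile has been in use for a while.

```powershell
# Added example, not from the original article: measure the folders on the exclusion list
# for each Edge profile directory (Default, Profile 1, ...) under User Data.
$userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
# Relative to each profile folder, matching the exclusion list above
$excludedFolders = 'Cache', 'Code Cache', 'Media Cache',
                   'JumpListIconsMostVisited', 'JumpListIconsRecentClosed', 'Service Worker'

function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    return [math]::Round($bytes / 1MB, 2)
}

function Get-EdgeProfileCacheReport {
    param([string]$UserDataPath = $userData, [string[]]$Folders = $excludedFolders)
    $profiles = Get-ChildItem -LiteralPath $UserDataPath -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $total = Get-FolderSizeMB -Path $profile.FullName
        $excludable = 0
        foreach ($folder in $Folders) {
            $excludable += Get-FolderSizeMB -Path (Join-Path $profile.FullName $folder)
        }
        [pscustomobject]@{
            Profile      = $profile.Name
            TotalMB      = $total
            ExcludableMB = [math]::Round($excludable, 2)
            KeptMB       = [math]::Round($total - $excludable, 2)
        }
    }
}

Get-EdgeProfileCacheReport | Format-Table -AutoSize
```

If KeptMB is still large after the exclusions, list the remaining folders by size the same way to find candidates for your own, environment-specific exclusions, and test each one before it goes to production.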

As mentioned earlier, this is not the universal truth! When implementing this list of folders, do some proper testing before releasing it into production. Also be aware that there might be additional folders to exclude, based on the usage and configuration of Microsoft Edge.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.