Microsoft Edge in Citrix – Revamped

During Citrix Summit back in January 2020, I posted my first article about the Microsoft Edge browser based on the Chromium Project. At that time I had used the BETA edition of Microsoft Edge for quite some time and I was thrilled to see it enter the stable release channel.
The stable release of Microsoft Edge was, in my opinion, huge, and it still is, because with Microsoft Edge we get a modern and secure browser that is supported in both Windows 10 (v1709 and later) and the Windows Server operating systems (2008 R2, 2012, 2012 R2, 2016 and 2019). In the coming Windows Server 2022, the Microsoft Edge browser is of course built-in.

This article will serve as a condensed version of my previous articles about Microsoft Edge which you can find here:
Microsoft Edge in Citrix
Microsoft Edge Group Policy Configuration
The curious case of the pinned Microsoft Edge shortcut
How to get rid of Internet Explorer
However, this article will have some bits of new content, specifically around the Sleeping Tabs and Password Monitor features.

I’ll focus on how to install and configure Edge, as there are some pitfalls to be aware of.
The configuration of Microsoft Edge can be done via AD group policies or Microsoft Endpoint Manager (Intune); in this article I’ll focus on how to configure Microsoft Edge via AD group policies.
Key features like Enterprise Sync, Internet Explorer mode, Tracking Prevention, Sleeping Tabs and the new Password Monitor feature all provide a great deal of value when using Microsoft Edge in a shared environment.

Installing Microsoft Edge

Obviously the first thing you’ll have to do is get the Microsoft Edge setup file. I always get the enterprise MSI file:

Select the latest stable release (at the time of writing this is v89.0.774.45), and make sure to also grab the latest Administrative Templates for Microsoft Edge using the “Get policy files” link.

Release cadence and channel overview

Microsoft Edge is on a fairly rapid release cycle. Approximately every 6 weeks a new major version of Microsoft Edge is released. Also be aware that security and quality updates are released as needed within that 6 week period, meaning that you may get multiple security and quality updates between the release of major updates.
As mentioned Microsoft Edge is currently on version 89.0.774.45. The next major release is going to be version 90.x and is scheduled to reach the stable channel some time during the second week of April 2021.

More information about the release schedule can be found here, and the release channels here.

Create an evergreen Microsoft Edge deployment

If you don’t want to make frequent visits to the Microsoft Edge download site, or you want a more automated process for retrieving the latest Microsoft Edge setup MSI and administrative templates, I highly recommend the Evergreen PowerShell module by Aaron Parker, Bronson Mangan and Trond Eirik Haavarstein. One of the advantages, besides always installing the latest Microsoft Edge release, is that with the Evergreen module you don’t have to maintain a local software repository, saving both space and management time in the long run.

Here is a screen recording of how to use the Evergreen module to install Microsoft Edge:

The script used in the screen recording is available in my Evergreen-Software-Install Github repo.

If you prefer a manual approach or just don’t want to use the Evergreen module, feel free to use this script instead:

# Deploy Microsoft Edge
Write-Host "Installing Microsoft Edge" -ForegroundColor Cyan
Write-Host ""
Start-Process -FilePath .\MicrosoftEdgeEnterpriseX64.msi -Wait -ArgumentList "REBOOT=ReallySuppress /qn DONOTCREATEDESKTOPSHORTCUT=true DONOTCREATETASKBARSHORTCUT=true"

# Microsoft Edge post deployment tasks
Write-Host "Applying Microsoft Edge post setup customizations" -ForegroundColor Cyan

# Disable Microsoft Edge auto update
# Create the policy key and the UpdateDefault value if the key is missing, otherwise just set the value
If (!(Test-Path -Path HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate)) {
    New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate | Out-Null
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate -Name UpdateDefault -Value 0 -PropertyType DWORD | Out-Null
}
Else {
    Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate -Name UpdateDefault -Value 0
}

# Disable Microsoft Edge scheduled tasks
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null

# Configure Microsoft Edge update service to manual startup
Set-Service -Name edgeupdate -StartupType Manual

# Execute the Microsoft Edge browser replacement task to make sure that the legacy Microsoft Edge browser is tucked away
# This is only needed on Windows 10 versions where Microsoft Edge is not included in the OS.
Start-Process -FilePath "${env:ProgramFiles(x86)}\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Wait -ArgumentList "/browserreplacement"

Don’t disable the Microsoft Edge update services. If you do, users might get an error in the “About Microsoft Edge” page in Settings.

Configuring Microsoft Edge

With Microsoft Edge installed, we now have to configure the browser. Internet browsers are among the most frequently used applications, which means that we have to make it as secure as possible without affecting the user experience.

Microsoft has helped us out a bit with securing the Microsoft Edge browser: they have a security baseline configuration available, which provides us with a range of different pre-configured security related policies.

At the time of writing Microsoft Edge is in version 89.x; however, Microsoft has not updated the v88.x security baseline to v89.x, because there have been no changes in the security configuration between v88.x and v89. Changes in the version 88.x baseline compared to the previous baseline can be found on the Microsoft Tech Community site for Security Baselines.

If there are any changes to the security baseline configuration, Microsoft will release a new security baseline configuration matching the major version of Microsoft Edge currently available, so make sure to get and test the latest security baseline configuration.

The security baseline is, as the name says, a baseline; it’s not the entire Microsoft Edge configuration. We would in most cases need additional configuration on top of the security baseline configuration, at least that’s my recommendation.

So here’s what I usually do.

I create a GPO for the security baseline settings, let’s say it’s for v89.x. The reason for this is that when Microsoft releases a new security baseline configuration for v90.x, I can import the new v90.x settings to a new GPO, do some testing, and then release the v90.x into production when I am ready, disabling the v89.x GPO of course.
This approach ensures you’ll always have the latest recommended security baseline settings for Microsoft Edge.

Any additional configuration settings, I’ll configure in another GPO, to separate “my own” Microsoft Edge configuration settings from the security baseline settings. With this approach you’ll have to configure the correct GPO link order, applying the security baseline configuration GPO before the additional settings GPO.

GPO Configuration

GPO link ordering

As I mentioned, the GPO link order is important. In this example I have 4 GPOs assigned to an OU. The number of GPOs doesn’t really matter, as long as you make sure the link order is configured to apply the security baseline configuration GPO before the additional configuration GPO.

Security Baseline Configuration GPO

I’ll provide a couple of screenshots of the current v89.x security baseline GPO, however remember that this is the v89.x security baseline configuration. Future security baseline configurations may contain additional settings.

Computer Configuration
User Configuration

There are no user configuration policies configured in the security baseline configuration provided by Microsoft.

Additional Configurations GPO

This is the GPO which should have the additional configuration settings that you want to apply “on top” of the security baseline configuration settings. Remember that the configured GPO link ordering enables us to either add additional configuration or counter any configuration settings coming from the security baseline configuration GPO.
The combined configuration of the security baseline configuration GPO and the additional configuration GPO, will be the one being applied to Microsoft Edge, when the computer starts up and when the user logs on.

Keep in mind this configuration is my take on what can/should be configured, it is NOT the universal truth, be critical and adjust the configuration to suit your environment and/or needs.

Computer Configuration
User Configuration

I apologize for the barely readable screenshots. I wanted to get both the policy and the comment in one shot. Hopefully you are using a browser, with a zoom feature.

I will go through specific Microsoft Edge features below, and any group policy settings that go with the feature.

Microsoft Edge key features configuration

Microsoft Edge Sync

The Microsoft Edge Sync feature synchronizes your favorites, history, passwords and other browser data across your devices. This means that a user’s favorites will be available in both a Citrix session and in Windows 10, so we no longer need to configure favorites folder redirection.

The feature is available with Azure AD Premium (P1 or P2), and a handful of other subscriptions.

The sync feature is configured with these policies:

Internet Explorer Mode

Internet Explorer Mode (IE Mode) is a unique feature in Microsoft Edge. It can help transition from Internet Explorer to Microsoft Edge by allowing certain URLs to run in either IE Mode in a tab within Microsoft Edge or in a stand alone Internet Explorer window.

Here are a couple of small screen recordings of IE Mode in action, and how it can be used to enable Java or Flash based sites in Microsoft Edge, or force certain URLs to open in a stand alone Internet Explorer window and also restrict which URLs are allowed in Internet Explorer.

IE Mode with Java and Adobe Flash
IE Mode with both embedded tabs and IE stand alone windows
IE Mode is configured to send all sites not included in the site list back to Microsoft Edge

The IE Mode feature is configured with these policies:

Enterprise Site List Manager

The URLs for IE Mode are configured in an XML file via the Microsoft Enterprise Site List Manager tool. With Microsoft Edge v89.x this tool is built in; however, you have to enable it via GPO. It is also still available as a separate download. The XML file should be stored in a central file share or on a central web server.
During the first launch of Microsoft Edge the XML file is copied to the user’s Windows profile, and from there the XML file is parsed to determine which URLs are configured for IE Mode. During any future logons the XML file is parsed and the version of the file is compared to the one in the central location. If the version numbers do not match, Microsoft Edge copies the new XML file to the user’s profile and parses the new file.

Here are a few screenshots of the, now old, Enterprise Site List Manager:

In this screenshot the XML file is called Sites.xml. You can call it whatever you want, as long as you specify the XML file location, so Microsoft Edge and Internet Explorer know where to look for it.

If enabled, the built-in Enterprise Site List Manager can be accessed via the edge://compat command:

The policy needed to enable the built-in Enterprise Site List Manager:

Tracking Prevention

The Tracking Prevention feature blocks trackers and ads, which usually improves the site load time and general performance. In a terminal server based setup, this feature can help save huge amounts of CPU resources in Microsoft Edge, because Tracking Prevention blocks ads and most videos on almost all sites. If a site is not working properly and Tracking Prevention is suspected, you are able to configure a whitelist of sites where Tracking Prevention shouldn’t be active; this list can be configured both via GPO and manually by the user.

Here is a small screen recording of Tracking Prevention in effect. Notice the huge amount of CPU usage when accessing and browsing the site, and then the drop in CPU usage when Tracking Prevention is enabled. This is with one user only, imagine how this would look with 10 users accessing this site.

Tracking Prevention can of course also be configured via GPO:

Sleeping Tabs

Sleeping Tabs is a fairly new feature. It was released as a BETA feature in v88, where you had to enable it via edge://flags as an experimental feature.

In Microsoft Edge v89 Sleeping Tabs is no longer considered a BETA feature. It’s now a stable feature and it’s enabled by default.
Sleeping Tabs suspends an inactive tab after a certain period of time, default is 2 hours, conserving both memory and CPU resources.

The Sleeping Tabs feature can be configured via GPO:

Do not use The Great Suspender extension

Previously I have recommended the extension called The Great Suspender, to suspend inactive sites.

I no longer recommend installing this extension!

Reports came out during February 2021 that the extension had a new owner who changed a few things, which eventually ended with the extension being blocked in the Chrome web shop. The extension is no longer blocked; however, based on what’s currently going on at The Great Suspender Github page, I can no longer recommend this extension and I urgently advise you to switch to Sleeping Tabs, which offers configuration and manageability via group policy, something The Great Suspender extension does not.

Password Monitor

This feature is still rolling out, and at the time of writing I have no way of showing off the feature in Microsoft Edge. However, Microsoft has released some information about the feature here and here. Password Monitor is a new feature which checks any passwords saved in the browser against a cloud database of known leaked passwords. If you have a password that is no longer safe, Microsoft Edge will notify you and recommend that you change the unsafe password.

The Password Monitor feature can be enabled via GPO:

Profile Exclusions

Once Microsoft Edge has been configured, most of the configuration is stored in the user’s profile here – AppData\Local\Microsoft\Edge\User Data.

In a shared environment, like terminal server based or VDI based setups, there are some folders in the User Data folder which can grow large in size. The content of these folders is mostly cached information, and it usually doesn’t make much sense to store cached information in the profile.

I usually exclude these folders:

AppData\Local\Microsoft\Edge\User Data\Default\Cache
AppData\Local\Microsoft\Edge\User Data\Default\Code Cache
AppData\Local\Microsoft\Edge\User Data\Default\Media Cache
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsMostVisited
AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed
AppData\Local\Microsoft\Edge\User Data\Default\Service Worker

As mentioned earlier, this is not the universal truth! When implementing this list of folders, do some proper testing before releasing it into production. Also be aware that there might be additional folders to exclude, based on the usage and configuration of Microsoft Edge.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.

Folder Redirection a thing of the past

Are you still using folder redirection, and do you still rely on it to provide a decent logon performance? Then this article is probably for you.

This article has been in my head for quite some time. A while ago I was on an assignment at a customer I hadn’t done any previous work for. The customer was using Citrix Profile Management with a couple of folder redirections, including folder redirection of AppData.

It’s still not uncommon for me to come across setups with Citrix Profile Management and folder redirection of the documents and desktop folders, occasionally I also see the start menu and favorites folders being redirected. However I haven’t seen redirection of the AppData folder for the better part of 10 years now, and there seems to be a general consensus in the EUC world, that redirection of the AppData folder is a no-go as it can lead to a variety of different application related issues. If you are still redirecting AppData, please stop, there are alternatives to both Citrix Profile Management AND folder redirection available.

With FSLogix Profile Container now being the de facto solution for profile management, there really is no need to do any kind of folder redirection anymore. With that said, I do recognize that redirecting the documents folder and maybe the desktop folder as well, may in some circumstances still be relevant, mainly in scenarios where we need to be able to backup files/folders in the Documents and/or Desktop folders.

Today we have the technology to lay the last remnants of folder redirection to rest. With the new Microsoft Edge browser and Microsoft OneDrive, we are able to provide a modern way of redirecting the documents, desktop and favorites folders.

I have written a couple of articles about the new Microsoft Edge browser, which you can find here and here. These articles lay the ground work for the Microsoft Edge deployment and configuration and really should be the baseline for any Microsoft Edge deployment.

Hybrid Azure AD Join

To provide the best solution, when signing in to Edge and OneDrive I recommend configuring hybrid Azure AD join. This configuration provides seamless sign-in to both Edge and OneDrive. Microsoft has a decent article about how to configure hybrid Azure AD join.

Microsoft Edge Enterprise Sync

The Enterprise Sync feature in Microsoft Edge enables synchronization of favorites, passwords, extensions etc. to the Azure cloud, which enables you to roam most of the Edge configuration between different devices. The Enterprise Sync feature requires an Azure AD Premium subscription.

Manual configuration

The manual configuration approach is fairly easy. Log on with your Azure AD credentials (usually your email address) by clicking the “Not syncing” button in the top right corner:

You will have to go through a small wizard

Move the little slider to “Yes” and click Confirm.

Once logged on, you should see the “Sync is on” message:

And the final verification that sync is configured:

As you can see it’s not yet possible to synchronize the history and open tabs browser data.

Automatic configuration

Even though the manual configuration of the sync feature is fairly simple, we don’t want each and every one of our users to go through this process. The sync feature can be enabled and enforced via group policy. The enforcement prevents the user from inadvertently disabling the sync feature.

Group Policy settings

These group policy settings enable and enforce the sync feature:

The “Browser sign-in settings” enforces the sign-in process, suppressing the sync wizard.

The “Configure whether a user always has a default profile automatically signed in with their work or school account” enables auto sign-in, with a Work profile, using the Azure AD account.

The “Force synchronization of browser data and do not show the sync consent prompt” partly does what it says. It enables and enforces the sync feature and the user will not be able to disable it. However the “do not show the sync consent prompt” is not working in Edge v85.x, as you will see in the screen recording below. This means that the user will have to click the “Sync” button, to enable the sync feature.

With the upcoming v86.x version, which is currently released in the BETA channel and, according to Microsoft, due to hit the stable channel within the coming week, it’s possible to suppress the consent box. This will enable and enforce the sync feature without bothering the user at all.

Microsoft OneDrive Known Folder Move

The Known Folder Move (KFM) feature in OneDrive has been around for a while and I am seeing more and more customers implementing it in production.
KFM redirects the documents, desktop and pictures folders to your OneDrive for Business account, which makes it easy to access your data when moving between different devices. OneDrive is available in a wide range of different subscriptions; however, I usually see it delivered via a subscription that can be activated in a shared computer setup, like the Microsoft 365 E3 or E5 subscriptions.

Manual Configuration

Like the Enterprise Sync in Edge, we can also configure KFM manually. This configuration is also driven by a wizard so it’s easy to set up.

Click sign in and provide valid OneDrive credentials.

A few clicks later, the wizard has set up the OneDrive client. Right click the little blue cloud in the tray area and click Settings.

Go to the Backup tab (no, this isn’t very intuitive) and click managed backup.

Once you click Start Backup, the Desktop, Documents and Pictures folders will be redirected to OneDrive.

As with the Enterprise Sync feature, we really don’t want to leave the configuration of KFM to the user.

A word of advice. If you have folder redirection already configured, you will have to disable it. The traditional folder redirection policies and OneDrive KFM cannot coexist.

Automatic Configuration

The OneDrive configuration and the KFM feature can both be configured and enforced via Group Policy configuration. The most important part of the group policy configuration is the OneDrive (Azure AD) tenant ID, which has to be specified in the OneDrive configuration GPO.

There are a few different ways to obtain the tenant ID. One way is to configure OneDrive, manually, on a computer and get the ID from the registry in HKEY_CURRENT_USER.

The value “ConfiguredTenantId” contains the OneDrive (Azure AD) tenant ID.

If you have access to the Azure portal and Azure AD, this is probably the easiest way to obtain the tenant ID, at least it beats manually configuring the OneDrive client.

With the tenant ID you are now ready to configure the OneDrive and KFM configuration GPO.

I usually configure one GPO with both the computer configuration policies and user configuration policies. It’s basically up to you how to configure that part; however, both configuration types are needed to provide a seamless configuration of OneDrive and the KFM feature.

To manage OneDrive via group policy, you’ll have to get the ADMX and ADML files. The ADMX and ADML files are located in the %LOCALAPPDATA%\Microsoft\OneDrive\CurrentBuildNumber\adm folder on any computer with OneDrive installed.
More information about OneDrive group policy configuration can be found in this guide by Microsoft.

Computer Configuration

This configuration will set up both the OneDrive client and the KFM feature. It will also activate the Files On-Demand feature, which lets the user decide which files/folders should be synced to the local OneDrive cache, and it also prevents the OneDrive client from doing a complete sync of the online OneDrive content.

When using group policy, the configuration of the OneDrive client with the specified tenant ID will be enforced. That will prevent the user from removing the OneDrive client configuration.

User Configuration

In here the OneDrive tutorial is suppressed and, more importantly, the OneDrive folder location is enforced and the user is prevented from changing that location. The %USERPROFILE%\OneDrive – tenantname is the default location for the OneDrive folder, and I usually recommend not changing this location. It is possible to have the OneDrive folder at another location, but do NOT put it on a network drive!

Here is a screen recording showing the automatic configuration of the OneDrive client and Known Folder Move feature.

OneDrive pro tip

This is a strange one. When I started with the OneDrive testing and configuration, I was using the manual configuration approach, to get the feel of how to configure OneDrive. When I had the basic OneDrive configuration mastered, I looked into the KFM feature and this is where it gets strange. I noticed the “Backup” tab was missing, and at first I thought I had configured something to remove the tab, however I experienced the same behavior with no group policy configuration applied.

It turns out if the URL is blocked on the network, the KFM feature is not available. In my setup, the URL was blocked by my Pi-Hole, as soon as I configured the URL to be in the whitelisted URLs the KFM feature magically appeared.

So, armed with Microsoft Edge Enterprise Sync and Microsoft OneDrive Known Folder Move, you can leave the last remnants of folder redirection in the past and move forward with more modern ways of syncing user data, files and folders.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.

How to get rid of Internet Explorer

The time is right. Internet Explorer has had a very, very good run and it has been a good browser. For years it was the only Microsoft supported browser in a Windows Server operating system; even when Edge (the 1st) was released we still had to make do with Internet Explorer in Windows Server operating systems.
It’s now time to look in a different direction. A direction where we have a fully supported and modern browser with the new Edge browser based on the Chromium project. This browser is also available and supported in a Windows Server operating system.

During the last 6 months I have written a couple of articles about how to install and configure the new Edge browser, and I have even penned an article about how to remove the pesky pinned taskbar shortcut, which is created during the first launch of Edge.

In my article about how to configure Edge via group policy, I finish off by showing that it is possible to run sites with java content in Edge, something we historically had to use Internet Explorer to do. This is no longer the case, or technically it is, but we can now use “emulated IE” tabs, called IE Mode, within the Edge browser, so we don’t have to leave the browser when accessing legacy sites.

A couple of days ago I was helping a customer, and I noticed that he had Edge running, but Internet Explorer was also running in the same session. So we had a short conversation about IE Mode, he knew about it and what the possibilities were with sites with java content. It turned out he was accessing a Hitachi storage web based configuration site, which needed Adobe Flash Player. Seriously Hitachi, you need Adobe Flash in 2020? In all fairness I have to mention that I don’t know if my customer is on an older model of a Hitachi storage box, which for some reason can’t be updated.
Nonetheless we are also able to use IE Mode with sites with Flash based content.

Be aware that Adobe has announced that the 31st of December 2020 is the End of Life (EOL) for Flash Player.

This means that you should probably start looking at alternatives to whatever sites you are using, if Flash is still a requirement.

What is IE mode

IE Mode is a feature that allows us to specify that certain URLs should open in an “emulated IE” tab within the Edge browser. This is great because the user will never have to leave the primary browser, which is of course Edge, to access legacy sites or sites with legacy content (Java and Flash), everything is kept within the Edge browser window.
We can also open the specified sites outside the Edge browser in a standalone Internet Explorer browser, and not in an IE Mode tab in Edge. We might not get rid of Internet Explorer, but with IE Mode we can limit the use of Internet Explorer to a certain selection of URLs.

Java and Flash in IE mode tabs

I have included a screen recording of Java and Flash content running in IE Mode tabs within Edge:

Standalone Internet Explorer

Here we see the and URLs both open in a standalone Internet Explorer. We also see that the site opens in IE Mode, we can have both configurations at the same time, so it’s not one or the other.

By now you might be wondering, what is stopping us from continuing to use the Internet Explorer window, which Edge conveniently launched for us? By default, nothing. We are able to use Internet Explorer all day long. We don’t want that; we want to get rid of Internet Explorer or at least limit the use of it.

Configure IE Mode

Let’s have a look at how to configure IE Mode, and how to prevent users from continuing to use Internet Explorer, if we are using standalone Internet Explorer windows. In this article I have configured IE Mode via traditional group policies. It is also possible to configure IE Mode via Microsoft Intune, but this is not in scope here.

Group Policy Configuration

The configuration of IE Mode is really easy, it’s basically 4 policies and you’re done.

With the policy configuration for Edge we have specified that we want to use Internet Explorer Mode (IE Mode) and we are also supplying a specific XML file using the Enterprise Mode Site List feature.
For Internet Explorer we have configured the “Send all sites not included in the Enterprise Site List to Microsoft Edge” and we are also, again, supplying the Enterprise Mode Site List.

Configuring the “Send all sites not included in the Enterprise Site List to Microsoft Edge” policy prevents the use of Internet Explorer all day long. If we are trying to access sites not specified in the Enterprise Mode Site List, we are directed back into the Edge browser. This is a very good way of limiting the use of Internet Explorer.

Enterprise Mode Site List

So, how do we create this so called Enterprise Mode Site List?
I would recommend the free tool by Microsoft called “Enterprise Mode Site List Manager”.

The Enterprise Mode Site List Manager can be found in Microsoft’s Download Center here:

The download provides you with an EMIESiteListManager.msi file. Go through the setup process:

Once installed you should have shortcuts to the Enterprise Mode Site List Manager on both the desktop and in the start menu.

When launching the Enterprise Mode Site List Manager for the first time, it provides you with a blank site list configuration:

Here you will have to add the URLs for either IE Mode and/or standalone Internet Explorer.

Click Add:

  1. Specify the URL, without http/https.
  2. Select Open In IE11.
  3. If you want the URL to open in a standalone Internet Explorer, click the “Standalone IE:” check box.
  4. If you check the “Allow Redirect” box, a server-side redirected URL will have the same browser configuration applied.
  5. Leave the Compat Mode dropdown box at the default configuration.

When you have the needed URLs configured, you will end up with something looking like this:

These are the URLs demonstrated in the screen recordings earlier. Notice the “Standalone IE” is true for and, these URLs will open in standalone Internet Explorer windows, any other URLs will open in IE Mode within the Edge browser window.

To save the current list of URLs to an XML file go to File and select Save to XML:

Provide a name, in this example, for lack of creativity, I call it Sites.xml:

Once the XML file has been saved, be aware that a version number is assigned, you can find the version number here:

Or you can crack open the XML file and find it here:

The Sites.xml should be made available from a central location. Microsoft recommends publishing it via a web server, for performance reasons. I usually make it available via the NETLOGON share, as regular users cannot write/modify files and folders in that location.

When the user logs on, the Sites.xml is copied to the user’s profile (we’ll see where in a moment). The version of the Sites.xml is important, as the one in the user’s profile is compared to the one in the central location.

The downside of publishing it via NETLOGON or another file share is that the file is copied to the user’s profile before a version comparison is made. If you have hundreds or thousands of URLs, it performs better via HTTP/HTTPS, as IE Mode can read the version number before copying the file.

If you need to make changes to an existing Sites.xml file, remember to also export the URL list configured.

The exported Sites.emie2 is needed for future changes as it keeps the version information.

So, import the Sites.emie2, make whatever changes necessary and then click Save to XML and save and overwrite the Sites.xml in the central location:

As you can see we are now on version 2 of the XML file.

The 65 seconds delay

The version comparison has a timeout of 65 seconds. This means that Edge and IE Mode do nothing with the Sites.xml until 65 seconds after Edge is launched. At that time the Sites.xml in the central location and the one in the profile are compared, and if a Sites.xml with a higher version exists in the central location, it’s copied and enumerated. This means that for 65 seconds after launching Edge, IE Mode is basically not in effect: any sites that are configured to open in an IE Mode tab or a standalone Internet Explorer are treated as any other sites and will open in Edge.

I have worked with a lot of customers who wanted their intranet site as the default startup page. If that intranet site is now configured to open in an IE Mode tab, because of the 65 seconds delay, that will not happen.

Luckily for us Microsoft introduced a new feature in Edge v84.0.522.40, which was released a couple of weeks ago, that enables us to prevent navigation in Edge if the Sites.xml does not exist in the user’s profile.
If a Sites.xml file exists, there is no longer a wait for the central Sites.xml and local Sites.xml to be compared; the local Sites.xml file will be used and any changes in the central Sites.xml file will be copied in the background. The feature can be enabled via the Require that the Enterprise Mode Site List is available before tab navigation policy:

Here we see the new feature in effect. If we immediately after logon launch Edge, and type, Edge stalls until the Sites.xml is enumerated. As mentioned, this is a great feature if you have an intranet site or a similar legacy site configured as a startup site. Unfortunately this new feature doesn’t work with sites configured to open in a standalone Internet Explorer.

Keep in mind that Microsoft does not recommend enabling this feature unless there is a specific need for it. As you can see, it can/will slow down Edge in certain scenarios.

Now that we have the Sites.xml file and the 65 seconds delay covered, let’s see what happens on the client side.

IE Mode in effect

As mentioned, during logon the Sites.xml is copied to the user’s profile. The Sites.xml is copied to %LocalAppData%\Microsoft\Edge\User Data\Emiesitelist.xml and not Sites.xml, which is a bit confusing:

If we open the EmieSitelist.xml with Notepad, we can see that the contents are the same as in the Sites.xml file:

Notice we are now using the version 2 of the Sites.xml, the one we created earlier.

This means that the latest addition to the Sites.xml file,, open in IE Mode within the Edge browser, as you have seen earlier.

The website is still opening in IE Mode tab within the Edge browser, so did both the Java test page and Adobe Flash test page.
The and websites still open in a standalone Internet Explorer, but because of the “Send all sites not included in the Enterprise Site List to Microsoft Edge” policy we now also see that I am not allowed to use Internet Explorer to access, that request is redirected back into the Edge browser.
There is a small delay on, this is because of the Browser Content Redirection extension in Edge.

Troubleshooting IE Mode

The 65 seconds delay

When testing IE Mode, the first thing that is almost always reported back to me is, “IE Mode is not working!”. And it almost always turns out that the customer forgot about the 65 seconds timeout, and being a bit more patient usually does the trick. If the Require that the Enterprise Mode Site List is available before tab navigation policy is configured, that is probably not the case.

Also make sure that the Enterprise Mode Site List path and name are properly configured in the Configure the Enterprise Mode Site List policy.

Microsoft Edge policies

If you find that IE Mode doesn’t work, make sure to check that Edge actually receives the IE Mode policies and a valid site list.
To verify the policies applied to Edge, you can enter edge://policy in the address bar:

If you don’t see the “InternetExplorerIntegrationLevel” and the “InternetExplorerIntegrationSiteList” values in this list, you can click the “Reload Policies” button. If that doesn’t help, you will probably have to check your GPO configuration.

Microsoft Edge Compatibility

If sites are not opening in IE Mode or in a standalone Internet Explorer when you expect them to, you can verify which site list version is currently used and which sites are on the site list. This can be done by entering edge://compat in the address bar:
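The edge://policy and edge://compat checks can also be scripted for a logged-on user. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; it assumes the Edge policies are stored under the Policies\Microsoft\Edge registry keys and that standalone IE entries carry app="true" on the open-in element of the v.2 site list schema.

```powershell
# Added example: check IE Mode policy values and compare site list versions.
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
$cachePath  = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Emiesitelist.xml'

function Get-SiteList {
    param([Parameter(Mandatory)][string]$Location)
    # The list may be published over HTTP(S) or on a file share such as NETLOGON.
    if ($Location -match '^https?://') {
        $raw = (Invoke-WebRequest -Uri $Location -UseBasicParsing -UseDefaultCredentials).Content
        if ($raw -is [byte[]]) { $raw = [Text.Encoding]::UTF8.GetString($raw) }
    } else {
        $raw = Get-Content -LiteralPath $Location -Raw
    }
    [xml]$raw
}

# Same two values that edge://policy shows.
$policy = $null
foreach ($key in $policyKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.InternetExplorerIntegrationSiteList) { $policy = $p; break }
}
if (-not $policy) { throw 'InternetExplorerIntegrationSiteList is not set; check the GPO.' }
"Integration level : $($policy.InternetExplorerIntegrationLevel)"
"Site list location: $($policy.InternetExplorerIntegrationSiteList)"
$central        = Get-SiteList $policy.InternetExplorerIntegrationSiteList
$centralVersion = [int]$central.'site-list'.version
if (-not (Test-Path -LiteralPath $cachePath)) {
    'No cached copy in the user profile yet.'
} else {
    $cachedVersion = [int](Get-SiteList $cachePath).'site-list'.version
    if ($cachedVersion -lt $centralVersion) {
        "Cached v$cachedVersion is older than central v$centralVersion; Edge has not refreshed yet."
    } else {
        "Cached copy is current (v$cachedVersion)."
    }
}

# One row per site entry; app="true" marks standalone IE (assumed from the v.2 schema).
foreach ($site in $central.SelectNodes('/site-list/site')) {
    $openIn = $site.SelectSingleNode('open-in')
    [pscustomobject]@{
        Url           = $site.GetAttribute('url')
        OpenIn        = if ($null -ne $openIn) { $openIn.InnerText.Trim() } else { '(default)' }
        StandaloneIE  = ($null -ne $openIn) -and $openIn.GetAttribute('app') -eq 'true'
        AllowRedirect = ($null -ne $openIn) -and $openIn.GetAttribute('allow-redirect') -eq 'true'
    }
}
```

An unexpected entry or a central version lower than the cached one is worth investigating, since the site list decides which URLs are handed to Internet Explorer.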

Now there should be no excuses for not getting rid of Internet Explorer, or at least limit the use of it.

This concludes the article. As always feel free to contact me on Twitter or in the World of EUC Slack channel if you have any comments or questions.

The curious case of the pinned Microsoft Edge shortcut


I really love the new Microsoft Edge browser! Most of all because we now have a modern browser which is supported by Microsoft in a server operating system, but also because we are now able to integrate our Microsoft Azure AD/Office 365 account with Edge, which among other things enables favorites and password sync.

UPDATE – 06-06-2020 (June 6th 2020): I did not do proper testing during my last update, rather embarrassing. This means that you will still get a pinned taskbar Edge shortcut. It looks like Microsoft implemented a partial fix, which doesn’t pin Edge to the taskbar of the account installing Edge. Any other accounts logging in will still get the pinned Edge shortcut on the taskbar. I uploaded a new screen recording, recorded on a non-domain joined Windows Server 2019 with the latest CU installed and using the latest version of Edge.
Solutions in this article are still valid!

UPDATE – 04-06-2020 (June 4th 2020): As of 83.0.478.44 stable Microsoft has now fixed the install/configuration process, so a pinned shortcut is no longer created. I have tested this in both Windows Server 2019 and Windows 10. However in Windows 10, if the legacy Edge browser is pinned to the taskbar before deploying the new Edge browser, it will be replaced with a shortcut to the new Edge browser.

It’s been a few months since my very first article on the Microsoft Edge browser, written during Citrix Summit 2020. As you’ll probably notice, this article is focused mainly on how to install Edge in a Citrix setup.

I have penned an additional Edge article where I focus on how to secure the browser using the Microsoft Security baseline GPO settings.

As you can see I have spent a great deal of time with Edge, and it has of course also become my first choice of internet browser. There are so many scenarios where Edge fits right in, so I also spend a great deal of time telling customers and colleagues about the fantastic use cases where Edge might provide new or better functionality or solve an issue in a Citrix VAD setup.

However as much as I like Edge, I have found that Edge is now doing stuff it shouldn’t be doing. To be specific, when launching Edge for the first time in Windows Server 2016/2019 (probably also 2012 R2) a pinned taskbar shortcut is created, for no apparent reason. It is well known that when installing Edge on an up to date Windows 10 machine, the so-called “legacy Edge browser” is replaced; Microsoft published an article around the same time as the first stable release of Edge. This means that any legacy Edge browser shortcuts are replaced with shortcuts to the new Edge app. However, we do not have the legacy Edge browser in a server operating system. I have also seen that even if I don’t have a pinned “legacy Edge” shortcut in the taskbar, a pinned shortcut to the new Edge browser is still created, not OK!

I have created a small screen recording to show what is going on. To rule out any domain related configuration like group policy, scripts etc., I have conducted the test on a non-domain joined Windows Server 2019 with the latest cumulative update. I am of course installing the latest Microsoft Edge stable release. does not endorse this recording or this blog, I simply forgot to register the application 🙂

UPDATE – 06-06-2020: New screen recording uploaded showing the pinned Edge shortcut still appears with the latest Edge build v83.0.478.45

How is the pinned shortcut created?

During the installation of Edge an Active Setup registry key is created which launches a setup.exe file with a specific set of parameters.

This particular Active Setup is created during setup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}

From what I can see in Process Monitor, the setup.exe process actually doesn’t do very much, but it does create a registry value in HKCU\Software\Microsoft\Edge (even in a server OS) called TaskBarAutoPin.

The first time Edge is launched while this value’s data is “1”, a pinned taskbar shortcut is created and the value is deleted.

How to get rid of the pinned shortcut?

I started looking into the documentation at The Chromium Projects website, and I found an article describing how to create a master_preferences file. I have used master_preferences before in Google Chrome and also with the earlier releases of Edge, to remove the Edge shortcut on the desktop. In the documentation a “do_not_create_taskbar_shortcut” setting is mentioned, however it only works in Windows 8 and older, which I confirmed to be true: it does not work in either Windows 10 or Windows Server 2019.

With the Edge stable version 81.0.416.32, Microsoft introduced an MSI command line parameter, “DONOTCREATEDESKTOPSHORTCUT=TRUE”, which does indeed work: it prevents the desktop shortcut from being created. Hoping that Microsoft had built in a “secret” command line parameter, I had to try “DONOTCREATETASKBARSHORTCUT=TRUE”; unfortunately it did not work.

I reached out to a former colleague of mine who is now a program manager at Microsoft. We discussed this issue for quite some time, and it basically ended up with him recommending me to submit a so-called Microsoft Edge User Voice where I should describe the issue. Someone had beaten me to it, a User Voice for the issue had already been submitted here. Please cast your vote, we need to make Microsoft aware of this issue and hopefully make them change this unusual behavior of creating pinned taskbar shortcuts. Or at least give us a way to prevent the pinned taskbar shortcut from appearing, in both Windows Server and Windows 10.

I am a tenacious guy, so I managed to find 4 different ways to get rid of the pinned taskbar shortcut, take that Microsoft! Credit goes out to Trentent Tye, James Rankin and Nathan Sperry for providing inspiration and/or information to a couple of the solutions described.

Solution 1:

Using one of my favorite applications, Citrix Workspace Environment Management, we are able to remove all pinned shortcuts in the taskbar during logon by simply checking a box:

This will delete the shortcut during logon; it works and it is a non-destructive way of removing the shortcut. It was not quite what I was looking for though, as I wanted to flat out prevent the shortcut from ever appearing. This procedure also removes any other pinned shortcuts, which might not be desirable.

Solution 2:

Another favorite of mine is FSLogix. The App Masking feature in FSLogix can be used for a variety of different things, but in this particular case it can be used to hide the entire Active Setup registry key created by the Edge setup, so the setup.exe process is never even launched.

I have created a very simple hiding rule which hides the Edge Active Setup key. This procedure is non-destructive which means it doesn’t delete anything, so if something breaks you can remove the hiding rule and the Edge Active Setup key is back in business.

I have created a hiding rule via the FSLogix Rule Editor:

Create a new blank hiding rule

Provide the hiding rule with a name and click the New Rule button:

In the object name box put in the full key path to the Edge Active Setup key and specify that it is a Directory/Registry in object type and click OK.

Lastly we need to specify which users/groups this hiding rule is applied to. I have specified that Everyone should have this rule applied, but if you want to be a bit more granular in your approach, you might want to select one or more AD groups instead.
To configure the user/group assignment, right click the name of the hiding rule and select Manage Assignments:

Here you will be able to enable the Everyone group and specify other groups this rule should apply to.

Click OK. Your hiding rule is now ready.

The only thing left to do is to copy the hiding rules files to the C:\Program Files\FSLogix\Apps\Rules folder:

The Edge Active Setup key is now hidden for all users logging on to the server, hence it will not run the setup.exe process and we will not get the pinned taskbar icon, happy days!

Solution 3:

Really simple solution. Delete the Edge Active Setup registry key entirely. This can of course be done manually via regedit or via PowerShell:
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Force

This is a destructive solution, so if anything breaks, you will have to have some way back to the original state. You can incorporate this solution as a part of the Edge setup process.
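Because solution 3 is destructive, the deletion can be wrapped so that the key is exported first and only removed once the export has succeeded. This is an added example, not part of the original article; the backup folder C:\Install\EdgeBackup is a placeholder, and the script is meant to run elevated right after the Edge installation.

```powershell
# Added example: export the Edge Active Setup key, then delete it (solution 3).
# $backupDir is a placeholder; point it at a location only administrators can write to.
$guid      = '{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
$subKey    = "SOFTWARE\Microsoft\Active Setup\Installed Components\$guid"
$keyPs     = "Registry::HKEY_LOCAL_MACHINE\$subKey"   # provider path for the cmdlets
$keyNative = "HKLM\$subKey"                           # native path for reg.exe
$backupDir = 'C:\Install\EdgeBackup'

if (-not (Test-Path -LiteralPath $keyPs)) {
    'Edge Active Setup key not present, nothing to do.'
    return
}

# Show what the key would have launched at logon before touching it.
"StubPath: $((Get-ItemProperty -LiteralPath $keyPs).StubPath)"

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ('EdgeActiveSetup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Export first; if the export fails, the key is left untouched.
& reg.exe export $keyNative $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
    throw "Export of $keyNative failed, key was not removed."
}

Remove-Item -LiteralPath $keyPs -Recurse -Force
"Key removed. To restore it: reg.exe import `"$backupFile`""
```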

Solution 4:

Also a fairly simple solution. Delete the TaskbarAutoPin value in the registry. Again this can be done manually via regedit or via PowerShell:
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Edge" -Name "TaskbarAutoPin" -Force

However I will of course recommend using Citrix WEM to delete the TaskbarAutoPin value via a registry action:

Like solution 3, this is also a destructive solution, so if needed you will also have to have a way back if things go sideways.

So there you have it, leave it to a Citrix-guy to fix Microsoft’s mess. I do hope that Microsoft will provide us with a better and/or simpler solution to prevent the pinned taskbar shortcut from being created. In the meantime we now have a couple of different workarounds to remove the shortcut.