Microsoft Edge Group Policy Configuration
Some weeks ago I published an article about how to get started with the new Microsoft Edge browser in Citrix. In that article you got a glimpse of my take on how to configure a couple of GPOs with some configuration for the Microsoft Edge browser.
In this article I’ll drill down and go through some of the settings and what my recommendations are. I am mostly focused on the security side, but I will also cover the Microsoft Edge IE Mode feature, which helps with legacy sites that may only work in Internet Explorer, and we’ll also have a look at how to set the default search engine.
Before going any further, please be aware that I assume you have some experience with Group Policy Objects and how they work; there is also information in my previous article you might find useful.
The internet can be a dangerous place, so we need to make sure that one of the primary applications used for accessing it is as secure as possible. To help us achieve that, Microsoft has provided some recommended security baseline settings. A short article by Aaron Margosis at Microsoft about the security baseline settings can be found here:
The article contains a link to the Security Compliance Toolkit where you will find the Security Baseline Settings GPO for Microsoft Edge.
Security Compliance Toolkit:
https://www.microsoft.com/en-us/download/details.aspx?id=55319
On the site, click the download button, select the Microsoft Edge v79 zip file and click Next:
The contents of the ZIP file:
The folder names are self-explanatory with regard to their contents. The folder we need here is the GPO folder, as it contains the actual GPO we want to import into Active Directory. If you haven’t done a lot of GPO importing, there is a Baseline-ADImport.ps1 script in the Scripts folder which may help you import the GPO into Active Directory.
If you prefer a more manual approach, this very basic guide provides the necessary information:
https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch09s08.html
Group Policy configuration
You should now have a GPO with the latest Security Baseline settings. In my setup it looks like this:
I have imported the Security Baseline settings into a GPO called “Microsoft Edge Security Baseline Configuration” and linked it to an OU with just one other GPO. The “Microsoft Edge Additional Configuration” GPO contains the additional settings that I want to apply to the Edge browser. The names here are not set in stone and are purely for reference; use the naming convention in your own setup or whatever names make sense to you.
Using a separate GPO for the additional settings keeps the Security Baseline GPO “vanilla”, which means that the only settings in this GPO are the ones from the Security Baseline GPO provided by Microsoft. This is very helpful when/if Microsoft releases an update for the GPO, as you can import the updated settings into the current Security Baseline GPO, in my case the “Microsoft Edge Security Baseline Configuration” GPO, without having to worry about any custom settings getting overwritten. Needless to say, a scenario like this will of course mandate a bit of testing before it is released to production. Also keep in mind that the Security Baseline GPO targets the “Stable” release of Edge, not the BETA, DEV or Canary releases.
You will notice that the Security Baseline GPO settings from Microsoft are Computer Configuration settings only:
This is probably because Computer Configuration settings cannot, in most cases, be overridden by User Configuration settings and will therefore always apply.
This is basically all I’ll cover regarding the Security Baseline GPO. You will have to know the settings in this GPO, what they mean and what impact they may or may not have on your current setup. I am configuring the Security Baseline GPO as a “mandatory” GPO configuration which should always apply, sort of laying the groundwork for the Edge policy configuration, whether the endpoint is Windows 10 or Windows Server.
The “Microsoft Edge Additional Configuration” GPO is where I’ll configure settings which add to the overall configuration of Edge. This means that the settings in this GPO are combined with the Security Baseline GPO, and together they serve as the complete configuration of Edge.
To achieve that, you have to be aware of the link order of the GPOs. The Security Baseline GPO should always have a lower precedence (a higher link order number) than the additional configuration GPO, otherwise the settings might not be applied correctly. In my case, as the screenshot above shows, my Security Baseline GPO has a link order of 2, and my additional configuration GPO is linked as order 1.
The link order is important if you want to counter a specific setting in the Security Baseline GPO with the additional configuration GPO. As an example, let’s look at a specific feature in the browser: the Password Manager and protection feature. This feature is disabled in the Security Baseline GPO and, from a security stance, that’s not a bad idea. However, from a user’s point of view it might be helpful to have a password manager if the user accesses a lot of different websites which require a username and password. Combined with an Azure AD login, it’s possible to back up/synchronize the password manager, so if the user logs on to a new device, the password manager contents follow the user. Obviously you will have to decide, or maybe your security guys will have to decide, whether or not this feature should be enabled. If you want to counter the disabling of this feature done by the Security Baseline GPO, you can enable the feature in the additional configuration GPO, which will then take precedence because of the link order.
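The precedence rule above is easy to get wrong when someone later re-links or enforces a GPO, so here is an added example (not code from the original article) that checks it. `Compare-EdgeGpoPrecedence` works on plain link objects so it can be run offline against constructed data; `Test-EdgeGpoLinkOrder` feeds it the real links from `Get-GPInheritance` (GroupPolicy RSAT module). The OU distinguished name in the usage comment is a placeholder, and the GPO names default to the ones used in this article.

```powershell
# Added example, not code from the original article: verify that the additional
# configuration GPO has a lower Order number (higher precedence) than the
# Security Baseline GPO on the OU where both are linked, and that nothing
# else (a disabled link, an Enforced baseline) would stop the override.

function Compare-EdgeGpoPrecedence {
    param(
        # Objects with DisplayName, Order, Enabled and Enforced properties,
        # i.e. the shape of Get-GPInheritance's GpoLinks entries.
        [Parameter(Mandatory)] [object[]] $Links,
        [string] $BaselineName   = 'Microsoft Edge Security Baseline Configuration',
        [string] $AdditionalName = 'Microsoft Edge Additional Configuration'
    )
    $problems   = @()
    $baseline   = $Links | Where-Object { $_.DisplayName -eq $BaselineName }
    $additional = $Links | Where-Object { $_.DisplayName -eq $AdditionalName }

    if (-not $baseline)   { $problems += "'$BaselineName' is not linked to this OU" }
    if (-not $additional) { $problems += "'$AdditionalName' is not linked to this OU" }

    if ($baseline -and $additional) {
        foreach ($link in @($baseline, $additional)) {
            if (-not $link.Enabled) { $problems += "Link for '$($link.DisplayName)' is disabled" }
        }
        # In GPMC the link with Order 1 is processed last and therefore wins.
        if ($additional.Order -ge $baseline.Order) {
            $problems += "'$AdditionalName' (order $($additional.Order)) must have a lower order number than '$BaselineName' (order $($baseline.Order))"
        }
        # An Enforced link beats every non-enforced link regardless of order number,
        # so enforcing the baseline would silently block the password manager override.
        if ($baseline.Enforced -and -not $additional.Enforced) {
            $problems += "'$BaselineName' is Enforced; the additional GPO cannot override it"
        }
    }

    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Test-EdgeGpoLinkOrder {
    param([Parameter(Mandatory)] [string] $TargetOU)
    Import-Module GroupPolicy -ErrorAction Stop
    # GpoLinks holds only the links on this OU; Order 1 has the highest precedence.
    $links = (Get-GPInheritance -Target $TargetOU).GpoLinks
    Compare-EdgeGpoPrecedence -Links $links
}

# Offline check with constructed link objects mirroring the setup in the article
# (baseline = order 2, additional = order 1): Ok should be True.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Edge Additional Configuration';        Order = 1; Enabled = $true; Enforced = $false }
    [pscustomobject]@{ DisplayName = 'Microsoft Edge Security Baseline Configuration'; Order = 2; Enabled = $true; Enforced = $false }
)
Compare-EdgeGpoPrecedence -Links $sample

# Against the real OU (placeholder distinguished name):
# Test-EdgeGpoLinkOrder -TargetOU 'OU=Citrix Workers,DC=example,DC=com'
```

Run the real check after any change to GPO links on that OU; a non-empty `Problems` list tells you exactly which assumption of this article no longer holds.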
Let’s go over the settings in the additional configuration GPO.
| Policy | Setting | Comment |
|---|---|---|
| **Computer Configuration** | | |
| *Microsoft Edge Update/Applications/Microsoft Edge* | | |
| Update policy override | Enabled – Updates Disabled | As with all other apps in a non-persistent setup, we do not want any auto-updating. |
| *Microsoft Edge/Password manager and protection* | | |
| Enable saving passwords to the password manager | Enabled | If you want your users to be able to save passwords for various websites in the Edge password manager, enable this setting. |
| **User Configuration** | | |
| *Microsoft Edge* | | |
| Automatically import another browser’s data and settings at first run | Disabled | I prefer to be in control of any imports of other browser data and settings. This disables the automatic import feature in Edge, which is triggered during first launch. |
| Block access to a list of URLs | Enabled – Block access to a list of URLs: file:///A:/ file:///B:/ file:///C:/ file:///D:/ file:///E:/ file://localhost/c$/ file://localhost/d$/ file://localhost/e$/ | Credit goes to Dave Bretty for this one. A while back he posted an article about how to prevent local drive access via Google Chrome; the same principles apply to Edge: https://bretty.me.uk/secure-local-drive-access-on-your-euc-endpoints/ |
| Configure Internet Explorer integration | Enabled – Configure Internet Explorer integration: Internet Explorer Mode | Enables Edge IE Mode. |
| Configure the Enterprise Mode Site List | Enabled – Configure the Enterprise Mode Site List: URL to the sitelist.xml file | This provides the URL to the sitelist.xml file, which contains a list of URLs that should trigger IE Mode and open in a new Internet Explorer “emulation” tab in Edge. |
| Configure whether a user always has a default profile automatically signed in with their work or school account | Enabled | This prevents the user from deleting the configured Edge profile if an AAD login is associated with it. |
| Define a list of allowed URLs | Enabled – Define a list of allowed URLs: receiver://* | This can be used to pre-approve certain URLs and, in effect, whitelist them. In this case receiver://* is configured, which means that Edge no longer asks what should happen with ICA files; they are automatically launched with Citrix Workspace App/Receiver. |
| Enable profile creation from the Identity flyout menu or the Settings page | Disabled | Creating new profiles in the browser may pose a security risk, as the user would be able to configure non-enterprise accounts and synchronize account-specific data, extensions etc. |
| Hide the First-run experience and splash screen | Enabled | Hides or disables the first-run wizard seen during the first launch of Edge. |
| Set Microsoft Edge as default browser | Enabled | Does what it says: configures Edge as the default browser. |
| *Microsoft Edge/Default search provider* | | |
| Default search provider name | Enabled – Default search provider name: Google | Specifies the name of the default search provider. |
| Default search provider search URL | Enabled – Default search provider search URL: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding} | Specifies the search URL for the default search provider, in this case Google. |
| Enable the default search provider | Enabled | Does what it says: enables the default search provider in Edge. This also prevents the user from changing the default search provider. |
| *Microsoft Edge/Extensions* | | |
| Allow specific extensions to be installed | Enabled – Extension ID to exempt from the block list: hdppkjifljbdpckfajcmlblbchhledln | As per the Security Baseline GPO, all extensions are blocked. This policy provides a list of approved extensions which may be manually installed. In this case I approve the installation of the Citrix Browser Content Redirection extension. |
| Control which extensions are installed silently | Enabled – Extension/App IDs and update URLs to be silently installed: hdppkjifljbdpckfajcmlblbchhledln; https://clients2.google.com/service/update2/crx | In combination with the policy above, this policy installs any extensions configured. If you want to install extensions from the Google Web Store, you will also have to specify the update URL. |
| *Windows Components/Internet Explorer* | | |
| Use the Enterprise Mode IE website list | Enabled – Type the location (URL) of your Enterprise Mode IE website list: URL or UNC to your sitelist.xml file | This is the last of the 3 policies needed to enable the IE Mode feature. Here you specify where IE should look for the sitelist.xml file. |
You’ll notice that most of the settings are User Configuration settings. The main reason for this is the ability to apply AD user or AD group filters to the User Configuration part of the GPO. This is useful if I have some settings I don’t want to apply to certain users: I can exclude them from this GPO and configure a different set of policy settings for these users in another GPO instead.
Internet Explorer integration – IE Mode
One of the great features of Edge is Internet Explorer integration, or IE Mode. IE Mode integrates with an already known feature called Enterprise Mode, which surfaced a few years ago in Internet Explorer 10.
What Edge and Enterprise Mode basically do is, based on a list of URLs in an XML file, determine whether a specific URL should be launched in Internet Explorer rather than Edge. We all know those 2 or 3 URLs that will only work in Internet Explorer; now we can have Edge as the primary browser and configure Enterprise Mode to handle those 2 or 3 URLs, so that they open in Internet Explorer.
The way Microsoft has implemented this in Edge is that you can choose either to have Internet Explorer open as a separate process/window, or to have Edge “emulate” Internet Explorer in a tab within the Edge browser.
As I mentioned in the group policy overview, you need an XML file in which the Enterprise Mode URLs are defined. For that Microsoft provides a tool called Enterprise Mode Site List Manager, which can be downloaded here:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=49974
Once installed you will have this very basic UI:
To populate the list, go to File and click Add:
Here you have to type in the URL, in this case www.citrix.com. You also have to select the “Compat Mode”; this is a list of compatibility settings available in Internet Explorer. For now just select Default Mode, which is the default IE11 mode. Click Save.
Here is my very basic list, with www.citrix.com and www.youtube.com:
Now click File and then save to XML:
Once you have the XML, you need to copy it to a location where your users have read access. I usually copy it to the NETLOGON share, as users have read access there and the XML is also replicated across multiple servers (Domain Controllers). As mentioned, make sure to configure the URL/UNC of the XML file in the “Configure the Enterprise Mode Site List” policy.
So how does it look from the user’s point of view when IE Mode is active? It’s very elegant and discreet:
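If you would rather generate the site list from a script than click through the Site List Manager, here is an added example (not code from the original article, nor from Microsoft’s tool) that writes the same two-entry list and then validates it before you copy it to NETLOGON. It assumes the element names of Microsoft’s v2 site list schema (`site-list`, `site`, `compat-mode`, `open-in`); `Default` is the “Default Mode” chosen above, and `IE11` opens the site in an IE Mode tab inside Edge. The output path and the two sites are illustrative.

```powershell
# Added example, not code from the original article: build a v2 Enterprise Mode
# site list, re-read it and check it for the mistakes that bite in practice
# (no entries, duplicate URLs, unknown compat-mode or open-in values).

function New-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Sites,
        [int]    $ListVersion = 1,         # raise on every change so clients pick up the new list
        [string] $CompatMode  = 'Default', # "Default Mode" in the Site List Manager = IE11 document mode
        [string] $OpenIn      = 'IE11'     # IE11 = open in an IE Mode tab inside Edge
    )
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $writer.WriteStartElement('site-list')
        $writer.WriteAttributeString('version', "$ListVersion")
        $writer.WriteStartElement('created-by')
        $writer.WriteElementString('tool', 'New-EnterpriseModeSiteList')
        $writer.WriteElementString('version', '1')
        $writer.WriteElementString('date-created', (Get-Date -Format 'yyyy-MM-dd'))
        $writer.WriteEndElement()   # created-by
        foreach ($site in $Sites) {
            $writer.WriteStartElement('site')
            $writer.WriteAttributeString('url', $site)
            $writer.WriteElementString('compat-mode', $CompatMode)
            $writer.WriteElementString('open-in', $OpenIn)
            $writer.WriteEndElement()   # site
        }
        $writer.WriteEndElement()       # site-list
    }
    finally {
        $writer.Close()
    }
}

function Test-EnterpriseModeSiteList {
    param([Parameter(Mandatory)] [string] $Path)
    $validCompat = 'Default','IE5','IE7','IE8','IE9','IE10','IE11','IE7Enterprise','IE8Enterprise'
    $validOpenIn = 'IE11','MSEdge','None'
    $problems = @()
    [xml]$doc = Get-Content -Path $Path -Raw
    if ($doc.DocumentElement.Name -ne 'site-list') { $problems += 'Root element must be <site-list>' }
    $sites = @($doc.SelectNodes('/site-list/site'))
    if ($sites.Count -eq 0) { $problems += 'The list contains no <site> entries' }
    $seen = @{}
    foreach ($site in $sites) {
        $url = $site.GetAttribute('url')
        if (-not $url)                   { $problems += 'A <site> entry has no url attribute' }
        elseif ($seen.ContainsKey($url)) { $problems += "Duplicate entry for $url" }
        else                             { $seen[$url] = $true }
        if ($site.'compat-mode' -notin $validCompat) { $problems += "$url has unknown compat-mode '$($site.'compat-mode')'" }
        if ($site.'open-in' -notin $validOpenIn)     { $problems += "$url has unknown open-in '$($site.'open-in')'" }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Sites = $sites.Count; Problems = $problems }
}

# Build the same two-entry list as in the article and check it (Ok should be True, Sites 2).
$out = Join-Path $env:TEMP 'sitelist.xml'
New-EnterpriseModeSiteList -Path $out -Sites 'www.citrix.com','www.youtube.com'
Test-EnterpriseModeSiteList -Path $out

# Then publish it where users have read access and point the three policies at it, e.g.
# Copy-Item $out "\\$env:USERDNSDOMAIN\NETLOGON\sitelist.xml"
```

Keep the `version` attribute moving every time you edit the list; together with the logon-time parsing noted below, a stale version number is the usual reason a newly added site still opens in Edge.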
And within the same Edge window I can have another tab open, which is not in IE Mode:
And here I am running Java inside Edge, isn’t that beauti….wait, it’s not beautiful, we all hate Java, but it is possible to put those legacy Java sites inside the Edge browser.
Keep in mind though that the XML is only parsed during logon, so if you make changes while users are logged on, they will be picked up at the next logon.
Remember, group policies are not bad, they are often misunderstood, but not bad.