With Microsoft now releasing Microsoft Edge built on top of Chromium, the open-source browser project, together with its own enterprise security features, I see it as the main browser for enterprises moving forward. So how do we get started rolling out Edge to the enterprise?
Deployment
As part of a deployment strategy, there are multiple ways to deploy Microsoft Edge to the enterprise, depending on what kind of management tooling you have.
If you wish to just install it on your own computer, Edge is also available on Chocolatey. You can download Edge from here –>
choco install microsoft-edge
NOTE: To deploy Edge you need to have the following URLs opened through the firewall or proxy:
https://edgeupdates.microsoft.com/api/products?view=enterprise
http://dl.delivery.mp.microsoft.com
For SCCM there is a dedicated tab to deploy Microsoft Edge as of SCCM 1910 (https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/deploy-edge).
Just ensure that you configure update management for Microsoft Edge as well if you want to update Edge as part of the release cycle.
In Intune there is an app for Edge under software deployment.
This also allows you to define which release channel should be installed, since Edge follows the modern lifecycle model with a Stable / Beta / Developer release of each version.
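As an added example (not code from the original post), a PowerShell function that uses the enterprise update API listed in the firewall note above to fetch the MSI for a chosen channel and verify it against the hash the API publishes before the file goes into SCCM or Intune. The JSON field names it reads (Product, Releases, Platform, Architecture, ProductVersion, Artifacts, ArtifactName, Location, Hash, HashAlgorithm) are assumed from that API's response and are not given in the post.

```powershell
# Added example, not from the original post. Assumes the edgeupdates API schema named in
# the lead-in and outbound access to the two URLs listed under Deployment.
function Get-EdgeEnterpriseMsi {
    [CmdletBinding()]
    param(
        [ValidateSet('Stable', 'Beta', 'Dev')] [string]$Channel = 'Stable',
        [ValidateSet('x64', 'x86', 'arm64')]   [string]$Arch    = 'x64',
        [string]$OutDir = (Join-Path $env:TEMP 'EdgeEnterprise')
    )
    # 1. Ask the enterprise update API which builds exist (this also proves the proxy lets us out).
    $api      = 'https://edgeupdates.microsoft.com/api/products?view=enterprise'
    $products = Invoke-RestMethod -Uri $api -UseBasicParsing -ErrorAction Stop

    # 2. Pick the newest Windows release for the requested channel and architecture.
    $release = ($products | Where-Object Product -eq $Channel).Releases |
        Where-Object { $_.Platform -eq 'Windows' -and $_.Architecture -eq $Arch } |
        Sort-Object { [version]$_.ProductVersion } -Descending |
        Select-Object -First 1
    if (-not $release) { throw "No $Channel/$Arch Windows release found in the API response." }

    $msi = $release.Artifacts | Where-Object ArtifactName -eq 'msi' | Select-Object -First 1
    if (-not $msi) { throw "Release $($release.ProductVersion) has no MSI artifact." }

    # 3. Download the MSI (served from dl.delivery.mp.microsoft.com, the second URL to allow).
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir ('MicrosoftEdgeEnterprise-{0}-{1}-{2}.msi' -f $Channel, $Arch, $release.ProductVersion)
    Invoke-WebRequest -Uri $msi.Location -OutFile $file -UseBasicParsing -ErrorAction Stop

    # 4. Verify the download against the published hash before handing it to the deployment tool.
    $algo   = if ($msi.HashAlgorithm) { $msi.HashAlgorithm } else { 'SHA256' }
    $actual = (Get-FileHash -Path $file -Algorithm $algo).Hash
    if ($actual -ne $msi.Hash) {   # -ne is case-insensitive, so hex casing does not matter
        Remove-Item $file -Force
        throw "Hash mismatch for $file (expected $($msi.Hash), got $actual); download discarded."
    }
    [pscustomobject]@{ Channel = $Channel; Version = $release.ProductVersion; Path = $file; Algorithm = $algo; Hash = $actual }
}

# Usage: fetch and verify the current Stable x64 package
Get-EdgeEnterpriseMsi -Channel Stable -Arch x64
```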
Now by default when you install it, it comes with a desktop shortcut. You can remove this, but it requires that you create an MSP transform file; you can see a separate blog post on that here –> https://oofhours.com/2020/02/10/deploying-the-new-microsoft-edge-without-a-desktop-shortcut/
Policies
Microsoft Edge also comes with support for policies, either through ADMX and Group Policies or using OMA-URI settings. In order to start using policies you will need to have the following patch level on your Windows 10 devices.
NOTE: You can see the entire list of policies, with their information and configuration options, here –> https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies
Windows 10, with the following minimum system requirements:
- Windows 10, version 1903 with KB4512941 and KB4517211 installed
- Windows 10, version 1809 with KB4512534 and KB4520062 installed
- Windows 10, version 1803 with KB4512509 and KB4519978 installed
- Windows 10, version 1709 with KB4516071 and KB4520006 installed
You can download the ADMX files from here –> https://www.microsoft.com/en-us/edge/business/download, which gives you the latest msedge.adml and msedgeupdate.adml files. On a domain controller, copy them to
C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions\en-US
Then you configure the Group Policies accordingly.
When it comes to Intune, the predefined ADMX files are available within Device Configuration –> Administrative Templates.
Once the policies are configured you can check whether they have applied by checking the Policy settings pane within Edge:
edge://policy
Another option is to use a Master preference file. A master preferences file lets you configure default settings when Microsoft Edge is deployed. You can also use a master preferences file to apply settings on computers that aren’t managed by a device management system. These settings are applied to the user’s profile the first time the user runs the browser. After the user runs the browser, changes to the master preferences file aren’t applied. A user can change settings from the master preferences in the browser. If you want to make a setting mandatory or change a setting after the first run of the browser, you must use a policy.
Other flags that should be enabled
There are also other flags that can be enabled which lead to better accessibility and better browser performance –> https://www.howtogeek.com/445542/the-best-chrome-flags-to-enable-for-better-browsing/. However, these flags are not available through Policy, but can be referenced as something that users can configure if wanted.
You can access the flags settings under edge://flags
Examples of these settings are Tab Groups and Global Media Controls.
Tab Groups lets you group tabs by color and name.
Global Media Controls gives you direct UI controls for media content.
Policies for VDI
When it comes to deployment of Microsoft Edge in Citrix / VMware or VDI based deployments there are some considerations you need to be aware of. Now instead of writing down the different aspects here, I just want to point to James Kindon’s excellent blog post https://jkindon.com/2019/09/17/deploying-brave-and-microsoft-edge-dev-browsers-in-citrix-cvad-environments/
You can also use this for setting Edge as the default browser –> http://kolbi.cz/blog/2017/11/10/setdefaultbrowser-set-the-default-browser-per-user-on-windows-10-and-server-2016-build-1607/
It should be noted that currently Edge does not support RoamingProfileLocation as Google Chrome does; therefore, if you have that configured against a central file server you will have issues with Edge. With Edge the only option is to move the UserDataDir (and move the DiskCacheDir back).
SSO and Azure AD
Microsoft Edge also supports SSO and FIDO authentication.
It should be noted that for Windows Integrated Authentication, Microsoft Edge will only respond to WIA requests if the server is on the intranet. To configure which servers are enabled for integrated authentication, please see the AuthServerAllowlist policy.
To use WIA with Microsoft Edge (version 77 and later) you have to configure the AD FS property WiaSupportedUserAgents and add support for the new Microsoft Edge user agent string. We use the “Edg” token to avoid compatibility issues that may be caused by using the string “Edge”, which is used by the current version of Microsoft Edge based on EdgeHTML. The “Edg” token is also consistent with existing tokens used on iOS and Android. The following example of a UA string is for the latest Dev Channel build when this article was published:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3951.0 Safari/537.36 Edg/80.0.334.2"
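The AD FS change described above, as an added example that is not from the original post: run on the primary AD FS server, it appends a user-agent token to WiaSupportedUserAgents only if it is not already present. The token "Edg/" (with the trailing slash) is my assumption here, chosen so the entry cannot also match the "Edge/" token of EdgeHTML-based Edge.

```powershell
# Added example, not from the original post. Requires the ADFS PowerShell module
# (Get-AdfsProperties / Set-AdfsProperties) on the primary AD FS server.
function Add-AdfsWiaUserAgent {
    param(
        # Assumed token: "Edg/" matches the Chromium-based Edge UA shown above but not "Edge/"
        [string]$Token = 'Edg/'
    )
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($current -contains $Token) {
        return "Token '$Token' already present; no change made."
    }
    # Keep every existing entry (IE, Trident, EdgeHTML, ...) and add the new one
    Set-AdfsProperties -WIASupportedUserAgents ($current + $Token)
    $after = (Get-AdfsProperties).WIASupportedUserAgents
    "Added '$Token'. WIA user agents now: " + ($after -join ', ')
}

Add-AdfsWiaUserAgent
```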
Extensions
When it comes to installing Edge Extensions this is something that you can force install using Policies. For Windows devices that aren’t joined to a Microsoft Active Directory domain, forced installation is limited to extensions available in the Microsoft Store for Edge –> https://microsoftedge.microsoft.com/addons/category/Edge-Extensions
This is done using the policy setting ExtensionInstallForcelist.
If you want to force install an add-on you need the extension ID, which can be found in edge://extensions by opening the extension's details.
The policy can then be pushed using Group Policy, Intune or another management solution. You can also install regular Chrome extensions from the Google extension store. In order to enable this you will need to enable “Allow extensions from other stores”.
Then you can install extensions from the Chrome store here –> https://chrome.google.com/webstore/category/extensions
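As an added example (not from the original post), a pair of PowerShell functions that write the ExtensionInstallForcelist policy straight to the registry location the ADMX setting uses and read it back for verification. The two store update URLs are the documented Chromium values; the extension IDs in the usage call are constructed placeholders, not real extensions.

```powershell
# Added example, not from the original post. Run elevated; Edge applies the change on its next
# policy refresh and edge://policy shows the result.
$EdgeStoreUpdateUrl   = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx'
$ChromeStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Set-EdgeForcedExtensions {
    param(
        # Hashtable of extension ID (from edge://extensions) -> update URL of the store it comes from
        [Parameter(Mandatory)] [hashtable]$Extensions,
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    )
    $listKey = Join-Path $PolicyRoot 'ExtensionInstallForcelist'
    # Refuse anything that is not a well-formed Chromium extension ID (32 characters, a-p only)
    foreach ($id in $Extensions.Keys) {
        if ($id -notmatch '^[a-p]{32}$') { throw "'$id' is not a valid extension ID" }
    }
    # Start from a clean list so stale entries from an earlier roll-out do not linger
    if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $index = 1
    foreach ($id in $Extensions.Keys) {
        $entry = '{0};{1}' -f $id, $Extensions[$id]      # policy format: "<id>;<update url>"
        New-ItemProperty -Path $listKey -Name $index -Value $entry -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-EdgeForcedExtensions {
    param([string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge')
    $listKey = Join-Path $PolicyRoot 'ExtensionInstallForcelist'
    if (-not (Test-Path $listKey)) { return @() }
    (Get-Item $listKey).Property | Sort-Object { [int]$_ } | ForEach-Object {
        $id, $url = (Get-ItemPropertyValue -Path $listKey -Name $_) -split ';', 2
        [pscustomobject]@{ Index = [int]$_; ExtensionId = $id; UpdateUrl = $url }
    }
}

# Usage (IDs below are constructed placeholders, not real extensions)
Set-EdgeForcedExtensions -Extensions @{
    'abcdefghijklmnopabcdefghijklmnop' = $EdgeStoreUpdateUrl    # an Edge Add-ons store extension
    'ponmlkjihgfedcbaponmlkjihgfedcba' = $ChromeStoreUpdateUrl  # a Chrome Web Store extension
}
Get-EdgeForcedExtensions | Format-Table
```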
Web App Shortcuts and Progressive Web Apps
Edge also supports Progressive Web Apps (PWAs), which makes it possible to install a website as a native app on Windows 10 enabling additional features, such as push notifications, background data refresh, offline support, and more.
The great part about web apps for Edge is that they literally install like normal apps, and you’ll even find them registered in the “Apps & features” settings page.
These apps can also be deployed through Group Policy so that users have their applications available as shortcuts.
Example URL:
Example Policy Content
[
  {
    "url": "https://www.contoso.com/maps",
    "create_desktop_shortcut": true,
    "default_launch_container": "window"
  },
  {
    "url": "https://app.contoso.edu",
    "default_launch_container": "tab"
  }
]
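As an added example (not from the original post), a PowerShell function that validates the policy content shown above and writes it as the single REG_SZ value Edge reads for the WebAppInstallForceList policy. The registry path and value name follow the Edge policy registry mapping; the URLs are the post's own examples.

```powershell
# Added example, not from the original post. Run elevated on a test machine;
# in production the same value is delivered by the ADMX setting or Intune.
function Set-EdgeForcedWebApps {
    param(
        [Parameter(Mandatory)] [string]$Json,
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    )
    $apps = $Json | ConvertFrom-Json -ErrorAction Stop
    foreach ($app in @($apps)) {
        # Only https origins: a forced app over http would give every user a cleartext
        # entry point installed on their desktop.
        if ($app.url -notmatch '^https://') { throw "Refusing non-https url '$($app.url)'" }
        if ($app.default_launch_container -and
            $app.default_launch_container -notin @('window', 'tab')) {
            throw "Bad default_launch_container for $($app.url) (use 'window' or 'tab')"
        }
    }
    New-Item -Path $PolicyRoot -Force | Out-Null
    # Edge expects the whole list as one compact JSON string in a REG_SZ value
    $compact = ConvertTo-Json -InputObject @($apps) -Compress
    New-ItemProperty -Path $PolicyRoot -Name 'WebAppInstallForceList' `
        -Value $compact -PropertyType String -Force | Out-Null
    $compact
}

# Usage with the policy content from the post
$policyJson = @'
[ { "url": "https://www.contoso.com/maps", "create_desktop_shortcut": true, "default_launch_container": "window" },
  { "url": "https://app.contoso.edu", "default_launch_container": "tab" } ]
'@
Set-EdgeForcedWebApps -Json $policyJson
```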
Handling Updates
When it comes to handling updates, this is also something that is handled through Policy, which is a bit similar to what one might have seen with Windows 10 and with Office 365.
As for best practices, this was the only thing I could find (which was from Chris Jackson from Microsoft).
As part of the ADMX files you can configure the update methods here; once installed, Edge can do automatic updates directly from Microsoft Update.
Security Settings
Microsoft has already created a baseline security policy set which can be configured as part of SCM; you can read more about it here –>
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-chromium-based-microsoft-edge/ba-p/1111863. This is for regular configuration using Group Policy, but you have the same option in Intune, which also has a security baseline.
It should be noted that the security baseline in Intune will be updated shortly to reflect the latest settings and version.
Application Guard
Application Guard is a security feature built into Windows 10 which allows users to open untrusted web pages in a secure container. When a user opens an untrusted website, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system.
This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. This is only for Windows 10 devices which support running Hyper-V and is not supported on VMs and VDI environments.
Supported operating systems:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803 or higher
- Windows 10 Professional for Workstations edition, version 1803 or higher
- Windows 10 Professional Education edition, version 1803 or higher
- Windows 10 Education edition, version 1903 or higher
This feature is extremely useful for scenarios where a malicious payload such as a drive-by download is trying to infect the host operating system.
To install Application Guard on supported operating systems you can use the following PowerShell command
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
Once you have it installed, you have the option to start an Application Guard protected window directly from within Edge.
It should be noted that Application Guard comes with its own set of Group Policies under Computer Configuration\Administrative Templates\Network\Network Isolation
It should be noted that since this runs in an isolated container, some options do not work, such as downloads, because when you close the tab all the session information is gone.
So far, Edge seems to embrace the best of both worlds, having the speed built in from Chromium together with enterprise management and security features such as Application Guard and modern management support from ADMX or OMA-URI settings.
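As an added example (not from the original post), a PowerShell script that checks the Hyper-V prerequisites this section describes before running the Enable-WindowsOptionalFeature command above, and then reports the feature state so a deployment tool can decide about the reboot. The Get-ComputerInfo property names are those of Windows PowerShell 5.1.

```powershell
# Added example, not from the original post. Run elevated on the candidate Windows 10 device.
function Test-AppGuardPrereqs {
    $ci = Get-ComputerInfo
    $results = [ordered]@{
        'Windows edition'            = $ci.WindowsProductName
        'OS build'                   = $ci.OsBuildNumber
        # True on a VM or when Hyper-V is already on; the post notes VMs/VDI are unsupported
        'Hypervisor already present' = [bool]$ci.HyperVisorPresent
    }
    if (-not $ci.HyperVisorPresent) {
        # These are only reported while no hypervisor is running (same as systeminfo.exe)
        $results['Virtualization enabled in firmware'] = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        $results['Second Level Address Translation']   = $ci.HyperVRequirementSecondLevelAddressTranslation
        $results['Data Execution Prevention']          = $ci.HyperVRequirementDataExecutionPreventionAvailable
        $results['VM Monitor Mode Extensions']         = $ci.HyperVRequirementVMMonitorModeExtensions
    }
    [pscustomobject]$results
}

function Enable-AppGuard {
    $feature = 'Windows-Defender-ApplicationGuard'
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -eq 'Enabled') { return "$feature is already enabled" }
    # Same command as in the post; -NoRestart leaves the reboot to the deployment tool
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart
    if ($result.RestartNeeded) { "$feature enabled; a restart is required" } else { "$feature enabled" }
}

Test-AppGuardPrereqs | Format-List
Enable-AppGuard
```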