The Enterprise ready browser Microsoft Edge for business – How to configure for Edge

With Microsoft now releasing Microsoft Edge built on top of Chromium which is an open-source browser project together with its own enterprise security features, I see it as the main browser for enterprises moving forward. So how do we get started roll-out Edge to the enterprise?

Deployment

As part of a deployment strategy, there are multiple ways to deploy Microsoft Egde to the Enterprise depending on what kind of management tooling you have for your enterprise.

If you wish to just install it on your own computer, Edge is also available on Chocolatey. You can download Edge from here –>

NOTE: If this should be deployed you need to have the following URL’s opened for trough the firewall or proxy:
https://edgeupdates.microsoft.com/api/products?view=enterprise
http://dl.delivery.mp.microsoft.com

choco install microsoft-edge

For SCCM there is an own tab to deploy Microsoft Edge as of SCCM 1910 (https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/deploy-edge)

Microsoft Edge Management node right-click action

Just ensure that you configure update management for Microsoft Edge as well if you want to update Edge as part of the release cycle.

Select Microsoft Edge as product in software update point properties

In Intune there is an app for Edge under software deployment.

This also allows you to define what kind of release should be installed, since Edge follows the modern lifecycle deployment where you have (Stable / Beta / Developer ) release of each version.

Now by default when you install it, it comes with a desktop shortcut. You can remove this by it requires that you create an MSP transform file, you can see a seperate blog post on that here –> https://oofhours.com/2020/02/10/deploying-the-new-microsoft-edge-without-a-desktop-shortcut/

Policies

Microsoft Egde also comes with support for Policies either trough using AMDX and Group Policies or using OMA-URI settings. In order to start using policies you will need to have the following patch level available on your Windows 10 devices

NOTE: You can see the entire list with Policies here and the information and configuration options –> https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies

Windows 10, with the following minimum system requirements:

You can download the AMDX files from here –> https://www.microsoft.com/en-us/edge/business/download which then download the latest msedge.adml and msedgeupdate.adml files and (on a Domain controller,) copy them to

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions\en-US

Then you configure the Group Policies accordingly.

When it comes to Intune the predefined AMDX files are available within Device Configuration –> Administrative Templates.

Once the policies are configured you can check if the policies have applied by checking the Policy settings pane within Edge

edge://policy

Another option is to use a Master preference file. A master preferences file lets you configure default settings when Microsoft Edge is deployed. You can also use a master preferences file to apply settings on computers that aren’t managed by a device management system. These settings are applied to the user’s profile the first time the user runs the browser. After the user runs the browser, changes to the master preferences file aren’t applied. A user can change settings from the master preferences in the browser. If you want to make a setting mandatory or change a setting after the first run of the browser, you must use a policy.

I do want to warn that while the standard preferences should all work, Microsoft Edge may not fully support all the various preferences that could be set due to potential internal difference between Chromium and Microsoft Edge. In addition the names of preferences will generally contain Chromium terminology, since it is based for Chrome.

Another important aspect is to define the default search provider which is by default Bing, this can be configured using the https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#defaultsearchproviderenabled provider setting.

Other flags that should be enabled

There is also other flags that can be enabled which leads to even better better accessibility and better browser performance –> https://www.howtogeek.com/445542/the-best-chrome-flags-to-enable-for-better-browsing/ however these flags are not available trough Policy but can be referenced as something that users can configure if wanted.

You can access the flags settings under edge://flags

One of these settings are such as Tab Groups and Global Media Controls.

Tab Groups allows you go group tabs with color and name.

Media Controls give you direct UI controls for media content.

Policies for VDI

When it comes to deployment of Microsoft Edge in Citrix / VMware or VDI based deployments there are some considerations you need to be aware of. Now instead of writing down the different aspects here, I just want to point to James Kindon’s excellent blog post https://jkindon.com/2019/09/17/deploying-brave-and-microsoft-edge-dev-browsers-in-citrix-cvad-environments/ 

Also you can use this for settings Edge as the default browser as well –> http://kolbi.cz/blog/2017/11/10/setdefaultbrowser-set-the-default-browser-per-user-on-windows-10-and-server-2016-build-1607/

It should be noted that currently Edge does not support RoamingProfileLocation as Google Chrome does, therefore if you have that configured against a sentral fileserver you will have issues with Edge. With Edge the only option is to move the UserDataDir (and move back the DiskCacheDir).

SSO and Azure AD

Microsoft Edge supports also SSO and FIDO authentication.

Should be noted that for Windows integration authentication, Microsoft Edge will only respond to WIA requests if the server is on the intranet. To configure which servers are enabled for integrated authentication, please see the AuthServerAllowlist policy.

To use WIA with Microsoft Edge (version 77 and later) you have to configure the AD FS property WiaSupportedUserAgents and add support for the new Microsoft Edge user agent string. We use the “Edg” token to avoid compatibility issues that may be caused by using the string “Edge”, which is used by the current version of Microsoft Edge based on EdgeHTML. The “Edg” token is also consistent with existing tokens used on iOS and Android. The following example of a UA string is for the latest Dev Channel build when this article was published:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3951.0 Safari/537.36 Edg/80.0.334.2"

Extensions

When it comes to installing Edge Extensions this is something that you can force install using Policies. For Windows devices that aren’t joined to a Microsoft Active Directory domain, forced installation is limited to extensions available in the Microsoft Store for Edge –> https://microsoftedge.microsoft.com/addons/category/Edge-Extensions

But this is done using the policy settings ExtensionInstallForcelist 

If you want to force install an addon you need to get the extensionID which can be found within the edge://extensions and then going into the extension and finding the ID.

The policy can then be pushed either using Group Policy or Intune or other managed solutions. Now you can also install regular Chrome extensions from the Google extension store as well. In order to enable this you will need to enable “allow extensions from other stores”

Then you can lnstall extensions from the Chrome store here –> https://chrome.google.com/webstore/category/extensions

Web App Shortcuts and Progressive Web Apps

Edge also supports Progressive Web Apps (PWAs), which makes it possible to install a website as a native app on Windows 10 enabling additional features, such as push notifications, background data refresh, offline support, and more.

The great part about web apps for Edge is that they literally install like normal apps, and you’ll even find them registered in the “Apps & features” settings page.

These apps can also be deployed trough Group Policy to users to that users can have their applications available as shortcuts.

Example URL:

Example Policy Content

[
 {
 "url": "https://www.contoso.com/maps", 
 "create_desktop_shortcut": true, 
 "default_launch_container": "window"
 }, 
 {
 "url": "https://app.contoso.edu", 
 "default_launch_container": "tab"
 }
]

Handling Updates

When it comes to handling updates this is also something that is handled trough Policy which is a bit similar to one might have seen with Windows 10 and with Office 365

As per best-pratices, this was the only thing I could find (which was from Chris Jackson from Microsoft)

And as part of ADMX files you can configure the update methods here, once installed it can do automatic updates directly from Microsoft Update.

Security Settings

Microsoft has already created a baseline security policy set which can be configured as part of SCM, you can read more about it here –>

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-chromium-based-microsoft-edge/ba-p/1111863 this is for regular configuration using group policy, but you also have the same option using Intune where you also have some security baseline.

Should be noted that the security baseline in Intune will be updated shortly to reflect the latest settings and version.

Application Guard

Application guard is a security feature built into Windows 10, which essentially can allow users to open up untrusted web pages in a secure container. When a user open an untrusted website, Microsoft Edge will open the site in an isolated Hyper-V-enabled container, which is separate from the host operating system.

Hardware isolation diagram

This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. This is only for Windows 10 devices which support running Hyper-V and is not supported on VMs and VDI environment.

Operating system Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher

But this feature is extremely useful for scenarioes where malicious payload such as drive-by downloads are trying to infect the host operating system.
To install Application Guard on supported operating systems you can use the following PowerShell command

Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

Once you have it installed you have the option to start an Application Guard protected pane directly from within Edge

It should be noted that Application Guard comes with its own set of Group Policies under Computer Configuration\Administrative Templates\Network\Network Isolation

It should be noted that since this is running in an isolated container some options are not working such as downloads and such since when you close the tab all the sessions information and such as gone.

So far. Edge seems to embrace the best of both worlds, having the speed built in from Chromium together with Enterprise Management and Security features such as Application Guard and modern management support from ADMX or OMA-URI Settings.

Leave a Reply

Scroll to Top