After the decline of the once-dominant Internet Explorer (IE) and the failure of Edge as a Universal Windows Platform (UWP) app, Microsoft is now making its next move into the browser market. Compared to its predecessors, the "new Edge" is based on a different concept in several respects.
This is a thorough departure from the position Microsoft has held for years. According to Microsoft, IE was (for antitrust reasons) a tightly integrated and unremovable component of the operating system. The downside of this approach was long update cycles and, ultimately, the loss of market leadership.
Edge shipped with Windows
Although it is decoupled from Windows, the new Edge is by no means a pure download option like Firefox or the numerous other Chromium browsers (Opera, Vivaldi, etc.). Rather, Microsoft would like to make it the standard browser of its operating system.
In the future, Microsoft will include Edge on the installation media for Windows 10, and thus, new PCs will have it preloaded. In addition, Microsoft is now beginning to roll out the browser to private users via Windows Update.
Unlike in the past, however, the manufacturer does not want to abuse its dominant position in desktop operating systems. For example, it respects existing settings and does not set Edge as the default browser when updating. Likewise, it does not configure Bing as the preferred search engine if the user has previously picked a different one.
Deployment in companies
Automatic installation of the new Edge via Windows Update only affects the Home and Pro editions, excluding the Enterprise, Workstation Pro, and Education editions. However, smaller companies that obtain their updates directly from Microsoft and use the Pro edition can prevent the download of Edge for the time being by using the Blocker Toolkit.
This consists of an .admx template for group policies and a batch file to enter the required key directly into the registry.
For centrally managed environments, Microsoft offers two alternative deployment options. First, administrators can download a standalone installer as an .msi and distribute it via the company's own mechanisms such as System Center Configuration Manager (SCCM) or group policies.
In contrast, the normal installer for consumers requests the required files for each individual PC via the internet. If employees want to use it to install Edge on their own, they need administrative privileges. User-level installations, as with Chrome or the Edge previews, no longer work with the stable version.
The preferred channel for companies to obtain Edge will probably be Windows Server Update Services (WSUS). Microsoft will use it to deliver not only security updates but also complete releases. Microsoft has announced such feature updates for every six weeks, an interval similar to that of Google or Firefox.
To receive updates for Microsoft Edge via WSUS, admins must subscribe to it as a separate product under the Windows category. The WSUS server then retrieves updates for all Edge development channels and thus also obtains Dev and Beta. There is currently no filter to limit the downloads to Stable.
Management via group policies
Microsoft also takes advantage of the Chromium project's groundwork by reusing the .admx templates, which you can download from the Edge for Business website. They contain mostly the same settings as Google Chrome.
Many of these settings are relevant for browser security, such as those that allow admins to control the installation of extensions. Edge supports not only those from Microsoft's own store but also extensions for Google Chrome. However, the latter are not necessarily trustworthy.
To assist administrators in securely configuring Edge, Microsoft provides a security baseline, as it does for Windows and Office. This contains a complete list of all Group Policy settings and recommends which ones to configure. The baseline is part of the Security Compliance Toolkit available from Microsoft Download.
Edge-specific Group Policy additions include those that affect Microsoft's own services, such as SmartScreen or Bing. They also allow admins to control the integration with older Microsoft browsers.
Compatibility with IE and Edge I
Internet Explorer mode, which was already available for IE11 as Enterprise mode, opens certain applications with an older browser engine. The functionality remains unchanged with Edge.
For configuration, you first activate this compatibility mode via the Configure Internet Explorer Integration setting and then upload a list of URLs where Edge should start IE. You must create this site list in an XML format. The Enterprise Mode Site List Manager will simplify this task.
Enabling Internet Explorer mode via Group Policy Management Editor
You store the list of URLs for old or incompatible web applications on a web server and then enter the address into the Configure the Enterprise Mode Site List setting.
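The site list decides which sites are handed to the old engine, so it is worth reviewing before it is published. The following is an added example, not code from this article or from Microsoft: it parses a constructed list in the v.2 Enterprise Mode schema and reports entries that break two assumed review rules. The function name `Test-IEModeSiteList`, the host names, and the internal suffix `corp.example` are hypothetical.

```powershell
# Constructed sample in the v.2 Enterprise Mode schema; all hosts are placeholders.
$sampleSiteList = @'
<site-list version="3">
  <site url="erp.corp.example/legacy">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="vendor-portal.example.net">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="wiki.corp.example">
    <compat-mode>Default</compat-mode>
    <open-in>MSEdge</open-in>
  </site>
</site-list>
'@

# Hypothetical helper: returns one finding per review rule that the list violates.
function Test-IEModeSiteList {
    param(
        [Parameter(Mandatory)] [string]   $SiteListXml,
        [Parameter(Mandatory)] [string]   $SiteListUrl,       # address entered in the GPO setting
        [Parameter(Mandatory)] [string[]] $InternalSuffixes   # assumed internal DNS suffixes
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    # Rule 1 (assumed): the list selects the old engine per site, so fetch it over TLS.
    if ($SiteListUrl -notmatch '^https://') {
        $findings.Add("Site list not served over HTTPS: $SiteListUrl")
    }
    $doc = [xml]$SiteListXml
    foreach ($site in $doc.'site-list'.site) {
        if ($site.'open-in' -ne 'IE11') { continue }      # only entries that start the IE engine
        $hostName = ($site.url -split '[/:]')[0]          # site URLs carry no scheme in this schema
        $internal = $false
        foreach ($suffix in $InternalSuffixes) {
            if ($hostName -eq $suffix -or $hostName -like "*.$suffix") { $internal = $true }
        }
        # Rule 2 (assumed): only internal applications should fall back to the IE engine.
        if (-not $internal) {
            $findings.Add("External host opens in IE mode: $($site.url)")
        }
    }
    return $findings
}

Test-IEModeSiteList -SiteListXml $sampleSiteList `
    -SiteListUrl 'http://intranet.corp.example/sites.xml' `
    -InternalSuffixes 'corp.example'
```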
Only one setting lets you control the relationship to the original Edge browser. It determines whether the predecessor can be used at all. By default, this is no longer accessible after installing the new Edge, and all corresponding calls are redirected to the new version.
Go to Computer Configuration > Policies > Administrative Templates > Microsoft Edge Update > Applications > Allow Microsoft Edge Side by Side browser experience to ensure that the old Edge is still available. You must activate this before updating to the new browser.
If you want to keep the old Edge, you have to ensure this via a Group Policy Object (GPO) before updating to Edge Chromium
However, there are probably not many reasons to do this, since Microsoft has recently removed epub support, one of the few exclusive features of first-generation Edge.
Microsoft wants to end its failed web browser strategy by quickly integrating the Chromium-based Edge into its operating system. Home users will receive the software via Windows Update, while companies have several deployment options.
For professional users, the new Edge should be appealing because you can update it via WSUS and manage it with GPOs. Another argument in its favor is that it contains Chromium's leading HTML engine but without ties to Google services. A relatively strict default setting also prevents excessive tracking.
Finally, you can even install Edge Chromium under Server Core, where the browser can serve as a local console for Windows Admin Center.