A strength of Internet Explorer has always been that it can be managed in a very granular way with group policies. With Edge, an additional browser is automatically added to each computer. In its default state, it grants users unrestricted freedom. This applies, for example, to the risky installation of extensions or to the configuration of security settings in general. If your organization continues to use IE or has standardized on a different browser, you can disable Edge by activating the group policy "Block access to a list of URLs". There, you enter a wildcard '*' as the value.
However, support for IE will expire on June 15, 2022, so you will have to switch to a newer browser by then at the latest. Since Edge is already included in Windows, is based on the de facto standard Chromium, and also offers some migration aids for IE-optimized pages, many companies will probably opt for this browser.
Managing Edge with group policies
The main tool for centrally managing Edge is also group policies. Most of the settings are inherited from the Chromium project and are identical to those that Google provides for Chrome. In addition, there are a number of Microsoft-specific options.
Although Edge is part of the operating system, Windows 10 does not ship with the browser's administrative templates. The included MicrosoftEdge.admx is still used to configure the previous non-Chromium-based Edge.
Admins must therefore download the Microsoft Edge templates from the manufacturer's website. Since the browser follows a different update cycle from the operating system, you have to make sure that you always use the appropriate ADMX for the respective channel.
The regular update of the templates is, of course, easier if you use a central store for this purpose. This saves you from having to update the templates on all admin PCs.
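The following PowerShell sketch shows one way to refresh the central store after downloading a new template package. It is an added example, not part of the original article; the extraction path, the `windows\admx` folder layout, and the `msedge*.admx` file naming are assumptions about the downloaded package, and the script needs write access to SYSVOL.

```powershell
# Added example: publish downloaded Edge policy templates to the domain central store.
# Assumption: $TemplateRoot is a hypothetical path where the package was extracted.
param(
    [string]$TemplateRoot = 'C:\Temp\MicrosoftEdgePolicyTemplates\windows\admx',
    [string]$Domain = $env:USERDNSDOMAIN,
    [string[]]$Languages = @('en-US')
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $store)) {
    throw "Central store not found at $store"
}

# Collect each ADMX file plus the matching ADML file for every requested language.
$files = foreach ($admx in Get-ChildItem -LiteralPath $TemplateRoot -Filter 'msedge*.admx') {
    [pscustomobject]@{ Source = $admx.FullName; Target = Join-Path $store $admx.Name }
    foreach ($lang in $Languages) {
        $rel = Join-Path $lang ($admx.BaseName + '.adml')
        [pscustomobject]@{
            Source = Join-Path $TemplateRoot $rel
            Target = Join-Path $store $rel
        }
    }
}

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f.Source)) {
        Write-Warning "Missing in package: $($f.Source)"
        continue
    }
    # Skip identical files so the output lists only templates that really changed.
    $same = (Test-Path -LiteralPath $f.Target) -and
            ((Get-FileHash $f.Source).Hash -eq (Get-FileHash $f.Target).Hash)
    if ($same) { continue }
    New-Item -ItemType Directory -Path (Split-Path $f.Target) -Force | Out-Null
    Copy-Item -LiteralPath $f.Source -Destination $f.Target -Force
    Write-Output "Updated $($f.Target)"
}
```

The legacy MicrosoftEdge.admx already in the store is left untouched because the filter only matches the new template file names.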
Customizing the security configuration
Besides mail clients, web browsers are known to be the main entry points for malware and therefore require appropriate attention. However, it is easy to lose track of this due to the large number of security-related settings involved.
For this reason, Microsoft has provided a recommended configuration as a security baseline. It is included in the Security Compliance Toolkit and can be imported from there. As with the GPO templates, there is a separate baseline for Edge and the operating system; hence, you have to update the security settings depending on the browser updates.
Extremely short update intervals are common practice in the browser market. A new release for Microsoft Edge appears every six weeks in the Stable channel. The manufacturer provides support for the current and the two previously released versions so that the total life cycle is only 18 weeks. After that, you will no longer receive any security updates for those versions.
Starting with version 94, the update cycle has changed because Microsoft has added a channel called Extended Stable. Stable then only receives four weeks of support for each of the last three updates, so that the support period only amounts to 12 weeks.
Microsoft will support Extended Stable for eight weeks per release, but only for the last two updates. In total, the maximum support period for a version is 16 weeks.
For this reason, admins must ensure that client devices are provided with a supported version on time. But unlike the competitors' browsers, new releases of Edge come via Windows Update.
Since many companies distribute updates centrally via WSUS, they can also deploy new Edge versions in this way. Here, too, the browser is listed as a separate product under Windows, so you have to subscribe to it first.
You will then receive updates for all channels, including Dev or Beta. It is, of course, important for admins that they do not lose track of the updates and that they approve the necessary ones in good time.
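The support windows described above (Stable: the last three releases, Extended Stable: the last two) can be turned into a simple compliance check over a client inventory. This is an added example, not from the original article; the inventory rows, version strings, and release lists are constructed sample data, and the function name is hypothetical.

```powershell
# Added example. Support windows as stated in the article for Edge 94 and later:
# Stable covers the last three releases, Extended Stable the last two.
$SupportedReleases = @{ 'Stable' = 3; 'Extended Stable' = 2 }

function Test-EdgeVersionSupported {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][ValidateSet('Stable', 'Extended Stable')][string]$Channel,
        # Major versions released so far in this channel, in any order.
        [Parameter(Mandatory)][int[]]$ReleasedMajors
    )
    # The supported window is the N newest majors of the channel.
    $window = $ReleasedMajors | Sort-Object -Descending -Unique |
        Select-Object -First $SupportedReleases[$Channel]
    return $window -contains $Installed.Major
}

# Constructed release lists; maintain these from the vendor's release notes.
$released = @{
    'Stable'          = 105..109
    'Extended Stable' = 104, 106, 108
}

# Constructed inventory; in practice this comes from your software inventory.
$inventory = @(
    [pscustomobject]@{ Computer = 'PC-001'; Channel = 'Stable';          Version = '109.0.1518.70' }
    [pscustomobject]@{ Computer = 'PC-002'; Channel = 'Stable';          Version = '106.0.1370.52' }
    [pscustomobject]@{ Computer = 'PC-003'; Channel = 'Extended Stable'; Version = '106.0.1370.86' }
    [pscustomobject]@{ Computer = 'PC-004'; Channel = 'Extended Stable'; Version = '104.0.1293.70' }
)

# List only the clients that have fallen out of the support window.
$inventory | ForEach-Object {
    $ok = Test-EdgeVersionSupported -Installed $_.Version -Channel $_.Channel `
        -ReleasedMajors $released[$_.Channel]
    $_ | Add-Member -NotePropertyName Supported -NotePropertyValue $ok -PassThru
} | Where-Object { -not $_.Supported } |
    Format-Table Computer, Channel, Version
```

With the sample data, PC-002 and PC-004 are reported because their major versions lie outside the last three and last two releases of their respective channels.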
Compatibility with IE11
Edge's functions for IE compatibility are key arguments for companies that have previously used Internet Explorer as the standard browser. Very often, there are still intranet pages and applications that are tailored to IE.
The IE engine can be used in various ways in Edge, either through general redirects of internal URLs or through a site list in enterprise mode. However, the option to start IE externally as a standalone application will no longer be available after the end of support.
Deactivate Internet Explorer
If you have successfully mastered the switch from IE to Edge, then it makes sense to officially disable the old browser. After the support ends in mid-2022, Microsoft will complete this task anyway.
Since IE is no longer up-to-date with the latest web standards or security, there is no reason to continue making it accessible to users after migrating to Edge.
Microsoft provides a new group policy for disabling Internet Explorer. It is called "Disable Internet Explorer as a standalone browser" and can be used to inform users that the browser is blocked.
Due to the announced end of support for IE11, users will have to switch to an alternative browser if they have not already done so. In both cases, Edge is a good choice because it comes as part of the operating system, and with the Chromium engine, it uses an industry standard.
Nevertheless, Edge remains its own application, which is decoupled from the OS in many ways and therefore requires separate maintenance. This applies to the administrative templates for the group policies as well as the security baseline, the support intervals, and the updates.