Why are Edge settings in Computer Configuration?

    Question

  • Why are Edge settings in Computer Configuration? Things like homepages, favorites etc are user settings are they not? These settings are in User Configuration for IE, it just seems odd to put them into Computer Configuration.

    Thursday, December 3, 2015 1:04 PM

Answers

  • Hi,
     
    On 03.12.2015 at 14:04, Eric G-S wrote:
    > Why are Edge settings in Computer Configuration?
     
    Short answer: for security reasons.
     
    Long answer ...
    IE could always be configured user- or computer-specific, but
    computer settings win. IE prefers them, reads them first, and ignores user
    settings when settings are set in both objects. The reason is security.
     
    If you restrict IE for the user, normally the admin will not get
    these settings, he excludes himself ... but any browser on the system is
    the most dangerous part, because it's the door into the internet, where
    all these scary things can happen ;-)
     
    So, if you restrict a user who is not allowed to change anything on the
    system, the security effect is not that big, but restricting an admin
    takes a huge step in the direction of security.
    You restrict all machines, no matter who logs in.
     
    If you take a look into the security recommendations, SCM (Security
    Compliance Manager, Microsoft), CIS (Center for Internet Security, US) or
    BSI (Bundesinstitut für Sicherheit in der Informationstechnologie,
    Germany), they all define security related settings on the computer side.
     
    Doing that, the admin can no longer exclude himself from being hit by
    policy, and you get a much more secure system.
    Now you need a specific workstation to test all things, but your daily
    system is secure.
     
    Besides that, you will no longer be able to set the homepage for a
    user with policies. That's a completely new understanding and change in
    behavior.
    Why? Because all PUA/PUP (Potentially Unwanted Applications/Programs)
    "hijack" the search URLs or the homepage to redirect the user's homepage
    to a commercial site or data collector.
     
    Now, Edge only allows manually set homepages, and the setting must come
    through the API from Edge, done by the user, encrypted with some
    %username% and other user-identifying variables.
     
    You will find the Edge homepage as a "Reg-binary-blob" here:
    HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
     
    No joke, THIS is the key:
    *Protected - It is a violation of Windows Policy to modify. See
    aka.ms/browserpolicy*
     
    Open http://aka.ms/browserpolicy and you will find:
    | The user must be in control of their IE home page
    | Software must clearly inform the user if they want to change the
    | user’s home page(s).
     
    Favorites can still be controlled; they are just shortcuts within the
    user's profile. You can create/delete/control them with many ideas and
    tools: script, GPP Shortcut, IEAK ... deployment in any style you like.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by Eric G-S Tuesday, December 8, 2015 1:21 PM
    Saturday, December 5, 2015 8:57 AM
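As an added example (not from the thread and not anything Edge or Group Policy ship), a PowerShell audit that snapshots the values under the Edge "Protected" key Mark names and compares them against a saved baseline, so a homepage change made by something other than the user (a PUA, a stray `reg add`) shows up in a report instead of going unnoticed. The baseline file location and the use of SHA-256 over each value's raw bytes are my assumptions.

```powershell
# Added example: baseline-and-compare audit for the Edge "Protected" settings key.
# Assumptions (not from the thread): baseline is stored as JSON under $env:LOCALAPPDATA,
# and "changed" is judged by the SHA-256 of each value's raw bytes. The blob itself is
# never decoded or modified; the key is read-only here, as aka.ms/browserpolicy requires.
$ProtectedKey = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy'
$BaselinePath = Join-Path $env:LOCALAPPDATA 'edge-protected-baseline.json'

function Get-ProtectedSnapshot {
    # Returns a hashtable: value name -> SHA-256 hex of the value's bytes.
    # REG_BINARY values arrive as byte[]; other types are hashed via their string form.
    $snapshot = @{}
    if (-not (Test-Path -LiteralPath $ProtectedKey)) { return $snapshot }
    $key = Get-Item -LiteralPath $ProtectedKey
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($name in $key.GetValueNames()) {
        $raw   = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $bytes = if ($raw -is [byte[]]) { $raw } else { [Text.Encoding]::UTF8.GetBytes([string]$raw) }
        $label = if ($name -eq '') { '(Default)' } else { $name }
        $snapshot[$label] = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    }
    $sha.Dispose()
    return $snapshot
}

function Save-ProtectedBaseline {
    # Run once, after the user has set the homepage they want to keep.
    Get-ProtectedSnapshot | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Compare-ProtectedBaseline {
    # Emits one object per value with Status ADDED / REMOVED / CHANGED / unchanged.
    if (-not (Test-Path -LiteralPath $BaselinePath)) { throw "No baseline at $BaselinePath; run Save-ProtectedBaseline first." }
    $baseline = @{}
    (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-ProtectedSnapshot
    foreach ($name in (@($baseline.Keys) + @($current.Keys) | Sort-Object -Unique)) {
        $status = switch ($true) {
            (-not $current.ContainsKey($name))       { 'REMOVED'; break }
            (-not $baseline.ContainsKey($name))      { 'ADDED';   break }
            ($baseline[$name] -ne $current[$name])   { 'CHANGED'; break }
            default                                  { 'unchanged' }
        }
        [pscustomobject]@{ Value = $name; Status = $status }
    }
}

# Usage: Save-ProtectedBaseline once, then schedule Compare-ProtectedBaseline (logon script
# or scheduled task) and alert on any row whose Status is not 'unchanged'.
```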

All replies

  • Sorry to say but the new Edge Group Policy settings are computer only.

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Saturday, December 5, 2015 4:00 AM
  • Mark, thank you for your comprehensive answer.

    I must admit I still find it a bit bizarre. As admin accounts should not have internet access at all, the worry about them seems excessive.

    The article you reference is about Add-ons, which I can understand the restrictions for. Restricting companies from providing groups of internal users with tailored homepages is just wrong.

    Tuesday, December 8, 2015 8:11 AM
  • Hi,
     
    On 08.12.2015 at 09:11, Eric G-S wrote:
    > I must admit I still find it a bit bizarre. As admin accounts should not
    > have internet access at all, the worry about them seems excessive.
     
    Most companies handle it differently, and if something bad happens, the
    people usually point to Microsoft and say: MS did it wrong. They gave us
    the tool and possibility. It's not our fault in behavior ...
     
    MS now corrects behaviors that are not their fault by changing
    configuration.
     
    > The article you reference is about Add-ons,
     
    Not at all, it's about "manipulating" the settings. How should Edge
    know where the settings come from?
    The "reg hack" just happens: from an add-on, from reg add, from regedit
    /s, from an MSI installer, from Domain GPO, from local registry.pol, from
    ... how to identify the 1000 ways to edit it?
     
    The only solution would be: you need to verify which source is valid,
    and that cannot be handled in a simple way. Now we are talking about file
    signing by GPO and approving certificates prior to importing "registry.pol"
    files coming from a valid source (all your domain controllers) etc.
    A big overhead, just to prove a valid source.
     
    The easy way is: the homepage is defined by users.
     
    I never thought defining the homepage is a need. To me, setting the
    homepage is always wrong. It takes too much time to load, most intranet
    sites are poorly developed etc. What's wrong with "about:blank", or letting
    the user decide? It's not a security issue, it's less than a convenience
    problem.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, December 8, 2015 8:39 AM
  • Besides, there is a lack of settings available in GPO for Edge. MDM is the future; I believe that overall we should manage Edge with MDM. GPO is legacy, MS is not developing it anymore, at least not as fast as it should be growing. And the same story with Windows 10, you cannot manage everything with GPO anymore.
    Tuesday, December 8, 2015 8:44 AM
  • Hi,
     
    On 08.12.2015 at 09:44, yannara wrote:
    > Besides, there is a lack of settings available in GPO for Edge. MDM
    > is the future, I believe that overall we should manage Edge with MDM.
     
    MDM is not the solution. Edge must provide the opportunity.
     
    In the end, it's just deployment. The client/product team is responsible
    for defining reg-keys or "some settings" (in reg, WMI, XML, INI,
    whatever you like);
     
    there is no difference if you deploy the setting by GPO, MDM, Intune,
    deployment (any product you like), script or whatever.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, December 8, 2015 11:01 AM