Edge

5 Things To Check In Your Microsoft Edge Configuration

In what has now become a ‘5 Things To Check’ series, this time we’re looking at Microsoft Edge. The Center for Internet Security’s (CIS) Microsoft Edge benchmark is up to v2.0.0, so again I’ll pick my favourite 5 things listed, along with giving my own explanation of why they matter and other considerations.

By the way, did you know there’s now a whole ‘Policies for Microsoft Edge’ area of the Microsoft 365 admin center? More details on the Microsoft Edge management service here.

OK let’s jump into the top 5!

1. Ensure ‘Configure extension management settings’ is set to ‘Enabled: *’

Browser extensions can do a bunch of useful things, including potentially reading everything you do and sending it off to a third party. Even if it’s not for malicious purposes, your users certainly aren’t looking into what an extension does permission wise, and thinking about data sovereignty (I know there will be exceptions to this!). Just like any other app, extensions should be controlled and go through an approval process before they’re allowed on a work device. Moreso, the tie-in with using Microsoft Edge with a work profile to both be required to access certain resources, as well as pulling down policies automatically to configure the profile in a secure state goes a long way to providing a full secure experience.

By default, all users can install whatever extensions they like.

Microsoft have full documentation on how to manage Microsoft Edge extensions here Detailed guide to the ExtensionSettings policy | Microsoft Learn but this setting is the start of enabling it, and blocking all by default unless there’s an exception – which is why it’s being set to a wildcard *. Exceptions to the global block can be granted with the setting ‘Allow specific extensions to be installed.’. There’s several ways to manage and deploy this:

Group Policy – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-policies#allow-or-block-extensions-in-group-policy

Intune – https://support.imperosoftware.com/hc/en-au/articles/10590384691347-Managing-Edge-extensions-in-Microsoft-InTune

Microsoft Edge management service (the new way!) https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service#manage-settings-for-all-extensions

Yes there is management overhead in blocking all extensions and looking at each case on what you should allow, and yes you need to consider other browsers like Google Chrome – you can’t just lock down Microsoft Edge and leave Google Chrome to be a free for all, or users will go there instead.

2. Ensure ‘Enable profile creation from the Identity flyout menu or the Settings page’ is set to ‘Disabled’

I called out profiles in the first tip – Edge profiles are a core component of Microsoft Edge security. A work or school account signed into Microsoft Edge can pull down Microsoft 365 tenant settings, including the new Microsoft Edge Management Service which to quote the start of the learn.microsoft.com article:

The Microsoft Edge management service is a platform in the Microsoft 365 admin center that enables admins to easily configure Microsoft Edge browser settings for their organization. These configurations are stored in the cloud and the settings can be applied to a user’s browser through group assignment or group policy. Users must be logged into Microsoft Edge to retrieve these settings.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service

Either Single Sign-on should enforce Edge to automatically sign in with the same account as the PC is logged in as, or on BYOD the requirement to create a profile with the work account can allow for application management – things like stopping data exiting the browser session, screenshots, the blocking of extensions etc.

On the flip side, letting users create profiles throws all that security and control out the window. If someone can create a new profile even as a guest, a lot of the controls drop off – as well as potentially treating the browser session as a consumer one, and things like Microsoft Rewards turn up. You also have history, bookmarks, password managers etc potentially being saved against a Microsoft account (rather than a work/school one). That Microsoft account may not even have MFA on it – so a compromised Microsoft account used to sync browser information could grab a lot of company related data if it’s being used for the wrong purposes.

The setting can be set by Group Policy if you download the Microsoft Edge for Business pack (worth doing if you’re living in Group Policy land still) – Download Edge for Business (microsoft.com), or the registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
“BrowserAddProfileEnabled”=0

You can also set this via Microsoft Edge management service https://admin.cloud.microsoft/#/Edge/PolicyConfiguration/

3. Ensure ‘Enable AutoFill for addresses’ is set to ‘Disabled’

Ever walked up to an iPad at a business that you need to register your details on, and as you click on the first part of the form it shows you a bunch of other people’s data? That’s AutoFill enabled by default, when it definitely should not be.

This is a tough one, because AutoFill is so handy. You go to a website and need to fill in a form, but instead you get a dropdown, pick your name and the form is mostly filled out! In a work environment though, this can be a big catch. Are you ever putting in personally identifiable information for someone else? It could be as simple as an email address. That data gets saved in a manner that isn’t that much different to having a text file in your profile that contains the same data – so it shouldn’t be allowed.

You’d probably get user pushback on this, but a decent password manager should also have AutoFill functionality, but where it prompts you before it saves the data, and it’s easily readable against a profile rather than the more obfuscated method that Edge (and other browsers) generally use.

The AutofillAddressEnabled is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service (and untick that ‘Allow users to override’ option which is ticked by default!).

4. Ensure ‘Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads’ is set to ‘Enabled’

Microsoft Defender SmartScreen

Microsoft’s support site explains to users about Defender SmartScreen, including the Screening downloads part. Seems like a pretty good idea, if a user downloads something and it matches a file that Microsoft has already found unsafe, it’ll warn you:

Screening downloads: SmartScreen checks your downloads against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns you that the download has been blocked for your safety. SmartScreen also checks your downloaded files against a list of well-known and popular downloads by Microsoft Edge users and warns you if your download is not on this list. 

https://support.microsoft.com/en-au/microsoft-edge/how-can-smartscreen-help-protect-me-in-microsoft-edge-1c9a874a-6826-be5e-45b1-67fa445a74c8#:~:text=Screening%20downloads%3A%20SmartScreen%20checks%20your,been%20blocked%20for%20your%20safety.

You can just bypass this warning and download the file anyway. A home user may want this experience to make the decision themselves, but this probably isn’t the decision you want an end user to make in a corporate environment and on a work device. Arguably, several other layers should protect you anyway including Defender for Endpoint or whatever EDR solution is in place, but this is a pretty safe extra layer to have in place.

Preventing user bypass of a SmartScreen detected suspicious download seems like an obvious one. Again, PreventSmartScreenPromptOverrideForFiles is a single setting via registry, Group Policy, or Microsoft Edge management service:

5. Ensure ‘Enhance the security state in Microsoft Edge’ is set to ‘Enabled: Balanced mode’

This is disabled by default. Clicking the ? next to ‘Enhance your security on the web’ will tell you:

What is enhanced security mode?
This runs your unfamiliar sites without the just in time (JIT) compilation to provide added protection. Running JIT-less reduces attack surface, making it difficult for malicious sites to exploit.
The additional protection includes Windows operating system mitigations such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG).

Although there is a caveat ‘Most sites work as expected’, it’s an adaptive setting that learns behavour and what’s common the more it gets used. Admins can also add exceptions or forced enhanced security to certain sites: Browse more safely with Microsoft Edge | Microsoft Learn

I’ve been running this setting on at home for several months and haven’t noticed any issues, but I’m sure there are some sites that would be affected by this. You can decide if you let users toggle the option off on a per-website basis too.

The ‘Balanced mode option under ‘EnhanceSecurityMode’ setting can be set via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:

Bonus because I couldn’t pick between this and #5!
6. Ensure ‘Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft’ is set to ‘Disabled’

This is enabled by default. Regardless of trust in Microsoft or not, unnecessarily sending information such as browser history, favorites/collections etc is worth blocking. At the cost of ad personalisation, which should be irrelevant in a corporate setting. Enable this one!

The PersonalizationReportingEnabled setting is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:

It’s also worth calling out that Microsoft have their own Security Baseline for Microsoft Edge included in this: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center which lists out all the policies with recommended settings, along with a bunch of other products. You should be keeping track of the Security Baseline for Microsoft Edge and following the guidance where possible on each release.

Microsoft Edge 87 Enterprise Considerations

Microsoft Edge 87 has now been fully released. There’s a few options in this that Business and Enterprises should consider:

Shopping

Microsoft by default, are enabling a bunch of shopping options in Edge. As per the article above, there’ll be coupons that’ll pop up, detections when there might be the same item you’re looking at cheaper elsewhere, and tab page enhancements to add extra shopping info about items.

I can already hear some of you saying you don’t want this in your place of business, so to disable it you’ll need to find the ‘Shopping in Microsoft Edge Enabled‘ GPO, located under User Configuration > Policies > Administrative Templates > Microsoft Edge default settings (users can override) / Microsoft Edge:

If you’re missing this setting, make sure you update your ADMX files by downloading from here and updating your central repository.

It’s good that this is under both force disable, as well as disable but let a user turn it on if they want. It’s not good that it’s on by default.

Friendly URLs

If you’re on Edge, you may have noticed this already. Copying a URL link from Edge, then pasting it somewhere that supports HTML code results in this:

AdamFowlerIT.com

instead of this:

https://www.adamfowlerit.com/

It’s another ‘on by default’ and although I can see certain use cases where this would be preferable, I’m fairly against changing the default copy/paste behavior that has been in place for decades.

If you copy a link and want to paste it as the link itself, you can use Ctrl + Shift + V instead of Ctrl + V … except right now, this doesn’t work in Office apps like Outlook or Word, and I’ve tested in both 2016 and 365.

Edge itself also has a new right click menu for pasting showing the options, but right click > mouse to menu, mouse to submenu, choose ‘Plain text’ is a bit clunky.

You can turn this off in the Edge settings, but again businesses and enterprises may not want this new feature in place, since some would more frequently be copying a link because they want the link itself, rather than a nice way to share it.

Again, Group Policy has a setting for this but this time it’s just a forced setting, rather than user changeable. If you want that, you’d need to deploy the registry setting as per the above article with a ‘apply once and don’t reapply’ option ticked.

The GPO is under User Configuration > Policies > Administrative Templates > Microsoft Edge > Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users

That’s a doozy of a name, and a doozy of a long dropdown menu with a ‘coming soon’ dropdown – none of these dropdowns actually match the description given.

I am a big fan of Edge, but it’s pretty obvious that the normal care that goes into updates just hasn’t happened in this instance. There’s already a fair bit of noise about this change, so who knows, maybe they’ll at least change the default behavior and not have it on?

My Feed

This one actually sounds really useful and lets both users and admins modify and present different sets of data arounds news and the organisation.

It has to be enabled in the Microsoft 365 admin center, which it was already on for me:

But, I’m missing some of the options selected in my Australian tenant. I checked my U.S. tenant and I see different things:

I’m not actually seeing the My Feed in my Australian tenant’s accounts, so I’d be guessing it’s either a US only thing at this stage, or it’s still rolling out. A bit annoying that this isn’t mentioned in the ‘My Feed‘ article or the original article mentioning the features that are now out, so hopefully the rest of us get it soon!

For the US tenant account though, it’s all there!

Set Microsoft Edge as Default Browser One Time

The New Microsoft Edge browser is great and everyone should use it :) Especially if you’re still on Internet Explorer, you can make Edge use IE mode for the sites you have that still require IE, without having to actually use IE.

I had a scenario where I wanted Internet Explorer users to be changed to Microsoft Edge. Previously, we’d had business requirements to set IE as the default – but now that’s no longer required, I wanted to flip their default. At the same time, I didn’t want to change Google Chrome default browser users as they’d already made that choice, and didn’t want to shove a similar Chromium browser down their throats.

As per Microsoft’s doco https://docs.microsoft.com/en-us/deployedge/edge-default-browser you can use an XML file with default associations, and use Group Policy to point to that XML. It doesn’t stop users from changing the associations, but it does reset the associations each time the user logs in – so not ideal if you want to set a default, but also allow flexibility.

I worked out how to do this based on current default browser and using GPO still, so here’s what I did:

As per the doco above, create an XML file that sets Microsoft Edge as the default application for certain protocols:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations> 
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".html"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier=".htm"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="http"/>
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgeHTM" Identifier="https"/>  
  <Association ApplicationName="Microsoft Edge" ProgId="MSEdgePDF" Identifier=".pdf"/>
</DefaultAssociations>

Note that .PDF is included, so if you’d rather not default .PDF files to Microsoft Edge, remove that line from the code.

The Group Policy in the doco to set this XML is called Set a default associations configuration file – and all it’s doing is populating a registry key. Instead of using the Group Policy setting, create a registry setting to apply a value to:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
DefaultAssociationsConfiguration - REG_SZ - Path to XML e.g. \\dfs\share\defaultapplication.xml

The Group Policy registry setting will look like this:

We only want this registry setting to apply when the default browser is IE, and not apply any other time. We can use two options to do this – Remove this item when it is no longer applied, and Item-level targeting:

“Remove this item when it is no longer applied” will remove the registry setting when the item-level targeting condition is no longer true, which will stop the default browser applying again and again once the default browser isn’t IE.

“Item-level Targeting” is where we’ll check another registry value to see if IE is the default browser.

This is checking the registry key path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

and the Value name ProgId

and the Value Data IE.HTTP

Only when all this is true, will the XML reg key apply. Next time someone logs on, the default program associations file will be read and apply the new browser default. Then, next time Group Policy evaluates, the registry setting will be out of scope and removed, so the default program assocations file registry setting will be removed.

For reference, Chrome will be the value ChromeHTML and Edge will be MSEdgeHTM.

This method worked quite well and gave me what I was after – a one time change from Internet Explorer to Microsoft Edge, without bothering Chrome and Firefox users.

Note that this will also keep kicking in if the user changes their browser default back to Internet Explorer, which might be what you want – but if not, you’d need to add another Item-level target using a flag file or registry setting to mark that the default browser has already been applied once.

The Current State of Edgium

Update 16th Jan 2020: The New Edge is now live! You can download from here” https://www.microsoft.com/en-us/edge?form=MO12GC&OCID=MO12GC and more details here: https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/

Original Article:

“Edgium” or ‘The next version of Microsoft Edge’ is Microsoft’s rebuild of the Microsoft Edge browser, built on the open-source Chromium platform. I recently decided to start using it and see the current state of Edgium (which I’ll call it that for the rest of this post for clarification’s sake).

Microsoft Edge was met with a lot of resistance when launched – and although there were reasonable claims about it being the fastest browser around, there were a lot of features lacking and sites that wouldn’t work with it.

Here’s why Microsoft decided to abandon Edge as it is. It’s interesting to note that on mobile devices, they were already using an open-source foundation from the start, and for the desktop version there’s a focus on making sure all web standards are adopted.

You can download Microsoft Edge Beta right now and install it in parallel with the old Edge – or you can install the build that replaces old Edge direct from Microsoft here (keep in mind you can’t uninstall from this). The Beta is good if you want to have a play around before committing.

The expirience I’ve had so far is rock solid. There are some ways where it loosk and feels like Chrome, and others where it’s more Edgey. The import options (for me at least) just worked – I could import everything from browser history, favorites and saved passwords and pick which Chrome profile I wanted to import it from.

At the Edgium end, I’ve then created multiple profiles and imported each relevant profile across to match the experience I was having on Chrome. Multiple profiles is great when you’re doing things in Microsoft 365 and have multiple accounts (user and admin) and different tenants to access.

Also, Edgium fully supports Chrome extensions. Old Edge did have extensions too, but very few. Edgium will prompt, asking if you want to allow 3rd party extensions, and then you add them just like you would in Chrome:

The settings area of Edgium in my opinion, is much better than Chrome:

Google Chrome Settings Page
Microsoft Edgium Settings Page

There’s also already Group Policy ADM/ADMX files ready to use which gives IT Administrators a lot of control over the browser, which is worth putting in place and going through before you even consider piloting Edgium.

For IT Admins, also check out the security baseline you should use, currently in draft form.

Edgium also has an Internet Explorer mode, so hopefully this can end up with Edgium replacing Chrome, Internet Explorer and Old Edge with a single browser – it might take a while of course, but for a company looking to control the user experience a bit more and not manage lots of browsers, it’s looking hopeful.

At the time of writing there’s no announced release date of Edgium, but it’s expected to completely replace Edge – so it’s worth getting used to it early. I’m sure there will be some changes between here and launch, but it should all be small changes.

Personally I’ve made the move from Chrome to Edge and haven’t hit an issue yet. Old Edge is on the way out, and overall this seems to be a positive decision for all involved. Let’s see how

Chinese Characters in IE11, Edge and Windows 10

I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:

  • Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
  • Buttons would be completely blank. The buttons themselves worked, which you could either use if they had a graphical representation of the button still, or you knew where to click.

This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.

This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical. and other browsers weren’t affected – Chrome could display these sites perfectly fine.

I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:

As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practises. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.

One of these settings was ‘Untrusted Font Blocking‘. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.

This is what Group Policy says about Untrusted Font Blocking:

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.

Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.

It turns out that in simple terms, websites can present their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic of a font. Usually the site will load the font on the fly, but blocking that means the site fails back to a ‘best match’ on the font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.

Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.

TL;DR version:

Turn off Untrusted Font Blocking through either of these methods:

Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking

Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions

  • To turn this feature on. Type 1000000000000.
  • To turn this feature off. Type 2000000000000.
  • To audit with this feature. Type 3000000000000.Important
    Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000