Apply all Edge Policies like HomepageLocation, DefaultSearchProvider, … for non-Domain-joined Devices

In this Blog-Post I describe, how to apply restricted Edge based on Chromium Policies like HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen and several more without domain-joining the Devices by using a “Fake-MDM-Provider”.

Several Microsoft Edge (based on Chromium, Version 77 and newer) Policies are described as follows: This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management.

This means, that this policies are not respected and therefore not successfully applied to Edge when configured locally by gpedit.msc (Group Policy Editor) as local registry keys on devices, which are not managed by Active-Directory Domain-Join or an Mobile-Device-Management-Solution.

But: there is an easy workaround to achieve a successful honored configuration of this restricted policies by configuring a “Fake-MDM-Provider” (= enrolled for device management without actually using MDM).

This blog-post is a rewrite of an older blog-post I initially published in April 2018. The difference between my older blog-post and this newer version is, that:
1. This one covers Edge based on Chromium (Edge v77 and newer), the older Blog-Post covers Edge v44 (the now called “Edge Legacy” which was shipped with Windows 10 Releases up to v1909).
2. This one is written in english, my older one was published in German. As so many people in Microsoft-TechCommunity are asking about this restriction I decided to blog this one in English to reach a broader audience.

Local Group Policy Restrictions

As already described, several Microsoft Edge Policies are restricted to be only honored and applied when the device is Domain-Joined or managed by MDM. You can find those restricted Policies by searching for the String “This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management” in the Microsoft Edge Policy-Documentation. If you use gpedit.msc (the Local Group Policy Editor) this restriction is well documented even in the comments of the Policy-Description (but you have to scroll down to see it, as you can see on the next Screenshot):

Local Group Policy Editor, Edge Policies – some of them resticted to AD-joined-Machines

Fake MDM-Provider?

Mobile-Device-Management-Solutions like Microsoft Intune, BlackBerry UEM, Cisco Meraki, Airwatch, MobileIron, etc… allow you to use a lightweight Device-Management by applying some assorted policies to MDM-managed-devices. Most of these solutions are not free of charge, but there are even some cloud-managed, free of charge solutions like Miradore Online to run some cost-free experiments. To “enroll” a Windows-Device to a MDM-Solution the Mobile Device Enrollment Protocol is used.

What I did is, I traced all modifications (tons of registry Keys etc…) on a Windows Machine, when enrolling a Win10-device to an MDM-Solution. Then I traced those Registry Keys checked by Microsoft Edge, to decide if the Device is MDM-Managed or not. I narrowed down the ton of registry keys to only a few of them really needed to successfully let Edge detect “this device seems to be MDM-Managed” without actually having a connection to an MDM-Provider.

As a result I can provide you a minimal-set of Registry-Keys you have to add to make Edge on a Win10-Machine “feel” like it is MDM-Managed an honors to apply the restricted Policies like HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen and several more without domain-joining the Devices.

MDM-FakeEnrollment-Win10_v1809_v1909.reg
Some of the Fake-MDM-Provider Registry-Keys

Download the needed reg-Files

I provide you a single zip-File which contains 3 Files:
1. MDM-FakeEnrollment-Win10_v1809_v1909.reg … the Registry-Keys you have to add to let Edge “feel” like the Win10-Machine is MDM-Managed.
2. EdgeChromium-Policies.reg … some sample policies like configuring Google as Search-Engine, Homepage, New-Tab-Page etc… – this works after the MDM-FakeEnrollment is applied.
3. EdgeChromium-UpdatePolicy-SideBySide.reg … this (fully optional) Policy you may like to set to keep old EdgeLegacy available when installing EdgeChromium.

Just import the 1st one (MDM-FakeEnrollment-Win10_v1809_v1909.reg ) to enable the “Fake-MDM-Provider”. Use the 2nd one (EdgeChromium-Policies.reg) to import my sample configuration (like shown in the next screenshot) or use your gpedit.msc (Local Group Policy Editor).

Local Policies for Edge (based on Chromium)

When using the Group Policy Editor you need the admx-Files for Edge based on Chromium from Microsoft, you can download them here: https://www.microsoft.com/en-us/edge/business/download (Link: “Get Policy Files). Configuration then looks like this: Computer Configuration => Administrative Templates => Microsoft Edge. Be aware: it is NOT “Windows Components => Microsoft Edge” (this would be the old Edge Legacy Browser!).

Compatibility

I successfully tested my solution with all currently Microsoft-supported Windows 10 Releases: v1709, v1809, v1903, v1909, 2019 LTSC and all currently (January 2020) available Edge based on Chromium Versions: v79, v80 (Beta), v81 (Dev).
Update 09.02.2020: Successfully tested with v80.0.361.48 (Stable) up to v82.0.418.0 (Canary)

Edge Releases

After successfully applying the Fake-MDM-Registry-Keys for example the Open page on start-up Setting is successfully configured and locked:

All Edge Policies applied can be viewed by opening edge://policy

Edge-Policy Overview edge://policy

1 Comment

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht.