In this blog post I describe how to apply restricted policies of Edge based on Chromium, such as HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen and several more, without domain-joining the devices, by using a “Fake-MDM-Provider”. You need this solution if some of your policies show up as “blocked” in the
edge://policy overview.
Several Microsoft Edge (based on Chromium, version 77 and newer) policies are documented with this note: “This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management.”
This means that these policies are not honored, and therefore not applied to Edge, when they are configured locally (via gpedit.msc, the Group Policy Editor, which stores them as local registry keys) on devices that are neither joined to an Active Directory domain nor managed by a Mobile Device Management (MDM) solution.
But there is an easy workaround to get these restricted policies honored: configure a “Fake-MDM-Provider” (the device appears to be enrolled for device management without actually using an MDM solution).
This blog post is a rewrite of an older blog post I initially published in April 2018. The differences between my older blog post and this newer version are:
1. This one covers Edge based on Chromium (Edge v77 and newer); the older blog post covers Edge v44 (now called “Edge Legacy”, which was shipped with Windows 10 releases up to v1909).
2. This one is written in English; my older one was published in German. As so many people in the Microsoft Tech Community are asking about this restriction, I decided to write this one in English to reach a broader audience.
Local Group Policy Restrictions
As already described, several Microsoft Edge policies are only honored and applied when the device is domain-joined or managed by MDM. You can find these restricted policies by searching for the string “This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management” in the Microsoft Edge policy documentation. If you use gpedit.msc (the Local Group Policy Editor), this restriction is also documented in the comments of the policy description (but you have to scroll down to see it, as you can see in the next screenshot):
Mobile Device Management solutions like Microsoft Intune, BlackBerry UEM, Cisco Meraki, AirWatch, MobileIron, etc. allow lightweight device management by applying an assortment of policies to MDM-managed devices. Most of these solutions are not free of charge, but there are some cloud-managed, free-of-charge solutions like Miradore Online for cost-free experiments. To “enroll” a Windows device in an MDM solution, the Mobile Device Enrollment Protocol is used.
What I did is, I traced all modifications (tons of registry keys etc.) on a Windows machine when enrolling a Win10 device in an MDM solution. Then I traced those registry keys checked by Microsoft Edge to decide whether the device is MDM-managed or not. I narrowed down the ton of registry keys to only the few of them really needed to successfully let Edge detect “this device seems to be MDM-managed” without actually having a connection to an MDM provider.
As a result, I can provide you with a minimal set of registry keys you have to add to make Edge on a Win10 machine “feel” like it is MDM-managed, so that it honors and applies the restricted policies like HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen and several more without domain-joining the devices.
Download the needed reg-Files
I provide a single zip file which contains these files:
1. MDM-FakeEnrollment-Win10.reg … the registry keys you have to add to let Edge “feel” like the Win10 machine is MDM-managed.
2. EdgeChromium-Policies-Mandatory.reg … some sample policies like configuring Google as search engine, homepage, new tab page etc. – these work after the MDM fake enrollment is applied. If you set “Mandatory” policies, these settings cannot be (re-)configured by users themselves.
3. EdgeChromium-Policies-Recommended.reg … some sample policies configured not as “Mandatory” but only as “Recommended”; these settings can be changed by users themselves, they are just a default.
4. EdgeChromium-UpdatePolicy-SideBySide.reg … this (fully optional) policy you may like to set to keep the old Edge Legacy available when installing Edge based on Chromium. Now, in the year 2022+, this is obsolete, as the old Edge Legacy is no longer available on current Windows 10 systems.
Just import the 1st one (MDM-FakeEnrollment-Win10.reg) to enable the “Fake-MDM-Provider”. Use the 2nd one (EdgeChromium-Policies-Mandatory.reg) to import my sample configuration (as shown in the next screenshot), or use gpedit.msc (Local Group Policy Editor).
When using the Group Policy Editor you need the admx files for Edge based on Chromium from Microsoft; you can download them here: https://www.microsoft.com/en-us/edge/business/download (link: “Get Policy Files”). The configuration is then found under: Computer Configuration => Administrative Templates => Microsoft Edge. Be aware: it is NOT “Windows Components => Microsoft Edge” (that would be the old Edge Legacy browser!).
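As an added example (not the author's .reg files, which are only available in the download), the following PowerShell script writes a small set of mandatory and recommended Edge policies directly to the registry, in the layout the Chromium policy loader reads: plain policies are values under HKLM\SOFTWARE\Policies\Microsoft\Edge (or \Edge\Recommended), and list policies such as RestoreOnStartupURLs are a subkey whose values are named "1", "2", … in list order. The policy names are the ones named in this post and in the Edge policy documentation; the URLs and the search-provider values are sample values chosen for this example. The Fake-MDM enrollment keys from MDM-FakeEnrollment-Win10.reg are deliberately not part of this script, so on a device that is neither domain-joined nor enrolled, the managed-only policies written here still show as blocked in edge://policy until that step is done.

```powershell
# Added example: write sample Edge (Chromium) policies to the registry.
# Not the author's .reg files; URLs and search-provider values are sample values.
# Does NOT contain the Fake-MDM enrollment keys from the post's download.
# Run from an elevated PowerShell session (writes to HKLM).

$Mandatory   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Recommended = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended'

function Set-EdgePolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String', 'DWord')] [string] $Type = 'String'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# List-valued policies (e.g. RestoreOnStartupURLs) are stored as a subkey named after
# the policy, whose values are named "1", "2", ... in the order of the list.
function Set-EdgeListPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Items
    )
    $listKey = Join-Path $Path $Name
    if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }   # drop stale entries first
    New-Item -Path $listKey -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $listKey -Name ($i + 1) -Value $Items[$i] -PropertyType String -Force | Out-Null
    }
}

# --- Mandatory policies: users cannot change these in the Edge settings UI ---
Set-EdgePolicy $Mandatory 'HomepageLocation'     'https://intranet.example.test/'       # sample URL
Set-EdgePolicy $Mandatory 'HomepageIsNewTabPage' 0 'DWord'
Set-EdgePolicy $Mandatory 'NewTabPageLocation'   'https://intranet.example.test/start'  # sample URL
Set-EdgePolicy $Mandatory 'RestoreOnStartup'     4 'DWord'   # 4 = open the URL list below on startup
Set-EdgeListPolicy $Mandatory 'RestoreOnStartupURLs' @(
    'https://intranet.example.test/',
    'https://www.google.com/'
)
Set-EdgePolicy $Mandatory 'DefaultSearchProviderEnabled'   1 'DWord'
Set-EdgePolicy $Mandatory 'DefaultSearchProviderName'      'Google'
Set-EdgePolicy $Mandatory 'DefaultSearchProviderSearchURL' 'https://www.google.com/search?q={searchTerms}'
Set-EdgePolicy $Mandatory 'SmartScreenEnabled'   1 'DWord'

# --- Recommended policies: applied as defaults, users may still change them ---
Set-EdgePolicy $Recommended 'ShowHomeButton' 1 'DWord'

# Read back what was written, to compare with the edge://policy page afterwards
Get-ItemProperty $Mandatory   | Select-Object * -ExcludeProperty PS*
Get-ItemProperty $Recommended | Select-Object * -ExcludeProperty PS*
```

After running it, open edge://policy and click “Reload policies”: on a domain-joined or MDM-enrolled device (or after the Fake-MDM keys are in place) every entry above should show status OK, while on an unmanaged device the policies that the post lists as restricted are the ones expected to show as blocked.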
- Test in January 2020: I successfully tested my solution with all currently Microsoft-supported Windows 10 Releases: v1709, v1809, v1903, v1909, 2019 LTSC and all currently (January 2020) available Edge based on Chromium Versions: v79, v80 (Beta), v81 (Dev).
- Test on 09.02.2020: Successfully tested with Edge v80.0.361.48 (Stable) up to v82.0.418.0 (Canary)
- Test on 20.05.2020: Successfully tested with Edge v81.0.416.77 (Stable) up to v84.0.520.0 (Canary) on Win10 v1909 as well as Win10 v2004 (by InplaceUpgrade from Win10 v1909)
- Test on 22.05.2020: Successfully tested with Edge v81.0.416.77 (old Stable) as well as v83.0.478.37 (new Stable) up to v84.0.520.0 (Canary) on Win10 v2004 (Fresh Install, Build 19041.264)
- Test on 12.10.2020: Successfully tested with Edge v86.0.622.38 (Stable) up to v87.0.658.0 (Dev) on Win10 v1909
- Test on 21.10.2020: Successfully tested with Edge v86.0.622.48 (Stable), v87.0.664.12 (Beta), v88.0.673.0 (Dev), 88.0.677.0 (Can) on Win10 v2009 / 20H2 Build 19042.572
- Test on 13.11.2020: Successfully tested with Edge v86.0.622.68 (Stable), v87.0.664.30 (Beta), v88.0.692.0 (Dev), v88.0.698.0 (Can) on Win10 v2009 / 20H2 Build 19042.630 (Professional, Education, Enterprise)
- Test on 14.12.2020: Successfully tested with Edge v87.0.664.60 (Stable), v88.0.705.18 (Beta), v89.0.723.0 (Dev), 89.0.731.0 (Can) on Win10 v2009 / 20H2 Build 19042.685 (Professional, Education, Pro Education, Enterprise)
- Test on 11.06.2021: Successfully tested with Edge v91.0.864.41 (Stable), v92.0.902.9 (Beta), v93.0.910.5 (Dev) on Win10 v21H1 Build 19043.1052 (Professional, Education, Pro Education, Enterprise)
- Test on 13.08.2021: Successfully tested with Edge v92.0.902.73 (Stable), v93.0.961.18 (Beta), v94.0.975.1 (Dev) on Win11 Preview v21H2 Build 22000.132 (Professional, Education, Pro Education, Enterprise)
- Test on 20.04.2022: Successfully tested with Edge v100.0.1185.44 (Stable), Edge v101.0.1210.19 (Beta), Edge v102.0.1227.0 (Dev+Canary) on Windows 10 v21H2 Build 19044.1620 (Professional) all Patches applied. There was a Bug in the “early” v101-Beta-Releases which was fixed starting with v101.0.1210.19.
- Test on 05.09.2022: Successfully tested with Edge 105.0.1343.27 (Stable & Beta), Edge 106.0.1363.0 (Dev) on Windows 10 v21H2 Build 19044.1889 (Professional, Enterprise) all Patches applied.
- Test on 12.09.2022: Successfully tested with Edge 105.0.1343.33 (Stable & Beta), Edge 107.0.1375.0 (Dev) on Windows 11 v21H2 Build 22000.918 (Professional, Pro for Workstations, Pro Education, Education, Enterprise) all Patches applied
- Test on 22.09.2022: Successfully tested with Edge 105.0.1343.42 (Stable), 106.0.1370.17 (Beta), Edge 107.0.1387.2 (Dev) on Windows 11 v21H2 Build 22000.1042 (Professional, Pro for Workstations, Pro Education, Education, Enterprise) and Windows 11 v22H2 Build 22621.521 (Professional, Pro for Workstations, Pro Education, Education, Enterprise) – all Patches applied
- Test on 30.12.2022: Successfully tested with Edge 108.0.1462.54 (Stable), 109.0.1518.26 (Beta), 110.0.1556.0 (Dev) on Windows 10 Pro v22H2 and Windows 11 Pro v22H2 – all Patches applied
Supported Windows Editions:
- Windows 10 Home => NO! Does not Support MDM, not supported by Fake-MDM-Provider
- Windows 10 Pro Education => Bug identified on 13.11.2020, does not work with MDM or Fake-MDM => I reported this issue to Microsoft => It is fixed in Edge Stable 87.0.664.53+ or Edge Canary v88.0.704.0+
- Windows 10 Pro => YES! tested Win10 20H2, 21H1, 21H2, 22H2
- Windows 10 Pro for Workstations => Bug identified on 11.06.2021, does not work with MDM or Fake-MDM => I reported this issue to Microsoft => It is fixed in Edge starting with Version 93.0.930.0+ => YES!
- Windows 10 Education => YES! tested Win10 20H2, 21H1, 21H2, 22H2
- Windows 10 Enterprise => YES! tested Win10 20H2, 21H1, 21H2, 22H2
- Windows 10 IoT Enterprise LTSC 2021 21H2 => Bug identified in 03/2022 => Reported to Microsoft => Result: YES, works starting with Edge v100+
- Windows 11 Professional => YES! tested with Win11 21H2 and 22H2 on 22.09.2022
- Windows 11 Pro for Workstations => YES! tested with Win11 21H2 and 22H2 on 22.09.2022
- Windows 11 Pro Education => YES! tested with Win11 21H2 and 22H2 on 22.09.2022
- Windows 11 Education => YES! tested with Win11 21H2 and 22H2 on 22.09.2022
- Windows 11 Enterprise => YES! tested with Win11 21H2 and 22H2 on 22.09.2022
After the Fake-MDM registry keys have been applied successfully, the “Open page on start-up” setting, for example, is configured and locked:
All applied Edge policies can be viewed by opening edge://policy.
Side-Effect: Defender Tamper Protection turned off on MDM-managed Devices
When a Windows machine is MDM-managed, Windows Defender Tamper Protection is “Managed by Administrator” and shows as turned off. This is not caused intentionally by my Fake-MDM-Provider; it is the general behavior of any MDM-managed device, as you can read here. Thanks ¡Firedog for bringing this to my attention.
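The two things a practitioner wants to verify after this setup are which Edge policies are actually in place (and which of them are the managed-only ones the post is about) and the Tamper Protection state the side effect above refers to. The read-only PowerShell audit below, an added example that is not part of this post, enumerates the mandatory and recommended Edge policies in the registry, flags the ones whose names match the policies this post names as honored only on domain-joined or MDM-enrolled devices (HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider*, SmartScreen*; that list is taken from the post, not from the full Edge documentation), and reports Defender's IsTamperProtected flag from Get-MpComputerStatus. It does not write anything.

```powershell
# Added example (not part of the blog post): read-only audit of the Edge policy
# configuration and of the Defender Tamper Protection state.
# Assumption: the "managed-only" prefixes below come from the policy names in the
# post; the Edge policy documentation is the authoritative source for that list.

$ManagedOnlyPrefixes = @('HomepageLocation', 'NewTabPageLocation', 'RestoreOnStartupURLs',
                         'DefaultSearchProvider', 'SmartScreen')

function Get-EdgeRegistryPolicies {
    param([string] $Path, [string] $Scope)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item $Path

    # plain policies are values directly under the key
    $result = @(foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Scope = $Scope; Policy = $name; Kind = 'value'; Value = $key.GetValue($name) }
    })

    # list policies are subkeys named after the policy, with values "1", "2", ...;
    # the Recommended subkey is a separate scope and is skipped here
    $result += @(foreach ($sub in ($key.GetSubKeyNames() | Where-Object { $_ -ne 'Recommended' })) {
        $subKey = $key.OpenSubKey($sub)
        $items  = $subKey.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $subKey.GetValue($_) }
        $subKey.Close()
        [pscustomobject]@{ Scope = $Scope; Policy = $sub; Kind = 'list'; Value = ($items -join ', ') }
    })
    return $result
}

function Test-ManagedOnlyPolicy {
    param([string] $PolicyName)
    foreach ($prefix in $ManagedOnlyPrefixes) {
        if ($PolicyName -like "$prefix*") { return $true }
    }
    return $false
}

$policies = @(Get-EdgeRegistryPolicies 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'Mandatory') +
            @(Get-EdgeRegistryPolicies 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended' 'Recommended')

if ($policies.Count -eq 0) {
    'No Edge policies found under HKLM\SOFTWARE\Policies\Microsoft\Edge.'
} else {
    $policies |
        Select-Object Scope, Policy, Kind, Value,
            @{ n = 'ManagedOnly'; e = { Test-ManagedOnlyPolicy $_.Policy } } |
        Format-Table -AutoSize
}

# Tamper Protection: on an MDM-managed device the UI shows "Managed by Administrator".
# IsTamperProtected is a property of the Get-MpComputerStatus output (Defender module).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    "Defender Tamper Protection enabled: $($mp.IsTamperProtected)"
} else {
    'Defender status not available (Defender PowerShell module missing or service not running).'
}
```

Entries flagged ManagedOnly are the ones to cross-check against edge://policy: on an unmanaged device they are expected to show as blocked, and on a device where the Fake-MDM keys (or a real enrollment) are in place they should show status OK.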