{"id":1363,"date":"2020-01-30T00:07:55","date_gmt":"2020-01-29T23:07:55","guid":{"rendered":"https:\/\/hitco.at\/blog\/?p=1363"},"modified":"2026-03-29T22:05:27","modified_gmt":"2026-03-29T20:05:27","slug":"apply-edge-policies-for-non-domain-joined-devices","status":"publish","type":"post","link":"https:\/\/hitco.at\/blog\/apply-edge-policies-for-non-domain-joined-devices\/","title":{"rendered":"Edge Policies for non-Domain-joined Devices – Successfully apply HomepageLocation, DefaultSearchProvider, …"},"content":{"rendered":"\n

In this Blog-Post I describe, how to apply restricted Edge based on Chromium Policies<\/strong> like HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen<\/code> and several more without domain-joining the Devices by using a „Fake-MDM-Provider“.<\/strong> You need this solution, if some of your policies show up in edge:\/\/policy<\/code> overview to be „blocked“.<\/p>\n\n\n\n

Several Microsoft Edge (based on Chromium, Version 77 and newer) Policies are described as follows: This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management. <\/a><\/em><\/p>\n\n\n\n

This means, that this policies are not respected and therefore not successfully applied to Edge when configured locally by gpedit.msc (Group Policy Editor) as local registry keys on devices, which are not managed by Active-Directory Domain-Join or an Mobile-Device-Management-Solution.<\/p>\n\n\n\n

But: there is an easy workaround to achieve a successful honored configuration of this restricted policies by configuring a „Fake-MDM-Provider“ (= enrolled for device management without actually using MDM).<\/p>\n\n\n\n

This blog-post is a rewrite of an older blog-post I initially published in April 2018<\/a>. The difference between my older blog-post and this newer version is, that:
1. This one covers Edge based on Chromium<\/a> (Edge v77 and newer), the older Blog-Post<\/a> covers Edge v44 (the now called „Edge Legacy“ which was shipped with Windows 10 Releases up to v1909).
2. This one is written in english, my older one<\/a> was published in German. As so many people in Microsoft-TechCommunity are asking about this restriction I decided to blog this one in English to reach a broader audience.<\/p>\n\n\n\n

Local Group Policy Restrictions<\/h2>\n\n\n\n

As already described, several Microsoft Edge Policies are restricted to be only honored and applied when the device is Domain-Joined or managed by MDM. You can find those restricted Policies by searching for the String „This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain or Windows 10 Pro or Enterprise instances that are enrolled for device management“ <\/em>in the Microsoft Edge Policy-Documentation<\/a>. If you use gpedit.msc (the Local Group Policy Editor) this restriction is well documented even in the comments of the Policy-Description (but you have to scroll down to see it, as you can see on the next Screenshot):<\/p>\n\n\n\n

\"\"
Local Group Policy Editor, Edge Policies – some of them resticted to AD-joined-Machines<\/figcaption><\/figure>\n\n\n\n

Fake-MDM-Provider?<\/h2>\n\n\n\n

Mobile-Device-Management-Solutions<\/a> like Microsoft Intune, BlackBerry UEM, Cisco Meraki, Airwatch, MobileIron, etc… allow you to use a lightweight Device-Management by applying some assorted policies to MDM-managed-devices. Most of these solutions are not free of charge, but there are even some cloud-managed, free of charge solutions like Miradore Online<\/a> to run some cost-free experiments. To „enroll“ a Windows-Device to a MDM-Solution the Mobile Device Enrollment Protocol<\/a> is used. <\/p>\n\n\n\n

What I did is, I traced all modifications (tons of registry Keys etc…) on a Windows Machine, when enrolling a Win10\/Win11-device to an MDM-Solution. Then I traced those Registry Keys checked by Microsoft Edge, to decide if the Device is MDM-Managed or not. I narrowed down the ton of registry keys to only a few of them really needed to successfully let Edge detect „this device seems to be MDM-Managed“ without actually having a connection to an MDM-Provider.<\/p>\n\n\n\n

As a result I can provide you a minimal-set of Registry-Keys you have to add to make Edge on a Win10\/Win11-Machine „feel“ like it is MDM-Managed and honors to apply the restricted Policies like HomepageLocation, NewTabPageLocation, RestoreOnStartupURLs, DefaultSearchProvider, SmartScreen and several more without domain-joining the Devices.<\/p>\n\n\n

\nWindows Registry Editor Version 5.00\n\n; # Fake MDM-Enrollment - Key 1 of 2 - let a Windows Machine "feel" MDM-Managed\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Enrollments\\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF] \n"EnrollmentState"=dword:00000001 \n"EnrollmentType"=dword:00000000 \n"IsFederated"=dword:00000000\n\n; # Starting with Edge v147 in 04\/2026 a UPN is needed, otherwise the MDM-Provider is not accepted\n"UPN"="user@Fake-MDM-Provider.local"\n\n; # Fake MDM-Enrollment - Key 2 of 2 - let a Windows Machine "feel" MDM-Managed\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Provisioning\\OMADM\\Accounts\\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF]\n"Flags"=dword:00d6fb7f\n"AcctUId"="0x000000000000000000000000000000000000000000000000000000000000000000000000"\n"RoamingCount"=dword:00000000\n"SslClientCertReference"="MY;User;0000000000000000000000000000000000000000"\n"ProtoVer"="1.2"\n<\/pre><\/div>\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"
Some of the Fake-MDM-Provider Registry-Keys<\/figcaption><\/figure>\n\n\n\n
Download the needed reg-Files<\/h2>\n\n\n\n
I provide you a single zip-File<\/a> which contains 3 Files:<\/strong>
1. MDM-FakeEnrollment.reg<\/a> … the Registry-Keys you have to add to let Edge „feel“ like the Win10\/Win11-Machine is MDM-Managed.
2. EdgeChromium-Policies-Mandatory.reg<\/a> … some sample policies like configuring Google as Search-Engine, Homepage, New-Tab-Page etc… – this works after the MDM-FakeEnrollment is applied. If you set „Mandatory“ Policies these Settings cannot be (re-)configured by users themselves.
3. EdgeChromium-Policies-Recommended.reg<\/a> … some sample policies configured not „Mandatory“ but only as „Recommeded“, these Settings can be changed by users themselves, they are just a default.
4. EdgeChromium-UpdatePolicy-SideBySide.reg<\/a> … this (fully optional) Policy you may like to set to keep old EdgeLegacy available when installing EdgeChromium. Now in Year 2022+ this is obsolete, as the old EdgeLegacy is not available on current Windows 10 Systems any more.<\/p>\n\n\n\n
Just import the 1st one (MDM-FakeEnrollment.reg<\/a> )<\/a> to enable the „Fake-MDM-Provider“. Use the 2nd one (EdgeChromium-Policies-Mandatory.reg)<\/a> to import my sample configuration (like shown in the next screenshot) or use your gpedit.msc (Local Group Policy Editor).<\/p>\n\n\n\n
\"\"
Local Policies for Edge (based on Chromium)<\/figcaption><\/figure>\n\n\n\n
When using the Group Policy Editor you need the admx-Files for Edge based on Chromium from Microsoft, you can download them here:  https:\/\/www.microsoft.com\/en-us\/edge\/business\/download<\/a> (Link: „Get Policy Files). Configuration then looks like this: Computer Configuration => Administrative Templates => Microsoft Edge. Be aware: it is NOT<\/strong> „Windows Components => Microsoft Edge“ (this would be the old Edge Legacy Browser!).<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Compatibility<\/h2>\n\n\n\n