Forum Discussion
Disable de-elevation in Edge
Hi Kelly,
Thanks for the quick response and suggestion. I'm glad that parameter exists, but unfortunately I don't think it will help for our particular use case (an application opens the machine's default browser to a web page, not from a shortcut). Is there an equivalent registry value for this?
After digging into this issue a little more, I think perhaps that it's not the de-elevation itself that is causing problems, but that it does not always de-elevate as the same user that started the process.
Here's an example they should be able to duplicate:
- Log into a machine as a standard user (User 1)
- Run PowerShell as administrator (User 2)
- Enter credentials for User 2
- Run Start-Process msedge.exe
The Edge process initially opens as User 2, then de-elevation kicks in and re-launches the process as User 1.
A use case where this would become important is where IWA is used, and User 1 and User 2 have different access. If you launch a browser targeting a particular page as User 2, it de-elevates and re-launches as User 1, and SSO signs User 1 in.
This obviously isn't a problem if you 'Run as other user' rather than 'Run as administrator', so this is an OK workaround, but there are two problems I found with this:
- If you have the policy BrowserSignin set to 2, and you launch Edge as another user that does not yet have an Edge profile, the login prompt appears, but does not allow you to interact with it. This might be a bug.
- There doesn't appear to be a way to launch Windows Terminal as another user without launching it as administrator.
We are in the process of hybrid joining our machines, so I'll be able to do away with BrowserSignin soon. We can also just steer people toward other terminal apps and have them run without elevation.
We noticed this behavior using the Okta ASA product, but I'd imagine there are other use cases as well.
Hope this helps!
Andrew
@AndrewSAIF Hello! Some additional information I wanted to pass along:
"If you want to disable the auto de-elevate while launching a webpage or file from another program, it's possible if that program uses ShellExecute(Ex) with the "runas" verb; it's also possible to use in PowerShell using Start-Process <URL> -verb runas.
MS Edge currently doesn't have a policy or other persisted setting like a reg key for this."
Thanks!
-Kelly
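The reproduction steps in Andrew's first post and the `-Verb RunAs` launch Kelly describes can be checked side by side from one script. This is an added example, not code from the thread or from Microsoft: run it from a PowerShell window opened with "Run as administrator" using a second account (User 2) while User 1 is logged in. It launches Edge twice, once plainly and once through the "runas" ShellExecute verb, and reports which account owns each resulting msedge.exe process. The URL is a placeholder assumption, and the five-second sleep is an arbitrary wait for Edge to finish relaunching itself.

```powershell
# Added example (not from the original thread). Assumptions: msedge.exe is
# resolvable through the App Paths registry (as in the OP's Start-Process
# call), and $Url is any page; example.com is a placeholder.
$Url = 'https://example.com/'

function Get-EdgeOwners {
    # Return one object per running msedge.exe process with the account
    # that owns it, so the launcher can be compared with the result.
    Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Owner       = if ($owner.ReturnValue -eq 0) {
                                  "$($owner.Domain)\$($owner.User)"
                              } else { '<unknown>' }
                CommandLine = $_.CommandLine
            }
        }
}

function Test-DeElevated {
    # True when at least one msedge.exe is owned by an account other than
    # the one that launched it, i.e. Edge relaunched as the logged-in user.
    param([Parameter(Mandatory)][string]$Launcher)
    $others = Get-EdgeOwners | Where-Object { $_.Owner -ne $Launcher }
    return [bool]$others
}

$launcher = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$isAdmin  = ([System.Security.Principal.WindowsPrincipal]::new(
                [System.Security.Principal.WindowsIdentity]::GetCurrent())
            ).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Launching as $launcher (elevated: $isAdmin)"

# Case 1: the OP's reproduction. A plain Start-Process from the elevated
# session; Edge de-elevates and relaunches as the interactive user (User 1).
Get-Process msedge -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process msedge.exe -ArgumentList $Url
Start-Sleep -Seconds 5
Write-Host "`nAfter plain Start-Process:"
Get-EdgeOwners | Format-Table -AutoSize
Write-Host "De-elevated to another user: $(Test-DeElevated -Launcher $launcher)"

# Case 2: Kelly's workaround. ShellExecute with the "runas" verb; the thread
# states this is the one way to keep Edge from auto de-elevating. Kelly's
# form passes the URL itself (Start-Process <URL> -Verb RunAs); launching
# msedge.exe with the verb is the program-level equivalent used here.
Get-Process msedge -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process msedge.exe -ArgumentList $Url -Verb RunAs
Start-Sleep -Seconds 5
Write-Host "`nAfter Start-Process -Verb RunAs:"
Get-EdgeOwners | Format-Table -AutoSize
Write-Host "De-elevated to another user: $(Test-DeElevated -Launcher $launcher)"
```

The script kills existing Edge processes before each case so that the owner listing reflects only the launch under test; on a machine where Edge is already open as User 1, the relaunch would otherwise be indistinguishable from the pre-existing windows. `Test-DeElevated` returning `True` for case 1 and `False` for case 2 is the behavior the thread describes; if the application in question calls ShellExecute without the "runas" verb, case 1 is the path it takes and no registry value changes that per Kelly's reply.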
- AndrewSAIF (Jun 02, 2021, Iron Contributor)
@Kelly_Y
Thanks for the info, Kelly. I appreciate the advice, but I don't have control over the way the application we are using launches the browser, unfortunately. The way that it switches to the logged-in user rather than the user that started the elevated process seems like an unintended consequence of this feature. Also, the incompatibility with the BrowserSignin policy seems like a bug. Are there any plans to address these issues?
If not, would it be possible to implement a flag/registry value/group policy so system administrators can optionally disable the feature? We'd like it if folks used Edge, but I have multiple users demanding to have Chrome set as their default browser because of this feature.
Thanks!
Andrew
- AndrewSAIF (Nov 04, 2021, Iron Contributor)
@Kelly_Y
Hi there, just checking in to see if there has been any consideration of the issues I raised.
Thanks,
Andrew