Forum Discussion
Example of well-formed local network domain name in relevant ActiveDirectory policies governing Edge
There are several Active Directory policies governing Edge behavior that ask for a domain name: SmartScreenAllowListDomains, AutoOpenFileTypes and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings, for example.
In the context of a ClickOnce desktop application deployment to an intranet website, where the internal (not public facing) installer web page would be referenced as follows:
https://myintranetwebserver/apps/appname/publish.htm
1. How would these Edge policy registry entries refer to the domain? Is it the internal domain to which myintranetwebserver belongs, i.e. *.ourdomain.net or perhaps https://*.ourdomain.net? Or is it https://myintranetwebserver or https://*.myintranetwebserver?
[SIDE NOTE: the intranet web server has a self-signed SSL certificate which is imported into the appropriate certificate store on user machines to allow for SSL encryption between user desktops and the intranet web server.]
2. When specifying AutoOpenFileTypes, is there a way to avoid making them global and only applicable to specified domains, as can be done with ExemptDomainFileTypePairsFromFileTypeDownloadWarnings where a file-type extension is linked to an array of domain names?
3. What is the expected combined behavior when policies for both AutoOpenFileTypes and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings appear in the registry?
Are there precise definitions (rather than simple bullet-type blurbs) for the behavior of each of those settings?
- Kelly_Y (Microsoft)
lloydmalvern Hi again!
For AutoOpenFileTypes, you can use the AutoOpenAllowedForURLs in conjunction. Here is the documentation: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#autoopenallowedforurls which also contains a link to the URL pattern documentation: https://docs.microsoft.com/en-us/DeployEdge/edge-learnmmore-url-list-filter%20format
If you are working on deploying MS Edge, have you heard of our FastTrack team (https://www.microsoft.com/en-us/fasttrack/microsoft-365/microsoft-edge)? They can help with configuring MS Edge for your organization and provide guidance with these policies.
Hopefully this will help with some of your questions.
-Kelly
- lloydmalvern (Copper Contributor)
Thanks very much for the links to the current policies. I can't get it to work. Edge is still blocking setup.exe.
To confirm the domain I open Edge and type the following into the address bar:
https://MYDEVMACHINENAME/ClickOnce/TestApp/publish.htm
The ClickOnce publish.htm for TestApp is successfully opened in the browser.
There is a registry entry to enable ClickOnce:
Policies->Microsoft->Edge
ClickOnceEnabled.............REG_DWORD........................0x00000001 (1)
In the registry the domain has been exempted from file type warnings:
Policies->Microsoft->Edge->ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
1.............REG_MULTI-SZ {"file_extension":"exe","domains":["https://MYDEVMACHINENAME"]}
ClickOnceEnabled.............REG_DWORD........................0x00000001 (1)
exe is specified in AutoOpenFileTypes key in the registry:
Policies->Microsoft->Edge->AutoOpenFileTypes
1.......REG_SZ................exe
And in AutoOpenAllowedForURLs in the registry I've added the path to the IIS web-application above:
Policies->Microsoft->Edge->AutoOpenAllowedForURLs
1.......REG_SZ................https://MYDEVMACHINENAME/ClickOnce
NOTE: The case-sensitivity matches.
Do I have to specify the full path?
https://MYDEVMACHINENAME/ClickOnce/TestApp
When I do that, there is no change to the behavior. Setup.exe is still blocked.
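Added example, not part of either post and not Microsoft's code: a read-only PowerShell audit of the policies named in this thread, reporting when AutoOpenFileTypes is not scoped by AutoOpenAllowedForURLs and when an extension is both auto-opened and exempted from download warnings. It assumes the policies are under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`; the function name `Get-EdgePolicyList` and the `$riskyExtensions` list are illustrative.

```powershell
# Added example: read-only audit of the Edge download policies from this thread.
# Assumption: policies are deployed to the machine hive (HKLM); HKCU is not checked.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
# Assumption: illustrative list of extensions worth flagging, not an official one.
$riskyExtensions = @('exe', 'msi', 'bat', 'cmd', 'ps1', 'vbs', 'js', 'application')

function Get-EdgePolicyList {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $base $Name
    if (-not (Test-Path -Path $path)) { return }
    $key = Get-Item -Path $path
    # List policies are numbered values (1, 2, ...) under a subkey named after the policy.
    foreach ($valueName in $key.GetValueNames()) { $key.GetValue($valueName) }
}

$autoOpenTypes = @(Get-EdgePolicyList -Name 'AutoOpenFileTypes')
$autoOpenUrls  = @(Get-EdgePolicyList -Name 'AutoOpenAllowedForURLs')
$exemptRaw     = @(Get-EdgePolicyList -Name 'ExemptDomainFileTypePairsFromFileTypeDownloadWarnings')
$findings      = [System.Collections.Generic.List[string]]::new()

# Without AutoOpenAllowedForURLs, the auto-open list applies to downloads from any site.
if ($autoOpenTypes.Count -gt 0 -and $autoOpenUrls.Count -eq 0) {
    $findings.Add("AutoOpenFileTypes [$($autoOpenTypes -join ', ')] is global: AutoOpenAllowedForURLs is not set.")
}
foreach ($ext in $autoOpenTypes) {
    if ($riskyExtensions -contains $ext) {
        $findings.Add("Auto-open is enabled for '$ext'; allowed URLs: [$($autoOpenUrls -join ', ')]")
    }
}
# Each exemption entry is a JSON object with file_extension and domains.
foreach ($raw in $exemptRaw) {
    try { $pair = $raw | ConvertFrom-Json }
    catch { $findings.Add("Exemption entry is not valid JSON: $raw"); continue }
    if (-not $pair.file_extension -or -not $pair.domains) {
        $findings.Add("Exemption entry lacks file_extension or domains: $raw"); continue
    }
    if ($autoOpenTypes -contains $pair.file_extension) {
        $findings.Add("'$($pair.file_extension)' is in both AutoOpenFileTypes and the warning exemption for: $($pair.domains -join ', ')")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```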