Forum Discussion
Found a bug in Edge 87 policy
- Oct 21, 2020
The nomenclature used in the code is a bit misleading; by "machine level policies" they mean policies set by the platform policy provider (on Windows, that's Group Policy). Basically, if you see anything listed in about:policy (even a dummy policy name that doesn't really exist) the device is considered "Managed" and you'll get the "Managed Device" banners and end-user configuration of Secure DNS will be blocked in about:settings.
HotCakeX - If the browser detects that the user is in a “managed” environment, then DoH can be configured only by policy, not the end-user. That’s because Enterprise environments often have specific requirements for network configuration that are more likely to be broken by Secure DNS.
On Windows, that detection shouldn't be tied to whether you've set a policy-- it should instead be tied to whether the machine is domain joined. On Mac, it looks like it may be tied to whether any policy is set.
https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html
If you are an IT administrator, Chrome will disable Secure DNS if it detects a managed environment via the presence of one or more enterprise policies. We’ve also added new DNS-over-HTTPS enterprise policies to allow for a managed configuration of Secure DNS and encourage IT administrators to look into deploying DNS-over-HTTPS for their users.
- HotCakeX Oct 21, 2020 MVP
Eric_Lawrence
Thank you, that makes sense in an enterprise environment, but I only downloaded the latest policy files and installed them on my personal non-managed Windows 10 20H2.
- Eric_Lawrence Oct 21, 2020
Microsoft
HotCakeX The "Your browser is managed by your organization" banner in your Settings screenshot indicates that your system is "Managed".
I misread the Chromium code-- the check falls through, so if your machine has any policies set (see about:policy), it's deemed "Managed":

    if (base::IsMachineExternallyManaged()) // <-- this is the domain join check
      return true;
    #endif
    #if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
    if (g_browser_process->browser_policy_connector()
            ->HasMachineLevelPolicies()) // <-- this is the policy check
      return true;
    #endif

- HotCakeX Oct 21, 2020 MVP
By "machineLevelPolicies" you mean the policies that are under "Computer Configuration", right? Then no, I have nothing set under that, just 1 policy under "User Configuration".
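
An added example, not part of the thread and not Chromium or Edge code: a PowerShell audit that lists the policy values which would make a Windows machine count as "Managed" under the fall-through check quoted above. It assumes Edge policies are stored under `Software\Policies\Microsoft\Edge` in both HKLM and HKCU, and uses `Win32_ComputerSystem.PartOfDomain` as an approximation of the domain-join check; the function names are hypothetical.

```powershell
# Added example: reports the two inputs the thread says feed the "Managed" decision.
# Assumption: Edge policy values live under Software\Policies\Microsoft\Edge (HKLM and HKCU).
# Assumption: Win32_ComputerSystem.PartOfDomain approximates the domain-join check.

function Get-EdgePolicyValue {
    param([string[]]$Roots = @('HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                               'HKCU:\SOFTWARE\Policies\Microsoft\Edge'))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Include the root key and every subkey (list-type policies use subkeys).
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

function Test-BrowserManaged {
    param([bool]$DomainJoined, [object[]]$Policies)
    # Same fall-through as the quoted snippet: either condition alone is enough.
    if ($DomainJoined) { return $true }
    if ($Policies.Count -gt 0) { return $true }
    return $false
}

$domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$policies     = @(Get-EdgePolicyValue)

"Domain joined : $domainJoined"
"Policy values : $($policies.Count)"
"Deemed managed: $(Test-BrowserManaged -DomainJoined $domainJoined -Policies $policies)"
$policies | Format-Table -AutoSize
```

On a personal machine that is not domain joined, any row in the table (including one under HKCU) is enough to explain the "managed" banner and the locked Secure DNS setting described in the thread.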