Microsoft Edge Group Policies for lists like Pop-ups do NOT combine - they replace unlike IE?
Here is the structure.
All Health authorities = OU = Tier 1
Group Policy linked to OU = "User and IE Edge Settings All"
User Configuration - Admin templates
Microsoft Edge (latest ADMX) = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com
IE Settings = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com
Child OU = Health Authority A (so this OU is inside the above one) = Tier 2
"Health Authority A User and IE Edge Settings All"
User Configuration
Microsoft Edge (latest ADMX) = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
IE Settings = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
Group Policies with Lists are SUPPOSED to be "cumulative" so if you add a Trusted site or a popup for IE in the Parent OU and different ones in the child OU they "merge" together.
End result for computer inside Child OU.
IE Settings = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com *.siteextra1.com *.siteextra2.com *.siteextra3.com
Microsoft Edge = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
So instead of Edge "appending" the registry key like IE does, the policy deletes the Tier 1 settings and applies only the Tier 2 settings.
Note we have thousands of group policies with lists like Applocker, IE settings, Office settings in multiple policies. Lists in ALL those policies are always combined for the end result.
Edge Policies are the only ones where a list is blown away entirely and not appended to if another policy adds to the list.
Note that Computer settings for IE always overwrite the same User settings. That is 100% expected.
However, if we set computer settings for Edge with lists in multiple policies the lists are not merged regardless if it is extensions, or anything else.
Hello,
GPOs are applied on Windows Level independent from the application they are dealing with. When a GPO is applied registry keys are simply created. Besides processing order there is afaik no further logic involved.
My assumption is:
For Edge registry keys may be created in the form of
Pop up blocker Allow\1\*.siteextra1.com
Pop up blocker Allow\2\*.siteextra2.com
Pop up blocker Allow\3\*.siteextra3.com
When a GPO for the same policy is applied on a different level the numbering will start from 1 and will overwrite existing values.
Maybe for IE the naming of the registry keys was different, for example like
Internet Settings\ZoneMap\Domains\siteextra1.com\*\
Internet Settings\ZoneMap\Domains\siteextra2.com\*\
Internet Settings\ZoneMap\Domains\siteextra3.com\*\
If I'm right, this naming schema would lead to no conflicting registry values and the settings will appear as combined/merged.
But please don't take this for granted, it has been a while since I dealt with GPOs...
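The naming assumption in the reply above, as an added example that is not part of the original thread: a simplified Python model in which each GPO writes values into one policy key and a later GPO overwrites any value with the same name. The function names and the dictionary model are illustrative assumptions; the allow lists are the sample lists from the original post.

```python
# Simplified model of the two registry naming schemes assumed in the reply.
# Constructed sample data: the allow lists from the original post.
PARENT = ["*.domain1.com", "*.domain2.com", "*.domain3.com"]          # Tier 1 GPO
CHILD = ["*.siteextra1.com", "*.siteextra2.com", "*.siteextra3.com"]  # Tier 2 GPO


def numbered_values(urls):
    """Edge-style scheme assumed in the reply: value names 1, 2, 3, ..."""
    return {str(i): url for i, url in enumerate(urls, start=1)}


def named_values(urls):
    """IE-style scheme assumed in the reply: the site itself is the name."""
    return {url: url for url in urls}


def apply_gpos(gpo_lists, scheme):
    """Write each GPO's values into one policy key, parent OU first.

    A later GPO overwrites any value whose name already exists, which is
    the only conflict rule the reply assumes.
    """
    key = {}
    for urls in gpo_lists:
        key.update(scheme(urls))
    return sorted(key.values())


def dropped_entries(gpo_lists, scheme):
    """Entries configured in some GPO but missing from the effective list."""
    effective = set(apply_gpos(gpo_lists, scheme))
    configured = {url for urls in gpo_lists for url in urls}
    return sorted(configured - effective)


if __name__ == "__main__":
    for label, scheme in (("numbered", numbered_values), ("named", named_values)):
        print(label, "effective:", apply_gpos([PARENT, CHILD], scheme))
        print(label, "dropped:  ", dropped_entries([PARENT, CHILD], scheme))
```

Running `dropped_entries` over the lists exported from each linked GPO shows which parent-level entries users in the child OU would lose under the numbered scheme.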
- lforbes, Apr 21, 2021, Iron Contributor
The ADMX needs to be fixed with the later version so that it doesn't overwrite lists.
There should be no 1, 2, 3 etc it should just be keys.
Therefore the ONLY Overriding should be if the key is identical.
That is just the way group policies are supposed to work.
With IE there is a standard processing process for policies and it worked great. If Edge is supposed to replace IE as the standard browser then they need to fix it so that it works well in Group Policy in the same way as IE does.
- Kelly_Y, Apr 23, 2021, Microsoft
lforbes I've just talked to the team that manages MS Edge policies and got some information.
Right now the experience is by design and aligns with Chrome and other Chromium based browser policies. The team has heard from other customers moving from IE to MS Edge and I have also passed along your scenario.
This is something they plan to investigate and try to improve but right now there is no ETA. Once more information is available we can follow up here. Thank you for your feedback!
-Kelly
- lforbes, Apr 24, 2021, Iron Contributor
Chrome doesn't have official supported updated ADMX Group Policies. It is NOT a corporate browser. It is NOT designed for Group Policy or corporate use.
It is a home-based browser and the user-made ADMX for Chrome doesn't work most of the time. For example if you set the home page to "run once" in Chrome it doesn't even set at all.
Edge Chromium is being advertised as a replacement for Internet Explorer in a corporate world. Therefore it should not copy a crappy unsupported home browser.
Please realize that we have IE and we are trying to migrate away from it. I have 86,000 workstations and we cannot upgrade them until they can fix Edge to run like IE.