Why is this policy producing an error? Configure new tab page URL
Could it be because the description says:
"This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX."?
There it says this policy is available only on ... I'm testing it on my personal Windows 10 machine, which is not managed by a Windows server or MDM. Could this be the reason?
If that is indeed the case, then:
- the description is misleading, because it's not about availability, it's about whether the policy works or not.
- the error message in edge://policy is vague and doesn't say exactly what happened and what is wrong.
- Any other policy that I tried works fine; this one doesn't. Why would a simple configuration like this require a Windows server or MDM in order to work?
HotCakeX Your machine needs to be MDM-managed or AD-joined; otherwise you get a "this policy is blocked" error.
Workaround for non-MDM-managed and non-AD-joined devices: have a look at my blog post:
https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
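The reply above says the policy is blocked unless the device is AD-joined or MDM-enrolled, and the edge://policy error does not say which of those signals is missing. The following diagnostic is an added example, not code from the thread, from the linked blog post or from Microsoft: it reports the domain-join and MDM-enrollment state of the machine and lists the Edge policies set in the registry, flagging the ones that are gated on management. It assumes that the registry policy name behind "Configure new tab page URL" is NewTabPageLocation, that Edge reads policies from HKLM/HKCU\SOFTWARE\Policies\Microsoft\Edge, and that MDM enrollments appear as subkeys with a ProviderID value under HKLM\SOFTWARE\Microsoft\Enrollments; the exact checks Edge itself performs are not documented on this page.

```powershell
# Added diagnostic for the "policy is blocked" error discussed in the thread.
# Not the thread's, the blog post's or Microsoft's code. Run in an elevated
# PowerShell on the affected Windows 10 machine.

# Assumption: policies the thread says require AD join or MDM enrollment.
$gatedPolicies = @('NewTabPageLocation')

# Assumption: MDM enrollments are GUID subkeys under this root that carry a ProviderID value.
$enrollmentRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-ManagementState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $mdmCount = 0
    if (Test-Path $enrollmentRoot) {
        $mdmCount = @(Get-ChildItem -Path $enrollmentRoot -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.PSObject.Properties['ProviderID'] }).Count
    }

    # dsregcmd is informational only; its lines show AAD/domain join and MDM URL state.
    $dsreg = @()
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        $dsreg = (& dsregcmd.exe /status 2>$null) -match 'AzureAdJoined|DomainJoined|Mdm'
    }

    [pscustomobject]@{
        DomainJoined   = [bool]$cs.PartOfDomain
        Domain         = $cs.Domain
        MdmEnrollments = $mdmCount
        DsRegCmd       = ($dsreg | ForEach-Object { $_.Trim() }) -join '; '
    }
}

function Get-EdgePolicies {
    # Properties PowerShell adds to every registry item; not real policy values.
    $noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Edge"
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($noise -contains $prop.Name) { continue }
            [pscustomobject]@{
                Hive   = $hive
                Policy = $prop.Name
                Value  = $prop.Value
                Gated  = ($gatedPolicies -contains $prop.Name)
            }
        }
    }
}

$state = Get-ManagementState
$state | Format-List

$policies = @(Get-EdgePolicies)
if ($policies.Count -eq 0) {
    Write-Host 'No Edge policies set under HKLM or HKCU Policies keys.'
} else {
    $policies | Format-Table -AutoSize
}

$managed = $state.DomainJoined -or ($state.MdmEnrollments -gt 0)
if (-not $managed) {
    foreach ($p in $policies | Where-Object { $_.Gated }) {
        Write-Warning ("{0} ({1}) is set, but this device is neither AD-joined nor MDM-enrolled; " +
                       "expect edge://policy to report it as blocked.") -f $p.Policy, $p.Hive
    }
}
```

Run it on the machine that shows the error: if DomainJoined is False and MdmEnrollments is 0, the warning names exactly the policy that edge://policy reports as blocked, which is the detail the error message itself leaves out. The ProviderID check and the policy name are assumptions stated above; adjust $gatedPolicies to whatever other policies show the same error on your build.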
- HotCakeX Oct 20, 2020 MVP
Gunnar-Haslinger wrote: HotCakeX Your machine needs to be MDM-managed or AD-joined; otherwise you get a "this policy is blocked" error.
Workaround for non-MDM-managed and non-AD-joined devices: have a look at my blog post:
https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
Thanks, I just finished reading your blog post. It is a workaround on those specific Windows versions, but there are things that need to be considered:
- I'm using Windows 10 20H2 (release preview) and it might or might not work with those registry keys, and I don't want to use them in case they conflict with something else somewhere in Windows that is still undocumented or simply unknown.
- Windows 10 is always changing and evolving; this solution is a brute-force method to achieve what I want.
I would rather have an explanation, to know at least why this requires a domain controller or MDM to work. After all, what I was doing was just a test, and I didn't want to fire up any servers to do a simple task like that, but apparently I need to.
So again, these 3 are my main concerns, and I want the Edge team to consider them as feedback and change the behavior (if possible) in the future:
- Gunnar-Haslinger Oct 20, 2020 Steel Contributor
HotCakeX wrote: I'm using Windows 10 20H2 (release preview) and it might or might not work with those registry keys, and I don't want to use them in case they conflict with something else somewhere in Windows that is still undocumented or simply unknown.
HotCakeX My solution is successfully tested with the newest 20H2 Insider build and the newest Dev channel of Edge too (I just updated/added "Compatibility" version information in my blog post).
- HotCakeX Oct 20, 2020 MVP
Thank you, good job.
Correct me if I'm wrong, but this further proves our point, because your findings show how easy it is for an attacker to fake MDM enrollment status on a victim's system and then push their malicious policy files.
In both methods, the attacker needs to have elevated access to do all this, but the lack of proper verification of a legitimate MDM or Windows server domain lets them push the policy, and that security measure they put in place is virtually useless; all it does is put unnecessary limitations on users.
- Gunnar-Haslinger Oct 20, 2020 Steel Contributor
HotCakeX I wonder if you can get the Edge team to give you a satisfying answer or a change of the current behavior. This behavior is "by design" or "by choice of Microsoft". It is not a technical decision but a management decision.
- HotCakeX Oct 20, 2020 MVP
Gunnar-Haslinger wrote: HotCakeX I wonder if you can get the Edge team to give you a satisfying answer or a change of the current behavior.
This behavior is "by design" or "by choice of Microsoft". It is not a technical decision but a management decision.
It's the Tech Community; I'm not necessarily asking them to change it, I just need a technical explanation of why it is what it is. Also, it's feedback from a user, and that's what they are asking for.
The 2nd part of it is pure speculation.