Forum Discussion
HotCakeX Your machine needs to be MDM-Managed or AD-Joined, otherwise you get a "this policy is blocked" Error.
Workaround for non-MDM-Managed an non-AD-Joined Devices, have a look at my Blog-Post:
https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
Gunnar-Haslinger wrote:HotCakeX Your machine needs to be MDM-Managed or AD-Joined, otherwise you get a "this policy is blocked" Error.
Workaround for non-MDM-Managed an non-AD-Joined Devices, have a look at my Blog-Post:
https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
Thanks, I just finished reading your blog post, It is a workaround on those specific Windows versions but there are things that need to be considered:
- I'm using Windows 10 20H2 (release preview) and it might/might not work with those registry keys. and I don't want to use them in case it conflicts with something else somewhere in Windows that is still undocumented or just simply unknown.
- Windows 10 is always changing and evolving, this solution is a brute force method to achieve what I want.
I would rather have an explanation to know at least why this requires a domain controller or MDM to work. after all, what I was doing is just a test and I didn't want to fire up any servers to do a simple task like that, but apparently, I need to.
so again, these 3 are my main concerns and I want Edge team to consider as feedback and change the behavior (if possible) in the future:
- Gunnar-HaslingerOct 20, 2020Steel Contributor
I'm using Windows 10 20H2 (release preview) and it might/might not work with those registry keys. and I don't want to use them in case it conflicts with something else somewhere in Windows that is still undocumented or just simply unknown.
HotCakeX my Solution is successfully tested with newest 20H2 Insider Build and newest Dev-Channel of Edge too (just updated/added Version Information in my Blogpost)
- Gunnar-HaslingerOct 20, 2020Steel Contributor
I'm using Windows 10 20H2 (release preview) and it might/might not work with those registry keys. and I don't want to use them in case it conflicts with something else somewhere in Windows that is still undocumented or just simply unknown.
HotCakeX my Solution is successfully tested with newest 20H2 Insider Build and newest Dev-Channel of Edge too (just updated/added "Compatibility" Version-Information in my Blogpost)
- HotCakeXOct 20, 2020MVP
Thank you, good job,
correct me if i'm wrong but this further proves our point because your findings show that how easy it is for an attacker to fake MDM enrollment status on a victim's system and then push their malicious policy files.
in both methods, attacker needs to have an elevated access to do all these but the lack of proper verification of a legit MDM or Windows server domain lets them push the policy and that security measure they put in place is virtually useless, and all it does is to put unnecessary limitations for users.
- Gunnar-HaslingerOct 20, 2020Steel Contributor
HotCakeX I agree, but in addition: as an "hacker" there is even no need to elevate to Admin/System. It is much easier to just modify your user-writeable Edge-Profile to do the same. Maybe not as persistent as setting policies, but the point is: If you allow malware to run on your system your Edge-Settings are the least problem and you already lost the game.
- Gunnar-HaslingerOct 20, 2020Steel Contributor
HotCakeX I would wonder if you can trigger the edge-team to give you a satisfying answer or a change of the current behavior. This behavior is "by design" or "by choice of Microsoft". It is not a technical decision but a management decision.
- HotCakeXOct 20, 2020MVP
Gunnar-Haslinger wrote:HotCakeX I would wonder if you can trigger the edge-team to give you a satisfying answer or a change of the current behavior.
This behavior is "by design" or "by choice of Microsoft". It is not a technical decision but a management decision.
It's the tech community, I'm not necessarily asking them to change it, I just need a technical explanation that why it is what it is. also, it's feedback from a user and that's what they are asking for.
The 2nd part of it is pure speculations
- Gunnar-HaslingerOct 20, 2020Steel Contributor
I tried to get a solution / answer by opening a paid premier support ticket for this. This management-decision is not new, it was the same in Edge-Legacy. Answer is, it is a management-decision to pick some Policies not being manageably on devices not AD-joined or MDM-Managed.
If you like to have a more technical answer: Malware could easily use these Policies to for example set your Homepage - a regular user on a Home-Machine (non-managed) will have a hard job to find out what's wrong and what happened. On managed machines this would be cleared out / reset to admins-choice on next policy-apply-run.