Forum Discussion
Why this policy is producing error? Configure new tab page URL
Gunnar-Haslinger wrote: HotCakeX Your machine needs to be MDM-Managed or AD-Joined, otherwise you get a "this policy is blocked" Error.
Workaround for non-MDM-Managed and non-AD-Joined Devices, have a look at my Blog-Post:
https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
Thanks, I just finished reading your blog post. It is a workaround on those specific Windows versions, but there are things that need to be considered:
- I'm using Windows 10 20H2 (release preview) and it might/might not work with those registry keys, and I don't want to use them in case it conflicts with something else somewhere in Windows that is still undocumented or just simply unknown.
- Windows 10 is always changing and evolving; this solution is a brute force method to achieve what I want.
I would rather have an explanation to know at least why this requires a domain controller or MDM to work. After all, what I was doing is just a test and I didn't want to fire up any servers to do a simple task like that, but apparently, I need to.
So again, these 3 are my main concerns and I want the Edge team to consider them as feedback and change the behavior (if possible) in the future:
HotCakeX my solution has been successfully tested with the newest 20H2 Insider Build and the newest Dev Channel of Edge too (I just updated/added "Compatibility" version information in my blog post).
- HotCakeX, Oct 20, 2020, MVP
Thank you, good job.
Correct me if I'm wrong, but this further proves our point, because your findings show how easy it is for an attacker to fake MDM enrollment status on a victim's system and then push their malicious policy files.
In both methods, the attacker needs to have elevated access to do all this, but the lack of proper verification of a legit MDM or Windows Server domain lets them push the policy, so that security measure they put in place is virtually useless, and all it does is put unnecessary limitations on users.
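The thread's point is that Edge policy values can land on a device that was never really managed, so a defender's first check is whether machine-level Edge policies exist on a box that is neither AD-joined nor MDM-enrolled. The PowerShell audit below is an added example, not code from the thread or from Gunnar-Haslinger's blog post; it assumes the standard locations HKLM:\SOFTWARE\Policies\Microsoft\Edge for Edge policy values and HKLM:\SOFTWARE\Microsoft\Enrollments for MDM enrollment records, and uses Win32_ComputerSystem.PartOfDomain for AD membership.

```powershell
# Added audit example, not code from the thread or from the linked blog post.
# Assumptions: Edge policies live under HKLM:\SOFTWARE\Policies\Microsoft\Edge,
# MDM enrollment records are GUID-named subkeys under HKLM:\SOFTWARE\Microsoft\Enrollments,
# and Win32_ComputerSystem.PartOfDomain reflects AD domain membership.
function Get-EdgePolicyAudit {
    $policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $enrollmentKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $guidPattern   = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

    # Collect every policy value set in the machine hive (e.g. NewTabPageLocation),
    # skipping the PS* metadata properties that Get-ItemProperty adds.
    $policies = @()
    if (Test-Path $policyKey) {
        $policies = @((Get-ItemProperty -Path $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Policy = $_.Name; Value = $_.Value } })
    }

    # Management state as Windows itself reports it. As the thread notes, an
    # attacker with admin rights can forge these signals, so treat them as a
    # triage hint, not as proof that the policies came from a real MDM or AD.
    $domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $mdmEnrolled  = $false
    if (Test-Path $enrollmentKey) {
        $enrollments = Get-ChildItem -Path $enrollmentKey -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match $guidPattern }
        $mdmEnrolled = @($enrollments).Count -gt 0
    }

    [pscustomobject]@{
        DomainJoined = $domainJoined
        MdmEnrolled  = $mdmEnrolled
        PolicyCount  = $policies.Count
        Policies     = $policies
        # Machine-level Edge policies on an unmanaged device are either the
        # blog's workaround or something unexpected; either way, look closer.
        Unexpected   = ($policies.Count -gt 0) -and -not ($domainJoined -or $mdmEnrolled)
    }
}

# Usage: run in PowerShell on the device being checked and inspect the result.
Get-EdgePolicyAudit | Format-List
```

The Unexpected flag is only a starting point: on an unmanaged device, pair it with a review of who wrote the policy values (registry auditing or EDR telemetry) rather than trusting the enrollment state alone.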
- Gunnar-Haslinger, Oct 20, 2020, Iron Contributor
HotCakeX I agree, but in addition: as a "hacker" there is not even a need to elevate to Admin/System. It is much easier to just modify your user-writeable Edge profile to do the same. Maybe not as persistent as setting policies, but the point is: if you allow malware to run on your system, your Edge settings are the least problem and you already lost the game.
- HotCakeX, Oct 20, 2020, MVP
Yup, can't agree with that more.