06-14-2019 07:35 PM - edited 07-22-2019 12:13 PM
Update July 22nd 2019:
Thanks for all the great feedback! We announced last week that Edge is now ready for Enterprise evaluations.
You can find the latest ADMX files and MSIs/PKGs here:
And you can find all the enterprise-focused documentation here:
There is also an Enterprise-focused section of these Insider forums which the team will be monitoring. Direct link here:
Thanks again for the great feedback and engagement. Looking forward to continuing to hear from all of you!
(Note: I have removed the ADMX zip file which was originally attached to this mail. Please see the latest versions at the links above)
Original post follows:
We've been asked fairly regularly what policies we intend to support. We're still working on the list, but I’d like to share an early preview of the management policies we are working on for the new version of Microsoft Edge.
You can find a zip file attached to this post, that includes the ADMX file, an English (US) version of the ADML file, and an English (US) HTML doc with the list of policies and descriptions.
Please note that not all of the associated policies have been implemented by current canary or dev builds!
Please send us feedback on the list, or the description text in the policies if something seems unclear.
Please let us know if there are policies missing from the list, and give us feedback on the policy design.
Thanks for your interest!
Sean, on behalf of the Microsoft Edge team
06-19-2019 03:22 AM
@Sean Lyndersay Will these same policies also be built into Intune or will we need to inject the ADMX file like we do for Chrome at the moment?
06-19-2019 07:37 AM
@Sean Lyndersay I'm not seeing any mention of "IE mode" in the preview, is that just because it hasn't gone out to insiders yet? The killer feature I'm looking for is the ability to use GP to automatically whitelist some internal sites for all of my users with that.
06-19-2019 07:42 AM - edited 06-19-2019 04:43 PM
The policies will be available in Intune by default, and updated automatically with every release.
06-19-2019 07:47 AM
06-19-2019 09:41 AM - edited 06-19-2019 09:47 AM
@Sean Lyndersay My main list would be:
06-19-2019 12:03 PM
06-19-2019 12:27 PM
06-19-2019 01:48 PM
Yes, we are definitely using the Enterprise Mode Site List.
IE mode does not run a separate window. It's not even a separate tab. It's fully integrated into Edge -- as you navigate to a site that requires IE mode, the engine is seamlessly switched out under the covers and the site renders as you would expect it to. When you navigate back to a site that does not require IE mode, it switches back to the modern rendering engine.
If you want to see a detailed explanation and demo of IE mode, you can watch the video below:
06-21-2019 12:10 AM
@Sean Lyndersay The feature I miss is to add a custom 'User Agent String' to the new Edge.
We use this in IE to allow ADFS to distinguish our managed machines from "guest" machines. Our domain-joined machines get the GPO and thus the custom user agent string, which is added to the ADFS filter. This allows Windows integrated authentication for our domain-joined boxes, while other (non-domain-joined) machines get forms authentication.
06-21-2019 08:52 AM
Being inactivity/idle lock screen for browser user profiles would be nice. Especially for when AAD sign on for profiles becomes an option. The combination of these two settings would do wonders for shared computers in our environment. As we send more and more processes to Office 365, this gets hard to maintain secure access to our employees who can only use shared computers on our manufacturing side. @Sean Lyndersay
06-22-2019 06:19 AM
06-23-2019 02:30 PM
06-24-2019 04:31 AM - edited 06-24-2019 04:43 AM
Thanks for sharing the GPO-Files.
I'm currently testing it locally on my Surface. What I'm missing is a setting for the Enterprise Mode Site list. Is this due to there's no enterprise version of Edge C available, yet?
Or do I have to use the Internet Explorer GPO settings for a Link to the XML file?
And what's up with the Enterprise Mode Site List Manager? Will we see a Version 3 for Edge Chromium? I've heard that the XML schema has been updated once again.
06-24-2019 09:07 AM
Thank you! This was high on my list to see these GPO templates.
One setting I am not seeing in this list that would be important to my organization:
06-24-2019 11:26 PM
@Miguel_Garrido WIP support is in the roadmap. I can't confirm for sure that it will make the first release, but we'll definitely have it pretty soon thereafter.
AAD Sign will be available in Canary builds pretty soon (you can test it by turning on a flag: edge://flags/#edge-sign-in-with-aad)
06-24-2019 11:29 PM
@ikkerus IE mode group policies to configure the sitelist will be in a future update.
We will be updating the schema and the documentation, as well as releasing an update to the Site List Manager.
06-25-2019 06:16 AM
@Tinshield Thank you for the feedback. Today we support most of the policies in your list.
06-25-2019 06:20 AM
@danmurphy As Sean said we are partnering with Intune. What has your experience been like with Chrome and Intune?
06-25-2019 06:22 AM
@Brian Altman thanks for the reply. As far as ad blocking, being able to add extensions will suffice! Favorite redirection may work already as part of folder redirection policies, it does for IE.
06-25-2019 06:24 AM
@stevepogue We support silent extension installs - "Control which extensions are installed silently" GP
06-25-2019 06:21 PM
@Sean Lyndersay going forward where can we find updates for the GPOs? Are you going to have dedicated page like Google does it?
06-25-2019 06:52 PM
@anthonymel Yup. We will have a dedicated page on docs.microsoft.com, and a change list for each major release.
You should expect something conceptually similar to what we've done for the current version of Edge:
06-26-2019 11:13 AM
@Brian Altman It's quite straightforward but does take a bit of time to get set up back when I did it. I've looked recently and Google have exact instructions here: https://support.google.com/chrome/a/answer/9102677
06-26-2019 12:18 PM
Hello @Sean Lyndersay
Thanks for this early preview.
Is it possible to add a GPO to sync favorites between Internet Explorer and Edge? We can do that with the current "EdgeHTML" version of Edge. We can configure KFR Redirection of Favorites in IE, then, if the user creates a favorite in IE, it shows up in Edge and vice-versa.
06-26-2019 11:45 PM
I agree. This would be a huge feature for corporate and enterprise users. It would be nice to be able to turn on "legacy favorites integration", and a legacy favorites button would appear next to regular favorites. Then users click whichever one they want.
06-27-2019 12:40 AM
Thanks for the feedback.
I'd like to understand a little more about what you are trying to do. We have looked into keeping IE favorites and Edge favorites in sync, and it's a little tricky (for example, with the current EdgeHTML version, when that policy is enabled, device-to-device sync is disabled to avoid loops). We want to make sure we're meeting your needs, so it'd be great if you could elaborate on the specific scenarios so we can do the right thing for you.
First, you mentioned that you want to use KFR -- what does using KFR to redirect the favorites folder get you vs using the built in Edge Sync mechanism to sync folders across devices?
Second, you mentioned that you would want a "legacy favorites" integration button. We can automatically migrate IE favorites into the new Edge on first launch (a one time activity), so all IE favorites would be in the new Edge. What would be the scenario in which a user would want to access the IE favorites separately from the Edge favorites?
Many thanks for help in understanding what you're trying to do.
06-27-2019 12:42 AM
The policies for the update service will be published in a separate ADMX file, but the policy to disable the native update service is definitely part of the set we will have.
06-27-2019 01:34 PM
About our scenario and KFR:
Many of our users are familiar with Internet Explorer, remember its name, know they have to use it "because of reasons" or otherwise some business applications may not work (especially for historical reasons). Users have had their habits for years, and they don't want/don't need to worry about which browser to use.
When Windows 10 arrived, we set Edge as the default browser and enabled redirection to Internet Explorer for some sites.
This is where it starts to get complicated, here's an example:
The user launches the first browser he sees (Edge because it is pinned in the taskbar), starts browsing Intranet/Internet. His favorites are still there: so far, so good.
Then the user connects to a website that requires IE, the system starts IE and loads the URL. After that, the user keeps browsing Intranet/Internet but never returns to Edge: in this case, if the favorites are not synchronized, the user is lost, because the next time he'll launch a browser, it may be Edge again (and favorites created in IE must be there).
You'll tell me that there's a GPO that sends all sites to Edge if they're not in Enterprise Mode list, but the problem is basically the same because the user will create favorites in Edge and expect to find them in IE.
Why KFR? Because we are not using Azure, and Edge device-to-device sync requires a Microsoft account.
It might be OK if you load IE websites directly inside Edge (without opening IE), and if we can redirect IE to Chromium Edge for everything (to catch all shortcuts and entry points towards IE) and store/read the favorites in the Favorites directory (supporting KFR so the user can use another computer and find his favorites).
It reminds me of something else: In "EdgeHTML Edge" the Enterprise List is loaded after ~60 seconds, and that's really inconvenient because when a new user profile is created on a computer, the user starts Edge, browses to a legacy website: the redirection will not take effect because Edge didn't read the file yet. In this Chromium version, if you can start reading the file as soon as the browser is started, it'd be cool.
Thanks for your time, and please tell me if anything is not clear.
06-29-2019 12:16 PM
@Sean Lyndersay This looks really promising. Will you give a shout on @MSEdgeDev Twitter if/when there are updates to the templates?
06-30-2019 07:52 AM
I have a question for one of the settings:
Using the admx/adml templates, when I want to configure the Administrative Templates\Microsoft Edge\Manage Search Engines setting, the example value is:
so I wanted to enter:
but there is only a one-line text field. Is the correct value a path to a .json file or how should it be configured?
Will it be possible to configure flags as well as settings?
07-01-2019 04:46 AM
Do any of these policies affect the normal Windows 10 Edge (am I safe to deploy test policies without breaking anything other than Edge Chromium)?
07-01-2019 06:45 AM
07-03-2019 12:24 AM
Chrome/Chromium have some settings stating "This policy is not available on Windows instances that are not joined to a Microsoft® Active Directory® domain.".
For example "Action on startup - Restore the last session', the URLs that were open last time Google Chrome was closed will be reopened and the browsing session will be restored as it was left.".
Are there similar limitations for some settings in Edge?
07-03-2019 06:36 AM
Will there be any management from the mac side? We are now officially managing macs in our environment and I’d like to understand how I will be able to manage their settings as well. #macOS
07-03-2019 07:45 AM
07-03-2019 07:47 AM
@Sean Lyndersay Thank you much, we are using JAMF so this will be helpful. Appreciate your quick response and looking forward to these changes.
07-03-2019 09:33 AM - edited 07-03-2019 09:38 AM
I still don't see a way to customize 'top sites' or new tab layout.
Would be nice to have a list of sites to open in IE mode.
07-03-2019 02:19 PM
Very much agree to the Sync between Edge/IE. This is a hassle free solution as we already redirect them (as documents, desktop, links) to work folders.
Automatic backup of both and sync between them.
07-04-2019 06:23 AM
@Sean Lyndersay Any particular reason the "Prevent bypassing Windows Defender SmartScreen prompts for files" isn't in there yet? This setting is in the standard Microsoft security baseline for Edge, so I expected it here as well.
07-10-2019 08:17 PM
@P3c4s0 Yes, some of the policies have that restriction.
Generally, this restriction exists to limit the impact of policies that are often used by adware/grayware to make changes to the browser bypassing the usual protections against manipulating settings. Enforcing that the device is domain-joined makes it less likely that adware will use those particular settings (since they won't work on most machines). The current version of Edge has similar limitations on policies that impact homepages and search providers (the most commonly misused policies).
The particular policy you cited can be used to specify a specific set of URLs to open on startup, which can be misused to effectively do a homepage takeover, which is why the limitation exists.
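A defender-side check that follows from the explanation above, as an added example that is not part of the original thread or Microsoft's own code: it lists homepage, startup and search-provider policy values under the Edge policy key and warns when they appear on a machine that is not domain-joined. The watch list uses the Chromium-style policy names and is an assumption, since the thread does not say which Edge policies carry the domain-join restriction.

```powershell
# Added example: audit Edge policy keys for homepage/startup/search settings.
# Policy values set on a non-domain-joined machine did not come from domain GPO,
# so they deserve a look (local admin change, MDM, or unwanted software).
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
# Assumed watch list (not taken from the thread): single-value policies...
$watchedValues = @('HomepageLocation', 'RestoreOnStartup', 'NewTabPageLocation',
                   'DefaultSearchProviderEnabled', 'DefaultSearchProviderSearchURL')
# ...and list policies, which are stored as numbered values in a subkey.
$watchedLists = @('RestoreOnStartupURLs')

function Get-EdgeTakeoverPolicy {
    param([string[]]$Roots = $policyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $props = Get-ItemProperty -Path $root
        foreach ($name in $watchedValues) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Root = $root; Policy = $name; Value = $props.$name }
            }
        }
        foreach ($list in $watchedLists) {
            $listPath = Join-Path $root $list
            if (-not (Test-Path $listPath)) { continue }
            $key = Get-Item -Path $listPath
            foreach ($entry in $key.GetValueNames()) {
                [pscustomobject]@{ Root = $root; Policy = "$list\$entry"
                                   Value = $key.GetValue($entry) }
            }
        }
    }
}

# PartOfDomain is true only for Active Directory domain join;
# an Azure AD joined or workgroup machine reports false here.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$found = @(Get-EdgeTakeoverPolicy)

if (-not $domainJoined -and $found.Count -gt 0) {
    Write-Warning "Edge startup/homepage/search policies set on a non-domain-joined machine:"
}
$found | Format-Table -AutoSize
```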