Forum Discussion
Do the Group Policy templates actually work for stopping/controlling Microsoft Edge Updates?
Hello
I am currently testing MS Edge for Business with the specific goal of controlling the update cadence for the Stable channel. I want complete control on when these updates are applied and ONLY deploy them in a small business environment via WSUS or ManageEngine Desktop Central.
I have downloaded the current policy files for Edge Business and studied the update attributes and items found here:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#updatedefault
But I have some serious concerns about the validity of these group policy templates. I have been unable to determine the exact policy combination to get the updates to stop while continuing to allow Edge's default payloads to be enabled (3 Services and 2 scheduled tasks that appear in Task Scheduler) after a standard install OR an update?
I have been testing this a lot for weeks now and in a stock install of Edge for Business - either a new install OR an update to an existing install - the installer adds (AND reactivates if disabled) the following services:
It also adds (and re-enables if disabled) the following tasks into Task Scheduler as well:
MicrosoftEdgeUpdateTaskMachineCore
MicrosoftEdgeUpdateTaskMachineUA
These 5 items – if present and enabled – would seem to allow Edge to update itself like it would in a consumer environment - by itself - every hour on the hour regardless of any GP that may be enabled.
The only way I have found to exert any control over the updates is to set these policies (Via GPEDIT)
And then run a standalone PS script that actually DELETES the scheduled tasks and disables two of the three services. But I should not have to do this much work.
Q: Does the group policy (Update policy override setting) actually override/stop the activity of these 3 services and 2 tasks?
While I always believed that GP should be the law - I am skeptical if these services and tasks are actually taken out of the equation with the GP (Update Policy Override) enabled.
And even with all this extra work - if a user goes and opens the "..." menu in the upper right and then chooses Settings->Help and Feedback->About Edge - Edge will then attempt to update itself here as well - which I also do not want my users to be able to do.
Ideally what I really want is this to display if a user attempts to select "About Edge":
Appreciate any update on how to completely control the Edge Update cycle and have the system ignore these tasks and services that it places on the machine during each update.
Cheers
Bruce
Hi Bruce_McDonald,
Setting the "Update policy override" to "Updates disabled: Updates are never applied" will prevent Edge from being updated on any domain-joined machine. Setting this is sufficient to prevent any updating from happening. When configured, the services / scheduled tasks will not update the browser. They're still scheduled in the case that the policy changes from "off" to "on".
Thanks,
Andy Zeigler
Edge Team
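A read-only check of the state described in the reply above, added here as an example (it is not code from the thread or from Microsoft). It assumes the Edge Update policies are stored under `HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate` with `UpdateDefault` as the global "Update policy override" value (0 = updates disabled); the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'   # assumed policy location
$Meaning = @{ 0 = 'Updates disabled'; 1 = 'Always allow updates'
              2 = 'Manual updates only'; 3 = 'Automatic silent updates only' }

function Get-EdgeUpdatePolicy {
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path $Path)) { return }            # no Edge Update policy applied
    # UpdateDefault is the global override; values named Update{app-guid} are
    # per-application overrides and take precedence over it for that channel.
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -eq 'UpdateDefault' -or $_.Name -like 'Update{*' } |
        ForEach-Object {
            $v = [int]$_.Value
            [pscustomobject]@{
                Policy  = $_.Name
                Value   = $v
                Meaning = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { 'Unknown' }
            }
        }
}

function Get-EdgeUpdateTaskState {
    # Matches the two task names from the question; newer builds may add a suffix.
    Get-ScheduledTask -TaskName 'MicrosoftEdgeUpdateTaskMachine*' -ErrorAction SilentlyContinue |
        Select-Object TaskName, State
}

$policy = @(Get-EdgeUpdatePolicy)
$joined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain  # reply refers to domain-joined machines

"Domain joined : $joined"
if ($policy.Count -eq 0) {
    'Policy        : none found, Edge Update runs with its defaults'
} else {
    $policy | Format-Table -AutoSize
    # Any override that is not 0 leaves updates possible for that scope.
    $open = @($policy | Where-Object { $_.Value -ne 0 })
    if ($open.Count -gt 0) { "Not disabled  : $($open.Policy -join ', ')" }
}
# Tasks in the Ready state are expected even when the policy is 0.
Get-EdgeUpdateTaskState | Format-Table -AutoSize
```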
Bruce_McDonald Thanks for reaching out. I'm looping in our Enterprise team and will let you know if they have any insights to share.
Fawkes (they/them)
Project & Community Manager - Microsoft Edge
Bruce_McDonald (Copper Contributor)
Thanks for the update!
I am finding it very odd that there is not a lot of guidance on this subject. You would think there would be a simple article somewhere on the web saying "make the following settings and Edge is under control" 🙂
OR - every other admin worldwide has either figured it out OR is letting Edge update itself automatically and not worrying about auto updates.
Edge for Business (the browser itself) is very very good - if I can get the update cadence reeled in a bit for my users - that would just about make it perfect.
Cheers
Bruce
Bruce_McDonald I'm glad that Microsoft Edge is working well for your Enterprise environment! While we wait to hear back from the team, I will do my best to address your questions.
For documentation: this landing page is your go-to source for all MSFT Edge information. After a quick search, I came across details for this policy, which may help answer your question. (In full disclosure, this is not my feature area, so please use your own discretion regarding its applicability to you.)
From what I've heard from other Admins, they let the browser update automatically and just keep an eye on our shipping cadence. (Our releases roughly align with the Chromium schedule, in order to deliver cohesive browsing and developing experiences.) We also recommend allowing automatic updates to ensure that your machines receive any/all intermittent bug fixes or security patches.
Fawkes (they/them)
Project & Community Manager - Microsoft Edge