Edge is allowed to run in locked-down kiosk config


I'm deploying an assigned access XML (https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml) in order to create a kiosk that's used by non-company individuals to run specific programs only.


My understanding of how this is supposed to work is allowed applications that are defined in my XML are allowed to run, but other applications are not. However, despite not including Chromium Edge in my configuration XML, the Edge executable is being allowed to run. I've confirmed this through the "EXE and DLL" Applocker event viewer log file. This is an issue because one of the applications on the kiosk has a UI option that opens a site using the default browser, which is Edge.


One workaround I've found is to downgrade Chromium Edge to Legacy Edge, which is correctly blocked from running, as it has not been explicitly allowed. I could also implement Edge policies to limit the UI so that navigation, address bar, etc. are not available, but that doesn't seem like a good solution.


I am wondering why Edge is being allowed to run in my locked-down kiosk configuration. Is there a reason why Edge runs despite not being explicitly allowed? Is there a way to change this behavior?
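The poster confirmed the behaviour through the AppLocker "EXE and DLL" event log. The following PowerShell is an added example (not part of the original post and not Microsoft's own tooling) that pulls the AppLocker allow/block decisions for the Edge executable out of that log and shows which policy and rule produced each decision, which is the first thing to check when an unexpected binary runs on a kiosk. It assumes the standard AppLocker event IDs (8002 allowed, 8003 audit-only, 8004 blocked) and the usual EventData field names (`PolicyName`, `RuleName`, `RuleId`, `FilePath`); the executable name filter `msedge.exe` is the Chromium Edge binary name.

```powershell
# Added example: summarise AppLocker EXE/DLL decisions for a given executable.
# Run in an elevated PowerShell on the kiosk device after reproducing the launch.

param(
    # Executable to look for; msedge.exe is Chromium Edge's process name.
    [string]$ExeName = 'msedge.exe',
    # How far back to search.
    [int]$Hours = 24
)

$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# AppLocker decision event IDs in the EXE and DLL log.
$decisionNames = @{
    8002 = 'ALLOWED'
    8003 = 'AUDIT (would be blocked in enforce mode)'
    8004 = 'BLOCKED'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = @(8002, 8003, 8004)
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No AppLocker decision events found in '$logName' for the last $Hours hour(s)."
    return
}

$rows = foreach ($e in $events) {
    # Field names below are the AppLocker EventData names as assumed here.
    [xml]$x = $e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['FilePath'] -notmatch [regex]::Escape($ExeName)) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Decision   = $decisionNames[[int]$e.Id]
        FilePath   = $data['FilePath']
        PolicyName = $data['PolicyName']
        RuleName   = $data['RuleName']
        RuleId     = $data['RuleId']
    }
}

if (-not $rows) {
    Write-Host "No AppLocker decisions for '$ExeName' in the last $Hours hour(s)."
} else {
    # Group by decision and rule so a single allow rule matching many launches is obvious.
    $rows | Group-Object Decision, RuleName | ForEach-Object {
        Write-Host ("{0,-45} count={1}" -f $_.Name, $_.Count)
    }
    $rows | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Usage: `.\Get-AppLockerDecision.ps1 -ExeName msedge.exe -Hours 48`. The `RuleName` and `PolicyName` columns tell you whether the allow came from a rule you authored in the assigned access XML or from a rule you did not write; comparing `RuleId` against `Get-AppLockerPolicy -Effective -Xml` on the same device shows the full rule that matched.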

0 Replies