Disable de-elevation in Edge

Iron Contributor

Hello,

 

It looks like it is now default behavior for Edge to de-elevate when it is launched as administrator. While I understand the security benefits of this choice, there are use cases in our environment that this interferes with for which another browser must be used. 

 

It looks like there was at one point a flag to control this behavior, but it is not present and I cannot find an equivalent policy. I can get it to stay elevated if I adjust compatibility options for the .exe, but I don't want the browser to run elevated at all times, just when necessary. 

 

Does anyone know a way to prevent Edge from de-elevating when it is intentionally launched as administrator? 

 

Thanks!

Andrew

5 Replies

@AndrewSAIF Hi!  I just spoke with our developers and if this is necessary you could try launching MS Edge with --do-not-de-elevate parameter and it will stop the auto de-elevate behavior.   

 

Also, our developers were wondering if you could share more information about your specific use cases when you need to run the browser elevated.  Let us know if you can share any info!  Thanks! 

 

-Kelly

@Kelly_Y 

Hi Kelly,

Thanks for the quick response and suggestion. I'm glad that parameter exists, but unfortunately I don't think it will help for our particular use case (an application opens the machine's default browser to a web page, not from a shortcut). Is there an equivalent registry value for this?

After digging into this issue a little more, I think perhaps that it's not the de-elevation itself that is causing problems, but that it does not always de-elevate as the same user that started the process.


Here's an example they should be able to duplicate:

  1. Log into a machine as a standard user (User 1)
  2. Run PowerShell as administrator (User 2)
  3. Enter credentials for User 2 
  4. Run Start-Process msedge.exe

The Edge process initially opens as User 2, then de-elevation kicks in and re-launches the process as User 1. 

 

A use case where this would become important is where IWA is used, and User 1 and User 2 have different access. If you launch a browser targeting a particular page as User 2, it de-elevates and re-launches as User 1, and SSO signs User 1 in. 

 

This obviously isn't a problem if you 'Run as other user' rather than 'Run as administrator', so this is an OK workaround, but there are two problems I found with this:

  1. If you have the policy BrowserSignin set to 2, and you launch Edge as another user that does not yet have an Edge profile, the login prompt appears, but does not allow you to interact with it. This might be a bug. 
  2. There doesn't appear to be a way to launch Windows Terminal as another user without launching it as administrator.

We are in the process of hybrid joining our machines, so I'll be able to do away with BrowserSignin soon. We can also just steer people toward other terminal apps and have them run without elevation. 

 

We noticed this behavior using the Okta ASA product, but I'd imagine there are other use cases as well. 

 

Hope this helps!

Andrew

@AndrewSAIF Hello!  Some additional information I wanted to pass along: 

 

"If you want to disable the auto de-elevate while launching a webpage or file from another program, it's possible if that program uses ShellExecute(Ex) with the "runas" verb, it's also possible to use in Powershell using Start-Process <URL> -verb runas​

 

MS Edge currently doesn't have a policy or other persisted setting like a reg key for this."

 

Thanks! 

 

-Kelly

@Kelly_Y 

Thanks for the info, Kelly. I appreciate the advice, but I don't have control over the way the application we are using launches the browser unfortunately. 

 

The way that it switches to the logged in user rather than the user that started the elevated process seems like an unintended consequence of this feature. Also, the incompatibility with the BrowserSignin policy seems like a bug. Are there any plans to address these issues? 

 

If not, would it be possible to implement a flag/registry value/group policy so system administrators can optionally disable the feature? We'd like it if folks used Edge, but I have multiple users demanding to have Chrome set as their default browser because of this feature. 

 

Thanks! 

Andrew

@Kelly_Y 

Hi there,

 

Just checking in to see if there has been any consideration of the issues I raised. 

 

Thanks,

Andrew