SOLVED

Edge 116 Beta: Policies are blocked if MDM-Managed & Userprofile-Sync personal Account

On the most current Edge Beta & Dev Versions there is a NEW BUG regarding accepting the Configuration of "sensitive Policies", which need the device to be Enterprise Managed (AD-joined or MDM-enrolled). [Edit on the next day, 22.08.2023: see the newer post below; not only sensitive Policies but many more policies are ignored! Therefore I modified the title of this Discussion and removed "sensitive".]

First, the affected Versions are:

Beta: Version 116.0.1938.54
Dev: Version 117.0.2045.1

NOT affected, still working as expected, is:
Stable: Version 115.0.1901.203

To reproduce the issue, use a Windows 10 or Windows 11 22H2 Machine which is MDM-enrolled.

Fresh Edge-Browser install, first with NO Profile Sync / logged-on User Account in Edge: OK; the Policies work and are applied, as you see in this screenshot:

[screenshot: edge://policy showing the policies as applied]

Now enable Profile-Sync / log on with a personal Microsoft Account in the Edge Browser (Profile). After syncing the Profile, restart the Browser. => Problem: the Device is not recognised as "MDM-Enrolled" any more, and the "sensitive policies" are now ignored:

[screenshot: edge://policy showing the sensitive policies as ignored]

If you "sign out" (no need to delete Favorites, just "sign out" is enough), the policies start working again after the next browser start:

[screenshot: edge://policy showing the policies as applied again after sign-out]

As I already said in the beginning, this is a "brand new" problem in the most recent Beta and Dev Versions. It was definitely not there in last week's Beta Version (I think Beta Version 116.0.1938.51 was still OK). And the problem is not there in the current Stable, only in Beta & Dev.

So please look into this and fix this before it gets into Stable!

Thank you!

@mkruger @Kelly_Y I hope you are still working on the Edge team and can bring this to the attention of the right person? Thank you!

Not sure if this is an Edge Issue or an underlying Chromium Issue. If it is a Chromium Issue, it could maybe be this Change: https://chromium-review.googlesource.com/c/chromium/src/+/4762065/1?tab=comments

@Gunnar Haslinger Hello! You mentioned this is occurring when signing in with a personal MSA account. This might be related to the new Microsoft Edge for Business feature. Microsoft Edge for Business | Microsoft Learn

More information here: Microsoft Edge for Business FAQ - Microsoft Community Hub

If it is a separate issue, please let us know so we can investigate. Thanks!

-Kelly

Thanks @Kelly_Y for the pointer to Edge for Business, but no. I am not using the Edge for Business Preview and not even using Azure AD (Microsoft Entra ID login). The problem is as described above, not Edge for Business related.

- Gunnar

Apologies, I don't know if this is related, but I managed to resolve the issue by signing out of the Microsoft account within Edge.

Devices in question are not MDM-Managed.

Affected Policies: InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList and EnterpriseModeSiteListManagerAllowed

Stable Version 115.0.1901.203 - Policy Status OK regardless of Microsoft Account signed in/out
Stable Version 116.0.1938.54 - Policy Status Ignored when Microsoft Account signed in, Policy Status OK when Microsoft Account signed out

@Robert_Holcombe yes, I think your troubles are related to my Issue described above.

Last night (August 21st to 22nd) the new Edge v116.0.1938.54 Stable got rolled out via EdgeUpdate. Yesterday I wrote (see post above) that STABLE v115 is not affected so far. Today, with the rollout of v116, all machines using Stable are affected.

You are listing some affected policies: InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList and EnterpriseModeSiteListManagerAllowed - but those three policies are NOT so-called "sensitive Policies".

Yesterday, when I was writing my initial post above, I thought only the "sensitive Policies" are affected.

"Sensitive Policies" are Policies like e.g. those:

  • DefaultSearchProviderEnabled
  • PreventSmartScreenPromptOverride
  • SmartScreenAllowListDomains
  • HomepageIsNewTabPage
  • HomepageLocation
  • NewTabPageLocation
  • RestoreOnStartup
  • RestoreOnStartupURLs
  • AutoOpenFileTypes
  • CustomHelpLink

All "Sensitive Policies" are marked in the Microsoft Edge Policy Documentation as "This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro, or Enterprise instances enrolled for device management."

BUT: you are right, not only "Sensitive Policies" are affected by this behaviour; most of the other policies are affected as well and show up as ignored.

It seems @Kelly_Y has already pointed out the right core issue: it is Edge for Business, added with v116. But according to the documentation and FAQ for Edge for Business, it should not be activated by default without having a work profile.

Here we find the list of Policies which are filtered out as ignored when "Edge for Business" is used with an Enterprise personal browser (MSA profile) ... and "signing in" with a personal Microsoft Account to get Favorites synced seems to kick in this filtered mode regardless of whether Edge for Business is used or not. In my case it is NOT used, not activated. No visual signs like the "icon updated with the briefcase" show up. There is no "one-time banner [that] will appear at the top of the browser after first launching Edge for Business informing the user of the change with a link to learn more". None of these described experiences, which would give me an indication that "Edge for Business" is activated, are shown. No idea why the "Edge for Business" behaviour kicks in for a Browser only having a single Profile (which is a "Personal Profile"). There is NO Work Profile configured / available, so no idea why Edge thinks it should filter the policies out from the single profile available. We are not using Entra ID (which I read would enable Edge for Business by default).

So for me, stripping out almost all policies we set because the user is "signed in" with a personal Microsoft Account is a huge issue. If this is not a bug but behaviour wanted by Microsoft, they really have to immediately add a policy to configure this / turn this off. I understand the concept of "Edge for Business": to have a Work-Profile with the policies assigned and a Personal-Profile with most of the Policies stripped off. But in my case there is no Work-Profile and Edge for Business is not used. So with Edge v116 all Users can just disable almost all Policies by simply signing in with a Microsoft Account to sync their Favorites. That's crazy.

Asking @Kelly_Y, @mkruger for help and advice.

So if I want to use Edge with policies, I have to use a local account, hilarious. Edge forcing me not to use MSA, lol. Well, sync does not work properly anyway, cards get removed, so I might as well do it.

@TairikuOkami as a (temporary) workaround you can set the Policy RestrictSigninToPattern to something like ".*@no-signin-allowed".

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge -> RestrictSigninToPattern
(Type: REG_SZ) Value e.g.: ".*@no-signin-allowed"

If you do this (and restart Edge, I needed to restart twice) the Sync with personal Microsoft Accounts gets paused and the Policies work again. 
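An added example (not from the thread or from Microsoft) that scripts the workaround above for a fleet: it reads the installed Edge build, writes the RestrictSigninToPattern REG_SZ value described in the post while the build is below the Stable release the thread later reports as fixed, and removes the value again once the build is at or above it. Assumptions: the default install path of msedge.exe under Program Files (x86), the affected Stable/Beta build 116.0.1938.54 and the fixed Stable build 116.0.1938.62 as stated in this thread, and an elevated PowerShell session. The function names are mine.

```powershell
# Added example, not part of the original thread. Run as Administrator.
# Assumptions: msedge.exe at the default install path; build numbers taken
# from this thread (116.0.1938.54 affected, 116.0.1938.62 fixed on Stable).
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName   = 'RestrictSigninToPattern'
$BlockPattern = '.*@no-signin-allowed'   # matches no real account, so sign-in is blocked
$FixedBuild   = [version]'116.0.1938.62'

function Get-EdgeVersion {
    # Assumed default install location; returns $null if Edge is not installed there.
    $exe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
    if (-not (Test-Path $exe)) { return $null }
    [version](Get-Item $exe).VersionInfo.ProductVersion
}

function Get-SigninPolicy {
    # Current value of the policy, or $null when it is not set.
    if (-not (Test-Path $PolicyKey)) { return $null }
    (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
}

function Enable-SigninBlock {
    # Machine-wide policy: blocks MSA sign-in (and thus sync) for every user on this device.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType String `
        -Value $BlockPattern -Force | Out-Null
}

function Disable-SigninBlock {
    Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
}

$ver = Get-EdgeVersion
Write-Host "Edge version: $ver"
if ($null -ne $ver -and $ver -lt $FixedBuild) {
    Enable-SigninBlock
    Write-Host "Workaround applied: $PolicyName = '$(Get-SigninPolicy)'. Restart Edge (twice if needed)."
} else {
    Disable-SigninBlock
    Write-Host "Build $ver is at or above $FixedBuild (or Edge not found); workaround removed."
}
```

The version comparison is only meaningful within the Stable channel; Dev and Canary builds carry higher numbers and, as the thread shows, were fixed on their own schedule, so on those channels decide from the edge://policy page rather than from this script. Because the value lives under HKLM it also blocks sign-in for any work account on the device, which is why the script removes it as soon as the fixed build is present.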

@Gunnar Haslinger @Robert_Holcombe @TairikuOkami Thank you for your feedback and for reaching out! I've heard an update from the team. In scenarios where there is only a single MSA profile and no work profile configured, policies should not be filtered out. They just made this update, and the change should already be available in Stable 116.

Please test and let us know if you are still having issues. Thanks!

-Kelly

Thanks @Kelly_Y, but I checked both Edge Stable 116.0.1938.54 as well as Beta 116.0.1938.54 ... no newer update is offered and the behaviour is as already described: only one single MSA Profile is configured and the policies show up as "ignored", as already shown in the screenshots.

@Gunnar Haslinger I believe this change is not being delivered via new Microsoft Edge versions. Could you try restarting or signing out and then signing back in with the MSA account to see if the behavior has changed? Thanks!

-Kelly

@Kelly_Y

  • Restarting the Edge Browser doesn't change anything
  • Sign out from MSA and restart the Browser: now (with disabled sync) the Policies are OK and work
  • Sign in again to enable Sync, restart the Browser -> the Problem is back, Policies show up as "ignored" and don't work as before.

Seems to be resolved now in Version 116.0.1938.54 (Official build), new update appears to have been pushed in the last hour.

Thanks all, appreciate the detailed responses @Gunnar Haslinger 

@Robert_Holcombe there is no Update offered to my clients here.

Still unchanged Version 116.0.1938.54 Stable, behaviour unchanged as described.

I even tried to download a fresh MSI-File from https://www.microsoft.com/de-de/edge/business/download?form=MA13FJ but it is identical, unchanged - Authenticode signed last Friday.

So I will patiently wait for the magic to happen ;)

Same here, not fixed yet, but I am OK with the workaround till the next version gets released. I just sign out, restart the browser, then log in and it is OK till I restart the browser, so I just have to avoid closing it.

@Kelly_Y
This situation is unacceptable, and I've already pushed out a rollback to 115.0.1901.203 through group policy. Edge must respect all policy settings for all profiles.

Can I / we have some confirmation whether this is a bug or an intended feature? If it's the latter, I would suggest that Microsoft needs to reassess ASAP.

We've been getting a ton of help desk tickets on this issue. We use Compatibility Mode for a few critical internal applications, and this update has prevented most of my customers from accessing those sites. We've been signing users out as mentioned above and that worked for some, but for most of the customers we've had to remove the profile. We didn't realize at the time, but this also removed the customer's Favorites. So now we have upset customers on top of it.

@meveritt Just to confirm, this thread is specifically about policy filter issues when a user does not have a Microsoft Entra ID login (AAD profile), only an MSA profile. Is this also your scenario?

@JayJayDoubleU The team has mentioned they made an update and IE mode policies should start being applied to the MSA profile. This fix should be included in the next Microsoft Edge Stable v116 update.

-Kelly

@Kelly_Y Thank you for your response. Yes, this is about certain administrator-defined policies not being applied on any profile that has a signed-in non-corporate Microsoft account, as described by @Gunnar Haslinger. It actually affects any domain-joined computer, not just AAD-joined.

The upshot is that Edge 116 is pushing consumer-level features at our users, when we have specifically set those to be disabled in group policy. I hope it's obvious that this is unacceptable, and untrustworthy behaviour.

We've already rolled back to 115.0.1901.203, and need to know - actually quite urgently - whether this is a bug or an intended change. As I said previously, if it IS an intended change, I think a) Microsoft ought to reconsider ASAP, and at the very least provide an option to override it; and b) Microsoft ought to be honest about it, because the current assumption in chatter across the Internet at the moment is that it's a bug.

Edge has no future in our organisation if it's going to start ignoring specified policy in order to push consumer features at our users.

Hey,

I posted yesterday that it appeared to have been resolved; this appears to only be the case for Windows 10 devices, not Windows 11.

My sample size is pretty small, maybe others can confirm.

@Kelly_Y I can now confirm that in the "single MSA Profile Sync Scenario" the filtered Edge Policies are now working again on the following Versions:

Edge Dev Version 117.0.2045.7
Edge Canary Version 118.0.2057.0

Still unchanged (not working) are those Versions which didn't get an Update so far:
Edge Beta Version 116.0.1938.54
Edge Stable Version 116.0.1938.54

Tested on both OSes: Windows 10 v22H2 as well as Windows 11 v22H2.

Accepted Solution (best response confirmed by Gunnar Haslinger)

@meveritt Great! Thank you for testing and following up!

Yes, Stable Version 116.0.1938.62 was released today. For other folks on the thread, please let us know once you are able to test.

Have a great weekend, everyone!

-Kelly