Example of well-formed local network domain name in relevant ActiveDirectory policies governing Edge


There are several Active Directory policies governing Edge behavior that ask for a domain name: SmartScreenAllowListDomains, AutoOpenFileTypes and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings, for example.

 

In the context of a ClickOnce desktop application deployment to an intranet website, where the internal (not public facing) installer web page would be referenced as follows:

 

https://myintranetwebserver/apps/appname/publish.htm

 

1. How would these Edge policy registry entries refer to the domain? Is it the internal domain to which myintranetwebserver belongs, i.e. *.ourdomain.net or perhaps https://*.ourdomain.net? Or is it https://myintranetwebserver or https://*.myintranetwebserver?

 

[SIDE NOTE: the intranet web server has a self-signed SSL certificate which is imported into the appropriate certificate store on user machines to allow for SSL encryption between user desktops and the intranet web server.]

 

2. When specifying AutoOpenFileTypes, is there a way to avoid making them global and only applicable to specified domains, as can be done with ExemptDomainFileTypePairsFromFileTypeDownloadWarnings, where a file-type extension is linked to an array of domain names?

 

3. What is the expected combined behavior when policies for both AutoOpenFileTypes and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings appear in the registry?

 

Are there precise definitions (rather than simple bullet-type blurbs) for the behavior of each of those settings?

 

 

2 Replies

@lloydmalvern Hi again! 

 

For AutoOpenFileTypes, you can use the AutoOpenAllowedForURLs in conjunction. Here is the documentation: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#autoopenallowedforurls which also contains a link to the URL pattern documentation: https://docs.microsoft.com/en-us/DeployEdge/edge-learnmmore-url-list-filter%20format

 

If you are working on deploying MS Edge, have you heard of our FastTrack team (https://www.microsoft.com/en-us/fasttrack/microsoft-365/microsoft-edge)? They can help with configuring MS Edge for your organization and provide guidance with these policies.  

 

Hopefully this will help with some of your questions.

 

-Kelly

Thanks very much for the links to the current policies. I can't get it to work. Edge is still blocking setup.exe.

To confirm the domain, I open Edge and type the following into the address bar:

https://MYDEVMACHINENAME/ClickOnce/TestApp/publish.htm

The ClickOnce publish.htm for TestApp is successfully opened in the browser.

There is a registry entry to enable ClickOnce:

Policies->Microsoft->Edge
ClickOnceEnabled.............REG_DWORD........................0x00000001 (1)

 

In the registry the domain has been exempted from file type warnings:

 

Policies->Microsoft->Edge->ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

1.............REG_MULTI-SZ  {"file_extension":"exe","domains":["https://MYDEVMACHINENAME"]}
ClickOnceEnabled.............REG_DWORD........................0x00000001 (1)


exe is specified in AutoOpenFileTypes key in the registry:

Policies->Microsoft->Edge->AutoOpenFileTypes
1.......REG_SZ................exe

And in AutoOpenAllowedForURLs in the registry I've added the path to the IIS web-application above

Policies->Microsoft->Edge->AutoOpenAllowedForURLs
1.......REG_SZ................https://MYDEVMACHINENAME/ClickOnce

NOTE: The case-sensitivity matches.

Do I have to specify the full path?

https://MYDEVMACHINENAME/ClickOnce/TestApp

When I do that, there is no change to the behavior. Setup.exe is still blocked.
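
A read-only audit of the policy keys discussed in this thread, added here as an example and not code from any poster or from Microsoft: it lists AutoOpenFileTypes, AutoOpenAllowedForURLs and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings and flags auto-open file types that have no URL restriction, plus exemption entries that do not parse as JSON. The hive paths (HKLM and HKCU under SOFTWARE\Policies\Microsoft\Edge) and the function names are assumptions of the example.

```powershell
# Added example (not from the thread): report how Edge auto-open policies are scoped.
# Assumes the policy hives HKLM/HKCU:\SOFTWARE\Policies\Microsoft\Edge.
function Get-EdgeListPolicy {
    param([string]$Root, [string]$Name)
    $path = Join-Path $Root $Name
    if (-not (Test-Path -Path $path)) { return }
    $key = Get-Item -Path $path
    # List policies are values named 1, 2, 3...; GetValue returns a string for
    # REG_SZ and a string[] for REG_MULTI_SZ, and the pipeline flattens both.
    $key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { $key.GetValue($_) }
}

function Test-EdgeAutoOpenScope {
    param([string]$Root)
    $types  = @(Get-EdgeListPolicy $Root 'AutoOpenFileTypes')
    $urls   = @(Get-EdgeListPolicy $Root 'AutoOpenAllowedForURLs')
    $exempt = @(Get-EdgeListPolicy $Root 'ExemptDomainFileTypePairsFromFileTypeDownloadWarnings')

    $findings = @()
    # Without a URL list, the auto-open file types are not limited to any site.
    if ($types.Count -gt 0 -and $urls.Count -eq 0) {
        $findings += "AutoOpenFileTypes ($($types -join ', ')) has no AutoOpenAllowedForURLs: applies to every URL"
    }
    foreach ($entry in $exempt) {
        try {
            $pair = $entry | ConvertFrom-Json -ErrorAction Stop
            if (-not $pair.file_extension -or -not $pair.domains) {
                $findings += "Exemption entry lacks file_extension or domains: $entry"
            }
        } catch {
            $findings += "Exemption entry is not valid JSON: $entry"
        }
    }
    [pscustomobject]@{
        Hive             = $Root
        AutoOpenTypes    = $types
        AutoOpenUrls     = $urls
        ExemptionEntries = $exempt
        Findings         = $findings
    }
}

'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge' |
    ForEach-Object { Test-EdgeAutoOpenScope -Root $_ } | Format-List
```

The values the browser actually loaded can be compared against this output on the edge://policy page.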