SOLVED

Found a bug in Edge 87 policy

%3CLINGO-SUB%20id%3D%22lingo-sub-1801503%22%20slang%3D%22en-US%22%3EFound%20a%20bug%20in%20Edge%2087%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1801503%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20whenever%20I%20enable%20this%20policy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%225.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F228160i31E7561D360B55FD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%225.png%22%20alt%3D%225.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20option%20in%20Edge%20which%20is%20related%20to%20secure%20DNS%20lookups%2C%20becomes%20unavailable%20and%20disabled%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%221.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F228161i43439B9AC0AC3FE0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%221.png%22%20alt%3D%221.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20see%20no%20relation%20between%20the%202%20options.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ein%20Edge%20policy%20I%20only%20have%20this%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%222.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F228162i59D41F315B9C6C39%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222.png%22%20alt%3D%222.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhich%20should%20only%20apply%20to%20this%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%223.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F228163iB10D8EED5EF206BD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%223.png%22%20alt%3D%223.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eand%20not%20other%20settings.%20so%20In%20my%20perspective%20this%20is%20a%20bug%2Funwanted%20behavior.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'll%20report%20it%20using%20feedback%20button%20on%20Edge%20too.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdge%20Dev%2087-88%3C%2FP%3E%3CP%3EWindows%2010%2020H2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20for%20any%20reason%20this%20is%20actually%20an%20expected%20behavior%2C%20please%20let%20me%20know%20with%20some%20explanation%2C%20thank%20you.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1801503%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E87%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3E88%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EBUG%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edev%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEdge%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFeedback%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPolicy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eproblem%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1801624%22%20slang%3D%22en-US%22%3ERe%3A%20Found%20a%20bug%20in%20Edge%2087%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1801624%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3BHi!%26nbsp%3B%20I'm%20checking%20with%20our%20team%20about%20what%20you've%20noticed%20when%20DefaultGeolocationSetting%26nbsp%3Bis%20enabled.%26nbsp%3B%20I'll%20follow%20up%20once%20I%20can%20gather%20some%20information.%26nbsp%3B%20Thanks!%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20data-unlink%3D%22true%22%3E%3CEM%3E-Kelly%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1801821%22%20slang%3D%22en-US%22%3ERe%3A%20Found%20a%20bug%20in%20Edge%2087%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1801821%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3B-%20If%20the%20browser%20detects%20that%20the%20user%20is%20in%20a%20%E2%80%9Cmanaged%E2%80%9D%20environment%2C%20then%20DoH%20can%20be%20configured%20only%20by%20policy%2C%20not%20the%20end-user.%20That%E2%80%99s%20because%20Enterprise%20environments%20often%20have%20specific%20requirements%20for%20network%20configuration%20that%20are%20more%20likely%20to%20be%20broken%20by%20Secure%20DNS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20Windows%2C%20that%20detection%20shouldn't%20be%20tied%20to%20whether%20you've%20set%20a%20policy--%20it%20should%20instead%20be%20tied%20to%20%3CA%20href%3D%22https%3A%2F%2Fsource.chromium.org%2Fchromium%2Fchromium%2Fsrc%2F%2B%2Fmaster%3Achrome%2Fbrowser%2Fnet%2Fstub_resolver_config_reader.cc%3Bl%3D226%3Bdrc%3D929e790ad17a54008b3dac86cbe30751c968c2ce%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ewhether%20the%20machine%20is%20domain%20joined%3C%2FA%3E.%20On%20Mac%2C%20it%20looks%20like%20it%20may%20be%20tied%20to%20whether%20any%20policy%20is%20set.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fblog.chromium.org%252F2020%252F05%252Fa-safer-and-more-private-browsing-DoH.html%26amp%3Bdata%3D04%257C01%257CEric.Lawrence%2540microsoft.com%257C6783d1fd4c884705880d08d87556139f%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637388359969570642%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DnzC%252FQmyf%252BNIPzz0rf99X4xD27TEgokZDltFdwg%252BXUA4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.chromium.org%2F2020%2F05%2Fa-safer-and-more-private-browsing-DoH.html%3C%2FA%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EIf%20you%20are%20an%20IT%20administrator%2C%20Chrome%20will%20disable%20Secure%20DNS%20if%20it%20detects%20a%20managed%20environment%20via%20the%20presence%20of%20one%20or%20more%20enterprise%20policies.%20We%E2%80%99ve%20also%20added%20new%20DNS-over-HTTPS%20enterprise%20policies%20to%20allow%20for%20a%20managed%20configuration%20of%20Secure%20DNS%20and%20encourage%20IT%20administrators%20to%20look%20into%20deploying%20DNS-over-HTTPS%20for%20their%20users.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1802819%22%20slang%3D%22en-US%22%3ERe%3A%20Found%20a%20bug%20in%20Edge%2087%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1802819%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317619%22%20target%3D%22_blank%22%3E%40ericlaw%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EThank%20you%2C%20that%20makes%20sense%20in%20enterprise%20environment%2C%3C%2FP%3E%3CP%3Ebut%20I%20only%20downloaded%20the%20latest%20policy%20files%20and%20installed%20them%20on%20my%20personal%20non-managed%20Windows%2010%2020H2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Honored Contributor

So whenever I enable this policy

 

5.png

 

This option in Edge which is related to secure DNS lookups, becomes unavailable and disabled

 

1.png

 

I see no relation between the 2 options.

 

in Edge policy I only have this

 

2.png

 

which should only apply to this

 

3.png

 

and not other settings. so In my perspective this is a bug/unwanted behavior.

 

I'll report it using feedback button on Edge too.

 

Edge Dev 87-88

Windows 10 20H2

 

if for any reason this is actually an expected behavior, please let me know with some explanation, thank you.

 

8 Replies

@HotCakeX Hi!  I'm checking with our team about what you've noticed when DefaultGeolocationSetting is enabled.  I'll follow up once I can gather some information.  Thanks!

 

-Kelly

@HotCakeX - If the browser detects that the user is in a “managed” environment, then DoH can be configured only by policy, not the end-user. That’s because Enterprise environments often have specific requirements for network configuration that are more likely to be broken by Secure DNS.

 

On Windows, that detection shouldn't be tied to whether you've set a policy-- it should instead be tied to whether the machine is domain joined. On Mac, it looks like it may be tied to whether any policy is set.

 

https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html

If you are an IT administrator, Chrome will disable Secure DNS if it detects a managed environment via the presence of one or more enterprise policies. We’ve also added new DNS-over-HTTPS enterprise policies to allow for a managed configuration of Secure DNS and encourage IT administrators to look into deploying DNS-over-HTTPS for their users.

@ericlaw 
Thank you, that makes sense in enterprise environment,

but I only downloaded the latest policy files and installed them on my personal non-managed Windows 10 20H2

 

@HotCakeX The "Your browser is managed by your organization" banner in your Settings screenshot indicates that your system is "Managed".

I misread the Chromium code-- the check falls through, so if your machine has any policies set (see about:policy), it's deemed "Managed": 

 

if (base::IsMachineExternallyManaged())  // <-- this is the domain join check 
return true;
#endif
#if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
if (g_browser_process->browser_policy_connector()
                  ->HasMachineLevelPolicies())  // <-- this is the policy check
return true;
#endif

@ericlaw 

Hi,

okay so I just tried this, instead of using computer configuration, i used user configuration group policies,

but I'm still getting the managed device banner and basically the same result

 

1.png

 

gfdgdgd.png

 

By "machineLevelPolicies" you mean the policies that are under "Computer Configuration" right? then no I have nothing set under that, just 1 policy under "User Configuration"

Best Response confirmed by HotCakeX (Honored Contributor)
Microsoft Verified Best Answer
Solution
The nomenclature used in the code is a bit misleading; by "machine level policies" they mean policies set by the platform policy provider (on Windows, that's Group Policy). Basically, if you see anything listed in about:policy (even a dummy policy name that doesn't really exist) the device is considered "Managed" and you'll get the "Managed Device" banners and end-user configuration of Secure DNS will be blocked in about:settings.
That clears up the confusion, thank you very much