Apr 20 2021 02:45 PM
We have 86,000 health computers we are migrating to Microsoft Edge from IE 11.
In Group Policy for IE if you add "pop-up allow list" at a root group policy, and then another lower group policy the pop-up lists MERGE. So pop-ups allowed in the root policy and pop-ups allowed in the lower policies BOTH get added to the computer.
This goes for all the other IE GPO settings.
However, for Microsoft Edge it is a REPLACE in policy and registry which is really, really bad for Enterprise.
If we allow 20 sites to not block popups then those 20 sites should remain EVEN if a subset of the organization wants to add their own sites to the list.
The same seems to go for all these "list" type Edge policies. Anything that has a list if it is set again, the list gets replaced instead of appended.
There is absolutely no reason why it is not working.
Group Policies have always been set to COMBINE, and in the case of the Edge Policies they also should combine, not replace.
Note the registry keys get replaced too.
Apr 20 2021 04:54 PM
@lforbes Hello! Can you clarify/explain a little about the root group policy and lower group policy you mentioned?
We had a previous discussion here about the ExtensionInstallForcelist policy, I think it is the same or very similar question to yours. Basically in that case MS Edge always applies the device policies after the user policies, so device will always win when there is a conflict between them.
Apr 20 2021 08:00 PM - edited Apr 20 2021 08:03 PM
Here is the structure.
All Health authorities = OU = Tier 1
Group Policy linked to OU = "User and IE Edge Settings All"
User Configuration - Admin templates
Microsoft Edge (latest ADMX) = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com
IE Settings = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com
Child OU = Health Authority A (so this OU is inside the above one) = Tier 2
"Health Authority A User and IE Edge Settings All"
Microsoft Edge (latest ADMX) = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
IE Settings = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
Group Policies with Lists are SUPPOSED to be "cumulative" so if you add a Trusted site or a popup for IE in the Parent OU and different ones in the child OU they "merge" together.
End result for computer inside Child OU.
IE Settings = Pop up blocker = Allow = *.domain1.com *.domain2.com *.domain3.com *.siteextra1.com *.siteextra2.com *.siteextra3.com
Microsoft Edge = Pop up blocker = Allow = *.siteextra1.com *.siteextra2.com *.siteextra3.com
So instead of Edge "appending" the registry key like IE does, the policy deletes the Tier 1 settings and applies only the Tier 2 settings.
Note we have thousands of group policies with lists like Applocker, IE settings, Office settings in multiple policies. Lists in ALL those policies are always combined for the end result.
Edge Policies are the only one where a list is blown away entirely and not appended to if another policy adds to the list.
Note that Computer settings for IE always overwrite the same User settings. That is 100% expected.
However, if we set computer settings for Edge with lists in multiple policies the lists are not merged regardless if it is extensions, or anything else.
Apr 21 2021 01:19 PM - edited Apr 21 2021 01:25 PM
GPOs are applied at the Windows level, independent of the application they are dealing with. When a GPO is applied, registry keys are simply created. Besides processing order there is, as far as I know, no further logic involved.
My assumption is:
For Edge registry keys may be created in the form of
Pop up blocker Allow\1\*.siteextra1.com
Pop up blocker Allow\2\*.siteextra2.com
Pop up blocker Allow\3\*.siteextra3.com
When a GPO for the same policy is applied on a different level, the numbering will start from 1 and will overwrite the existing values.
Maybe for IE the naming of the registry keys was different, for example like
If I'm right, this naming schema would lead to no conflicting registry values and the settings would appear as combined/merged.
But please don't take this for granted; it has been a while since I dealt with GPOs...
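The registry layout described in the post above can be checked directly on an affected workstation. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the Edge pop-up allow list that Group Policy actually wrote (Chromium-style policy lists are stored as REG_SZ values named "1", "2", "3", ... under the policy key) and reports which entries of an expected combined list are missing after the child-OU GPO has applied. The IE comparison path, the Tier 1/Tier 2 lists and the expected-list check are assumptions constructed for this example; run it after `gpupdate /force`.

```powershell
# Added example (not from the thread): audit the effective Edge pop-up allow list
# on a workstation and show why a second GPO replaces rather than merges it.
# Assumption: Edge list policies live under Software\Policies\Microsoft\Edge\<Policy>
# as values named "1","2","3",... (Chromium convention); a GPO at another OU level
# writes the same value names starting at "1", so it overwrites, not appends.

$edgeKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls',   # Computer Configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls'    # User Configuration
)

# Assumed IE policy path for comparison: the site itself is the value name, so two
# GPOs writing different sites never collide and the lists appear merged.
$ieKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\New Windows\Allow'

# Constructed lists mirroring the thread's Tier 1 (parent OU) and Tier 2 (child OU) GPOs
$tier1    = @('*.domain1.com', '*.domain2.com', '*.domain3.com')
$tier2    = @('*.siteextra1.com', '*.siteextra2.com', '*.siteextra3.com')
$expected = $tier1 + $tier2

function Get-EdgeListPolicy {
    # Returns the numerically named values under a Chromium-style list policy key,
    # sorted by index so the output matches the order Edge reads them in.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-Item $Path
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { [pscustomobject]@{ Index = [int]$_; Url = $item.GetValue($_) } }
}

function Test-ExpectedEntries {
    # Compares what the registry holds against the list both GPOs together were meant
    # to produce; anything missing here is what the replace-instead-of-merge behaviour ate.
    param([string[]]$Present, [string[]]$Expected)
    $Expected | Where-Object { $Present -notcontains $_ }
}

foreach ($key in $edgeKeys) {
    Write-Host "== $key"
    $entries = @(Get-EdgeListPolicy -Path $key)
    if ($entries.Count -eq 0) { Write-Host '   (key absent or empty)'; continue }
    $entries | ForEach-Object { Write-Host ('   {0,3}  {1}' -f $_.Index, $_.Url) }

    $missing = @(Test-ExpectedEntries -Present $entries.Url -Expected $expected)
    if ($missing.Count -gt 0) {
        Write-Warning ('Missing from {0}: {1}' -f $key, ($missing -join ', '))
    }
}

# IE side: value names are the sites themselves, so entries from both GPOs coexist.
Write-Host "== $ieKey"
if (Test-Path $ieKey) {
    (Get-Item $ieKey).GetValueNames() | ForEach-Object { Write-Host "   $_" }
} else {
    Write-Host '   (key absent)'
}
```

If the Edge key lists only indexes 1 to 3 holding the Tier 2 sites while the IE key lists all six, the workstation is showing exactly the replace behaviour the thread describes; `gpresult /h report.html` on the same machine will show both GPOs as applied, which confirms the loss happens at the registry write, not in policy filtering.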
Apr 21 2021 02:07 PM - edited Apr 21 2021 02:09 PM
The ADMX needs to be fixed with the later version so that it doesn't overwrite lists.
There should be no 1, 2, 3 etc it should just be keys.
Therefore the ONLY Overriding should be if the key is identical.
That is just the way group policies are supposed to work.
With IE there is a standard process for policies and it worked great. If Edge is supposed to replace IE as the standard browser, then they need to fix it so that it works well in Group Policy in the same way as IE does.
Apr 23 2021 03:40 PM
@lforbes I've just talked to the team that manages MS Edge policies and got some information.
Right now the experience is by design and aligns with Chrome and other Chromium based browser policies. The team has heard from other customers moving from IE to MS Edge and I have also passed along your scenario.
This is something they plan to investigate and try to improve but right now there is no ETA. Once more information is available we can follow up here. Thank you for your feedback!
Apr 23 2021 05:29 PM - edited Apr 23 2021 05:30 PM
Chrome doesn't have official supported updated ADMX Group Policies. It is NOT a corporate browser. It is NOT designed for Group Policy or corporate use.
It is a home-based browser, and the user-made ADMX for Chrome don't work most of the time. For example, if you set the home page to "run once" in Chrome, it doesn't even set at all.
Edge Chromium is being advertised as a replacement for Internet Explorer in a corporate world. Therefore it should not copy a crappy unsupported home browser.
Please realize that we have IE and we are trying to migrate away from it. I have 86,000 workstations and we cannot upgrade them until they can fix Edge to run like IE.