SOLVED

Windows 10 WIP rules and Chromium Edge cannot access Sharepoint Online ERR_BLOCKED_BY_ADMINISTRATOR

Hi all,

A few weeks ago SharePoint Online access via the Edge (Chromium) browser stopped working from our AAD-joined + Intune Windows 10 (2004) computers.

 

Error from Edge:

You don’t have access to this content

Try accessing the site again using a profile connected to your work or school account. Learn more. If the problem continues, contact your administrator.

ERR_BLOCKED_BY_ADMINISTRATOR

I suspect the issue has something to do with the Windows Information Protection (WIP) policy because of the error message and since IE still works.

 

There is no briefcase icon in the Edge address bar.

Intune App Protection has a Windows Information Protection (WIP) policy. The policy has both the WIPMode-Allow and WIPMode-Exempt policy XML files added. It had worked for a few months up to a couple of weeks ago. We have not touched any policy.

MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml

MsEdge - WIPMode-Exempt - Enterprise AppLocker Policy File.xml

Also, the WIP policy does have a Network Boundary for SharePoint:

(Image: Edit network boundary.png)

Any suggestions?

 

Thanks!

8 Replies

FYI: Case with Microsoft Support on this.

My affected version: 85.0.564.63 (Official build) (64-bit)

When downloading version 84 everything started working again. When Edge auto-updated back to 85.x the problem came back again. Microsoft have escalated the case.

@Björn Lagerwall 

Any news on this issue? We have the same problem with Edge.

@fbiermaier hey, no, waiting on an update from Microsoft Support. The case is escalated but I cannot say to which level.

Probably something with AppLocker and that version of Edge that stopped working. Seeing some stuff in the AppLocker logs I sent to MS Support.

@Björn Lagerwall I seem to be having the same problem when I try to reach an internal resource all of a sudden as well. Could reach it without any issues before using Edge. Have to switch to the Chrome browser to continue operations.

I'm wondering if this could be caused by some group policy as we just updated the admx files in the central store.

@Dadoks Hey, 

I have the case up at engineering now and they want me to test more stuff. Hopefully I get time today to test. I'll post my findings here.

BR
Björn

@Björn Lagerwall Please let us know what your results are. I also noticed that the issue seems to be particular to systems that have received the Win10 20H2 update. Hope that helps you narrow down and simulate the cause.

@Dadoks yeah, will post here. Case is still ongoing. Apparently the Edge Team and WIP Team are now looking into the issue.

Using an older version of Edge (ver 85 if I recall correctly) it started to work again. But then Edge auto-updated and it stopped once again.

Hopefully they find it soon; granted, it is a complicated issue, but still a long-running case.

best response confirmed by Björn Lagerwall (Brass Contributor)
Solution
Hi all,

Got a suggestion from Microsoft Support to change the corporate identity in the WIP policy from the tenant name to our AD name and it worked!

See the explanation below from Microsoft Support.

Resolution: We made a change in Edge 85-86 to check the domain of the profile's AAD identity instead of automatically treating all AAD identities as a work profile.
In your case, the corporate identity was contoso.onmicrosoft.com, and your Work profile was contoso.com. We confirmed by checking edge://edge-dlp-internals/#NetworkIsolation-policies and seeing that EnterpriseNetworkDomainNames was blank. After making the change of the corporate identity to contoso.com, you can now access your SharePoint site.
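The check Microsoft Support describes above can be turned into a small policy audit an admin can run before rolling out a WIP policy: compare the domain of the work profile's UPN against the corporate identity domains and predict whether Edge will treat the profile as a work profile, and therefore whether a site inside the network boundary will load or fail with ERR_BLOCKED_BY_ADMINISTRATOR. The following is an added example written for this thread; it is a model of the behaviour described in the support reply, not Edge's or Microsoft's own code. It assumes that multiple corporate identities are separated with `|`, that the comparison is an exact, case-insensitive domain match, and it uses a constructed network boundary list (`SAMPLE_BOUNDARY`) in place of a real policy.

```python
"""Model of the Edge 85+ WIP work-profile check described in the thread.

Added example: reconstructs the logic from the Microsoft Support reply
(corporate identity domain must match the AAD profile's domain). The
'|' separator and exact-match comparison are assumptions, not documented
Edge behaviour.
"""
from urllib.parse import urlsplit

# Constructed sample network boundary, mirroring the contoso example.
SAMPLE_BOUNDARY = ["contoso.sharepoint.com", "contoso-my.sharepoint.com"]


def parse_corporate_identity(value):
    """Split the WIP 'corporate identity' field into normalised domains.

    Assumption: several identities are separated with '|'.
    """
    return [d.strip().lower() for d in value.split("|") if d.strip()]


def upn_domain(upn):
    """Return the domain part of a user principal name, e.g. contoso.com."""
    if "@" not in upn:
        raise ValueError("not a UPN: %r" % upn)
    return upn.rsplit("@", 1)[1].lower()


def profile_is_work(corporate_identity, profile_upn):
    """Edge 85-86 behaviour per the support reply: the AAD profile is a
    work profile only if its domain matches a corporate identity domain."""
    return upn_domain(profile_upn) in parse_corporate_identity(corporate_identity)


def enterprise_network_domains(corporate_identity, profile_upn, boundary):
    """What edge://edge-dlp-internals would list as EnterpriseNetworkDomainNames:
    the policy's network boundary when the profile is recognised, else blank."""
    if profile_is_work(corporate_identity, profile_upn):
        return list(boundary)
    return []


def host_in_boundary(host, boundary):
    """True if host equals, or is a subdomain of, a boundary domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in boundary)


def check_access(url, corporate_identity, profile_upn, boundary):
    """Predict Edge's verdict for a URL under the modelled WIP policy."""
    host = urlsplit(url).hostname or ""
    if not host_in_boundary(host, boundary):
        return "not an enterprise resource"
    if enterprise_network_domains(corporate_identity, profile_upn, boundary):
        return "allowed"
    return "ERR_BLOCKED_BY_ADMINISTRATOR"


def audit(corporate_identity, profile_upn):
    """One-line finding an admin can act on before users hit the error."""
    if profile_is_work(corporate_identity, profile_upn):
        return "OK: corporate identity covers %s" % upn_domain(profile_upn)
    return ("MISMATCH: corporate identity %r does not contain profile domain %r; "
            "EnterpriseNetworkDomainNames will be blank in Edge 85+"
            % (corporate_identity, upn_domain(profile_upn)))


if __name__ == "__main__":
    site = "https://contoso.sharepoint.com/sites/hr"
    for identity in ("contoso.onmicrosoft.com", "contoso.com"):
        print(audit(identity, "alice@contoso.com"))
        print("  ", site, "->", check_access(site, identity, "alice@contoso.com", SAMPLE_BOUNDARY))
```

Running the block reproduces the thread: with the tenant name as corporate identity the audit reports a mismatch and the SharePoint URL is predicted to be blocked; with the AD domain it is allowed. A real policy can carry several identities, so the audit should be run once per UPN domain that signs in to the devices.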