Forum Discussion
July 12, 2022—KB5015807 (OS Builds 19042.1826, 19043.1826, and 19044.1826)
was in contact with Microsoft, they have multiple cases of the same issue, patch breaking IE-mode. They're looking into it.
Meanwhile, I notice it has been mentioned on the website, have a look at:
https://support.microsoft.com/en-us/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41
The solution is to use Known Issue Rollback as workaround.
- I actually removed the MDAG policies in the end but I also had it working by configuring Enterprise Cloud Resources under Network Isolation in a settings catalog device configuration profile in InTune.
I am fortunate not to have any intranet sites needing IE compatibility mode so can't confirm if there is a difference for intranet sites but for the 3rd Party ones I configured it in InTune. So I go Endpoint Security -> Attack Surface Reduction -> Edit my policy for "App and Browser Isolation" -> Neutral Resources -> add sites and IP's as needed. My devices normally take a couple of manual syncs or just leave them for a couple of hours for them to pickup the policy setting change.
Sorry I can't be of more help.
VMStrengell We unassigned the policy from our devices but that was only due to the fact the policies were not production ready or tested.
Mike
- Did you configure the GPO/Intune policies or just disabled MDAG policies? Having the same problem but cant get those intranet sites working..
EdwinLJ Thanks so much. Our Edge would go in to IE mode and show a 'cannot connect' error. If you refreshed, it wouldn't use IE mode but show the webpage. If you refreshed again it would go back in to IE mode with a 'cannot connect' error. We have been running with the same configuration for months with no issues.
I can confirm that this fixed it for us. I would never have found the cause of this!
- Thanks EdwinLJ I can confirm the workaround of removal the MDAG policies fixed our issue. In our case the policies were not correctly implemented by a project and we were planning to remove them to start a fresh.
MattiasB3 Microsoft have come back to us and said they are looking into the cause for now they have provided a couple of possible work arounds I have used the NeutralResources via Intune Policies rather than GPO but the result should be the same. My users can now access the few URL's we need to work via IE computability mode. I dismissed the option of disabling Edge MDAG completely however we did test that on a test device and it also fixed the issue so seems to be something in the MDAG isolation policies causing the issue post patch.
Add the sites in the IE Mode list as trusted in the Network Isolation policy. On the gpedit the path to the polices -> Computer Configuration\Administrative Templates\Network\Network Isolation.- For intRAnet sites, you’ll need to add their IP addresses & the corresponding Network Domains to EnterpriseIPRanges (Network Isolation\Private network ranges for apps) & EnterpriseNetworkDomainNames (Intune only) policy
- For intERnet sites, you’ll need to add their domains to either EnterpriseCloudResources (Network Isolation\Enterprise resource domains hosted in the cloud) or NeutralResources (Network Isolation\Domains categorized as both work and personal) policy
OR
Stop targeting Edge MDAG policies to those machines
Hope this helps you.
- Hi EdwinLJ,
using a computer pre-patch KB5015807 is working. I know of no other work around. You can't downgrade if the patch is already installed - it will not help.
/BR Mattias - Has anyone been able to find a work around for this? Logged a call with Microsoft Support and waiting to hear back from them but figured I would see if anyone has figured a way around it.
The KIR has been on the site since the release, it does not help at all with the issue - already tested.
/BR Mattias
