With the availability of the new Edge browser based on chromium I gained the first experiences about configuring the browser in an enterprise environment. Of course I want to share those with you. This post hopefully helps you to roll-out and configure the new Edge Browser with Microsoft Intune.

Install the new Edge Chromium with Intune

The installation of Edge is not the main topic of this post. The Edge browser is available in Intune as built-in app type like the Office 365 suite. More information about the installation process is available here.

Set Edge Chromium as default browser

Default applications are configured on the Windows 10 operating system level via app associations. The current app associations of a device can be exported with dism and the command:

Dism /Online /Export-DefaultAppAssociations:"appassociations.xml"

Which will produce a file containing all associations. For setting Edge as the default browser this one is sufficient:

To deploy an app associations file with Intune it needs to be base64 encoded. I used the base64encode online tool.

Intune configuration

To distribute the default app association configure the following OMA-URI in a custom device configuration profile:

Name Default app association
Description Configures Edge as default app browser
OMA-URI ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
Data type String
Value Insert original content of the base64 encoded file mentioned above.

Create a new administrative template device configuration

The new Edge browser is managed with administrative templates in Intune. As a first step create a new device configuration profile and select administrative templates as profile type.

User or device setting?

Each setting for the Microsoft Edge browser is available as user and device setting:

I mainly chose the “device” settings because the settings should apply for all users on a device. If you want to distinguish settings on a per-user level for multiple users sharing a device you should probably better go for the “user” configuration (although the user settings part seems more a group policy relict).

Configure Google as default search engine

Edge chromium ships with Bing set as default search engine. If you want to change that you need to enable the following settings. First I was  irritated because the values with all those curly brackets looked quite strange but you do not need to replace anything regarding the values.

Setting State
Default search provider search URL Enabled: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}
Default search provider URL for suggestions Enabled: {google:baseURL}complete/search?output=chrome&q={searchTerms}
Enable the default search provider Enabled
Default search provider name Enabled: Google

The “Default search provider name” setting has only some kind of cosmetique effect and will display the configured name instead of the configured search provider url.

End user experience

Google configured as default search engine

Configure Internet explorer mode & enterprise site list

If you have intranet applications which require Internet Explorer the IE mode is the right thing for you. Because the enterprise site list needs to be available locally or on a web server I will show you how to host the file on azure blob storage (which allows to access the file via url).

The enterprise mode site list is generated with the Enterprise Mode Site List Manager tool which is available here. After you generated the list, export the xml file.

Note: Only v.2 schema is supported for Edge chromium.

To host the enterprise mode site list let’s deploy an azure storage account. This gives us the ability to change the enterprise mode site list without any file copy to our Intune clients and makes a dedicated web server obsolete.

To store the file we need a new container. We choose public access for individual blobs.

Now upload your enterprise site list and copy the URL. In my case the URL was: https://nicolonskyintuneconfig.blob.core.windows.net/iesitelist/EnterpriseSiteList.xml.

Administrative template setting

In Intune configure the following settings in your administrative template:

Setting State
Configure the Enterprise Mode Site List Enabled: {URL of your enterprise mode site list}
Configure Internet Explorer integration Enabled: Internet Explorer mode

User experience

When accessing a website configured in the enterprise mode site list a small internet explorer icon gets displayed next to the address bar, indicating that IE mode is configured.

To troubleshoot or view additional details of your enterprise mode site list type edge://compat in the address bar. You will find the configured site list and a button to force-update the list. Additionally you get a nice  overview about the configured domains.

Deploy managed extensions

Extensions can be deployed on all devices with the managed extensions setting. The setting requires the ID of the extension which can be retrieved from the url of the extension store (https://microsoftedge.microsoft.com/addons) when browsing to the extension:

The ID of the extension is sufficient for the policy to work. The update url can be specified optionally.

Administrative template setting

Setting State
Control which extensions are installed silently Enabled: {ID of the extensions copied from the store}

An important hint from this setting reminds us that even if the installation of all extensions is blocked (default setting of the security baseline) managed extensions have a higher precedence than this setting:

This policy takes precedence over a potentially conflicting ‘ExtensionInstallBlocklist’ policy. When you take an extension off of the force-installed list it’s automatically uninstalled by Microsoft Edge.

End user experience

The extension gets automatically enabled and a small enterprise icon indicates a managed extension.

Provision managed favorites

Managed favorites are supplied as json file containing links with the possibility to add sub-folders. Managed favorites can neither be modified or synced by users. Managed favorites are super useful to distribute all the Microsoft portal urls to end-users and in my opinion a very welcome replacement for desktop icons.

Here’s an example of a json file to deploy managed favorites:

If you want to edit your list i recommend visual studio code or an online json formatter.

Administrative template setting

Setting State
Configure favorites Enabled: {content of your json file}

End user experience

Managed favorites are placed as first entry on the favorites bar and a nice way to distribute url’s to company applications:

Configure the security baseline

The Edge security baseline is directly available from Intune. A nice excel list with all the settings (also includes all Edge policies) is included in the security and compliance toolkit available as a download: https://www.microsoft.com/en-us/download/details.aspx?id=55319.

Edge chromium is included in the Intune security baselines
Security Baseline Compliance

Wrapping it all up

We now have successfully configured the following settings in our administrative template configuration:

Configured Administrative Template Settings for Edge

Don’t forget to assign the device configuration to a group of users and devices.

Troubleshooting

All configured policies for Edge can be viewed by typing “edge://policy/” in the address bar.

Hide the first run wizard

Not this setting is not yet available in the administrative templates in Intune!

Starting with Edge version 80 the first run wizard can be hidden with the following setting:

Setting State
Hide the First-run experience and splash screen Enabled

If you enable to hide the first run wizard:

  • The new tab page will show MSN news and configure the layout to Inspirational
  • Users will be automatically signed-in
  • Favorite sync will not be enabled by default

More information is available here.

Edge URL list

Let’s end this post with a list containing useful built-in Edge urls which might help you:

URL Description
edge://about Display all Edge-urls
edge://version Display version information about the Edge installation
edge://policy List configured policies
edge://compat/enterprise Internet Explore mode & Enterprise Mode Site List information

Further reading

Happy Edge deployment!

Tags:

Updated:

Comments