With the availability of the new Chromium-based Edge browser, I gained my first experience configuring the browser in an enterprise environment. Of course I want to share it with you. This post hopefully helps you roll out and configure the new Edge browser with Microsoft Intune.

Install the new Edge Chromium with Intune

The installation of Edge is not the main topic of this post. The Edge browser is available in Intune as a built-in app type, like the Office 365 suite. More information about the installation process is available here.

Set Edge Chromium as default browser

Default applications are configured on the Windows 10 operating system level via app associations. The current app associations of a device can be exported with dism and the command:

Dism /Online /Export-DefaultAppAssociations:"appassociations.xml"

This produces a file containing all associations. To set Edge as the default browser, this one is sufficient:

To deploy an app associations file with Intune it needs to be base64 encoded. I used the base64encode online tool.
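The encoding step can also be done locally in PowerShell, which here additionally trims a full DISM export down to the four browser associations. This is an added example, not part of the original post: the sample export is constructed, the function name is hypothetical, and the ProgId `MSEdgeHTM` with application name `Microsoft Edge` is assumed to match what your own export shows for the stable Edge channel.

```powershell
# Constructed sample standing in for the output of
#   Dism /Online /Export-DefaultAppAssociations:"appassociations.xml"
# In real use: $exported = Get-Content -Raw .\appassociations.xml
$exported = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="IE.AssocFile.HTM" ApplicationName="Internet Explorer" />
  <Association Identifier=".html" ProgId="IE.AssocFile.HTM" ApplicationName="Internet Explorer" />
  <Association Identifier=".txt" ProgId="txtfile" ApplicationName="Notepad" />
  <Association Identifier="http" ProgId="IE.HTTP" ApplicationName="Internet Explorer" />
  <Association Identifier="https" ProgId="IE.HTTPS" ApplicationName="Internet Explorer" />
</DefaultAssociations>
'@

# Hypothetical helper: keeps only the browser associations, points them at Edge,
# and returns the base64 string expected in the OMA-URI value.
function ConvertTo-EdgeAssociationPayload {
    param([Parameter(Mandatory)][string]$ExportedXml)

    $browserIds = '.htm', '.html', 'http', 'https'
    [xml]$doc = $ExportedXml
    $out  = New-Object System.Xml.XmlDocument
    $root = $out.AppendChild($out.CreateElement('DefaultAssociations'))
    $seen = @()

    foreach ($a in $doc.DefaultAssociations.Association) {
        if ($browserIds -notcontains $a.Identifier) { continue }
        $node = $out.CreateElement('Association')
        $node.SetAttribute('Identifier', $a.Identifier)
        $node.SetAttribute('ProgId', 'MSEdgeHTM')               # assumed Edge ProgId
        $node.SetAttribute('ApplicationName', 'Microsoft Edge')
        [void]$root.AppendChild($node)
        $seen += $a.Identifier
    }

    # An export that lacks one of the four identifiers gives a partial default
    $missing = $browserIds | Where-Object { $seen -notcontains $_ }
    if ($missing) { Write-Warning ('Not in export: {0}' -f ($missing -join ', ')) }

    $xmlText = '<?xml version="1.0" encoding="UTF-8"?>' + $out.OuterXml
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($xmlText))
}

$payload = ConvertTo-EdgeAssociationPayload -ExportedXml $exported
$payload
# Decode again to confirm that the value pasted into Intune is the XML you expect
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
```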

Intune configuration

To distribute the default app association configure the following OMA-URI in a custom device configuration profile:

| Name | Default app association |
| --- | --- |
| Description | Configures Edge as default app browser |
| OMA-URI | ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration |
| Data type | String |
| Value | Insert original content of the base64 encoded file mentioned above. |

Create a new administrative template device configuration

The new Edge browser is managed with administrative templates in Intune. As a first step create a new device configuration profile and select administrative templates as profile type.

User or device setting?

Each setting for the Microsoft Edge browser is available as a user and as a device setting:

I mainly chose the “device” settings because the settings should apply to all users on a device. If you want to distinguish settings on a per-user level for multiple users sharing a device, you should probably go for the “user” configuration (although the user settings part seems more like a group policy relic).

Configure Google as default search engine

Edge Chromium ships with Bing set as the default search engine. If you want to change that, you need to enable the following settings. At first I was irritated because the values with all those curly brackets looked quite strange, but you do not need to replace anything in the values.

| Setting | State |
| --- | --- |
| Default search provider search URL | Enabled: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding} |
| Default search provider URL for suggestions | Enabled: {google:baseURL}complete/search?output=chrome&q={searchTerms} |
| Enable the default search provider | Enabled |
| Default search provider name | Enabled: Google |

The “Default search provider name” setting has only a cosmetic effect and will display the configured name instead of the configured search provider URL.

End user experience

Google configured as default search engine

Configure Internet Explorer mode & enterprise site list

If you have intranet applications that require Internet Explorer, IE mode is the right thing for you. Because the enterprise site list needs to be available locally or on a web server, I will show you how to host the file on Azure Blob Storage (which makes the file accessible via URL).

The enterprise mode site list is generated with the Enterprise Mode Site List Manager tool, which is available here. After generating the list, export the XML file.

Note: Only the v.2 schema is supported for Edge Chromium.

To host the enterprise mode site list, let’s deploy an Azure storage account. This gives us the ability to change the enterprise mode site list without copying any file to our Intune clients and makes a dedicated web server obsolete.

To store the file we need a new container. We choose public access for individual blobs, which makes the site list readable anonymously by anyone who knows its URL but does not allow the container contents to be listed.

Now upload your enterprise site list and copy the URL. In my case the URL was: https://nicolonskyintuneconfig.blob.core.windows.net/iesitelist/EnterpriseSiteList.xml.

Administrative template setting

In Intune configure the following settings in your administrative template:

| Setting | State |
| --- | --- |
| Configure the Enterprise Mode Site List | Enabled: {URL of your enterprise mode site list} |
| Configure Internet Explorer integration | Enabled: Internet Explorer mode |

User experience

When accessing a website configured in the enterprise mode site list, a small Internet Explorer icon is displayed next to the address bar, indicating that IE mode is configured.

To troubleshoot or view additional details of your enterprise mode site list, type edge://compat in the address bar. You will find the configured site list and a button to force-update the list. Additionally you get a nice overview of the configured domains.

Deploy managed extensions

Extensions can be deployed on all devices with the managed extensions setting. The setting requires the ID of the extension, which can be retrieved from the URL of the extension store (https://microsoftedge.microsoft.com/addons) when browsing to the extension:

The ID of the extension is sufficient for the policy to work. The update URL can be specified optionally.

Administrative template setting

| Setting | State |
| --- | --- |
| Control which extensions are installed silently | Enabled: {ID of the extensions copied from the store} |

An important hint from this setting reminds us that even if the installation of all extensions is blocked (default setting of the security baseline) managed extensions have a higher precedence than this setting:

This policy takes precedence over a potentially conflicting ‘ExtensionInstallBlocklist’ policy. When you take an extension off of the force-installed list it’s automatically uninstalled by Microsoft Edge.

End user experience

The extension gets automatically enabled and a small enterprise icon indicates a managed extension.

Provision managed favorites

Managed favorites are supplied as a JSON file containing links, with the possibility to add sub-folders. Managed favorites can neither be modified nor synced by users. Managed favorites are super useful to distribute all the Microsoft portal URLs to end users and, in my opinion, a very welcome replacement for desktop icons.

Here’s an example of a JSON file to deploy managed favorites:

If you want to edit your list, I recommend Visual Studio Code or an online JSON formatter.
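A local pre-check for the JSON before it goes into the policy value, as an added example that is not part of the original post. The key names `toplevel_name`, `name`, `url` and `children` follow the managed favorites policy format; the links, the function names and the https-only rule are assumptions of this example.

```powershell
# Constructed sample list; the last entry is deliberately non-https
$favoritesJson = @'
[
  { "toplevel_name": "Company links" },
  { "name": "Microsoft 365 portal", "url": "https://portal.office.com" },
  { "name": "Admin portals", "children": [
      { "name": "Azure portal", "url": "https://portal.azure.com" },
      { "name": "Intune", "url": "https://endpoint.microsoft.com" }
  ] },
  { "name": "Legacy wiki", "url": "http://wiki.example.com" }
]
'@

# Hypothetical helper: emits one string per problem found in a favorite or folder
function Test-FavoriteNode {
    param($Node, [string]$Path)
    $props = $Node.PSObject.Properties.Name
    $hasUrl = $props -contains 'url'
    $hasChildren = $props -contains 'children'

    if (-not $Node.name) { '{0}: missing name' -f $Path }
    if ($hasUrl -eq $hasChildren) { '{0}: needs exactly one of url or children' -f $Path }
    # Policy choice of this example: only https links are pushed to users
    if ($hasUrl -and $Node.url -notmatch '^https://') { '{0}: url is not https' -f $Path }

    if ($hasChildren) {
        $i = 0
        foreach ($child in $Node.children) {
            Test-FavoriteNode -Node $child -Path ('{0}/children[{1}]' -f $Path, $i)
            $i++
        }
    }
}

function Test-ManagedFavorites {
    param([Parameter(Mandatory)][string]$Json)
    $items = ConvertFrom-Json -InputObject $Json   # throws on malformed JSON
    $i = 0
    foreach ($item in $items) {
        # The optional toplevel_name entry only renames the folder; skip it
        if ($item.PSObject.Properties.Name -notcontains 'toplevel_name') {
            Test-FavoriteNode -Node $item -Path ('[{0}]' -f $i)
        }
        $i++
    }
}

$problems = @(Test-ManagedFavorites -Json $favoritesJson)
if ($problems.Count -eq 0) { 'OK' } else { $problems }
```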

Administrative template setting

| Setting | State |
| --- | --- |
| Configure favorites | Enabled: {content of your json file} |

End user experience

Managed favorites are placed as the first entry on the favorites bar and are a nice way to distribute URLs to company applications:

Configure the security baseline

The Edge security baseline is directly available from Intune. A nice Excel list with all the settings (also includes all Edge policies) is included in the security and compliance toolkit available as a download: https://www.microsoft.com/en-us/download/details.aspx?id=55319.

Edge Chromium is included in the Intune security baselines
Security Baseline Compliance

Wrapping it all up

We now have successfully configured the following settings in our administrative template configuration:

Configured Administrative Template Settings for Edge

Don’t forget to assign the device configuration to a group of users and devices.

Troubleshooting

All configured policies for Edge can be viewed by typing “edge://policy/” in the address bar.

Hide the first run wizard

Note: this setting is not yet available in the administrative templates in Intune!

Starting with Edge version 80 the first run wizard can be hidden with the following setting:

| Setting | State |
| --- | --- |
| Hide the First-run experience and splash screen | Enabled |

If you hide the first run wizard:

  • The new tab page will show MSN news and configure the layout to Inspirational
  • Users will be automatically signed-in
  • Favorite sync will not be enabled by default

More information is available here.

Edge URL list

Let’s end this post with a list of useful built-in Edge URLs which might help you:

| URL | Description |
| --- | --- |
| edge://about | Display all Edge URLs |
| edge://version | Display version information about the Edge installation |
| edge://policy | List configured policies |
| edge://compat/enterprise | Internet Explorer mode & Enterprise Mode Site List information |

Happy Edge deployment!