How to Block Automatic Delivery of Microsoft Edge
As I reported on Petri recently, Microsoft has already made changes to Windows 10 to accommodate its new Chromium-based Edge browser. With general availability due to start January 15th, Microsoft apparently plans to begin a staged rollout of the browser via Windows Update on the same date, meaning that eventually all Windows 10 devices on version 1803 or later will see the new browser replace the legacy version unless steps are taken to block it. Microsoft says that it is taking this step to help customers ‘become more secure and up-to-date’. In practice, the new browser is an improvement over legacy Edge, but when it ships in mid-January, some features will be missing and others won’t have been ported over. For those reasons, and because of potential application compatibility issues, organizations might consider blocking the update.
Organizations using Windows Server Update Services (WSUS) and/or Microsoft Endpoint Manager will be able to block the update. Those relying on Windows Update or Windows Update for Business will need to take some steps to block the browser. This week Microsoft made available a Blocker Toolkit for disabling automatic delivery of Edge and it is available to download here.
Microsoft Edge Blocker Toolkit
The toolkit won’t prevent users from manually installing the new Edge. For that, you should look at application control features in Windows like AppLocker and Windows Defender Application Control (previously Device Guard). The Blocker Toolkit consists of two components: a script (EdgeChromium_Blocker.cmd) and a Group Policy Administrative Template. Organizations using Windows Server Active Directory can use the template to deploy a Group Policy computer setting to devices to block the update.
You will be able to find the new setting under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Microsoft Edge (Chromium-based) Blockers. The registry setting created by the policy isn’t stored in a policies key, so it is treated as a preference: if the Group Policy Object (GPO) is removed or set to Not Configured, the setting remains in the registry. To enable distribution of Microsoft Edge, organizations need to change the Group Policy setting to Disabled.
Alternatively, the script can be used to create the registry key and set the desired value. The DoNotUpdateToEdgeWithChromium value can be set to 0 or 1: 0 unblocks and 1 blocks distribution of Edge.
The script uses the following syntax:
EdgeChromium_Blocker.cmd [<machine name>] [/B] [/U] [/H]
The /B switch sets the key value to 1 and blocks distribution of Edge. /U does the opposite and unblocks distribution, and /H displays help. The command can also be run against remote devices by including a computer name. If [<machine name>] is not specified, then the command changes the registry on the local device.
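Because the setting persists as a preference after a GPO is removed, it is worth reading the value back to confirm the state a device is actually in. The following is an added example, not part of the toolkit or the original article: the function name and output fields are hypothetical, and because the article does not give the registry key path, -KeyPath is a required parameter to be taken from the Blocker Toolkit documentation.

```powershell
# Added example: report the state of the Edge blocker value on this device.
# The registry key path is NOT given in the article; pass it in via -KeyPath
# (a PowerShell registry path such as 'HKLM:\SOFTWARE\...') after taking it
# from the Blocker Toolkit documentation.
function Get-EdgeBlockerState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath,

        # Value name as given in the article.
        [string]$ValueName = 'DoNotUpdateToEdgeWithChromium'
    )

    $raw   = $null
    $state = 'NotSet'   # key or value absent: neither /B nor /U has been applied

    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw   = $item.$ValueName
            $state = switch ($raw) {
                1       { 'Blocked' }      # what /B or the Enabled policy writes
                0       { 'Unblocked' }    # what /U or the Disabled policy writes
                default { 'Unexpected' }   # anything else deserves a closer look
            }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $raw
        State    = $state
    }
}

# Local check (supply the real key path):
#   Get-EdgeBlockerState -KeyPath $KeyPath
#
# Remote check over PowerShell remoting; PC-01 and PC-02 are constructed names:
#   Invoke-Command -ComputerName 'PC-01','PC-02' `
#       -ScriptBlock ${function:Get-EdgeBlockerState} -ArgumentList $KeyPath
```

A device that reports Blocked after its GPO was removed or set to Not Configured is showing the preference behaviour described above, and needs the policy set to Disabled or the script run with /U to clear it.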