Update 10.01.2020: The docs article is updated with better information about which devices are targeted. https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-blocker-toolkit#overview
Update 27.12.2019: The Microsoft Edge team informed me, that they will only make Edge available in specific scenarios. For more information read the comment of Sean. Thanks for this update and hopefully the official docs will be updated soon.
Microsoft is planning to release the chromium based edge to customers around the 15. January. Most of us can’t wait on the release of this new version but as workplace engineers we also have to test, communicate and plan the rollout to end users. Therefore, we need some control over it. If you use WSUS or MEMCM/SCCM to deploy your updates, then you are just fine. But if you are using Windows Update for Business then you need to take action to control the rollout of the new Microsoft Edge. This preparation is just because it’s unclear what the general availability in the mentioned blog means and currently we do not know on which channels Microsoft will release the new version at this date. But for sure it’s good if you start testing your applications with the new version soon.
Why should you block the update?
The chromium based Edge brings a lot of cool new features but also a lot of new security settings. Therefore, it’s important, that you verify and configure all settings correctly from the beginning. This also includes compatibility settings and think about how favorites will be handled in the future.
Block options
Microsoft released a docs article which describes which registry keys are used to block the update. The toolkit contains also a cmd (Really a CMD!!!!) and a ADMX file to use GPO’s.
First I think we should use PowerShell scripts to set the registry key and not a CMD file. One reason is, that we are then also able to deploy it via Intune, which will be the main customer group because they use Windows Update for Business, but also regarding security. In this blog I will share how to deploy the setting with a PowerShell script.
Intune with PowerShell Script
 |
First we need to create a new PowerShell script in Intune (Microsoft Intune > Device Configuration > PowerShell Scripts). As soon you are on the script list, click on Add to start. |
|
|
On the first wizard step you can define the script name. In my example I use: W10-General-Block-EdgeChromiumInstall |
|
|
Then you can upload the PowerShell script which I provide on Github: The rest of the settings on this page are:
Then click on next. |
 |
On this page we can directly assign the script to a group. Do at least an assignment to your test devices to test the script. |
 |
Review the settings and click on Add. Now we have to wait until the script is executed on the first device. |
Result
 | On the target device you can observe, that the registry key is set according to the Microsoft documentation. |
 | You can also monitor the deployment in Intune and hopefully it should be just success messages… |
 | … but if not, then the script writes a log file in the c:\Windows\Logs directory. |
- Microsoft Sentinel ASIM Parser demystified - March 31, 2024
- Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
- Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024
3 Comments
Sean Lyndersay · December 27, 2019 at 17:09
Hey Thomas,
Thanks for writing this! Just a quick note — if a device is managed by Windows Update for Business, is MDM-managed, is volume-licensed or is an Enterprise, Education or Server SKU, it will not be targeted for automatic rollout and the blocker toolkit is not required. The blocker toolkit is only required on devices that don’t meet the criteria above. We will update the blocker toolkit docs to make that clear and will publish additional documentation in the new year.
– Sean Lyndersay (Microsoft Edge team)
Thomas Kurth · December 27, 2019 at 18:09
Perfect, then the holidays will be saved for a lot people :). I will refer to this comment in the blog and as soon the docs are updated to the docs.
Regards
Thomas
Tom · December 30, 2019 at 18:12
@Sean – thank you for the more specific information. Just to be sure I read your statement right, this is an “AND” between all these (WUfB, MDM, Lic) requirements? So e.g. if you have WUfB, MDM and a Windows Pro device instead the mentioned license versions, then the toolkit is needed in this case?