Edge 116.0.1938.54 released, problems with ignored policies when logging in to user account?

Microsoft has updated the Edge browser to version 116.0.1938.54 as of August 21, 2023. It is a new development branch that also brings new features and fixes vulnerabilities. In the meantime, however, I have a reader's report about problems with group policies. These are ignored when logging into the Microsoft account.



Edge 116.0.1938.54

Tom pointed out the release of Edge 116.0.1938.54 in this comment (thanks for that). On the one hand, the release notes for Edge 116.0.1938.54 report that various bugs and performance issues have been fixed. On the other hand, it says (in the security release notes) that the following two vulnerabilities have been fixed:

  • CVE-2023-38158: Information Disclosure; Exploitation of this vulnerability can expose limited information; no sensitive information can be obtained.
  • CVE-2023-36787: Elevation of Privilege; In a web-based attack scenario, an attacker could host a website that contains a specially crafted file that would allow the vulnerability to be exploited on the victim system. The attacker would have to get the user to click on a link, usually in an email or instant messenger message, and then get them to open the specially crafted file.

For both vulnerabilities, Microsoft sees the exploitability as low. The release notes for Edge 116.0.1938.54 also state that the following new features will be rolled out with this version:

  • Microsoft Edge for Business. With native security, productivity, manageability, and built-in artificial intelligence, Edge for Business enables businesses to maximize productivity and security, and provides the ability to create separation between work and personal browsing by automatically switching between the easily managed personal browser window (MSA profile) and the work browser window (Microsoft Entra ID). All users who sign in with their Entra ID (formerly Azure Active Directory) will automatically receive Edge for Business and see an updated Edge icon with a briefcase to indicate they are in the work browser window. For more information, see this FAQ.
  • Option to attach Edge sidebar to Windows desktop. Microsoft Edge sidebar users can access their apps and websites directly from their Windows 10 desktop. As an opt-in experience in Windows 10, users can attach the sidebar to their Windows desktop by clicking a "popout" icon near the base of the sidebar in the browser. This enables a side-by-side experience that works with any Windows app – including Microsoft Edge itself. Users enjoy streamlined access to the same powerful AI tools and web-based services, including Bing Chat, without having to open a browser window, increasing productivity no matter where they are in Windows. More features and options are planned for future versions of Microsoft Edge. Administrators can control the availability of this feature using the StandaloneHubsSidebarEnabled policy.

In addition, the new policy ThrottleNonVisibleCrossOriginIframes has been introduced. This enables throttling of non-visible cross-origin iframes. Furthermore, the EventPathEnabled policy has been categorized as obsolete.
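As an added example (not from the original post or from Microsoft), the following PowerShell check reports whether the three policies named above are configured on a machine, so the result can be compared with what edge://policy shows in an affected profile. The registry paths are the standard Windows locations for Edge policies; the function name Get-EdgePolicyAudit is hypothetical.

```powershell
# Added example: audit the Edge policies named in the 116 release notes.
# Machine-scope and user-scope policy keys read by Microsoft Edge on Windows.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

# Policies mentioned in the text above, with their status per the release notes.
$watched = [ordered]@{
    StandaloneHubsSidebarEnabled         = 'controls availability of the desktop-attached sidebar'
    ThrottleNonVisibleCrossOriginIframes = 'new in this release'
    EventPathEnabled                     = 'categorized as obsolete in this release'
}

# Hypothetical helper: one result row per (registry key, policy) pair.
function Get-EdgePolicyAudit {
    param([string[]]$Keys = $policyKeys)

    foreach ($key in $Keys) {
        $props = $null
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
        }
        foreach ($name in $watched.Keys) {
            $prop  = $null
            $value = $null
            if ($props) { $prop = $props.PSObject.Properties[$name] }
            if ($prop)  { $value = $prop.Value }

            [pscustomobject]@{
                Key        = $key
                Policy     = $name
                Configured = [bool]$prop   # true even when the value is 0
                Value      = $value
                Note       = $watched[$name]
            }
        }
    }
}

$audit = Get-EdgePolicyAudit
$audit | Format-Table -AutoSize

# Flag an obsolete policy that is still being deployed via GPO or MDM.
$audit | Where-Object { $_.Policy -eq 'EventPathEnabled' -and $_.Configured } |
    ForEach-Object { Write-Warning "$($_.Policy) is still set under $($_.Key)." }
```

A policy that shows as configured here but is missing from edge://policy in the signed-in profile is the symptom described in the reader report.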

The colleagues from deskmodder.de report here that the new Security Baseline has been released, but is consistent with version 114.

Is Edge 116.0.1938.54 ignoring policies?

Two hours ago, Gunnar Haslinger contacted me via email about the problem with Edge ignoring policies when logged in with your personal Microsoft account. He wrote:

Edge v116 "Problem": Microsoft Edge Policies are ignored when logged in with personal Microsoft account

Servus Günter,

Since yesterday 08/21/2023 afternoon Microsoft is rolling out the latest major release v116 of its Edge browser.

And in connection with this, unfortunately for many SysAdmins an unexpected change comes into effect: Microsoft Edge Policies are ignored when logged in with a personal Microsoft account.

I think this is what numerous admins are struggling with at the moment, and it's catching them on the wrong foot.

I have summarized the issue here. You may want to share this info with your community outreach. I unfortunately had to go the hard way and "debug" for a few hours first until I understood the context.

Best regards,

Gunnar

My thanks to Gunnar for the hint and the link to his description. Has anyone else made these observations, or can anyone confirm this?



4 Responses to Edge 116.0.1938.54 released, problems with ignored policies when logging in to user account?

  1. Microfix says:

    Looks like the email author has found a temporary workaround for the stable release:

    source: https://techcommunity.microsoft.com/t5/enterprise/edge-116-beta-policies-are-blocked-if-mdm-managed-amp/m-p/3905749/highlight/true#M5379

    • Gunnar Haslinger says:

      Sadly this workaround lacks sync-functionality. If you still like to allow your users to sync e.g. their favorites by using an MSA, that's not possible any more.
