How to manage deployment for Microsoft's new Edge browser

Microsoft is confident that the new version of Edge is ready for business and home users. Confident enough to guarantee (through its App Assure program) that any sites that work in the current version of Edge (or even in IE 8) will work in the new Edge, and confident enough to start rolling out the stable version of the new Edge quickly, for Windows 7, 8, 10 and macOS.

When you install the stable version of Edge, what you get is a new EDGE.EXE application that replaces the legacy Edge browser completely; if you have Edge pinned to the taskbar, the icon will change to the new blue-green 'wave' Edge icon and it will open the new version of Edge. It won't affect any other browsers you have installed: if Chrome or Firefox are installed, pinned to your taskbar or set as your default browser, they'll still be installed, pinned or set as default; and if you have the canary, developer, or beta versions of Edge they'll still be installed and will still get updates -- but they won't automatically update to the stable channel.

If you want to install the stable version straight away, you can go to the new microsoftedge.com site to get it; that site also has the offline packages for Windows and Mac that IT pros and admins can download to trial and deploy Edge on corporate systems.

About a week later (22 January, or later, depending on whether any last-minute problems show up), a small number of consumer PCs running Home and Pro versions of Windows 10 (version 1803 or later) will start to get the new version of Edge installed automatically through Windows Update. The percentage of PCs getting Edge automatically this way will be smaller than for most Windows updates (Microsoft calls it 'conservative') and it won't grow quickly, so it will be some time before most mainstream consumers see Edge showing up. However, early adopters can get the stable channel as soon as they want after 15 January.

No commercial PCs will get automatically updated to Chromium-based Edge. Enterprise and Server editions of Windows are automatically excluded, and if a PC is managed by Configuration Manager or Intune (or another MDM tool), joined to Azure Active Directory or a domain, updated by WSUS or Windows Update for Business, it won't get the new Edge until the IT admin (or the user) installs it through the usual deployment tools.

There are also ways to block the automatic install on both Windows Home and Pro, or to keep the older Edge browser available as well as the new Edge. You might want to do this if you need legacy Edge for testing, or because you're concerned that Chromium-based Edge might have an impact on system resources or battery life, for example.

The simplest option is to use the Blocker Toolkit, which you must run as admin and can use to block or unblock the update to the new Edge, on the local machine or a remote machine on the network. This only blocks the stable channel of the new Edge; you can still have the canary, developer or beta channel of Edge installed while keeping legacy Edge available.

If you want to run the stable channel of the new Edge and legacy Edge side-by-side, you need to install the new Edge Administrative template and set the 'Allow Microsoft Edge Side by Side' browser experience group policy to Enabled (under Computer Configuration > Administrative Templates > Microsoft Edge Update > Applications) before installing the new version of Edge.

In the future, Edge will be included in Windows 10, but that won't happen out of band; it will be announced as part of a future Feature Update.

Settings and sync

Whether Chromium-based Edge is installed automatically or deliberately, it will copy over the passwords, favourites, saved entries for filling out forms and basic browser settings like what protocols are registered from the legacy version of Edge, as well as switching icons on the desktop or pinned to the taskbar, to make the update seamless. If Chrome or Firefox is installed, users will also be asked if they want to copy passwords, bookmarks, form-fill and settings from there as well, but that's optional. If you do copy information from multiple browsers, Edge will do some intelligent deduplication; if you've visited the same site in both Chrome and legacy Edge, and you've got different passwords saved because you switched browsers and then changed the password for that site, you'll end up with the more recently saved password.

Microsoft has also clarified the way Edge will sync passwords, history and other information between different devices in an enterprise setting. For consumers, that happens through their Microsoft account, but businesses don't want commercial information ending up in personal accounts. For enterprise users, the sync will happen through Azure Active Directory -- not the Enterprise State Roaming (ESR) that legacy Edge uses. If you already use ESR to sync legacy Edge settings, sync will automatically be enabled for the new version of Edge (using AIP and syncing to devices beyond Windows).

Edge AAD sync works with the premium AAD services (P1 and P2) and Azure Information Protection P1 and P2 (which is actually the service used to protect the sync data), including subscriptions like EMS (Enterprise Mobile Security) that include a premium AAD subscription. But it also works with Microsoft 365 E3, E5 and above, and Office 365 E3, E5 and above (plus all EDU subscriptions). That means you can't get enterprise sync with the free Azure AD Basic service, but the vast majority of Microsoft customers will have Office 365 or Microsoft 365 subscriptions that enable Edge sync at no extra cost. Support for syncing on-premises accounts will come in a future release, Microsoft says.

Enterprises can turn sync in Edge off completely for individuals or devices with group policy, or block browser history from being saved or synced, which also prevents the syncing of open tabs. You may also want to consider whether you allow Edge users to download extensions from third-party extension stores, or just from the Microsoft extension store (which has a small but well-vetted selection); enabling third-party stores gives users access to the Google Play store, but also to extensions from other sources.

Edge will continue development, with updates roughly every six weeks. The first major update will be Edge 80, which is expected to release to the Stable channel in early February. This will include an experimental version of the Chromium 80 change under which SameSite cookies work only as first-party cookies, not for cross-site tracking. This will require extensive testing to ensure that all the websites and services you use are ready for the change, so you'll want to try that in the beta of Edge 80 soon.

Microsoft isn't giving a specific date for how long Edge will be supported on Windows 7, or if it will match Google's announced support for Chrome on Windows 7 until 15 July 2021 (possibly because it doesn't want to announce a date that might have to change because it depends on the open-source Chromium project). Instead, the company says "We're going to continue to support Windows 7 users with the new Microsoft Edge."

Supporting applications on Windows 7 isn't a change of policy for Microsoft; Office 365 on Windows 7 will get security updates until January 2023. But Microsoft bringing out a new browser for Windows 7 just as it comes out of extended support doesn't change anything about the end of support for Windows 7 itself; it's just that Microsoft wants anyone who is still using Windows 7 to have a browser that meets modern security requirements.
