# _general
n
Anyone have any updated tricks to force Edge to not even check for updates? I have every single policy available configured, yet MicrosoftEdgeUpdate.exe or MicrosoftEdgeUpdateBroker.exe runs when you go to Help/About and throws the UAC prompt. In the past, these policies would never even allow the update process to get that far, but now I can't seem to prevent this behavior unless I disable UAC entirely.
s
I don't know if this is best practice, but I always install "Edge for Business" on the base image, then disable the related update services and the tasks inside of Task Scheduler. When updating, flip them back on, and bam, good to go.
I also use the GPOs to disable the update policies, on top of all that, just to be safe.
n
That's exactly what I'm doing. My install script disables all services, deletes all scheduled tasks, and we use GPO to enforce the services... damn thing still attempts to check for updates anyway. The wildest part of this is, if I enter creds with rights into the UAC prompt, it goes away and you see the expected "Updates are disabled via policy" in Edge.
The UAC prompt is basically only for launching the damn update process in general.
And it's only when the .exe is called in the background. If I launch those processes manually via File Explorer, no UAC prompt, and they exit immediately.
s
That is odd. Is there a chance that anything else is playing into the mix? I've done a ton of deployments this way, and never had any issues.
n
If there is, I don't see it in ProcMon.
b
In addition to what Stephen is doing, we rename the two update .exes Nick mentioned when we seal our images.
n
I thought of doing that, as well. Guess I might as well test it out to see what the behavior is like.
Microsoft makes it so easy to hate them.
I basically see the same error in Edge that I do when I cancel the UAC prompts:
With UAC disabled, the message is something like "Edge is checking in the background", so not really an error message. Honestly thinking of leaving it like that, because it's better than this. Even though neither is a big deal: updates never actually check or install.
b
I think this is what we see too, I'd have to check with the team as I haven't been involved for a while. It doesn't prevent a user from working, so we considered it a win.
n
If you don't mind, please do ask. Ruling out our environment would allow me to push back and stop wasting my time on such a dumb task.
s
Keep in mind that if you go to "About" it will always create the UAC prompts, even with all the update stuff disabled.
But users shouldn't be going there lol
n
I was going to look at blocking edge://about, but the ADMX says it's not recommended.
FWIW, with UAC disabled, this is what the users would see in About:
image.png
b
We have UAC enabled and see:
n
Tall ask, but any chance you have the HKLM\Software\Policies\Microsoft\EdgeUpdate reg settings? There has to be a reason why we're seeing something different, because what you see is the expected outcome on that page.
b
This is our Edge install script:
```powershell
# Silent install of Edge for Business from the enterprise MSI, without desktop/taskbar shortcuts
$var_Install_Exec = "msiexec.exe"
$var_Install_Arg = "/i MicrosoftEdgeEnterpriseX64.msi DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE /qn"
$proc = Start-Process -FilePath $var_Install_Exec -ArgumentList $var_Install_Arg -WorkingDirectory $PSScriptRoot -Wait -PassThru

# Remove the Active Setup stub so Edge's per-user first-run setup does not run at logon
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Name "StubPath" -Force

# Fixing the Microsoft Edge tile background color so that it matches the other Windows 10 tiles
Remove-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml" -Force
$Shell = New-Object -ComObject ("WScript.Shell")
$Shortcut = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk")
$Shortcut.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$Shortcut.Save()

# Disable the Edge Update scheduled tasks, then disable and stop the update/elevation services
Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null
$Services = "edgeupdate","edgeupdatem","MicrosoftEdgeElevationService"
ForEach ($Service in $Services) {
    Set-Service -Name $Service -StartupType Disabled
    Stop-Service -Name $Service -Force
}
```
And the following reg keys:
n
I swear to god your script is almost line by line what I wrote years ago, right down to the shortcut change
b
prob stole it from you hahahaha
n
Actually, it IS mine, haha.
That's awesome
One more ask, can you see what your UAC settings are in RSOP? I wonder if you have a different config than ours that works
b
image.png
n
Got the full key? There are like 7 different values there
b
image.png
n
Appreciate it! I'm going to try and replicate it and see if I get the same result. Thank you!
b
Good luck!
n
Damn, still getting UAC prompts when going to help/about.
l
If you set the service "edgeupdatem" to manual and keep the rest of the Edge services disabled, you will not get any UAC prompts. The process "MicrosoftEdgeUpdate.exe" will however run briefly when you go to the About page, but it will result in a message that says "Updates are managed by your organisation."
n
Interesting, I'll give that a shot now.
well son of a... that did it
Thank you!
I should say, it worked in my UAC-disabled image. Rolling back to the UAC-enabled one now to validate.
That worked in my UAC-enabled image, too. This makes no sense whatsoever, but I am now in your debt.
s
#TeamworkMakesTheDreamwork 🙂 hahaha
n
When we finally riot against MS, I'll volunteer to be on the front lines