MS Edge in app layered VDI with User Layers

[Brad Pelletier]

We have been struggling with managing Edge in a non-persistent, randomly assigned VDI environment with persistent user layers for many months. The issues started when Edge was included with Windows 10. We currently are on build 21H2. We frequently have users with different versions of MS Edge on their VDI, and we occasionally have users that have side by side errors when launching it. Also, users occasionally see their Edge settings missing (like extensions and favorites.) We have tried a multitude of combinations of local and domain GPOs as well as service and task management to try to control the problem, but it hasn’t worked.

Citrix has finally helped to address the issue with this support article.

App Layering: How to configure Edge in an App Layering Environment (citrix.com)

However, the article does not explain what the expected behavior of a machine built with these rules should exhibit.

We have machines that are built to the exact specifications of the article but it seems like Edge is not optimal. For the most part, it seems like the Edge version is properly controlled by the version included in the OS layer, which is good. In this case, v101.0.1210.53 is what we expect to be installed and it is correct.

The services’ startup types match “disabled,” which is what is prescribed in the Citrix article on the machine.

 

Also, the scheduled tasks are disabled as they are supposed to be.

Finally, this is the content of the file at "C:\Program Files\Unidesk\Uniservice\UserExclusions\EdgeExclusions.txt"

 

The problem behavior is as follows. If users go to about:edge, they get an UAC prompt asking for admin credentials. Our users don’t have admin rights by design.

When the user cancels this prompt, Edge throws an error.

The questions are:

1.       Is this expected behavior for a machine built to the specs of the article?

2.       And, if so, how can we suppress the error and hide the UAC prompt?

[Brad Pelletier]

The answer is that the Support article is missing crucial information.

 

It says:

Step 5:
Turn off the automatic updates:
Open GPEDIT
Navigate to Local Computer Policy→Computer Configuration→Administrative Templates→Applications 
In the GPO Editor:
Set Allow Installation default to Enabled
Set the Install Policy to Manual Updates Only

 

 

It should say:

Step 5:
Turn off the automatic updates:
Open GPEDIT
Navigate to Local Computer Policy→Computer Configuration→Administrative Templates→Applications 
In the GPO Editor:
Set Allow Installation default to Enabled and set the policy to “updates disabled.”
Set the Install Policy to Manual Updates Only

 

 

The article doesn’t specify what to set the policy setting to, and the default value is not “updates disabled.”
 

[Jordan Barnartt]

Hi Brad,

 

We dealt with the issue prior to Citrix releasing this article, and while we came up with many of the same steps, some of what we did is different:

• We did not configure the Edge policies in the Local GPO editor because they do not have any effect unless you are connected to a domain.  We do have them set on our domain GP though.
• I found that the scheduled tasks and services didn't remain disabled in many instances.  I'm not sure if this was a result of Windows re-enabling them somehow or something captured in our App Layers or User Layers or something else.  I solved this issue by creating a scheduled task, which at every logon disables the tasks and services (I've attached the script).  It doesn't seem to disable them always in an actual session with a user layer, but that's fine because of the GPO.  It prevents Edge from updating in app layers, which is what we needed it to do.
• To update Edge in the OS Layer, we do the following:
  • Open Microsoft Edge.
  • Start the Microsoft Edge Elevation Service, and set the both Microsoft Edge Update Services (edgeupdate and edgeupdateatem) to Manual.
  • Select the three horizontal dots > Help and feedback > About Microsoft Edge.
  • The program will automatically check for updates.

  • Compare version to https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel.

  • Close Edge.

  • Stop and disable the Microsoft Edge Elevation Service and both Microsoft Edge Update Services (edgeupdate and edgeupdateatem).

• In a session, if a user goes to About Microsoft Edge, they do get a UAC prompt, but once they close it it doesn't come back up.  I haven't had anyone mention it, as I don't think its a page users often need to access.

Cheers,

 

Jordan

Disable_Edge_Updates.txt

[Stefano Gelmini]

 

Hello everyone, I solved it by setting the services like this

 

 

good job! Stefano Gelmini

 

Get-ScheduledTask -TaskName MicrosoftEdgeUpdate* | Disable-ScheduledTask | Out-Null  

$Services = "MicrosoftEdgeElevationService","edgeupdate","edgeupdatem"

 ForEach ($Service in $Services) {
 Set-Service -Name $Service -StartupType Manual
 Start-Service -Name MicrosoftEdgeElevationService 
 }

 

[Jonathan Matz1709163963]

This is kind of late but the simple solution is this.  Do exactly as the support article says here:

https://support.citrix.com/article/CTX399422/app-layering-how-to-configure-edge-in-an-app-layering-environment

 

For the deployed desktops setup group policy to stop Edge Updates AND also have group policy set the edgeupdatem service to manual instead of disabled.

 

This will fix the UAC prompts and Edge won't update when users are using the desktops.