How to apply Edge profile INCLUDING search engine preferences and extensions?

pieterdezwart


The question is clear. I copied my Edge profile from C:\Users\[MYUSERNAME]\AppData\Local\Microsoft and added it to the Default user profile (happens during setupcomplete.cmd execution with a simple xcopy command). I also exported and imported the HKEY_CURRENT_USER\Software\Microsoft\Edge\PreferenceMACs\Default registry key. The user profile loads just fine after installing and creating an account, but because of some retarded Microsoft decision Microsoft Edge decides to remove my default search engine as well as my extensions (they are included in the backup from the AppData folder but get removed as soon as I start Edge).


How can I prevent this from happening? I can live without the extensions because there's another way to install them automatically (even though there's no reason for Microsoft to remove them), but one thing I can't live with is Microsoft shoving their inferior search engine down everyone's throats and forcing me to manually change this on every machine I copy the profile to.
 
You can't. I tried too via sysprep/GPO (on Pro 11), but the default search engine will always go to Bing no matter how you change the image.
You have to configure that on an installed build. Even on a sysprep!
For Home/Pro it's not possible.
On Enterprise connected to a main server it's possible via GPO.
 
You can add extensions with a regedit trick. For example, apply this reg to download and install AdGuard and Free Download Manager at first launch of Microsoft Edge:


Windows Registry Editor Version 5.00

; AdGuard
[HKEY_LOCAL_MACHINE\Software\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

; Free Download Manager
[HKEY_LOCAL_MACHINE\Software\Microsoft\Edge\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp]
"update_url"="https://clients2.google.com/service/update2/crx"
 
It will work for any extension. Just get the signature of the extension and replace it in 2 places.
This trick also works for Google Chrome or any Chromium-based browser with minor changes in the reg entry.
For PopUpOff it's probably elacdkdmimelpnkbccdanmnabhajdccm, since it's in the link itself...

; Random Extension For Edge
[HKEY_LOCAL_MACHINE\Software\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

; Random Extension For Google Chrome
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

On Google Chrome, you can see the signatures of installed extensions.
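A .reg file of this kind is worth reading before it is imported from setupcomplete.cmd, since every key under `Extensions` makes the browser fetch and install an extension. The following is an added example, not code from any post in this thread: it parses a .reg export and lists entries a reviewer should look at. The function names `parse_reg` and `audit`, the malformed Chrome entry, the placeholder GUID and the choice of the thread's `update_url` as the only expected endpoint are assumptions made for the illustration.

```python
import re

# Constructed sample: two keys as posted in the thread, plus a malformed
# extension entry and an enrollment key (placeholder GUID) for the audit to flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; AdGuard
[HKEY_LOCAL_MACHINE\Software\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\NotAnExtensionId]
"update_url"="http://updates.example.invalid/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\00000000-0000-0000-0000-000000000000]
"""

EXT_KEY = re.compile(r"\\(?:Microsoft\\Edge|Google\\Chrome)\\Extensions\\([^\\]+)$", re.I)
MDM_KEY = re.compile(r"\\Microsoft\\(?:Enrollments|Provisioning)(?:\\|$)", re.I)
# Assumption: the only update endpoint treated as expected is the one used in the thread.
EXPECTED_UPDATE_URLS = {"https://clients2.google.com/service/update2/crx"}

def parse_reg(text):
    """Map each [key] in a .reg export to its string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            current[m.group(1)] = m.group(2)
    return keys

def audit(text):
    """Return (key, finding) pairs a reviewer should look at before importing."""
    findings = []
    for key, values in parse_reg(text).items():
        if (m := EXT_KEY.search(key)):
            if not re.fullmatch(r"[a-p]{32}", m.group(1)):
                findings.append((key, "extension id is not 32 chars of a-p"))
            if values.get("update_url") not in EXPECTED_UPDATE_URLS:
                findings.append((key, "unexpected update_url"))
        elif MDM_KEY.search(key):
            findings.append((key, "touches MDM enrollment/provisioning state"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE_REG):
        print(f"{finding}: {key}")
```

The same two registry locations are where an unwanted extension would show up on an installed machine, so the key patterns are also useful when reviewing an exported hive.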
 
Thanks for the replies. I know about the extension method and if there's no fix I will use that instead, but that still doesn't solve my problem with the search engine. There has to be a way, because when a profile with Google as the default search engine is copied to a different user on the same system, the search engine does get applied as it should. Somehow we need to find a way to trick Microsoft Edge into believing the profile is running on the same system it came from.
 
You can always use the enterprise MSI and deploy it with a config file... https://github.com/MicrosoftDocs/Edge-Enterprise but I believe you want to replace your consumer default installation's config... for that I don't know a valid working way.
 
Edge for Enterprise is normal Edge. That's just the marketing term for when you use their installer, instead of allowing WU or CU to install it.
 
It doesn't matter if all profile settings are captured in the Preference file at location: C:\Users\USER\AppData\Local\Microsoft\Edge\User Data.
If you want to control the search engine in Edge, you have to be on a connected enterprise server to do that.
The search engine for Edge can't be changed on Home and Pro, neither via GPO nor via copied profile settings/synchronization to a new/other install.
 
For anyone looking for an answer, I solved the problem by using the following reg file to apply the default search engine (Google) and install the extension I want (uBlock Origin):

https://dezwart.frl/edgeGoogleanduBlock.reg

The extension part is the same as mentioned before, but I'd like to explain a few things about the default search engine part.

It basically comes down to the following:
  • The Enrollments/Provisioning reg keys trick Edge into thinking Windows is MDM-managed, which Microsoft deems necessary to be able to apply policies to Edge.
  • The default search engine is applied using policies

If you want to use my solution, please note you MUST apply this reg file during setupcomplete.cmd. If you integrate the reg file with NTLite it will mess up Windows Security, leaving realtime protection turned on forever with no way to disable it. I have no idea why this happens, but it does.

Background info: https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
 

Attachments

  • edgeGoogleanduBlock.reg
    1.7 KB
Thank you, seems like a decent solution for Pro editions... I will stick with Home + Chrome since AdGuard adapted to the V3 manifest changes.
 
Read the url info and edited the different regs into one.

The reg file can be applied with NTL and works on the final install.
Using W11PRO 22621.521 and applying it on a 22621.608 with the latest NTL 2.3.8.8945 works on a final install, keeping the Defender realtime option off/on possible; even Defender Tamper gets locked (as mentioned), which the NTL Settings option doesn't.

The FAKE MDM regs one-to-one seem to generate a lot of other reg entries in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments].

When adding a reg file to NTL on the Registry tab before Apply, my experience is that it doesn't work all the time, except when looking at the right section, right-clicking all 4 hives in the right window, pushing edit (mounted NTL hive open) and closing it.
Repeat that on all 4 hives in NTL before doing Apply.

In my example I added Adguard and PopupOff as extensions, but only PopupOff showed up as an extension.
Adguard was applied, but I have to make it show manually in Edge?
 

Attachments

  • 1_Tamper blocked - realtime OK for turnoff-on.png
    58.3 KB
  • 2_Default search provider_OK.png
    42.9 KB
  • EDGE_2_GOOGLE_PLUS_EXTENSIONS.reg
    1.8 KB
Just to add a suspicion: in the file "2_Default search provider_OK" the setting is locked and change is not possible.
I think that's because I already changed that setting in GPO, applied despite it not being implementable before the FAKE MDM hack.
So maybe it is only necessary to add the Fake MDM enrollment to make GPO settings work on Pro and up?
 

Attachments

  • 1_EDGE_FAKE_MDM_ENROLLMENT.reg
    576 bytes
This is really nice, shame though that it only shows a prompt to activate just one extension if multiple are defined, the rest have to be enabled manually on the addons screen.
 

This does force tamper protection to an off state, which ironically some of us were trying to do anyway. Not sure if there are any other side effects, but it is indeed handy for using restricted policies.
 
Tamper Protection can be disabled by default, but it must be integrated into the image from Registry. Any attempts to change the value after system startup are ignored, and it can only be updated through the Security Center UI.
Well, this is new. In other discussions on here it was concluded there was no safe way to do it, hence the option for it in NTLite being broken. I will test this, so I have to add it to the registry section in NTLite, right?

--

Tested it, the protection stays enabled (Windows 10 21H2), I might have tried this in the past as I know I tried many ways suggested, none of which disabled it cleanly. So on my image fakemdm is the only way to automate it, albeit not allowing it to be enabled again.
 