Edge 116.0.1938.62 released, issues with ignored policies for users logged in to user account fixed?

[German] Microsoft has updated the Edge browser to version 116.0.1938.62 as of August 25, 2023. It is a maintenance update that probably fixes an issue with ignored group policies when logging in to the user account and also fixes vulnerabilities.

Edge 116.0.1938.62

EP mentioned the release of Edge 116.0.1938.62 in this comment (thanks). The release notes for Edge 116.0.1938.62 say that various bugs and performance issues have been fixed. The security release notes list the following vulnerability as fixed:

CVE-2023-36741: Elevation of Privilege; In a web-based attack scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-supplied content) that contains a specially crafted file that could be used to exploit the vulnerability. An attacker who successfully exploited this vulnerability could succeed in executing remote code.

To successfully exploit this vulnerability, an attacker must take additional measures to prepare the target environment before exploiting it. However, an attacker would have no way to force the user to visit the website. Instead, the attacker would have to get the user to click on a link (e.g., in a phishing email) and then get the user to open the specially crafted file.

Microsoft rates the exploitability of this vulnerability as low. The Edge update also closes the Chromium vulnerabilities mentioned in the blog post Google Chrome 116.0.5845.110/.111.

Ignored policy problem fixed?

In the blog post Edge 116.0.1938.54 released, problems with ignored policies when logging in to user account? I had reported that Edge 116.0.1938.54 may ignore group policies in corporate environments as soon as the user is logged in with his Microsoft account. German blog reader Gunnar Haslinger had pointed this out to me via email.

Introduced by design

Another anonymous blog reader had then pointed out in this German comment that this was "by-design" and was introduced by Microsoft with Edge 116. The reader had linked to the Techcommunity Microsoft Edge for Business FAQ, dated August 4, 2023. There, it is explained that starting with Edge 116, users should be able to separate their business and personal browsing with a personal profile and take advantage of Edge's full feature set for personal use.

And German blog reader getfirefox writes in this comment that Edge as of version 116 intentionally ignores quite a few policies under certain conditions. In the support post Microsoft Edge Policies from July 11, 2023, the following passage can be found:

Starting with Microsoft Edge version 116, certain policies are not applied to a profile that is signed in with a Microsoft account. For more information, see an individual policy to see if it applies to a profile that is signed in with a Microsoft account.

So this is not a bug or an oversight, but a well-documented planned intention, the reader notes. For Edge profiles that are not linked to a Microsoft account, the corresponding policies continue to work, but for profiles with a Microsoft account, they have intentionally not worked since 116. Unfortunately, that's a whole lot of policies affected by this rewrite.

Microsoft's U-turn

Just now Gunnar Haslinger contacted me via email and pointed out the Edge update to version 116.0.1938.62. To this he wrote:

Hello Günter,

Status update on this: Microsoft has realized that the behavior of "ignoring" almost all set policies when using an MSA (Microsoft Account) for profile sync is not accepted by SysAdmins.

Since yesterday evening Edge Stable version 116.0.1938.62 is available and behaves in this regard (at least in the single-MSA sync scenario discussed here) again as expected, the policies are applied again and no longer ignored.

Also solutions like my FakeMDM provider are working again.

My thanks to Gunnar for the hint including links. Anyone else who can confirm this changed behavior?
