diff --git a/edgeenterprise/microsoft-edge-policies.md b/edgeenterprise/microsoft-edge-policies.md index 59ed23821..337e6045e 100644 --- a/edgeenterprise/microsoft-edge-policies.md +++ b/edgeenterprise/microsoft-edge-policies.md @@ -3,7 +3,7 @@ title: "Microsoft Edge Browser Policy Documentation" ms.author: stmoody author: dan-wesley manager: venkatk -ms.date: 10/04/2024 +ms.date: 10/11/2024 audience: ITPro ms.topic: reference ms.service: microsoft-edge @@ -34,8 +34,11 @@ The following table lists the new and deprecated policies that are in this artic | Policy Name | Caption | |:-----|:-----| -|[EdgeEntraCopilotPageContext](#edgeentracopilotpagecontext)|Control access to page content for Entra ID Profiles accessing Microsoft Copilot with Enterprise Data Protection (EDP) from the Microsoft Edge sidebar| -|[CopilotCDPPageContext](#copilotcdppagecontext)|Control Copilot with Commercial Data Protection access to page context for Microsoft Entra ID profiles (deprecated)| +|[ExtensionsPerformanceDetectorEnabled](#extensionsperformancedetectorenabled)|Extensions Performance Detector enabled| +|[PrivateNetworkAccessRestrictionsEnabled](#privatenetworkaccessrestrictionsenabled)|Specifies whether to apply restrictions to requests to more private network endpoints| +|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)| +|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors (deprecated)| +|[UserAgentClientHintsGREASEUpdateEnabled](#useragentclienthintsgreaseupdateenabled)|Control the User-Agent Client Hints GREASE Update feature (deprecated)| ## Available policies 
@@ -304,6 +307,7 @@ These tables list all of the browser-related group policies available in this re |[EfficiencyMode](#efficiencymode)|Configure when efficiency mode should become active| |[EfficiencyModeEnabled](#efficiencymodeenabled)|Efficiency mode enabled| |[EfficiencyModeOnPowerEnabled](#efficiencymodeonpowerenabled)|Enable efficiency mode when the device is connected to a power source| +|[ExtensionsPerformanceDetectorEnabled](#extensionsperformancedetectorenabled)|Extensions Performance Detector enabled| |[PerformanceDetectorEnabled](#performancedetectorenabled)|Performance Detector Enabled| |[PinBrowserEssentialsToolbarButton](#pinbrowseressentialstoolbarbutton)|Pin browser essentials toolbar button| |[StartupBoostEnabled](#startupboostenabled)|Enable startup boost| @@ -342,6 +346,7 @@ These tables list all of the browser-related group policies available in this re |-|-| |[InsecurePrivateNetworkRequestsAllowed](#insecureprivatenetworkrequestsallowed)|Specifies whether to allow websites to make requests to any network endpoint in an insecure manner.| |[InsecurePrivateNetworkRequestsAllowedForUrls](#insecureprivatenetworkrequestsallowedforurls)|Allow the listed sites to make requests to more-private network endpoints from in an insecure manner| +|[PrivateNetworkAccessRestrictionsEnabled](#privatenetworkaccessrestrictionsenabled)|Specifies whether to apply restrictions to requests to more private network endpoints| ### [*Proxy server*](#proxy-server-policies) |Policy Name|Caption| 
@@ -650,7 +655,7 @@ These tables list all of the browser-related group policies available in this re |[NavigationDelayForInitialSiteListDownloadTimeout](#navigationdelayforinitialsitelistdownloadtimeout)|Set a timeout for delay of tab navigation for the Enterprise Mode Site List| |[NetworkPredictionOptions](#networkpredictionoptions)|Enable network prediction| |[NetworkServiceSandboxEnabled](#networkservicesandboxenabled)|Enable the network service sandbox| -|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior| +|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)| |[NewPDFReaderEnabled](#newpdfreaderenabled)|Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled| |[NonRemovableProfileEnabled](#nonremovableprofileenabled)|Configure whether a user always has a default profile automatically signed in with their work or school account| |[OrganizationLogoOverlayOnAppIconEnabled](#organizationlogooverlayonappiconenabled)|Allow your organization's logo from Microsoft Entra to be overlaid on the Microsoft Edge app icon of a work profile| 
@@ -673,7 +678,7 @@ These tables list all of the browser-related group policies available in this re |[QuicAllowed](#quicallowed)|Allow QUIC protocol| |[QuickSearchShowMiniMenu](#quicksearchshowminimenu)|Enables Microsoft Edge mini menu| |[QuickViewOfficeFilesEnabled](#quickviewofficefilesenabled)|Manage QuickView Office files capability in Microsoft Edge| -|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors| +|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors (deprecated)| |[ReadAloudEnabled](#readaloudenabled)|Enable Read Aloud feature in Microsoft Edge| |[RedirectSitesFromInternetExplorerPreventBHOInstall](#redirectsitesfrominternetexplorerpreventbhoinstall)|Prevent install of the BHO to redirect incompatible sites from Internet Explorer to Microsoft Edge| |[RedirectSitesFromInternetExplorerRedirectMode](#redirectsitesfrominternetexplorerredirectmode)|Redirect incompatible sites from Internet Explorer to Microsoft Edge| 
@@ -760,7 +765,7 @@ These tables list all of the browser-related group policies available in this re |[UploadFromPhoneEnabled](#uploadfromphoneenabled)|Enable upload files from mobile in Microsoft Edge desktop| |[UrlDiagnosticDataEnabled](#urldiagnosticdataenabled)|URL reporting in Edge diagnostic data enabled| |[UserAgentClientHintsEnabled](#useragentclienthintsenabled)|Enable the User-Agent Client Hints feature (obsolete)| -|[UserAgentClientHintsGREASEUpdateEnabled](#useragentclienthintsgreaseupdateenabled)|Control the User-Agent Client Hints GREASE Update feature| +|[UserAgentClientHintsGREASEUpdateEnabled](#useragentclienthintsgreaseupdateenabled)|Control the User-Agent Client Hints GREASE Update feature (deprecated)| |[UserAgentReduction](#useragentreduction)|Enable or disable the User-Agent Reduction| |[UserDataDir](#userdatadir)|Set the user data directory| |[UserDataSnapshotRetentionLimit](#userdatasnapshotretentionlimit)|Limits the number of user data snapshots retained for use in case of emergency rollback| 
@@ -11777,6 +11782,70 @@ Learn more about efficiency mode: [https://go.microsoft.com/fwlink/?linkid=21739 ``` + [Back to top](#microsoft-edge---policies) + + ### ExtensionsPerformanceDetectorEnabled + + #### Extensions Performance Detector enabled + + + + #### Supported versions: + + - On Windows and macOS since 131 or later + + #### Description + + This policy controls if users can access the Extensions Performance Detector Recommended Action feature in Browser Essentials. This feature alerts extension users if their extensions are causing performance regressions in the browser and allows them to take action to resolve the issue. + +If you enable or don't configure this policy, users will receive Extensions Performance Detector notifications from Browser Essentials. When there is an active alert, users will be able to view the impact of extensions on their browser's performance and make an informed decision to disable impacting extensions. The detector will exclude browser-managed extensions, such as Google Docs offline, component extensions, and organization-managed extensions (ie. extensions that cannot be disabled). + +If you disable this policy, users will not receive notifications or be able to view the Extensions Performance Detector Recommended Action. 
+ + #### Supported features: + + - Can be mandatory: Yes + - Can be recommended: Yes + - Dynamic Policy Refresh: Yes + - Per Profile: Yes + - Applies to a profile that is signed in with a Microsoft account: No + + #### Data Type: + + - Boolean + + #### Windows information and settings + + ##### Group Policy (ADMX) info + + - GP unique name: ExtensionsPerformanceDetectorEnabled + - GP name: Extensions Performance Detector enabled + - GP path (Mandatory): Administrative Templates/Microsoft Edge/Performance + - GP path (Recommended): Administrative Templates/Microsoft Edge - Default Settings (users can override)/Performance + - GP ADMX file name: MSEdge.admx + + ##### Windows Registry Settings + + - Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge + - Path (Recommended): SOFTWARE\Policies\Microsoft\Edge\Recommended + - Value Name: ExtensionsPerformanceDetectorEnabled + - Value Type: REG_DWORD + + ##### Example value: + +``` +0x00000001 +``` + + #### Mac information and settings + + - Preference Key Name: ExtensionsPerformanceDetectorEnabled + - Example value: +``` xml + +``` + + [Back to top](#microsoft-edge---policies) ### PerformanceDetectorEnabled 
@@ -13641,6 +13710,77 @@ SOFTWARE\Policies\Microsoft\Edge\InsecurePrivateNetworkRequestsAllowedForUrls\2 ``` + [Back to top](#microsoft-edge---policies) + + ### PrivateNetworkAccessRestrictionsEnabled + + #### Specifies whether to apply restrictions to requests to more private network endpoints + + + + #### Supported versions: + + - On Windows and macOS since 130 or later + + #### Description + + Specifies whether to apply restrictions to requests to more private +network endpoints + +When this policy is Enabled, any time when a warning is supposed to be displayed in the DevTools due to Private Network Access checks failing, the request is blocked. + +When this policy is Disabled or unset, all Private Network Access warnings are not enforced and the requests are not blocked. + +See https://wicg.github.io/private-network-access/ for Private Network Access restrictions. + +Note: A network endpoint is more private than another if: +1) Its IP address is localhost and the other is not. +2) Its IP address is private and the other is public. 
+ + #### Supported features: + + - Can be mandatory: Yes + - Can be recommended: No + - Dynamic Policy Refresh: Yes + - Per Profile: No + - Applies to a profile that is signed in with a Microsoft account: Yes + + #### Data Type: + + - Boolean + + #### Windows information and settings + + ##### Group Policy (ADMX) info + + - GP unique name: PrivateNetworkAccessRestrictionsEnabled + - GP name: Specifies whether to apply restrictions to requests to more private network endpoints + - GP path (Mandatory): Administrative Templates/Microsoft Edge/Private Network Request Settings + - GP path (Recommended): N/A + - GP ADMX file name: MSEdge.admx + + ##### Windows Registry Settings + + - Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge + - Path (Recommended): N/A + - Value Name: PrivateNetworkAccessRestrictionsEnabled + - Value Type: REG_DWORD + + ##### Example value: + +``` +0x00000001 +``` + + #### Mac information and settings + + - Preference Key Name: PrivateNetworkAccessRestrictionsEnabled + - Example value: +``` xml + +``` + + [Back to top](#microsoft-edge---policies) ## Proxy server policies @@ -33534,9 +33674,9 @@ This policy is intended to give enterprises flexibility to disable the network s ### NewBaseUrlInheritanceBehaviorAllowed - #### Allows enabling the feature NewBaseUrlInheritanceBehavior + #### Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated) - + >DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release. #### Supported versions: @@ -33550,6 +33690,10 @@ If you disable this policy, it prevents users or Microsoft Edge variations from If you enable or don't configure this policy, it allows enabling NewBaseUrlInheritanceBehavior. +This policy is being deprecated because the feature NewBaseUrlInheritanceBehaviorAllowed has been removed. + +This policy will be obsolete in release 133. + #### Supported features: - Can be mandatory: Yes 
@@ -33567,7 +33711,7 @@ If you enable or don't configure this policy, it allows enabling NewBaseUrlInher ##### Group Policy (ADMX) info - GP unique name: NewBaseUrlInheritanceBehaviorAllowed - - GP name: Allows enabling the feature NewBaseUrlInheritanceBehavior + - GP name: Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated) - GP path (Mandatory): Administrative Templates/Microsoft Edge/ - GP path (Recommended): N/A - GP ADMX file name: MSEdge.admx @@ -35030,9 +35174,9 @@ If you disable this policy, these files will be downloaded to be viewed. ### RSAKeyUsageForLocalAnchorsEnabled - #### Check RSA key usage for server certificates issued by local trust anchors + #### Check RSA key usage for server certificates issued by local trust anchors (deprecated) - + >DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release. #### Supported versions: 
@@ -35040,24 +35184,38 @@ If you disable this policy, these files will be downloaded to be viewed. #### Description - The X.509 key usage extension declares how the key in a certificate can be + This policy is deprecated because RSAKeyUsageForLocalAnchorsEnabled feature has been removed. + +This policy will be removed in version 133. + +The X.509 key usage extension declares how the key in a certificate can be used. These instructions ensure certificates aren't used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. HTTPS clients must verify that server certificates match the connection's TLS parameters. -If this policy is enabled, +Starting in Microsoft Edge 124, this +check is always enabled. + +Microsoft Edge 123 and earlier have the +following behavior: + +If this policy is set to enabled, Microsoft Edge will perform this key check. This helps prevent attacks where an attacker manipulates the browser into interpreting a key in ways that the certificate owner did not intend. -If this policy is set to disabled or not configured, +If this policy is set to disabled, Microsoft Edge will skip this key check in HTTPS connections that negotiate TLS 1.2 and use an RSA certificate that chains to a local trust anchor. Examples of local trust anchors include policy-provided or user-installed root certificates. In all other cases, the check is performed independent of this policy's setting. +If this policy is not configured, +Microsoft Edge will behave as if the +policy is enabled. + This policy is available for administrators to preview the behavior of a future release, which will enable this check by default. At that point, this policy will remain temporarily available for administrators that need more 
@@ -35087,7 +35245,7 @@ include both in RSA certificates meant for HTTPS. ##### Group Policy (ADMX) info - GP unique name: RSAKeyUsageForLocalAnchorsEnabled - - GP name: Check RSA key usage for server certificates issued by local trust anchors + - GP name: Check RSA key usage for server certificates issued by local trust anchors (deprecated) - GP path (Mandatory): Administrative Templates/Microsoft Edge/ - GP path (Recommended): N/A - GP ADMX file name: MSEdge.admx @@ -40891,9 +41049,9 @@ If you enable or don't configure this policy, the User-Agent Client Hints featur ### UserAgentClientHintsGREASEUpdateEnabled - #### Control the User-Agent Client Hints GREASE Update feature + #### Control the User-Agent Client Hints GREASE Update feature (deprecated) - + >DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release. #### Supported versions: @@ -40907,7 +41065,7 @@ When enabled, the User-Agent Client Hints GREASE Update feature aligns the User- If this policy is enabled or not configured, the User-Agent GREASE algorithm from the specification will be used. If the policy is disabled, the prior User-Agent GREASE algorithm will be used. -This policy is a temporary measure and will be removed in a future release. +This policy will be removed in release 133. This policy is deprecated as the updated GREASE algorithm has been on by default since Microsoft Edge version 102. #### Supported features: @@ -40926,7 +41084,7 @@ This policy is a temporary measure and will be removed in a future release. ##### Group Policy (ADMX) info - GP unique name: UserAgentClientHintsGREASEUpdateEnabled - - GP name: Control the User-Agent Client Hints GREASE Update feature + - GP name: Control the User-Agent Client Hints GREASE Update feature (deprecated) - GP path (Mandatory): Administrative Templates/Microsoft Edge/ - GP path (Recommended): N/A - GP ADMX file name: MSEdge.admx 
diff --git a/edgeenterprise/microsoft-edge-webview-policies.md b/edgeenterprise/microsoft-edge-webview-policies.md index 3d6357a98..92e1ea8df 100644 --- a/edgeenterprise/microsoft-edge-webview-policies.md +++ b/edgeenterprise/microsoft-edge-webview-policies.md @@ -3,7 +3,7 @@ title: "Microsoft Edge WebView2 Policy Documentation" ms.author: stmoody author: dan-wesley manager: venkatk -ms.date: 10/04/2024 +ms.date: 10/11/2024 audience: ITPro ms.topic: reference ms.service: microsoft-edge @@ -23,6 +23,15 @@ For information about an additional set of policies used to control how and when > [!NOTE] > This article applies to Microsoft Edge version 87 or later. +## New policies + +The following table lists the deprecated policies that are in this article update. + +| Policy Name | Caption | +|:-----|:-----| +|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)| +|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors (deprecated)| + ## Available policies These tables list all of the group policies available in this release of Microsoft Edge WebView2. Use the links in the table to get more details about specific policies. 
@@ -54,9 +63,9 @@ These tables list all of the group policies available in this release of Microso |[ExperimentationAndConfigurationServiceControl](#experimentationandconfigurationservicecontrol)|Control communication with the Experimentation and Configuration Service| |[ForcePermissionPolicyUnloadDefaultEnabled](#forcepermissionpolicyunloaddefaultenabled)|Controls whether unload event handlers can be disabled.| |[HttpAllowlist](#httpallowlist)|HTTP Allowlist| -|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior| +|[NewBaseUrlInheritanceBehaviorAllowed](#newbaseurlinheritancebehaviorallowed)|Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)| |[NewPDFReaderWebView2List](#newpdfreaderwebview2list)|Enable built-in PDF reader powered by Adobe Acrobat for WebView2| -|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors| +|[RSAKeyUsageForLocalAnchorsEnabled](#rsakeyusageforlocalanchorsenabled)|Check RSA key usage for server certificates issued by local trust anchors (deprecated)| @@ -668,9 +677,9 @@ SOFTWARE\Policies\Microsoft\Edge\WebView2\HttpAllowlist = "[*.]example.org" ### NewBaseUrlInheritanceBehaviorAllowed - #### Allows enabling the feature NewBaseUrlInheritanceBehavior + #### Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated) - + >DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release. #### Supported versions: 
@@ -684,6 +693,10 @@ If you disable this policy, it prevents users or Microsoft Edge variations from If you enable or don't configure this policy, it allows enabling NewBaseUrlInheritanceBehavior. +This policy is being deprecated because the feature NewBaseUrlInheritanceBehaviorAllowed has been removed. + +This policy will be obsolete in release 133. + #### Supported features: - Can be mandatory: Yes @@ -699,7 +712,7 @@ If you enable or don't configure this policy, it allows enabling NewBaseUrlInher ##### Group Policy (ADMX) info - GP unique name: NewBaseUrlInheritanceBehaviorAllowed - - GP name: Allows enabling the feature NewBaseUrlInheritanceBehavior + - GP name: Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated) - GP path (Mandatory): Administrative Templates/Microsoft Edge WebView2/ - GP path (Recommended): N/A - GP ADMX file name: MSEdgeWebView2.admx @@ -785,9 +798,9 @@ SOFTWARE\Policies\Microsoft\Edge\WebView2\NewPDFReaderWebView2List = {"name": "* ### RSAKeyUsageForLocalAnchorsEnabled - #### Check RSA key usage for server certificates issued by local trust anchors + #### Check RSA key usage for server certificates issued by local trust anchors (deprecated) - + >DEPRECATED: This policy is deprecated. It is currently supported but will become obsolete in a future release. #### Supported versions: 
@@ -795,24 +808,38 @@ SOFTWARE\Policies\Microsoft\Edge\WebView2\NewPDFReaderWebView2List = {"name": "* #### Description - The X.509 key usage extension declares how the key in a certificate can be + This policy is deprecated because RSAKeyUsageForLocalAnchorsEnabled feature has been removed. + +This policy will be removed in version 133. + +The X.509 key usage extension declares how the key in a certificate can be used. These instructions ensure certificates aren't used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. HTTPS clients must verify that server certificates match the connection's TLS parameters. -If this policy is enabled, +Starting in Microsoft Edge 124, this +check is always enabled. + +Microsoft Edge 123 and earlier have the +following behavior: + +If this policy is set to enabled, Microsoft Edge will perform this key check. This helps prevent attacks where an attacker manipulates the browser into interpreting a key in ways that the certificate owner did not intend. -If this policy is set to disabled or not configured, +If this policy is set to disabled, Microsoft Edge will skip this key check in HTTPS connections that negotiate TLS 1.2 and use an RSA certificate that chains to a local trust anchor. Examples of local trust anchors include policy-provided or user-installed root certificates. In all other cases, the check is performed independent of this policy's setting. +If this policy is not configured, +Microsoft Edge will behave as if the +policy is enabled. + This policy is available for administrators to preview the behavior of a future release, which will enable this check by default. At that point, this policy will remain temporarily available for administrators that need more 
@@ -840,7 +867,7 @@ include both in RSA certificates meant for HTTPS. ##### Group Policy (ADMX) info - GP unique name: RSAKeyUsageForLocalAnchorsEnabled - - GP name: Check RSA key usage for server certificates issued by local trust anchors + - GP name: Check RSA key usage for server certificates issued by local trust anchors (deprecated) - GP path (Mandatory): Administrative Templates/Microsoft Edge WebView2/ - GP path (Recommended): N/A - GP ADMX file name: MSEdgeWebView2.admx
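Review bot: In the ExtensionsPerformanceDetectorEnabled section added at @@ -11777 of microsoft-edge-policies.md, the Mac "Example value:" fence is empty as shown, so a macOS administrator gets no sample for the preference key. Add the plist boolean (`<true/>`) that corresponds to the Windows example `0x00000001`. In the same hunk, "(ie. extensions that cannot be disabled)" should read "(i.e., extensions that cannot be disabled)", and "since 131 or later" says the same thing twice.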
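Review bot: The PrivateNetworkAccessRestrictionsEnabled description added at @@ -13641 of microsoft-edge-policies.md never says how this policy interacts with InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls, which sit in the same Private Network Request Settings table (@@ -342). State which setting wins when one of those policies allows a request that this one would block. It is also worth saying outright that leaving the policy unset keeps the checks in warn-only mode, because "all Private Network Access warnings are not enforced" is easy to misread. The first Description line repeats the caption, breaks mid-sentence and has no closing period, and the Mac example fence is empty here too.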
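Review bot: The deprecation sentence added at @@ -33550 of microsoft-edge-policies.md names the policy where it means the feature: "because the feature NewBaseUrlInheritanceBehaviorAllowed has been removed" should refer to the feature NewBaseUrlInheritanceBehavior, which is the name the surrounding description and the caption use. The same sentence is added at @@ -684 of microsoft-edge-webview-policies.md and needs the same fix.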
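Review bot: The unchanged paragraph that closes the @@ -35040 hunk in microsoft-edge-policies.md now contradicts the text added above it. The new lines say "Starting in Microsoft Edge 124, this check is always enabled" and that an unconfigured policy behaves as enabled, while the trailing context still reads "This policy is available for administrators to preview the behavior of a future release, which will enable this check by default." Remove that paragraph or rewrite it in the past tense. The opening line, "because RSAKeyUsageForLocalAnchorsEnabled feature has been removed", can also be read as the key usage check itself going away. Say instead that the check is unconditional from version 124 and that the policy no longer has any effect. The mirrored hunk at @@ -795 of microsoft-edge-webview-policies.md carries the same stale paragraph.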
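Review bot: The removal wording at @@ -40907 of microsoft-edge-policies.md ("This policy will be removed in release 133") does not match the other two deprecations in this patch, which say "will be obsolete in release 133" (NewBaseUrlInheritanceBehaviorAllowed) and "will be removed in version 133" (RSAKeyUsageForLocalAnchorsEnabled). The DEPRECATED banner on all three still says "a future release". Pick one phrasing and one term, release or version, so administrators scanning for the cut-off can rely on a single string. In this hunk the reason for deprecation would also read better before the removal date.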
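Review bot: The section added at @@ -23 of microsoft-edge-webview-policies.md is headed "## New policies", but its intro sentence and both table rows cover only deprecated policies. Rename the heading, for example to "## New and deprecated policies" to match the wording of the intro in microsoft-edge-policies.md, or to "## Deprecated policies". Otherwise readers will look for newly added WebView2 policies that are not there.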