
Certificate Revocation in Microsoft Edge


When you visit an HTTPS site, the server must present a certificate, signed by a trusted third-party (a Certificate Authority, aka CA), vouching for the identity of the bearer. The certificate contains an expiration date, and is considered valid until that date arrives. But what if the CA later realizes that it issued the certificate in error? Or what if the server’s private key (corresponding to the public key in the certificate) is accidentally revealed?

Enter certificate revocation. Revocation allows the trusted third-party to indicate to the client that a particular certificate should no longer be considered valid, even if it’s unexpired.

There are several techniques to implement revocation checking, and each has privacy, reliability, and performance considerations. Back in 2011, I wrote a long post about how Internet Explorer handles certificate revocation checks.

Back in 2018, the Microsoft Edge team decided to match Chrome’s behavior by not performing online OCSP or CRL checks for most certificates by default.

Wait, What? Why?

The basic arguments are that HTTPS certificate revocation checks:

  • Impair performance (tens of milliseconds to tens of seconds in latency)
  • Impair privacy (CAs could log what you’re checking and know where you went)
  • Are too unreliable to hard-fail (too many false positives on downtime or network glitches)
  • Are useless against most threats when soft-fail (because an active MITM can block the check)

For more context about why Chrome stopped using online certificate revocation checks many years ago, see these posts from the Chromium team explaining their thinking:

Note: Revocation checks still happen

Chromium still performs online OCSP/CRL checks for Extended Validation certificates only, in soft-fail mode. If the check fails (e.g. offline OCSP responder) the certificate is just treated as a regular TLS certificate without the EV treatment. Users are very unlikely to ever notice because the EV treatment, now buried deep in the security UX, is virtually invisible. Notably, however, there is a performance penalty: if your Enterprise blackholes or slowly blocks access to a major CA’s OCSP responder, TLS connections from Chromium will be 🐢 very slow.

Even without online revocation checks, Chromium performs offline checks in two ways.

  1. It calls the Windows Certificate API (CAPI) with an “offline only” flag, such that revocation checks consult previously-cached CRLs (e.g. if Windows had previously retrieved a CRL), and certificate distrust entries deployed by Microsoft.
  2. It plugs into CAPI an implementation of CRLSets, a Google/Microsoft deployed list of popular certificates that should be deemed revoked.

On Windows, Chromium uses the CAPI stack to perform revocation checks. I would expect this check to behave identically to the Internet Explorer check (which also relies on the Windows CAPI stack). Specifically, I don’t see any attempt to set dwUrlRetrievalTimeout away from the default. For background, see “How CAPI2 certificate revocation works”. Sometimes it’s useful to enable CAPI2 diagnostics.

CRLSets are updated via the Component Updater; if the PC isn’t ever on the Internet (e.g. an air-gapped network), the CRLSet will only be updated when a new version of the browser is deployed. (Of course, in an environment without access to the internet at large, revocation checking is even less useful.)

After Chromium moves to use its own built-in verifier, it will perform certificate revocation checks using its own revocation checker. Today, that checker supports only HTTP-sourced CRLs (the CAPI checker also supports HTTPS, LDAP, and FILE).

Group Policy Options

Chromium (and thus Edge and Chrome) support two Group Policies that control the behavior of revocation checking.

The EnableOnlineRevocationChecks policy enables soft-fail revocation checking for certificates. If the certificate does not contain revocation information, the certificate is deemed valid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed valid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.

The RequireOnlineRevocationChecksForLocalAnchors policy allows hard-fail revocation checking for certificates that chain to a private anchor. (A “private anchor” is not a “public Certificate Authority”, but instead, e.g., the Enterprise root your company deployed to its PCs for either its internal sites or its Monster-in-the-Middle (MITM) network traffic inspection proxy.) If the certificate does not contain revocation information, the certificate is deemed invalid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed invalid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.
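To see which of these two policies a Windows machine actually has deployed, the policy registry keys can be read directly. The PowerShell below is an added example, not code from the original post or from the Chromium or Edge projects; it assumes the standard policy locations `SOFTWARE\Policies\Microsoft\Edge` and `SOFTWARE\Policies\Google\Chrome`, and that a machine-level value takes precedence over a user-level one.

```powershell
# Added example: report how the two revocation-checking policies are set for
# Edge and Chrome on this machine, and what that means per the text above.
# Assumption: the policies live under the standard Chromium policy keys below.
$PolicyRoots = [ordered]@{
    Edge   = 'SOFTWARE\Policies\Microsoft\Edge'
    Chrome = 'SOFTWARE\Policies\Google\Chrome'
}
$PolicyNames = @(
    'EnableOnlineRevocationChecks',
    'RequireOnlineRevocationChecksForLocalAnchors'
)

function Get-PolicyDword {
    # Returns the DWORD value of one policy, or $null when it is not set.
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name
    )
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]($item.$Name)
}

function Get-BrowserRevocationPolicy {
    foreach ($browser in $PolicyRoots.Keys) {
        $subKey = $PolicyRoots[$browser]
        $effective = @{}
        foreach ($name in $PolicyNames) {
            $machine = Get-PolicyDword -Hive HKLM -SubKey $subKey -Name $name
            $user    = Get-PolicyDword -Hive HKCU -SubKey $subKey -Name $name
            # Assumption: a machine-level policy wins over a user-level one.
            $effective[$name] = if ($null -ne $machine) { $machine } else { $user }
        }

        $online   = $effective['EnableOnlineRevocationChecks'] -eq 1
        $hardFail = $effective['RequireOnlineRevocationChecksForLocalAnchors'] -eq 1

        # Default behaviour: offline checks only (cached CRLs and CRLSets),
        # with online soft-fail checks reserved for EV certificates.
        $publicMode = if ($online) {
            'online OCSP/CRL, soft-fail'
        } else {
            'offline only (cached CRLs, CRLSets); EV checked online, soft-fail'
        }
        $localMode = if ($hardFail) {
            'online, hard-fail (no revocation info or no answer = invalid)'
        } elseif ($online) {
            'online OCSP/CRL, soft-fail'
        } else {
            'offline only (cached CRLs, CRLSets)'
        }

        [pscustomobject]@{
            Browser                                      = $browser
            EnableOnlineRevocationChecks                 = $effective['EnableOnlineRevocationChecks']
            RequireOnlineRevocationChecksForLocalAnchors = $effective['RequireOnlineRevocationChecksForLocalAnchors']
            PublicCaChains                               = $publicMode
            PrivateAnchorChains                          = $localMode
        }
    }
}

Get-BrowserRevocationPolicy | Format-List
```

An empty value in the first two output fields means the policy is not configured and the browser default applies.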

Other browsers

Note: This section may be outdated!

Here’s an old survey of cross-browser revocation behavior.

By default, Firefox still queries OCSP servers for certificates that have a validity lifetime over 10 days. If you wish, you can require hard-fail OCSP checking by navigating to about:config and toggling security.OCSP.require to true. See this wiki for more details.

For the now-defunct Internet Explorer, you can set a Feature Control registry DWORD to convert the usual soft-fail into a slightly-less-soft fail:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED

iexplore.exe=1

Edge Legacy did not have any option for non-silent failure for revocation checks.



spongbeaux
8 days ago
Excellent write up

Microsoft starts testing new Windows 11 taskbar UI changes

Photo by Becca Farsace / The Verge

Microsoft is experimenting with new UI changes to the Windows 11 taskbar. The software giant is testing out bringing back the familiar search bar from Windows 10, alongside notification badges for the Widgets section in Windows 11.

Windows 11 currently ships with a search button on the taskbar, which can be disabled and only shows the search logo. Microsoft is now testing three different search taskbar visual changes. One experiment is the usual search icon, while two others include a small or large search bar in the taskbar. Microsoft is looking for feedback on the changes before they’re rolled out more broadly, and the tests are part of Microsoft’s new experimental Windows 11 features, which does mean they might not ship.

...

spongbeaux
27 days ago
But all I want is taskbar ungrouping back!

My war on animation

A character holds up a glowing “Pause” icon towards floating browser windows circling above them. The windows are displaying a video “Play” icon.
Illustration by Alex Castro / The Verge

We are surrounded by a world of motion and I would like to get off of it

Imagine entering a house with an endless series of doors and corridors. Behind some of those doors are the most delightful things imaginable: feasts straight out of Redwall, unicorns, an endless supply of scenic vistas, and unionized workplaces. Behind other doors, however, are grotesque and terrifying jack-in-the-boxes that pop up the minute you crack the door open, blasting up to fill the entire frame, dangling lasciviously on rusty springs as a creaky, vaguely circus-themed song plays.

That’s what navigating the internet is like for me. Every time I click a link, I have to ask myself if it’s going to be Bozo the clown or something delightful and captivating that I will be happy to have encountered.

All of us find the internet stimulating, but I find it extremely stimulating, specifically when it comes to animated and moving content — and not in a good way. Something about the wiring of my brain makes it difficult to process animations or repetitive movements, like the blinker you’ve left on for the last five miles, turning them into an accessibility issue: a website with animated content is difficult and sometimes impossible to use because the movement becomes all I can think about.

I never met a digital animation I liked, and their use is only increasing. GIFs, sure, but also cutesy little ornamental doodles you probably don’t notice. The weirdly nauseating loop of the Boomerang effect on Instagram. The once-again en vogue giant animated cursors that chase you. Autoplay video, of course, especially when it follows you down the page. Flashing ads, the perennial bane of our collective internet existence. Parallax scrolling for all your sexy data viz and prestige immersive feature needs. Bouncing menus jiggling for your attention. The little “loading” animation at the edge of a background tab.

We are surrounded by a world of motion and I would like to get off of it.

No medical professional (neurological, ophthalmological, or otherwise) has been able to adequately explain or treat whatever my brain does when it encounters animations. Yet I am constantly navigating around the desperate desire to avoid them — ducking out of Zooms when people start running animations on their PowerPoints, using every ad, image, and element blocker known to man and a few besides, militantly opposing even a whiff of animation on any project where I have creative input. At times, it feels like a losing battle, one over the first time someone added an “under construction” to their GeoCities site in the 1990s.

This is a place that honestly isn’t very much fun to be, and it’s not because I resent having to approach the internet like a minefield. It’s because I know the internet loves animations and uses them in incredibly creative ways that stretch beyond Steve Wilhite’s wildest dreams (even if he did pronounce GIF wrong). They’ve become an entire syntax of communication; many a fine dunk below a ratioed tweet consists of a single GIF. Animation can also both enrich and simplify the display of data. It’s a culture I want to participate in and also one I don’t want to put down.

I can block anything ending in .gif, but it usually renders buttons nonoperative. I can load a site without styles, but usually, the result is not very enjoyable to use. I can block ads, but then it deprives the nice websites I like to read (and write for) of revenue. There is, of course, a way to bridge this divide, and bizarrely, one of my allies is Twitter, which struck a decisive blow when it allowed users to freeze autoplay on all moving content, including GIFs. Users who love them can post them; users who don’t simply see a still frame. What’s good for reducing server load is also good for the case exceptions such as mine.


Access issues like these are weird, in multiple senses of the word. If someone explains that some animations at certain frame rates or with flashing features can cause seizures, people have a frame of reference. It doesn’t always mean they’ll respect the risk, but it does mean they understand it. When I say that animations in general across the board are “incredibly disruptive,” it sounds, bluntly, like nonsense. If you’re reading and thinking, This sounds exaggerated and I don’t believe it, you are not the first. Like other unusual access needs, sensitivity to animation tends to get dismissed or denied because: Come on, who can’t handle one little animated GIF? Are you seriously telling me that auto-refreshing content can make you hurl? I bet you watch TV, what do you have to say about that? (I can do small screens at home; in movie theaters, it is overwhelming.)

It’s a feeling familiar to other disabled people with “weird” access issues. Some people with ADHD, along with some autistics, like to wear headphones nearly everywhere they go, and listen to music to help themselves focus. People with severe chemical sensitivity may not be able to walk into older buildings, stores that stock strongly-scented products or structures with new carpets and paint. Migraineurs may not be able to work in bright environments or use screens. A person with severe anxiety might need a disability placard for their car so they can get in and out of businesses more quickly.

This isn’t just about animated content. The internet and the world at large have a huge accessibility problem and people tend to think that adhering to documented standards (and sometimes using dodgy third-party tools) will address it, when as my case clearly illustrates, no documentation can cover every possible scenario. Access requires a conversation with the disability community. No place can be all things to all people and any series of design choices will result in inaccessibility for some number of users, with people giving contradictory feedback in the discovery phase. Unfortunately, there’s no checklist to solve this, and accessibility is something that constantly evolves and shifts. It also provides cool opportunities, though, a chance to design something really unique and interesting that stands out and shows that access is beautiful, not just practical. As dance company Kinetic Light illustrates with stunning performances actively integrating access tools such as ramps and wheelchairs along with audio description that is part of the work, access can be art.

When it comes to web access, there are two approaches, starting with functional tools that we can use to configure the internet to meet our needs while other users can ah “enjoy” the horrors you visit upon them. Another is to think about user experience more creatively and comprehensively. I’m not the only one who struggles with parallax scrolling, for example, and not just because it moves in troubling ways. It can also be tough for screen readers to work with, particularly when it’s being used for something like a graphics-heavy display of data. Other people just find it annoying, which seems fair. Could there be an alternative plain or clean version of the same data, presented with the same care? Could you build rapport and trust with disabled users to encourage them to collaborate with you? Rather than viewing access as an imposition that narrows your options, think of it as an invitation to think outside the box.

Developers make decisions about how inaccessibility might manifest and how it might be mitigated. You could warn me that there’s an access issue ahead, but what if there’s something cool in there? You could simply mitigate the issue by giving me more control over it, allowing me to decide if, how, and when I want to interact with it. As a grownup, I can and want to make my own decisions.

Truthfully that’s all I, and many other disabled web users, desire: To be on the inside looking out, for once.

spongbeaux
28 days ago
I've been advocating no-animation and instant responses as an option for years... (Flash and Silverlight had a lot to answer for)

I'd play all the fake games Valve made up for the Steam Summer Sale


I swear I saw the logo for Small Claims Court and just thought, yeah, that seems like an indie game. Turns out it wasn't, it was one of several pieces of "fake game art" created by Valve artist Claire Hummel as part of the Steam summer sale. Now that the sale is over, Hummel shared all of the made-up key art on Twitter, and it's all great.

spongbeaux
32 days ago
Bastards! Also very hard to find all the clued titles when you are looking for a real matching game!

Announcing Windows 11 Insider Preview Build 25145

Hello Windows Insiders, today we are releasing Windows 11 Insider Preview Build 25145 to the Dev Channel.

TL;DR

  • This build includes a few new features rolling out including an update for Narrator Braille driver support, OneDrive storage alert and subscription management in Settings, and Local Administrator Password Solution.
  • As always, the build includes a good set of fixes that improve the overall experience for Insiders on their PCs.
  • We also fixed the issue causing Surface Pro X devices to hit a black screen when attempting to resume from hibernate.

What’s new in Build 25145

Narrator Braille Driver Solution

Braille devices will continue working while switching between Narrator and third-party screen readers, as Narrator will automatically change Braille drivers.

Prerequisites: You must remove Narrator’s current braille support if it is already installed by following the steps below:
  1. Open Settings.
  2. Go to Apps > Optional features > Installed features.
  3. Search for Accessibility - Braille support.
  4. Expand Accessibility - Braille support and uninstall the feature.
Install new narrator braille support:
  1. Go to Settings > Accessibility > Narrator > Braille.
  2. Select the more button.
  3. Download braille from this new window by selecting the Download and install braille button.
  4. After braille is installed, then return to Settings > Accessibility > Narrator > Braille.
  5. Select the braille display driver used by your third-party screen reader from the “Braille display driver” option. This only needs to be done once.
Refer to the detailed documentation to learn more about the braille driver solution.

Additional Resources: Please refer to the Narrator User Guide for additional information on supported braille displays and braille functionality in Narrator.

FEEDBACK: Please file feedback in Feedback Hub (WIN + F) under Accessibility > Narrator.

Bringing OneDrive storage alert and subscription management in Settings 

In March, we enhanced the Microsoft 365 subscription management experience in Windows 11 Settings and added the ability to view your payment method on your Microsoft 365 subscription in Accounts within Settings.

[Image: The OneDrive Standalone 100GB subscription management experience is live on Accounts page in Settings.]

Starting with today’s build, we have begun enabling OneDrive Standalone 100GB subscriptions in the Accounts page within Settings, similar to the Microsoft 365 subscriptions. This will allow you to view your recurring billing, payment method, and OneDrive storage usage within Windows 11. Additionally, if you are close to or above your OneDrive storage limit, you will be informed on the same page.

[Image: Banner shown on Account settings page alerting you about your storage usage.]

[We are beginning to roll those features out, so the experience isn’t available to all Insiders just yet as we plan to monitor feedback and see how it lands before pushing it out to everyone.]

FEEDBACK: Please file feedback in Feedback Hub (WIN + F) under Settings > Settings Homepage.

Local Administrator Password Solution

The legacy Local Administrator Password Solution product (aka “LAPS”) is now a native part of Windows and includes many new features:
[Image: Easily manage the new LAPS group policy settings via Group Policy Editor.]

Feature documentation is not yet available; however, if you have used the legacy LAPS product then many of the features in this new version will be familiar to you. Here is a short how-to to help you get started on the basic Active Directory domain-joined client scenario:
  1. Extend your Active Directory schema by running the Update-LapsADSchema cmdlet in the new LAPS PowerShell module.
  2. Add the necessary permissions on your computer’s OU by running the Set-LapsADComputerSelfPermission cmdlet.
  3. Add a new LAPS Group Policy object and enable the “Configure password backup directory” setting and configure it to backup the password to “Active Directory”.
  4. The domain-joined client will process the policy at the next GPO refresh interval. Run “gpupdate /target:computer /force” to avoid waiting. (The Invoke-LapsPolicyProcessing cmdlet may be used for this same purpose.)
  5. Once the domain-joined client has backed up a new password (look for the 10018 event in the event log – see below screenshot), run the Get-LapsADPassword cmdlet to retrieve the newly stored password (by default you must be running as a domain administrator).
To get to this new Group Policy, open the Group Policy editor and navigate to Computer Configuration > Administrative Templates > System > LAPS. You can retrieve detailed status via the new built-in event logging:

[Image: Easily track the outcome of all LAPS operations in the event log.]

Note: the feature is fully functional for Active Directory domain-joined clients, but Azure Active Directory support is limited for now to a small set of Insiders. We will make an announcement once Azure Active Directory support is more broadly available.

FEEDBACK: Please file feedback in Feedback Hub (WIN + F) under Security and Privacy > Attack Surface Reduction.
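The five how-to steps above, written out as an added PowerShell walk-through (an example added here, not Microsoft's own script). The OU distinguished name and computer name are hypothetical placeholders, the event log name `Microsoft-Windows-LAPS/Operational` is not given in the post, and step 3 is still done in the Group Policy editor.

```powershell
# Added example. Hypothetical placeholders: replace with your own values.
$TargetOU     = 'OU=Workstations,DC=example,DC=test'
$ComputerName = 'PC-EXAMPLE-01'

function Initialize-LapsDirectory {
    # Steps 1 and 2: run once from an account allowed to extend the schema.
    param([Parameter(Mandatory)][string]$OrganizationalUnit)

    # Step 1: add the LAPS attributes to the Active Directory schema.
    Update-LapsADSchema

    # Step 2: let computers in the OU update their own LAPS password attributes.
    Set-LapsADComputerSelfPermission -Identity $OrganizationalUnit

    # Review which principals can read stored passwords for this OU before
    # any password is backed up.
    Find-LapsADExtendedRights -Identity $OrganizationalUnit
}

function Test-LapsClientBackup {
    # Steps 4 and 5 (first half): run on the domain-joined client after the
    # GPO from step 3 ("Configure password backup directory" = Active
    # Directory) has been linked to its OU.

    # Step 4: process the LAPS policy now instead of waiting for GPO refresh.
    Invoke-LapsPolicyProcessing

    # Step 5: look for event 10018, which the post names as the sign that a
    # new password was backed up. Log name is an assumption (see lead-in).
    $backupEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-LAPS/Operational'
        Id      = 10018
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($null -eq $backupEvent) {
        Write-Warning 'No 10018 event found yet; check the LAPS log for errors.'
        return $false
    }
    Write-Output "Password backed up at $($backupEvent.TimeCreated)"
    return $true
}

function Get-LapsBackupStatus {
    # Step 5 (second half): run as a domain administrator (the default
    # requirement stated in the post). Without -AsPlainText the password
    # stays a SecureString; only the metadata is shown here.
    param([Parameter(Mandatory)][string]$Computer)

    Get-LapsADPassword -Identity $Computer |
        Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
}

# Usage, in order:
#   Initialize-LapsDirectory -OrganizationalUnit $TargetOU   # admin workstation
#   Test-LapsClientBackup                                    # on the client
#   Get-LapsBackupStatus -Computer $ComputerName             # admin workstation
```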

Changes and Improvements

[General]

  • Every Microsoft customer should be able to use our products knowing we will protect their privacy and give them the information and tools needed to easily make privacy decisions with confidence. The new App usage history features, which began rolling out to Insiders with Build 25140, gives users a 7-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots and apps through the Settings experience. You can find this new information under Settings > Privacy & security > App permissions (simply click on one of the app permissions categories such as microphone and look at “Recent activity”).

[Suggested Actions]

  • Suggested Actions, which began rolling out with Build 25115, is now available to all Windows Insiders in the U.S., Canada, and Mexico.

[File Explorer]

  • Middle clicking a folder in the body of File Explorer will now open it in a new tab.

Fixes

[General]

  • Fixed an issue causing Windows Insiders on Surface Pro X devices to hit a black screen when attempting to resume from hibernate.
  • Fixed a bugcheck that some Insiders were experiencing with SYSTEM_THREAD_EXCEPTION_NOT_HANDLED related to USBs.
  • Fixed a bugcheck with error 0x1CA SYNTHETIC_WATCHDOG_TIMEOUT that could happen sporadically on some PCs after left idling for some time. This could happen when a laptop lid was closed, making it appear that the laptop had rebooted while sleeping.
  • Fixed an issue from the last two builds that was leading to InventorySvc consuming an unexpectedly high volume of memory the longer it was running.

[File Explorer]

  • The row of tabs should now be included in the keyboard focus cycle when pressing Tab or F6. Once focus is in the tab row, you can use left or right arrow keys to navigate through them.
  • Fixed an issue where the tab order when using CTRL + Tab would be wrong if you’d rearranged the tabs in File Explorer.

[Start]

  • Narrator will now read the dialog that opens when uninstalling an app from its context menu in Start and those options correctly.
  • The animation when selecting the More button in Start's Recommended section in right-to-left (RTL) languages should now appear correctly.

[Taskbar]

  • When dismissing notification center using your keyboard, its closing animation will now show correctly.

[Settings]

  • Typing a number in the Settings search box when using an Arabic display language should no longer show boxes.
  • Fixed an issue causing Settings to crash when going to Bluetooth & Devices > Printers & Scanners in the last few builds.
  • Fixed a couple crashes that some Insiders were experiencing in the last few builds when opening the Wi-Fi section of Quick Settings, or after connecting or disconnecting from networks in the Wi-Fi section in Quick Settings.
  • Fixed an issue that was causing the Wi-Fi option in Quick Settings and the Wi-Fi section in Settings to sometimes take a few seconds to appear.
  • Using touch to rearrange the items in Quick Settings when in edit mode should no longer lead to Quick Settings unexpectedly dismissing sometimes.

[Input]

  • Added the SOM currency sign (U+20C0) to the Courier New font family.

[Task Manager]

  • Pressing CTRL + Page Up and CTRL + Page Down should work again now to navigate through pages in Task Manager.

[Other]

  • Fixed a rare issue that could lead certain apps to sporadically crash on launch.
NOTE: Some fixes noted here in Insider Preview builds from the Dev Channel may make their way into the servicing updates for the released version of Windows 11.

Known issues

[General]

  • We are investigating reports that the Mica material and Acrylic blur effect is not rendering correctly in OS surfaces like the Start menu, Notification Center and other areas.
  • We’re investigating reports that shutting down via the Start menu isn’t working for some Insiders and is unexpectedly rebooting instead.
  • Some games that use Easy Anti-Cheat may crash or cause your PC to bugcheck.

[File Explorer]

  • The up arrow is misaligned in File Explorer tabs. This will be fixed in a future update.
  • We’re investigating reports that launching File Explorer in certain ways when using dark mode (for example, from the command line) is showing the body of File Explorer unexpectedly in light mode.

[Widgets]

  • We’re working on the fix for an issue causing Widgets preferences (temperature units and pinned widgets) to unexpectedly get reset to default.

[Live captions]

  • Certain apps in full screen (e.g., video players) prevent live captions from being visible.
  • Certain apps positioned near the top of the screen and closed before live captions is run will re-launch behind the live captions window positioned at top. Use the system menu (ALT + Spacebar) while the app has focus to move the app’s window further down.

Changes for IT administrators

We're making changes to how IT admins enroll devices in the Windows diagnostic data processor configuration option. In a future Insider Preview build in the Dev Channel, devices with diagnostic data turned on and joined to an AAD tenant with billing address in the EU or EFTA, will be enrolled in the Windows diagnostic data processor configuration. During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
  • Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
  • The processor configuration will be disabled in any devices that were previously enabled.
  • Microsoft will act as the controller for Windows diagnostic data in accordance with the Microsoft Privacy Statement and the Data Protection Addendum terms won't apply.
It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. Learn more at https://aka.ms/configwddenterprise.

For developers

You can download the latest Windows Insider SDK at aka.ms/windowsinsidersdk. SDK NuGet packages are now also flighting at NuGet Gallery | WindowsSDK which include: These NuGet packages provide more granular access to the SDK and better integrate in CI/CD pipelines.

About the Dev Channel

The Dev Channel receives builds that represent long lead work from our engineers with features and experiences that may never get released as we try out different concepts and get feedback. It is important to remember that the builds we release to the Dev Channel should not be seen as matched to any specific release of Windows and the features included may change over time, be removed, or replaced in Insider builds or may never be released beyond Windows Insiders to general customers. For more information, please read this blog post about how we plan to use the Dev Channel to incubate new ideas, work on long lead items, and control the states of individual features. These aren’t always stable builds, and sometimes you will see issues that block key activities or require workarounds. It is important to make sure you read the known issues listed in our blog posts as we document many of these issues with each flight. Build numbers are higher in the Dev Channel than the Windows 11 preview builds in the Beta and Release Preview Channels. You will not be able to switch from the Dev Channel to the Beta or Release Preview Channels without doing a clean install back to the released version of Windows 11 currently. ALSO: Because the Dev and Beta Channels represent parallel development paths from our engineers, there may be cases where features and experiences show up in the Beta Channel first. The desktop watermark you see at the lower right corner of your desktop is normal for these pre-release builds.

Important Insider Links

Thanks,
Amanda & Brandon

EDITOR'S NOTE: Updated text for app usage history features mentioned under Changes and Improvements and [General].
spongbeaux
48 days ago
LAPS for AAD!? Finally!

Internet Explorer 11 has retired and is officially out of support—what you need to know


After 25+ years of helping people use and experience the web, Internet Explorer (IE) is officially retired and out of support as of today, June 15, 2022. To many millions of you, thank you for using Internet Explorer as your gateway to the internet.

For our readers in Japan and Korea, please find translations here:

日本語: https://blogs.windows.com/japan/2022/06/15/internet-explorer-11-is-no-longer-supported/

한국어: https://blogs.windows.com/wp-content/uploads/prod/sites/2/2022/06/Internet-Explorer-11-서비스-중단-및-공식-지원-종료에-따른-안내.pdf

As a user, my first experience with IE was version 3, and my view of what was possible on the internet was transformed by the introduction of Dynamic HTML in IE4 and the introduction of AJAX in IE6. When I got the opportunity to join the IE7 team, I leapt on it, and have been a part of the Microsoft browser journey in some form ever since.

Internet Explorer’s reputation today is, deservedly, one of a product from an older era—quirky in behavior and lacking the security of a modern browser. But its contributions to the evolution of the web have been remarkable, from helping to make the web truly interactive with DHTML and AJAX to hardware-accelerated graphics to innovations in touch/pen browsing. Working on the retirement of Internet Explorer has been a constant reminder of its importance; every day we work with customers who have built their businesses on Internet Explorer. To work on a product with such broad impact has been nothing but humbling—our story in many ways is the story of the internet and what it has allowed people and organizations around the world to do.

https://youtu.be/FltYI3fwigQ

But the web has evolved and so have browsers. Incremental improvements to Internet Explorer couldn’t match the general improvements to the web at large, so we started fresh. Microsoft Edge is a faster, more secure and modern browser—the best browser for Windows—designed for today’s internet.
But we haven’t forgotten that some parts of the web still rely on Internet Explorer’s specific behaviors and features, which is why Microsoft Edge comes with Internet Explorer mode (IE mode). Regardless of the site or standard—old or new—you can access what you need in Microsoft Edge with new modern features to make your time online even better.

So, what happens now for everyday users?

Example IE to Edge redirection message

Example message informing users they are being redirected to Microsoft Edge

Over the next few months, opening Internet Explorer will progressively redirect users to our new modern browser, Microsoft Edge with IE mode. Users will still see the Internet Explorer icon on their devices (such as on the taskbar or in the Start menu) but if they click to open Internet Explorer, Microsoft Edge will open instead with easy access to IE mode. Eventually, Internet Explorer will be disabled permanently as part of a future Windows Update, at which point the Internet Explorer icons on users’ devices will be removed.

As part of this redirection process, users will have their data like favorites, passwords and settings imported from Internet Explorer—this will help make the transition to Microsoft Edge both familiar and simple. If a user wants to delete or manage their data at any point after, they can always do so in Microsoft Edge from the Settings menu.

https://www.youtube.com/embed/XEXHQTSHblg

Some websites only work with Internet Explorer—these websites might be built on older internet technology and not function properly while using a modern browser. Understanding this, we’ve built Microsoft Edge with IE mode. To help users get started with IE mode, the redirection process will add a “Reload in IE mode” button (see below) to their toolbar in Microsoft Edge. That way, if they encounter a website that may not work correctly—or if they visit a website that asks them to open the site using Internet Explorer—they can easily click the button to open the page in IE mode. Microsoft Edge will even ask them if they’d like the page to open in IE mode next time automatically! Microsoft Edge will check in with the user every 30 days to make sure they still need IE mode for the site. As more and more sites get updated to modern standards, users will need to use IE mode less and the modern rendering engine more.

Reload in IE mode button in the Microsoft Edge toolbar

Check out the video below on how to use the button or learn more here. https://www.youtube.com/embed/XECwMHeanU0

Businesses can automate IE mode for their users

If you’re an IT professional and your organization uses older, legacy sites as part of your normal business processes, you can easily automate IE mode so that those pages launch in IE mode automatically for your users.

Today’s retirement covers all currently supported versions of Windows 10 Home, Pro, Enterprise, Edu and IoT (Internet Explorer is already removed from Windows 11). Internet Explorer will not be immediately removed on all these versions today but will be progressively redirected to Microsoft Edge on all these devices over the next few months (just like for everyday users) to give our customers time to find any sites they potentially missed and complete their transition. After this redirection phase, Internet Explorer will be permanently disabled on devices via a future Windows Update.

For certain versions of Windows currently in-support and used in critical environments, we will continue to support Internet Explorer on those versions until they go out of support. These include all currently in-support Windows 10 LTSC releases (including IoT) and all Windows Server versions, as well as Windows 10 China Government Edition, Windows 8.1, and Windows 7 with Extended Security Updates (ESUs). Future versions of these editions will not include Internet Explorer. Developers who rely on the underlying MSHTML (Trident) platform and COM controls on Windows will also continue to be supported on all Windows platforms. And of course, we have committed to supporting IE mode in Microsoft Edge through at least 2029.

As a business, you can set up IE mode to use a site list, where you can catalog those sites that require Internet Explorer and have them load automatically in IE mode. You can store this site list locally, or in the cloud through the Microsoft 365 admin center, and any site on the list will load for your users in IE mode. This is the recommended approach if you’re a business that manages your devices and has legacy requirements.

We have help along the way if you experience compatibility issues when testing your websites in IE mode. You can get no-cost remediation assistance for those issues from our App Assure compatibility experts by submitting a request for assistance or by emailing us at ACHELP@microsoft.com. Once you’ve finished setting up IE mode and testing your sites, you can use the DisableIE policy as the final step to redirect your users from IE to Microsoft Edge so they can start using IE mode. Learn how to set up IE mode here or explore the FAQ.

The easiest thing to do is to start using Microsoft Edge today

Instead of waiting to be redirected to Microsoft Edge, the easiest thing to do is to get started with Microsoft Edge today. If you’re using Windows, you can open Microsoft Edge from the Windows Start menu or by clicking the Microsoft Edge icon if you see it on your desktop or taskbar.

Microsoft Edge icon on the Windows 11 taskbar and in the Start menu

If it’s your first time using Microsoft Edge, you’ll be guided through a quick set up process that includes importing your data—complete this, and you’re set. If you’ve opened Microsoft Edge before and need to import your data from Internet Explorer, follow the steps in the video provided in the section above.

The best part? Once you’re set up in Microsoft Edge, you’ll be ready to use it when you upgrade to Windows 11. While Internet Explorer is not available on Windows 11, Microsoft Edge is the best browser for Windows, and it includes IE mode, so all you’ll need to do is sign into Microsoft Edge and get to browsing! Microsoft Edge is also available on other platforms, including macOS, iOS, Android and Linux. Download here.

The future of Internet Explorer is in Microsoft Edge

If you have ever used IE to explore the internet, we want to share our deepest thanks for being a part of this journey with us. You’ve used it to build apps to support your businesses and to connect with people around the world; in doing so, you have been instrumental in how the web has progressed. While we bid farewell to Internet Explorer, Microsoft Edge stands ready to be your new everyday browser for work, life and everything in between. With IE mode, Microsoft Edge offers unmatched compatibility for the internet, whether the website was built 10 years or 10 days ago. The future of Internet Explorer is in Microsoft Edge, giving you a faster, more secure and more modern browser. Browse on, internet explorers.

Additional resources for IT Pros

  1. Watch a video with demos to understand IE mode: https://aka.ms/IEmodewebinar For more videos, see the IE mode playlist: https://aka.ms/IEmodePlaylist
  2. Set up IE mode with a guided tool: https://aka.ms/configureIEmode Includes guidance on how to inventory your sites: https://aka.ms/IEmodeDiscovery
  3. For tips on common scenarios, read this troubleshooting guide: https://aka.ms/IEmodeTSG
  4. To test IE mode, consider using IE Driver: https://aka.ms/IEmodeDriver
  5. Wrap up IE retirement, with Disable IE Policy: https://aka.ms/IEtoEdgeBlog7
  6. Still have questions? Try the FAQ: https://aka.ms/IEmodeFAQ
spongbeaux
55 days ago
Good summary of zombIE mode in Edge