MS Edge to disallow "Apps" option from the Settings menu

Question

I'm trying to figure out a way to disable the Apps option from the Microsoft Edge Settings and more (Alt+F4) drop down menu as can be done with Collections and Share options where it shows Managed by your organization. Via registry, group policy, PowerShell command, etc.

Question(s)

• Is there a way to make Apps restricted here so it's greyed out as Managed by your organization, or a registry setting, or security a configuration that will disallow it from being selected?
• Or a way to disallow Install this site as an app from adding new sites in the list?

Visual pointers and other detail...

Open up Edge and do this to you see it in action with whatever site you are on when you select the options, it'll make an app for it and launch the URL in a kiosk type window when selected.

The problem is when the Apps option is pressed, it brings up the prompt to Install this site as an app and that allows the creation of an entry in the All apps and pins of its menu area.

What I've done and tried...

• The URL of edge://* is blocked via the group policy setting of Block access to a list of URLs in User Configuration | Policies | Administrative Templates | Microsoft Edge.

  • When you click on Manage Apps from the Apps option it does block that but I need to prevent the Install this site as an app action when pressed.

• In the same User Configuration | Policies | Administrative Templates | Microsoft Edge group policy path, it's also set as...

  • [{"url": "https://www.mycoolsite.com/","default_launch_container": "tab"}]
  • Disabled for the Allow Pin to taskbar wizard
    • Both of these were made effective but it still allows other sites to be added via the Install this site as an app option.

• Looked through every policy settings one-by-one and not seeing anything relevant so this may very well be a human error and oversight issue.

• Tons of Googling research to see if there's a registry key that can have restrictive permissions set to disallow the Apps option from the menu.

• Downloaded and installed the latest policy definitions and also confirmed I'm on the latest stable version of Edge [88.0.705.74] too via Download and deploy Microsoft Edge.

Answer 1

I'm not satisfied with this solution but it's what I have to work with until I find a better solution or a new "stable" policy template is released that allows such restrictions to PWAs on Microsoft Edge (Chromium) which would be ideal for this particular environment still.

I use PowerShell FileSystemAccessRule Constructors to deny full control of the \Web Applications directory within the specific users profile ~\AppData\Local\Microsoft\Edge\User Data\Default path.

• Because other MS Edge policy definition lockdown settings the MS Edge profile on this machine will always use the ~\User Data\Default path for that part and cannot be changed
• The username will be standard or else all parts will resolve via environmental variables

PowerShell

$Folder = "C:\Users\CoolUser\AppData\Local\Microsoft\Edge\User Data\Default\Web Applications";
If ( !(Test-Path $Folder) ) { New-Item -ItemType Directory -Force -Path $Folder };
$acl = Get-Acl $Folder;
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$env:USERDOMAIN\cooluser","FullControl","ContainerInherit,ObjectInherit","None","Deny");
$acl.SetAccessRule($AccessRule);
$acl | Set-Acl $Folder;

Post the PowerShell ACL restriction (screen print)

You can manually set these permissions to deny full control or less restrictive deny rules to the folder and it may very well still do the job. Just set the permissions to propagate to all child files and folders beneath too.

---

How this solution works

Once the ACL NTFS folder permission restrictions are in place, this is what happens when you try Install this site as an app from the MS Edge Settings drop down menu.

1. Select Apps -> Install this site as an app

   

2. Now if\when the Install app Edge dialogue menu pops up and Install is pressed, it does not install the app, nor does it add an entry to the All apps and pins area.

   

3. If you go to Apps -> Install this site as an app you'll see it didn't add the site and just allows you to select the option to do so over and over again.