Enterprise management of WebView2 Runtimes

This article discusses how IT admins can manage WebView2 applications and the WebView2 Runtime. A developer can integrate the WebView2 component into their app, and then deploy the self-updating Evergreen WebView2 Runtime (along with the app) onto user devices, to power the latest WebView2 features of the app and get the latest security improvements.

Feedback from IT admins and developers is welcome, through the WebView2Feedback repo.

Group policies for WebView2

IT admins can use group policy objects (GPO) to configure policy settings for WebView2. The following policies are relevant to WebView2.

Update policies

Microsoft Edge - Update policies are available for IT admins to manage the installing and updating aspects of the WebView2 Runtime. The Microsoft Edge browser and WebView2 Runtime are updated using the same update mechanism. The policy applies to both Microsoft Edge and the WebView2 Runtime, unless the policy is channel-specific, such as Update and Update (WebView).

To configure update policies for Microsoft Edge (and the WebView2 Runtime), see Configure Microsoft Edge policy settings on Windows devices, in the Microsoft Edge Enterprise documentation.

Suppressing WebView2 Runtime updates

An IT admin can suppress updating of the WebView2 Runtime, if auto-updating needs to be suppressed for a short time. After the time period, updating of the WebView2 Runtime resumes. The UpdatesSuppressed policy allows an IT admin to set the time during each day at which to suppress auto-update for both Microsoft Edge and the WebView2 Runtime. This enables an IT admin to configure preferences and proxies once for both the browser and the WebView2 Runtime, to control their network bandwidth and traffic, or for other purposes.

However, users should not stop updating their WebView2 Runtime or remain on an older version of it; using older versions of the WebView2 Runtime isn't recommended. Security updates and servicing updates are only available on the latest Stable channel release (Edge Stable) and the latest Beta channel release (Edge Beta). If you use older releases of the Microsoft WebView2 Runtime, you won't receive the latest quality and security updates.
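An added example (not from the original article or from Microsoft's tooling) for reviewing an UpdatesSuppressed window: it checks whether a given time falls inside the daily window, including a window that runs past midnight, and reports how much of each day updates are held back. The parameter names StartHour, StartMin and DurationMin and the 480-minute review threshold are assumptions for illustration; the values are passed in rather than read from the device.

```powershell
# Added example, not from the original article. StartHour, StartMin and
# DurationMin are assumed inputs holding the configured window; this code
# does not read the policy from the device.
function Test-UpdateSuppressed {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHour,
        [Parameter(Mandatory)][ValidateRange(0, 59)][int]$StartMin,
        [Parameter(Mandatory)][ValidateRange(0, 1440)][int]$DurationMin,
        [datetime]$At = (Get-Date)
    )
    $start = $StartHour * 60 + $StartMin      # window start, minutes after midnight
    $now   = $At.Hour * 60 + $At.Minute
    # Minutes since the most recent window start. The double modulo keeps the
    # result non-negative, so a window that runs past midnight is handled.
    $elapsed = (($now - $start) % 1440 + 1440) % 1440
    $elapsed -lt $DurationMin
}

function Get-SuppressionSummary {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHour,
        [Parameter(Mandatory)][ValidateRange(0, 59)][int]$StartMin,
        [Parameter(Mandatory)][ValidateRange(0, 1440)][int]$DurationMin,
        [int]$ReviewAboveMin = 480   # hypothetical review threshold, set per your own policy
    )
    $start = $StartHour * 60 + $StartMin
    $end   = ($start + $DurationMin) % 1440
    [pscustomobject]@{
        Start         = [timespan]::FromMinutes($start).ToString('hh\:mm')
        End           = [timespan]::FromMinutes($end).ToString('hh\:mm')
        WrapsMidnight = ($start + $DurationMin) -gt 1440
        PercentOfDay  = [math]::Round(100 * $DurationMin / 1440, 1)
        NeedsReview   = $DurationMin -gt $ReviewAboveMin
    }
}

# Constructed sample values: suppress from 23:00 for 120 minutes.
$window = @{ StartHour = 23; StartMin = 0; DurationMin = 120 }
Get-SuppressionSummary @window
Test-UpdateSuppressed @window -At ([datetime]'2024-01-01 00:30')  # 00:30, after the wrap past midnight
Test-UpdateSuppressed @window -At ([datetime]'2024-01-01 01:00')  # 01:00, the minute the window ends
```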

Using the Evergreen WebView2 Runtime is recommended, unless business-critical requirements necessitate using a fixed version of the WebView2 Runtime. Using the Evergreen WebView2 Runtime:

  • Helps minimize exposure to known vulnerabilities.
  • Ensures timely security improvements.
  • Ensures that WebView2 benefits from continuous security updates that are delivered through Microsoft Edge releases.

For details about security fixes in Microsoft Edge (which apply to WebView2 as well), see Release notes for Microsoft Edge Security Updates, in the Microsoft Edge Enterprise documentation.

Rapid Response to Chromium vulnerabilities

To help maintain a secure browsing environment, Microsoft Edge addresses Chromium engine-level vulnerabilities soon after the vulnerabilities are disclosed.

Security fixes address vulnerabilities such as:

  • Remote code execution – Mitigates risks of arbitrary code execution via malicious content.
  • Privilege escalation – Reduces chances of unauthorized system access.
  • Information disclosure and spoofing – Protects sensitive data, and helps prevent phishing attacks.

Microsoft Edge Lifecycle Policy

Microsoft WebView2 follows the Modern Lifecycle Policy.

Browser policies

Microsoft Edge - Policies doesn't apply to WebView2 applications. This is by design, because apps and browsers have different use cases, and IT admins might not be aware of what applications use WebView2.

Applying browser policies on WebView2 would have unintended consequences. For example, IT admins can block JavaScript in the browser, and that would break WebView2 apps that use JavaScript. To prevent that, browser policies are separate from WebView2 policies.

WebView2-specific policies

Microsoft Edge WebView2 - Policies are available for you to manage WebView2 directly. However, we recommend that WebView2 app developers implement their own group policies to manage the use of WebView2, because it's easier for administrators to manage the app instead of managing WebView2 directly.

Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) enables IT admins to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates of WebView2 that are released through Microsoft Update to computers on your network.

See Windows Server Update Services (WSUS) overview.

The recommended way of receiving WebView2 updates is by using the default Microsoft Edge updater. Any modification of update and servicing paths should be done with caution.

WebView2 deployment and update using Configuration Manager

In Configuration Manager, WebView2 options exist under the Microsoft Edge Management node.

See Update Microsoft Edge in Microsoft Edge Management, in the App management documentation.
