DISABLE ENCRYPTED CLIENT HELLO (ECH) IN COMMON WEB BROWSERS
2. Disable Encrypted Client Hello - Microsoft Edge
NOTE: The below steps should be taken as a guide only. Talk Straight & Schools Broadband have looked at common browsers and methods to disable specific features. The software vendor of these web browsers may change how you access these settings at any point and therefore this information may not always be up to date.
Encrypted Client Hello (ECH) is a TLS extension that encrypts the "Client Hello" portion of the TLS handshake, improving privacy by preventing on-path observers from reading certain handshake metadata (for example the hostname sent as the SNI). However, if you need to disable it in Chrome or Edge for specific reasons, follow these steps:
For Microsoft Edge (Standalone)
(UPDATE - The edge://flags method is no longer supported)
Edge is based on Chromium, so the process is similar to Chrome:
- Open Edge settings:
  - In the address bar, type edge://flags and press Enter.
- Search for "Encrypted Client Hello":
  - Use the search bar to find the Encrypted Client Hello option.
- Disable the feature:
  - If the option is present, set it to Disabled using the dropdown menu.
- Restart Edge:
  - Click Relaunch to apply the changes.
Microsoft Edge via Group Policy (standalone)
The following steps have been adapted from this Microsoft learning article on configuring Microsoft Edge policy settings on Windows - https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge
Steps:
- Download and install the Edge ADMX templates:
  - Download them from the Microsoft Edge Enterprise site.
  - Extract and copy the .admx files to C:\Windows\PolicyDefinitions.
- Open the Group Policy Management Editor:
  - Press Win + R, type gpedit.msc, and press Enter.
- Navigate to the Edge policies:
  - Go to Administrative Templates > Microsoft Edge.
- Search for the ECH setting:
  - Look for a policy related to "Encrypted ClientHello" or TLS features.
  - If available, disable it.
- Apply and deploy:
  - Save the changes and update policies with gpupdate /force.
Using Registry Settings
If the Group Policy templates don't have explicit settings for ECH, you can try modifying registry settings directly.
For Edge:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
- Key: Similar to Chrome, look for a key like EncryptedClientHelloEnabled and set it to 0.
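To apply the registry method above from a script, and to set the same value that the Group Policy template in the previous section writes, here is an added PowerShell example; it is not part of the Talk Straight & Schools Broadband article. It uses the EncryptedClientHelloEnabled value under the HKLM\SOFTWARE\Policies\Microsoft\Edge path given above, and it assumes (not stated on this page) that the Edge policy bundle ships its template as msedge.admx. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the article. Writes the Edge policy value
# EncryptedClientHelloEnabled = 0 under the HKLM policy path named above,
# reads it back, and checks whether the Edge ADMX template is installed.
# Requires an elevated (Administrator) PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ValueName  = 'EncryptedClientHelloEnabled'

function Set-EdgeEchPolicy {
    # 0 disables ECH, 1 enables it; removing the value returns Edge to its default.
    param([ValidateSet(0, 1)][int]$Enabled = 0)

    if (-not (Test-Path $PolicyPath)) {
        # The Edge policy key does not exist on machines that have never had
        # an Edge policy applied, so create it first.
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # Edge policies of this kind are stored as REG_DWORD values; -Force
    # overwrites an existing value of the same name.
    New-ItemProperty -Path $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value $Enabled -Force | Out-Null
}

function Get-EdgeEchPolicy {
    # Returns the current DWORD value, or a note when no policy is set.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (browser default)' }
    return $item.$ValueName
}

function Test-EdgeAdmxInstalled {
    # Assumption: the Edge policy template file is named msedge.admx.
    # True means gpedit.msc will show the "Microsoft Edge" policy folder.
    Test-Path (Join-Path $env:windir 'PolicyDefinitions\msedge.admx')
}

Set-EdgeEchPolicy -Enabled 0
"$ValueName is now: $(Get-EdgeEchPolicy)"
"Edge ADMX template present: $(Test-EdgeAdmxInstalled)"
```

After running it, relaunch Edge and open edge://policy; the policy should be listed with value 0 and a status of OK. If the template check returns False, copy the .admx files (and the matching .adml language files into the language subfolder, for example en-US) before looking for the setting in gpedit.msc. A domain GPO writes this same registry value, so a value set by GPO will overwrite a local change at the next gpupdate.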
Centralised Deployment
For large-scale environments:
- Use tools like Microsoft Endpoint Manager (Intune) or Active Directory Group Policy to deploy the changes across multiple systems.
- Create a custom .adm template if specific ECH settings are not readily available in the ADMX templates.
IMPORTANT NOTES
- As ECH is a relatively new feature, explicit policies for enabling/disabling it might not yet exist in some versions of the browser templates.
- Ensure that your browser versions and ADMX templates are up-to-date to access the latest settings.