- Office Deployment Tool (ODT): Deploy Office using custom XML files - Thu, Mar 30 2023
- Microsoft Teams freezes: Set cam permissions for conferencing apps - Tue, Mar 21 2023
- Microsoft 365 Apps admin center: Remote Office configuration - Wed, Mar 8 2023
Chrome extensions add functionality to the browser. You are probably more than familiar with them and how to install them. If you want to install extensions for all users on a device or a group of computers in an Active Directory domain, you can set up a GPO or create a registry key with the relevant settings. Chrome's built-in policy manager (chrome://policy) reads the keys and installs the extensions you have set.
You can read more about policies and settings in the support documentation for Chrome. Today, I want to introduce a PowerShell script you can use to install managed extensions.
Each extension, when deployed, creates a property under this registry key:
HKLM:\Software\Policies\Google\Chrome\ExtensionForceInstalllist
Registry location showing extension ID and string value
This key name, ExtensionForceInstalllist, is case sensitive.
The property type is String and should be an integer. The value is the extensionId, which you can get from the Chrome Extension Store, and a URL where updates can be collected, separated by a semicolon.
For example, if you wanted to deploy uBlock Origin to all your Windows devices, you would use:
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
Chrome managed extensions
The script is fairly basic, as you would expect. It looks for the base registry key for Chrome, creates it if it is missing, enumerates any already deployed extensions, and then adds the new one at the end of the list.
<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
param(
[string]$extensionId,
[switch]$info
)
if($info){
$InformationPreference = "Continue"
}
if(!($extensionId)){
# Empty Extension
$result = "No Extension ID"
}
else{
Write-Information "ExtensionID = $extensionID"
$extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
$regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if(!(Test-Path $regKey)){
New-Item $regKey -Force
Write-Information "Created Reg Key $regKey"
}
# Add Extension to Chrome
$extensionsList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0
do{
$number++
Write-Information "Pass : $number"
try{
$install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
$extensionObj = [PSCustomObject]@{
Name = $number
Value = $install.$number
}
$extensionsList.add($extensionObj) | Out-Null
Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
}
catch{
$noMore = 1
}
}
until($noMore -eq 1)
$extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
if($extensionCheck){
$result = "Extension Already Exists"
Write-Information "Extension Already Exists"
}else{
$newExtensionId = $extensionsList[-1].name + 1
New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist -PropertyType String -Name $newExtensionId -Value $extensionId
$result = "Installed"
}
}
$result
The next time Chrome refreshes its policy, the new extension is loaded. You can run the script from any elevated PowerShell window using the parameter extensionId.
As an example, here is our Chrome Extensions window, which shows no managed extensions.
Chrome extensions before management is enabled
I now run the script to deploy uBlock Origin and 1Password.
Install managed Chrome extensions
As both of these were already installed in the user context, no new extensions were added; however, the ability to turn the extension off is now gone.
Chrome managed extensions window
If I now deploy the Microsoft Teams extension, you can see it also appears in the Extension window.
Install MS Teams extension
You cannot disable a managed extension; the slider is grayed out
If you want to deploy this through Microsoft Intune, you will need to remove the parameter section and replace it with a static extension ID. Then, when adding the script to Intune, you can name it according to the extension you are installing.
In my next most I will explain how you can block or remove Chrome extensions with PowerShell.
Any way to use this same script to uninstall the extension?
No, as the removal of extensions uses a different policy setting, although it is similar.
You can use the extensioninstallblocklist policy to list extensions you want to remove – they will be disabled if installed, or prevented from being installed.
Thank you. I was thinking of how to rollback (remove) the extension, if something should go wrong or if management wants to remove it down the line. When we submit a “Change” we also need a rollback plan.
This script works great for installing. Thank you very much for that.
Hi,
If I want to install extensions from the local file system how I need to add its path, please?
I create these keys buth the extension doesn’t installed:
HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
1=cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources
1=files:///C:/ProgramData/Edge/*
I wasn’t aware that functionality existed to be honest with you.
If you go to edge://policy what does it show?
Hi Robert,
It shows nothing special just I set up:
ExtensionInstallForcelist: cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
ExtensionInstallSources:
files:///C:/ProgramData/Edge/*
I try to relocate extension files to another directory, maybe Edge doesn’t reach them in ProgramData.
Thanks for the reply and I’ll let you know about result.
I can install Edge extension from Group Policy. I put the crx, pem and uodates.xml in a file server because the firrwall caused my problem. Then I set up the Allow specific extensions to be installed to the extension ID and the Control which extensions are installed silently to the ID;file://FILESERVER/extension/updates.xml.
Hello, what about reading the existing extensions and showing their properties and status – installed or not installed?
Thanks for the answer.
Petrifo
I’m running this script in PS with a batch file. The batch file calls the PS with -extensionID ########. It doesn’t add the extension. I also found another article about just adding a reg key in Chrome/Extensions. That reg add batch file works, it adds the reg key but still no extension.
If I want this to be added during startup, preferably as an AD GPO, how would I go about that?
This is the parameter for the ext:
-extensionId adbmigeicoagiffcfmkkgmhogkpmgndp
Difficult to say without seeing the bat file.
Does it work without the bat file? What extension is it, are you sure it is the correct extension id?
I’m not exactly sure what I’m seeing above. Is it a DOS CMD that is trying to run the PS? If so, I used cd to change to where my powershell.exe is, and moved your PS script to that folder.
Then in a CMD box, I used CD to change to that directory. I’m not quite sure what ‘.\Install’ is…I keep getting a reply that it is not recognized as a cmdlet, etc….
What I want to do is execute your PS with the parameter of -extensionID ####.
I cannot get the syntax correct. My hope is to automate the script, perhaps through a batch file but I cannot get the script above to execute at all.
So are you running the script though a CMD above? If so, do you need to CD to where powershell is and also put the script there?
I have it somewhat sorted out. Running it again (after a syntax error), it added the registry key. When I open Chrome, there is no new extension added.
That is where I am at this point.
I did see the same results as above in the powershell box example above…just no extension. It states that ‘after a chrome refresh’….what does that imply?
I found a syntax error and repaired it. It runs and gives the same result in the example above. It installed the registry key successfully. There is no extension listed. In order to add the extension manually, you first have to enable Developer Mode. I don’t know if that’s standard or not, or if that has to be added to the script. Either way, the PS adds the registry key but nothing more.
By the way, the extension is adbmigeicoagiffcfmkkgmhogkpmgndp
It is intended to stop the tab from pausing when not focused (plus other things chrome pauses it for). Its added in the registry fine and looking at chrome policy it shows up in the list under ExtensionInstallForcelist. I just don’t see it as an extension “box” as they appear above.
The Chrome Ext is not on the Chrome Store. We can’t publish it there. I’m really at a standstill about the script…in that it writes to the reg, I can see it in chrome/policy/ExtensionInstallForcelist, just no box in the extensions.
What am I missing to get the box to appear? I have setup files on C:\DisableAutoDiscardTabChrome. _locales, background.js, manifest.json, .vs