In this article, you will learn how you can manage extensions in Google's web browser Chrome in your organization. With the help of a PowerShell script, you can install Chrome managed extensions in your network either through Intune or any RMM software that supports scripts.
Avatar

Chrome extensions add functionality to the browser. You are probably more than familiar with them and how to install them. If you want to install extensions for all users on a device or a group of computers in an Active Directory domain, you can set up a GPO or create a registry key with the relevant settings. Chrome's built-in policy manager (chrome://policy) reads the keys and installs the extensions you have set.

You can read more about policies and settings in the support documentation for Chrome. Today, I want to introduce a PowerShell script you can use to install managed extensions.

Each extension, when deployed, creates a property under this registry key:
HKLM:\Software\Policies\Google\Chrome\ExtensionForceInstalllist

Registry location showing extension ID and string value

Registry location showing extension ID and string value

This key name, ExtensionForceInstalllist, is case sensitive.

The property type is String and should be an integer. The value is the extensionId, which you can get from the Chrome Extension Store, and a URL where updates can be collected, separated by a semicolon.

For example, if you wanted to deploy uBlock Origin to all your Windows devices, you would use:

cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx

Chrome managed extensions

Chrome managed extensions

The script is fairly basic, as you would expect. It looks for the base registry key for Chrome, creates it if it is missing, enumerates any already deployed extensions, and then adds the new one at the end of the list.

<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
param(
    [string]$extensionId,
    [switch]$info
)
if($info){
    $InformationPreference = "Continue"
}
if(!($extensionId)){
    # Empty Extension
    $result = "No Extension ID"
}
else{
    Write-Information "ExtensionID = $extensionID"
    $extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }
    # Add Extension to Chrome
    $extensionsList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $extensionsList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch{
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
    if($extensionCheck){
        $result = "Extension Already Exists"
        Write-Information "Extension Already Exists"
    }else{
        $newExtensionId = $extensionsList[-1].name + 1
        New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist -PropertyType String -Name $newExtensionId -Value $extensionId
        $result = "Installed"
    }
}
$result

The next time Chrome refreshes its policy, the new extension is loaded. You can run the script from any elevated PowerShell window using the parameter extensionId.

As an example, here is our Chrome Extensions window, which shows no managed extensions.

Chrome extensions before management is enabled

Chrome extensions before management is enabled

I now run the script to deploy uBlock Origin and 1Password.

Install managed Chrome extensions

Install managed Chrome extensions

As both of these were already installed in the user context, no new extensions were added; however, the ability to turn the extension off is now gone.

Chrome managed extensions window

Chrome managed extensions window

If I now deploy the Microsoft Teams extension, you can see it also appears in the Extension window.

Install MS Teams extension

Install MS Teams extension

You cannot disable a managed extension; the slider is grayed out

You cannot disable a managed extension; the slider is grayed out

If you want to deploy this through Microsoft Intune, you will need to remove the parameter section and replace it with a static extension ID. Then, when adding the script to Intune, you can name it according to the extension you are installing.

In my next most I will explain how you can block or remove Chrome extensions with PowerShell.

avatar
15 Comments
  1. Avatar
    Jan Eya 2 years ago

    Any way to use this same script to uninstall the extension?

    • Avatar Author

      No, as the removal of extensions uses a different policy setting, although it is similar.

      You can use the extensioninstallblocklist policy to list extensions you want to remove – they will be disabled if installed, or prevented from being installed.

      • Avatar
        Jan Eya 2 years ago

        Thank you. I was thinking of how to rollback (remove) the extension, if something should go wrong or if management wants to remove it down the line. When we submit a “Change” we also need a rollback plan.

        This script works great for installing. Thank you very much for that.

  2. Avatar
    Sanyi 1 year ago

    Hi,
    If I want to install extensions from the local file system how I need to add its path, please?
    I create these keys buth the extension doesn’t installed:

    HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
    1=cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml

    HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources
    1=files:///C:/ProgramData/Edge/*

    • Avatar Author

      I wasn’t aware that functionality existed to be honest with you.

      If you go to edge://policy what does it show?

      • Avatar
        Sanyi 1 year ago

        Hi Robert,
        It shows nothing special just I set up:
        ExtensionInstallForcelist: cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
        ExtensionInstallSources:
        files:///C:/ProgramData/Edge/*

        I try to relocate extension files to another directory, maybe Edge doesn’t reach them in ProgramData.
        Thanks for the reply and I’ll let you know about result.

        • Avatar
          SANYI 10 months ago

          I can install Edge extension from Group Policy. I put the crx, pem and uodates.xml in a file server because the firrwall caused my problem. Then I set up the Allow specific extensions to be installed to the extension ID and the Control which extensions are installed silently to the ID;file://FILESERVER/extension/updates.xml.

  3. Avatar
    Petrifo 1 year ago

    Hello, what about reading the existing extensions and showing their properties and status – installed or not installed?
    Thanks for the answer.
    Petrifo

  4. Avatar
    Rich 10 months ago

    I’m running this script in PS with a batch file. The batch file calls the PS with -extensionID ########. It doesn’t add the extension. I also found another article about just adding a reg key in Chrome/Extensions. That reg add batch file works, it adds the reg key but still no extension.
    If I want this to be added during startup, preferably as an AD GPO, how would I go about that?
    This is the parameter for the ext:
    -extensionId adbmigeicoagiffcfmkkgmhogkpmgndp

    • Avatar Author

      Difficult to say without seeing the bat file.

      Does it work without the bat file? What extension is it, are you sure it is the correct extension id?

      • Avatar
        Rich 10 months ago

        I’m not exactly sure what I’m seeing above. Is it a DOS CMD that is trying to run the PS? If so, I used cd to change to where my powershell.exe is, and moved your PS script to that folder.
        Then in a CMD box, I used CD to change to that directory. I’m not quite sure what ‘.\Install’ is…I keep getting a reply that it is not recognized as a cmdlet, etc….
        What I want to do is execute your PS with the parameter of -extensionID ####.
        I cannot get the syntax correct. My hope is to automate the script, perhaps through a batch file but I cannot get the script above to execute at all.
        So are you running the script though a CMD above? If so, do you need to CD to where powershell is and also put the script there?

      • Avatar
        Rich 10 months ago

        I have it somewhat sorted out. Running it again (after a syntax error), it added the registry key. When I open Chrome, there is no new extension added.
        That is where I am at this point.
        I did see the same results as above in the powershell box example above…just no extension. It states that ‘after a chrome refresh’….what does that imply?

      • Avatar
        Rich 10 months ago

        I found a syntax error and repaired it. It runs and gives the same result in the example above. It installed the registry key successfully. There is no extension listed. In order to add the extension manually, you first have to enable Developer Mode. I don’t know if that’s standard or not, or if that has to be added to the script. Either way, the PS adds the registry key but nothing more.

      • Avatar
        Rich 10 months ago

        By the way, the extension is adbmigeicoagiffcfmkkgmhogkpmgndp
        It is intended to stop the tab from pausing when not focused (plus other things chrome pauses it for). Its added in the registry fine and looking at chrome policy it shows up in the list under ExtensionInstallForcelist. I just don’t see it as an extension “box” as they appear above.

      • Avatar
        Rich 10 months ago

        The Chrome Ext is not on the Chrome Store. We can’t publish it there. I’m really at a standstill about the script…in that it writes to the reg, I can see it in chrome/policy/ExtensionInstallForcelist, just no box in the extensions.

        What am I missing to get the box to appear? I have setup files on C:\DisableAutoDiscardTabChrome. _locales, background.js, manifest.json, .vs

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account