- Encrypt email in Outlook with Microsoft 365 - Tue, Dec 6 2022
- Restricting registration to Azure AD MFA from trusted locations with Conditional Access policy - Thu, Nov 24 2022
- Azure AD MFA with number matching and temporary access passes - Tue, Nov 22 2022
Chrome extensions add functionality to the browser. You are probably more than familiar with them and how to install them. If you want to install extensions for all users on a device or a group of computers in an Active Directory domain, you can set up a GPO or create a registry key with the relevant settings. Chrome's built-in policy manager (chrome://policy) reads the keys and installs the extensions you have set.
You can read more about policies and settings in the support documentation for Chrome. Today, I want to introduce a PowerShell script you can use to install managed extensions.
Each extension, when deployed, creates a property under this registry key:
HKLM:\Software\Policies\Google\Chrome\ExtensionForceInstalllist
Registry location showing extension ID and string value
This key name, ExtensionForceInstalllist, is case sensitive.
The property type is String and should be an integer. The value is the extensionId, which you can get from the Chrome Extension Store, and a URL where updates can be collected, separated by a semicolon.
For example, if you wanted to deploy uBlock Origin to all your Windows devices, you would use:
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
Chrome managed extensions
The script is fairly basic, as you would expect. It looks for the base registry key for Chrome, creates it if it is missing, enumerates any already deployed extensions, and then adds the new one at the end of the list.
<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
param(
[string]$extensionId,
[switch]$info
)
if($info){
$InformationPreference = "Continue"
}
if(!($extensionId)){
# Empty Extension
$result = "No Extension ID"
}
else{
Write-Information "ExtensionID = $extensionID"
$extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
$regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if(!(Test-Path $regKey)){
New-Item $regKey -Force
Write-Information "Created Reg Key $regKey"
}
# Add Extension to Chrome
$extensionsList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0
do{
$number++
Write-Information "Pass : $number"
try{
$install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
$extensionObj = [PSCustomObject]@{
Name = $number
Value = $install.$number
}
$extensionsList.add($extensionObj) | Out-Null
Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
}
catch{
$noMore = 1
}
}
until($noMore -eq 1)
$extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
if($extensionCheck){
$result = "Extension Already Exists"
Write-Information "Extension Already Exists"
}else{
$newExtensionId = $extensionsList[-1].name + 1
New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist -PropertyType String -Name $newExtensionId -Value $extensionId
$result = "Installed"
}
}
$result
The next time Chrome refreshes its policy, the new extension is loaded. You can run the script from any elevated PowerShell window using the parameter extensionId.
As an example, here is our Chrome Extensions window, which shows no managed extensions.
Chrome extensions before management is enabled
I now run the script to deploy uBlock Origin and 1Password.
Install managed Chrome extensions
As both of these were already installed in the user context, no new extensions were added; however, the ability to turn the extension off is now gone.
Chrome managed extensions window
If I now deploy the Microsoft Teams extension, you can see it also appears in the Extension window.
Install MS Teams extension
You cannot disable a managed extension; the slider is grayed out
If you want to deploy this through Microsoft Intune, you will need to remove the parameter section and replace it with a static extension ID. Then, when adding the script to Intune, you can name it according to the extension you are installing.
In my next most I will explain how you can block or remove Chrome extensions with PowerShell.
Any way to use this same script to uninstall the extension?
No, as the removal of extensions uses a different policy setting, although it is similar.
You can use the extensioninstallblocklist policy to list extensions you want to remove – they will be disabled if installed, or prevented from being installed.
Thank you. I was thinking of how to rollback (remove) the extension, if something should go wrong or if management wants to remove it down the line. When we submit a “Change” we also need a rollback plan.
This script works great for installing. Thank you very much for that.
Hi,
If I want to install extensions from the local file system how I need to add its path, please?
I create these keys buth the extension doesn’t installed:
HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
1=cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources
1=files:///C:/ProgramData/Edge/*
I wasn’t aware that functionality existed to be honest with you.
If you go to edge://policy what does it show?
Hi Robert,
It shows nothing special just I set up:
ExtensionInstallForcelist: cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
ExtensionInstallSources:
files:///C:/ProgramData/Edge/*
I try to relocate extension files to another directory, maybe Edge doesn’t reach them in ProgramData.
Thanks for the reply and I’ll let you know about result.
Hello, what about reading the existing extensions and showing their properties and status – installed or not installed?
Thanks for the answer.
Petrifo