In this article, you will learn how you can manage extensions in Google's web browser Chrome in your organization. With the help of a PowerShell script, you can install Chrome managed extensions in your network either through Intune or any RMM software that supports scripts.

Chrome extensions add functionality to the browser. You are probably more than familiar with them and how to install them. If you want to install extensions for all users on a device or a group of computers in an Active Directory domain, you can set up a GPO or create a registry key with the relevant settings. Chrome's built-in policy manager (chrome://policy) reads the keys and installs the extensions you have set.

You can read more about policies and settings in the support documentation for Chrome. Today, I want to introduce a PowerShell script you can use to install managed extensions.

Each extension, when deployed, creates a property under this registry key:
HKLM:\Software\Policies\Google\Chrome\ExtensionForceInstalllist

Registry location showing extension ID and string value

Registry location showing extension ID and string value

This key name, ExtensionForceInstalllist, is case sensitive.

The property type is String and should be an integer. The value is the extensionId, which you can get from the Chrome Extension Store, and a URL where updates can be collected, separated by a semicolon.

For example, if you wanted to deploy uBlock Origin to all your Windows devices, you would use:

cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx

Chrome managed extensions

Chrome managed extensions

The script is fairly basic, as you would expect. It looks for the base registry key for Chrome, creates it if it is missing, enumerates any already deployed extensions, and then adds the new one at the end of the list.

<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
param(
    [string]$extensionId,
    [switch]$info
)
if($info){
    $InformationPreference = "Continue"
}
if(!($extensionId)){
    # Empty Extension
    $result = "No Extension ID"
}
else{
    Write-Information "ExtensionID = $extensionID"
    $extensionId = "$extensionId;https://clients2.google.com/service/update2/crx"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }
    # Add Extension to Chrome
    $extensionsList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $extensionsList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch{
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
    if($extensionCheck){
        $result = "Extension Already Exists"
        Write-Information "Extension Already Exists"
    }else{
        $newExtensionId = $extensionsList[-1].name + 1
        New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist -PropertyType String -Name $newExtensionId -Value $extensionId
        $result = "Installed"
    }
}
$result

The next time Chrome refreshes its policy, the new extension is loaded. You can run the script from any elevated PowerShell window using the parameter extensionId.

As an example, here is our Chrome Extensions window, which shows no managed extensions.

Chrome extensions before management is enabled

Chrome extensions before management is enabled

I now run the script to deploy uBlock Origin and 1Password.

Install managed Chrome extensions

Install managed Chrome extensions

As both of these were already installed in the user context, no new extensions were added; however, the ability to turn the extension off is now gone.

Chrome managed extensions window

Chrome managed extensions window

If I now deploy the Microsoft Teams extension, you can see it also appears in the Extension window.

Install MS Teams extension

Install MS Teams extension

You cannot disable a managed extension; the slider is grayed out

You cannot disable a managed extension; the slider is grayed out

If you want to deploy this through Microsoft Intune, you will need to remove the parameter section and replace it with a static extension ID. Then, when adding the script to Intune, you can name it according to the extension you are installing.

In my next most I will explain how you can block or remove Chrome extensions with PowerShell.

avatar
6 Comments
  1. Jan Eya 3 months ago

    Any way to use this same script to uninstall the extension?

    • Author
      Robert Pearman 3 months ago

      No, as the removal of extensions uses a different policy setting, although it is similar.

      You can use the extensioninstallblocklist policy to list extensions you want to remove – they will be disabled if installed, or prevented from being installed.

      • Jan Eya 3 months ago

        Thank you. I was thinking of how to rollback (remove) the extension, if something should go wrong or if management wants to remove it down the line. When we submit a “Change” we also need a rollback plan.

        This script works great for installing. Thank you very much for that.

  2. Sanyi 3 weeks ago

    Hi,
    If I want to install extensions from the local file system how I need to add its path, please?
    I create these keys buth the extension doesn’t installed:

    HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
    1=cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml

    HKLM/SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources
    1=files:///C:/ProgramData/Edge/*

    • Author
      Robert Pearman 3 weeks ago

      I wasn’t aware that functionality existed to be honest with you.

      If you go to edge://policy what does it show?

      • Sanyi 3 weeks ago

        Hi Robert,
        It shows nothing special just I set up:
        ExtensionInstallForcelist: cchlfgjjhgdoibhfabfonddfjhmocjcg;C:\ProgramData\Edge\update.xml
        ExtensionInstallSources:
        files:///C:/ProgramData/Edge/*

        I try to relocate extension files to another directory, maybe Edge doesn’t reach them in ProgramData.
        Thanks for the reply and I’ll let you know about result.

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account