Remove or block Chrome extensions with PowerShell

A comment on the previous post about deploying Chrome extensions posed the question of whether PowerShell could be used to remove Chrome extensions.

Author
Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

Remove or block Chrome extensions with PowerShell - Thu, May 12 2022
Chrome: Manage extensions with PowerShell - Fri, Apr 15 2022
Azure Conditional Access policies not working in Google Chrome - Tue, Apr 12 2022

These extensions are created as "managed" extensions, which means they cannot be removed or blocked by the end user. This form of deployment is ideal in situations where you need to make sure an extension is deployed, as it is installed as soon as the policy refreshes (every three hours, by default, or when the browser is opened).

Well, the answer is yes. Using Chrome policies, you have the option of using a block list. This is a similar list to an allow list, but will disable an extension that is already installed and prevent its installation if not installed.

As an example, let's look at the extension we deployed in the last post. Windows Accounts is currently installed in Chrome as a managed extension; note that I cannot remove or disable it, as those options are grayed out.

Chrome extension status

Now, I will create the registry entry for disabling the extension. It's in the same format as the install list: a string containing the extension ID.

Extension install block list

When we reload the policies, we see it has been loaded.

Reloading Chrome policies

However, when checking the loaded extensions, we see that Windows Accounts is still present.

This is because it is still present in the ForceInstalllist policy.

Removing forced install Extensionid

After removing the extension ID, I reload the policies and immediately see this message:

Blocked extension message

Why do we need to use the block list? If we had simply removed the extension from the force install list, the extension would no longer have been managed, but would not have been removed.

Now, when we check the extensions section. We can see that the extension is no longer present.

Extension removed

To wrap all of this up into a script is relatively straightforward.

We will adjust our original script to remove the value from the force install list, if present, and create the object in the block list.

<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
$extensionId = "ppnbnpeolgkicgegkbkbjmhlideopiji"
if(!($extensionId)){
    # Empty Extension
    $result = "No Extension ID"
}
else{
    Write-Information "ExtensionID = $extensionID"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist"
    $regKeyInstall = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }
    # Remove Extension from Chrome
    $extensionsList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $extensionsList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch{
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
    if($extensionCheck){
        $result = "Extension Already Blocked"
        Write-Information "Extension Already Blocked"
    }else{
        $newExtensionId = $extensionsList[-1].name + 1
        New-ItemProperty $regKey -PropertyType String -Name $newExtensionId -Value $extensionId
        $result = "Installed"
    }
    # Remove From Install List
    if (!(Test-Path $regKeyInstall)) {
        New-Item $regKeyInstall -Force
        Write-Information "Created Reg Key $regKeyInstall"
    }
    # Remove Extension from Chrome
    $extensionId = $extensionId, ";https://clients2.google.com/service/update2/crx" -join ""
    $extensionsInstallList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do {
        $number++
        Write-Information "Pass : $number"
        try {
            $install = Get-ItemProperty $regKeyInstall -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name  = $number
                Value = $install.$number
            }
            $extensionsInstallList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch {
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsInstallList | Where-Object { $_.Value -eq $extensionId }
    if ($extensionCheck) {
        $result = "Extension Installed - Removing"
        Remove-ItemProperty $regKeyInstall -Name $extensionCheck.name -Force
    }
}
$result

Everything described in this and the previous article can be completed in Microsoft Edge. You just need to adjust the base registry key path from:

HKLM:\SOFTWARE\Policies\Google\Chrome

To:

HKLM:\SOFTWARE\Policies\Microsoft\Edge

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the PowerShell forum!

Learn PowerShell with our PowerShell guides!