A comment on the previous post about deploying Chrome extensions posed the question of whether PowerShell could be used to remove Chrome extensions.

These extensions are created as "managed" extensions, which means they cannot be removed or blocked by the end user. This form of deployment is ideal in situations where you need to make sure an extension is deployed, as it is installed as soon as the policy refreshes (every three hours, by default, or when the browser is opened).

Well, the answer is yes. Using Chrome policies, you have the option of using a block list. This is a similar list to an allow list, but will disable an extension that is already installed and prevent its installation if not installed.

As an example, let's look at the extension we deployed in the last post. Windows Accounts is currently installed in Chrome as a managed extension; note that I cannot remove or disable it, as those options are grayed out.

Chrome extension status


Now, I will create the registry entry for disabling the extension. It's in the same format as the install list: a string containing the extension ID.

Extension install block list


When we reload the policies, we see it has been loaded.

Reloading Chrome policies


However, when checking the loaded extensions, we see that Windows Accounts is still present.

This is because it is still present in the ExtensionInstallForcelist policy.

Removing forced install Extensionid


After removing the extension ID, I reload the policies and immediately see this message:

Blocked extension message


Why do we need to use the block list? If we had simply removed the extension from the force install list, the extension would no longer have been managed, but would not have been removed.

Now, when we check the extensions section, we can see that the extension is no longer present.

Extension removed


To wrap all of this up into a script is relatively straightforward.

We will adjust our original script to remove the value from the force install list, if present, and create the object in the block list.

<#
.DESCRIPTION
Adds a Google Chrome extension to the block list and removes it from the forced install list, if present.
Takes existing entries into account which might be added by other means, such as GPO and MDM.
#>
$extensionId = "ppnbnpeolgkicgegkbkbjmhlideopiji"
if(!($extensionId)){
    # Empty Extension
    $result = "No Extension ID"
}
else{
    Write-Information "ExtensionID = $extensionID"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist"
    $regKeyInstall = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force | Out-Null
        Write-Information "Created Reg Key $regKey"
    }
    # Read the existing block list entries (values are named 1, 2, 3, ...)
    $extensionsList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $extensionsList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch{
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
    if($extensionCheck){
        $result = "Extension Already Blocked"
        Write-Information "Extension Already Blocked"
    }else{
        # Append the ID as the next numbered value in the block list
        $newExtensionId = $extensionsList.Count + 1
        New-ItemProperty $regKey -PropertyType String -Name $newExtensionId -Value $extensionId | Out-Null
        $result = "Extension Blocked"
    }
    # Remove From Install List
    if (!(Test-Path $regKeyInstall)) {
        New-Item $regKeyInstall -Force | Out-Null
        Write-Information "Created Reg Key $regKeyInstall"
    }
    # Force install entries are stored as "<extension ID>;<update URL>"
    $extensionId = $extensionId, ";https://clients2.google.com/service/update2/crx" -join ""
    $extensionsInstallList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do {
        $number++
        Write-Information "Pass : $number"
        try {
            $install = Get-ItemProperty $regKeyInstall -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name  = $number
                Value = $install.$number
            }
            $extensionsInstallList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch {
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $extensionCheck = $extensionsInstallList | Where-Object { $_.Value -eq $extensionId }
    if ($extensionCheck) {
        $result = "Extension Installed - Removing"
        Remove-ItemProperty $regKeyInstall -Name $extensionCheck.name -Force
    }
}
$result

Everything described in this and the previous article can be completed in Microsoft Edge. You just need to adjust the base registry key path from:

HKLM:\SOFTWARE\Policies\Google\Chrome

To:

HKLM:\SOFTWARE\Policies\Microsoft\Edge
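
The following audit is an added example, not part of the original script: it lists every extension ID found in the block list and force install list for both Chrome and Edge, and flags IDs that sit in both lists, which is the state where the extension stayed installed above. It reads all value names rather than counting 1, 2, 3, so entries after a gap in the numbering (which the counting loop above would stop at) are still reported. The function names Get-ExtensionPolicyEntry and Get-ExtensionPolicyState are hypothetical.

```powershell
# Added example: read-only audit of the two policy lists discussed in this article.
function Get-ExtensionPolicyEntry {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath
    # GetValueNames() returns every value, so gaps in the numbering do not hide entries
    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        [PSCustomObject]@{
            Name        = $name
            # Force list values are "<id>;<update URL>"; block list values are just "<id>"
            ExtensionId = ($raw -split ';', 2)[0].Trim()
            Raw         = $raw
        }
    }
}

function Get-ExtensionPolicyState {
    param(
        [string[]]$BasePath = @(
            'HKLM:\SOFTWARE\Policies\Google\Chrome',
            'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
        )
    )
    foreach ($base in $BasePath) {
        $forced  = @(Get-ExtensionPolicyEntry "$base\ExtensionInstallForcelist")
        $blocked = @(Get-ExtensionPolicyEntry "$base\ExtensionInstallBlocklist")
        $ids = @($forced + $blocked | ForEach-Object ExtensionId |
                 Where-Object { $_ } | Sort-Object -Unique)
        foreach ($id in $ids) {
            $isForced  = $forced.ExtensionId -contains $id
            $isBlocked = $blocked.ExtensionId -contains $id
            # An ID in both lists stays installed until it leaves the force list
            if ($isForced -and $isBlocked) { $state = 'Conflict: remove from force list' }
            elseif ($isBlocked)            { $state = 'Blocked' }
            else                           { $state = 'Force installed' }
            [PSCustomObject]@{
                BasePath    = $base
                ExtensionId = $id
                Forced      = $isForced
                Blocked     = $isBlocked
                State       = $state
            }
        }
    }
}

Get-ExtensionPolicyState | Format-Table -AutoSize
```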

3 Comments
  1. Thai 3 weeks ago

    Hi Robert,

    Thanks for the write up. From my understanding, this script should also remove the extension from the Chrome extension list (chrome://extension), right?
    If it is meant to, I can’t seem to get that bit to work. If not, how does one remove the extension from the Chrome list?

    Thanks,
    Thai

    • Author
      Robert Pearman 3 weeks ago

      It should remove it yes.

      Has the policy refreshed?
      Is it a managed extension that still shows on the forceInstall key?

      • Thai 3 weeks ago

        Ah thanks for your comment. I now understand a bit of why it wasn’t working before.
        I was running the remove/block script as is without having used your add extension script first.
        After I ran the add extension script and then followed up with the removal it works as intended.
        When I ran this without using the add extension script it would just disable and grey out the ability to enable the extension but doesn’t remove the extension from the list (chrome://extension).
        Would you be able to expand on how I could run the removal/block script, and have it also remove it from the list without going through the add extension script first? Hopefully that makes sense haha.


© 4sysops 2006 - 2022
