- Encrypt email in Outlook with Microsoft 365 - Tue, Dec 6 2022
- Restricting registration to Azure AD MFA from trusted locations with Conditional Access policy - Thu, Nov 24 2022
- Azure AD MFA with number matching and temporary access passes - Tue, Nov 22 2022
These extensions are created as "managed" extensions, which means they cannot be removed or blocked by the end user. This form of deployment is ideal in situations where you need to make sure an extension is deployed, as it is installed as soon as the policy refreshes (every three hours, by default, or when the browser is opened).
Well, the answer is yes. Using Chrome policies, you have the option of using a block list. This is a similar list to an allow list, but will disable an extension that is already installed and prevent its installation if not installed.
As an example, let's look at the extension we deployed in the last post. Windows Accounts is currently installed in Chrome as a managed extension; note that I cannot remove or disable it, as those options are grayed out.
Chrome extension status
Now, I will create the registry entry for disabling the extension. It's in the same format as the install list: a string containing the extension ID.
Extension install block list
When we reload the policies, we see it has been loaded.
Reloading Chrome policies
However, when checking the loaded extensions, we see that Windows Accounts is still present.
This is because it is still present in the ForceInstalllist policy.
Removing forced install Extensionid
After removing the extension ID, I reload the policies and immediately see this message:
Blocked extension message
Why do we need to use the block list? If we had simply removed the extension from the force install list, the extension would no longer have been managed, but would not have been removed.
Now, when we check the extensions section. We can see that the extension is no longer present.
Extension removed
To wrap all of this up into a script is relatively straightforward.
We will adjust our original script to remove the value from the force install list, if present, and create the object in the block list.
<# .DESCRIPTION Adds a Google Chrome extension to the forced install list. Can be used for forcing installation of any Google Chrome extension. Takes existing extensions into account which might be added by other means, such as GPO and MDM. #>
$extensionId = "ppnbnpeolgkicgegkbkbjmhlideopiji"
if(!($extensionId)){
# Empty Extension
$result = "No Extension ID"
}
else{
Write-Information "ExtensionID = $extensionID"
$regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist"
$regKeyInstall = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if(!(Test-Path $regKey)){
New-Item $regKey -Force
Write-Information "Created Reg Key $regKey"
}
# Remove Extension from Chrome
$extensionsList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0
do{
$number++
Write-Information "Pass : $number"
try{
$install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
$extensionObj = [PSCustomObject]@{
Name = $number
Value = $install.$number
}
$extensionsList.add($extensionObj) | Out-Null
Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
}
catch{
$noMore = 1
}
}
until($noMore -eq 1)
$extensionCheck = $extensionsList | Where-Object {$_.Value -eq $extensionId}
if($extensionCheck){
$result = "Extension Already Blocked"
Write-Information "Extension Already Blocked"
}else{
$newExtensionId = $extensionsList[-1].name + 1
New-ItemProperty $regKey -PropertyType String -Name $newExtensionId -Value $extensionId
$result = "Installed"
}
# Remove From Install List
if (!(Test-Path $regKeyInstall)) {
New-Item $regKeyInstall -Force
Write-Information "Created Reg Key $regKeyInstall"
}
# Remove Extension from Chrome
$extensionId = $extensionId, ";https://clients2.google.com/service/update2/crx" -join ""
$extensionsInstallList = New-Object System.Collections.ArrayList
$number = 0
$noMore = 0
do {
$number++
Write-Information "Pass : $number"
try {
$install = Get-ItemProperty $regKeyInstall -name $number -ErrorAction Stop
$extensionObj = [PSCustomObject]@{
Name = $number
Value = $install.$number
}
$extensionsInstallList.add($extensionObj) | Out-Null
Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
}
catch {
$noMore = 1
}
}
until($noMore -eq 1)
$extensionCheck = $extensionsInstallList | Where-Object { $_.Value -eq $extensionId }
if ($extensionCheck) {
$result = "Extension Installed - Removing"
Remove-ItemProperty $regKeyInstall -Name $extensionCheck.name -Force
}
}
$resultEverything described in this and the previous article can be completed in Microsoft Edge. You just need to adjust the base registry key path from:
HKLM:\SOFTWARE\Policies\Google\Chrome
To:
HKLM:\SOFTWARE\Policies\Microsoft\Edge
Hi Robert,
Thanks for the write up. From my understanding of this script should also remove the extension from the Chrome extension list (chrome://extension) right?
If it is meant to I can’t seem to get that bit to work. If not how does one remove the extension from the chrome list?
Thanks,
Thai
It should remove it yes.
Has the policy refreshed?
Is it a managed extension that still shows on the forceInstall key?
Ah thanks for your comment. I now understand a bit of why it wasn’t working before.
I was running the remove/block script by as is without having used your add extension script first.
After I ran the add extension script and then followed up with the removal it works as intended.
When I ran this without using the add extension script it would just disable and grey out the ability to enable the extension but doesn’t remove the extension from the list (chrome://extension).
Would you be able to expand on how I could run the removal/block script, and have it also remove the it from the list without going through the add extension script first? Hopefully that makes sense haha.
Hi,
Thanks for the script.
I have followed the instructions,however the extension I m trying to uninstall is still showing but is disabled not removed.
I am missing somthing ?
“Using Chrome policies, you have the option of using a block list. This is a similar list to an allow list, but will disable an extension that is already installed and prevent its installation if not installed.”
Does this apply to user installed extensions or is it only for managed extensions?