- Remove or block Chrome extensions with PowerShell - Thu, May 12 2022
These extensions are created as "managed" extensions, which means they cannot be removed or blocked by the end user. This form of deployment is ideal in situations where you need to make sure an extension is deployed, as it is installed as soon as the policy refreshes (every three hours, by default, or when the browser is opened).
Well, the answer is yes. Using Chrome policies, you have the option of using a block list. It is a list similar to an allow list, but it disables an extension that is already installed and prevents installation of one that is not.
As an example, let's look at the extension we deployed in the last post. Windows Accounts is currently installed in Chrome as a managed extension; note that I cannot remove or disable it, as those options are grayed out.
Now, I will create the registry entry for disabling the extension. It's in the same format as the install list: a string containing the extension ID.
When we reload the policies, we see it has been loaded.
However, when checking the loaded extensions, we see that Windows Accounts is still present.
This is because it is still present in the ExtensionInstallForcelist policy.
After removing the extension ID, I reload the policies and immediately see this message:
Why do we need to use the block list? If we had simply removed the extension from the force install list, the extension would no longer have been managed, but would not have been removed.
Now, when we check the extensions section, we can see that the extension is no longer present.
Wrapping all of this up into a script is relatively straightforward.
We will adjust our original script to remove the value from the force install list, if present, and create the object in the block list.
```powershell
<#
.DESCRIPTION
    Adds a Google Chrome extension to the block list and removes it from the
    forced install list, if present.
    Takes existing extensions into account which might be added by other means, such as GPO and MDM.
#>
$extensionId = "ppnbnpeolgkicgegkbkbjmhlideopiji"

if (!($extensionId)) {
    # Empty Extension
    $result = "No Extension ID"
}
else {
    Write-Information "ExtensionID = $extensionID"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist"
    $regKeyInstall = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"

    if (!(Test-Path $regKey)) {
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }

    # Read the existing block list entries (values are named 1, 2, 3, ...)
    $extensionsList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do {
        $number++
        Write-Information "Pass : $number"
        try {
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name  = $number
                Value = $install.$number
            }
            $extensionsList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch {
            # No value with this name: end of the list
            $noMore = 1
        }
    }
    until($noMore -eq 1)

    $extensionCheck = $extensionsList | Where-Object { $_.Value -eq $extensionId }
    if ($extensionCheck) {
        $result = "Extension Already Blocked"
        Write-Information "Extension Already Blocked"
    }
    else {
        # Next free value name; start at 1 when the block list is still empty
        $newExtensionId = 1
        if ($extensionsList.Count -gt 0) {
            $newExtensionId = $extensionsList[-1].name + 1
        }
        New-ItemProperty $regKey -PropertyType String -Name $newExtensionId -Value $extensionId
        $result = "Blocked"
    }

    # Remove From Install List
    if (!(Test-Path $regKeyInstall)) {
        New-Item $regKeyInstall -Force
        Write-Information "Created Reg Key $regKeyInstall"
    }

    # Force list values have the form "<extension ID>;<update URL>"
    $extensionId = $extensionId, ";https://clients2.google.com/service/update2/crx" -join ""
    $extensionsInstallList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do {
        $number++
        Write-Information "Pass : $number"
        try {
            $install = Get-ItemProperty $regKeyInstall -name $number -ErrorAction Stop
            $extensionObj = [PSCustomObject]@{
                Name  = $number
                Value = $install.$number
            }
            $extensionsInstallList.add($extensionObj) | Out-Null
            Write-Information "Extension List Item : $($extensionObj.name) / $($extensionObj.value)"
        }
        catch {
            $noMore = 1
        }
    }
    until($noMore -eq 1)

    # Remove the force list entry so the block list can take effect
    $extensionCheck = $extensionsInstallList | Where-Object { $_.Value -eq $extensionId }
    if ($extensionCheck) {
        $result = "Extension Installed - Removing"
        Remove-ItemProperty $regKeyInstall -Name $extensionCheck.name -Force
    }
}

$result
```
Everything described in this and the previous article can be completed in Microsoft Edge. You just need to adjust the base registry key path from:
HKLM:\SOFTWARE\Policies\Google\Chrome
To:
HKLM:\SOFTWARE\Policies\Microsoft\Edge
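
To confirm the result on a machine, the following added example (not part of the original article's script) reports whether an extension ID is present in the force install list, the block list, or both, under the Chrome and Edge policy keys named above. The function name `Get-ExtensionPolicyState` and its parameters are hypothetical; the registry key names are the ones used in the article's script.

```powershell
# Added example, not from the original article: audits the two policy lists
# for one extension ID under both the Chrome and the Edge policy root.
function Get-ExtensionPolicyState {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        # Base policy keys taken from the article; the parameter itself is an assumption.
        [string[]]$BaseKey = @(
            'HKLM:\SOFTWARE\Policies\Google\Chrome',
            'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
        )
    )
    foreach ($base in $BaseKey) {
        $hits = @{}
        foreach ($list in 'ExtensionInstallForcelist', 'ExtensionInstallBlocklist') {
            $hits[$list] = @()
            $path = Join-Path $base $list
            if (Test-Path $path) {
                $key = Get-Item $path
                foreach ($name in $key.GetValueNames()) {
                    # Force list values are "<id>;<update URL>", block list values
                    # are the bare ID, so compare only the part before ';'.
                    $id = ([string]$key.GetValue($name)).Split(';')[0].Trim()
                    if ($id -eq $ExtensionId) { $hits[$list] += $name }
                }
            }
        }
        $forced  = $hits['ExtensionInstallForcelist'].Count -gt 0
        $blocked = $hits['ExtensionInstallBlocklist'].Count -gt 0
        $state = if ($forced -and $blocked) { 'Conflict: blocked but still in force install list' }
                 elseif ($blocked)          { 'Blocked' }
                 elseif ($forced)           { 'Force installed (managed)' }
                 else                       { 'Not in either list' }
        [PSCustomObject]@{
            PolicyRoot      = $base
            ExtensionId     = $ExtensionId
            State           = $state
            ForcelistValues = $hits['ExtensionInstallForcelist'] -join ','
            BlocklistValues = $hits['ExtensionInstallBlocklist'] -join ','
        }
    }
}

# Extension ID used in the article's script.
Get-ExtensionPolicyState -ExtensionId 'ppnbnpeolgkicgegkbkbjmhlideopiji' | Format-Table -AutoSize
```

A `Conflict` row corresponds to the situation shown earlier, where the block list entry is loaded but the extension stays installed because its ID is still in the force install list.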