General:

Extensions can be a big hassle: they are not applied, blocked or not applied at all. That was the reason for this article.
In this article, I will describe all the steps to implement extensions for both Google Chrome and Microsoft Edge Chromium via group policies. I will also cover the implementation of Edge Chromium extensions via Ivanti Workspace Control.

At the end of this article, I will give you my tips. 

 

Settings in the Google Chrome policy

 

Step 1: Download admx template files

First, you have to download the policy template from The Chromium Projects. Extract the content from the 'admx' folder to C:\Windows\PolicyDefinitions.

 

Step 2: Create Group Policy Object (GPO)

Create a GPO 'User - Browser Google Chrome' in the correct OU. Under security filtering make sure that the user and computer groups are listed.

The GPO settings. The group DEMO\COMP - Apply GPO contains all the computers that the GPO should be applied to. The group DEMO\Roaming profile users contains all the users who have a roaming profile.

 

Step 3: Configure the policy

You can set a policy in two different ways:

  • Via the administrative templates -> Google -> Google Chrome
  • Via Group Policy Preferences 

We have the following objectives:

  • All extensions are blocked, except the ones that are explicitly allowed: 
    • Adobe Acrobat 15.1.3.3 for all users
    • Adblock Plus - free ad blocker - but only if you are a member of the group DEMO\Demo - Browser - AdBlocker Policy
    • Nimbus Screenshot & Screen Video Recorder - but only if you are a member of the group DEMO\Demo - Browser - Nimbus Policy
  • If you are removed from one of the extension groups, the extension should be removed.

Approach:

  • The setting to block all extensions is set via the option 'Configure extension installation blocklist'. It will configure the registry keys under Software\Policies\Google\Chrome\ExtensionInstallBlocklist.
  • The setting to configure the list of the explicitly allowed extensions is set via the option 'Configure the list of force-installed apps and extensions'. It will configure the registry keys under Software\Policies\Google\Chrome\ExtensionInstallForcelist.
  • The setting to configure the install source location is set via the option 'Configure extension, app, and user script install sources'. It will configure the registry keys under Software\Policies\Google\Chrome\ExtensionInstallSources.

After that, you can find the policy settings under 'User Configuration' -> 'Policies' -> 'Administrative Templates' -> 'Google' -> 'Google Chrome'. Under 'Extensions' configure the following:

Here you mention that all the extensions are blocked.

The AppID of the automatically installed extension: Adobe Acrobat 15.1.3.3

And the update URL where the extension can be downloaded from. 

 

An AppID can be found in Google Chrome under 'chrome://extensions' with 'developer mode' enabled:

You find the AppID of each extension after 'ID'.

 

Step 4: Item level targeting 

As mentioned before in the objectives, the extensions 'Adblock Plus' and 'Nimbus' should only be installed if a user is a member of an AD group. That can be done with Item-level targeting on a group policy preference:

Only the users who are allowed to use Adblocker can use this extension.

The setting Run in logged-on user's security context (user policy option) must be unselected. Otherwise, the setting is not set due to a permission issue.

The setting Remove this item when no longer applied removes the registry setting if the user is removed from the AD group.

Under Item-level targeting the AD group that is used is mentioned. Use the button to find the group. It is mandatory that the SID is filled in, otherwise, this will not work.

 

Only the users who are allowed to use Nimbus Screenshot can use this extension.

The setting Run in logged-on user's security context (user policy option) must be unselected. Otherwise, the setting is not set due to a permission issue.

The setting Remove this item when no longer applied removes the registry setting if the user is removed from the AD group.

Under Item-level targeting the AD group that is used is mentioned. Use the button to find the group. It is mandatory that the SID is filled in, otherwise, this will not work.

 

If a user is removed from the group, the addon is removed as well.

The user is allowed to use all the extensions.

The user is removed from the group DEMO\Demo - Browser - Nimbus Policy.

 

If you browse to chrome://policy you see all the settings that are applied:

The policies that are applied. This is very useful for troubleshooting. 

Step 5: Override extensions on machine-wide level

An extension defined under HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome takes precedence over the one that is defined in HKEY_CURRENT_USER.

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist the extension 'Right Click Translate' is enabled. As all the other extensions are blocked, only this one is effective:

The HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist is used.

All the extensions are blocked, except Right Click Translate. 

The policies that are applied. You see that there is a conflict: the HKLM setting overrules the HKCU setting. 

 

Settings in the Edge Chromium policy

 

Step 1: Download admx template files

Microsoft Edge Chromium works the same way as Google Chrome. You can download the Edge policy from Download and deploy Microsoft Edge for business. Extract the zip file and place the ADMX files in C:\Windows\PolicyDefinitions. After that, you can find the policy settings under 'User Configuration' -> 'Policies' -> 'Administrative Templates' -> 'Microsoft Edge'.

 

Step 2: Create Group Policy Object (GPO)

Create a GPO 'User - Browser Edge Chromium' in the correct OU. Under security filtering make sure that the user and computer groups are listed.

The GPO settings. The group DEMO\COMP - Apply GPO contains all the computers that the GPO should be applied to. The group DEMO\Roaming profile users contains all the users who have a roaming profile.

 

Step 3: Configure the policy

You can set a policy in two different ways:

  • Via the administrative templates -> Microsoft Edge
  • Via Group Policy Preferences 

We have the following objectives:

  • All extensions are blocked, except the ones that are explicitly allowed: 
    • Adobe Acrobat 15.1.3.3 for all users
    • Adblock Plus - free ad blocker - but only if you are a member of the group DEMO\Demo - Browser - AdBlocker Policy
    • Nimbus Screenshot & Screen Video Recorder - but only if you are a member of the group DEMO\Demo - Browser - Nimbus Policy
  • If you are removed from one of the extension groups, the extension should be removed.

Approach:

  • The setting to block all extensions is set via the option 'Configure extension installation blocklist'. It will configure the registry keys under Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist.
  • The setting to configure the list of the explicitly allowed extensions is set via the option 'Configure the list of force-installed apps and extensions'. It will configure the registry keys under Software\Policies\Microsoft\Edge\ExtensionInstallForcelist.
  • The setting to configure the install source location is set via the option 'Configure extension, app, and user script install sources'. It will configure the registry keys under Software\Policies\Microsoft\Edge\ExtensionInstallSources.

After that, you can find the policy settings under 'User Configuration' -> 'Policies' -> 'Administrative Templates' -> 'Microsoft Edge'. Under 'Extensions' configure the following:

A '*' means all.

The AppID of the automatically installed extension Adobe Acrobat 15.1.3.3. I found out that it is mandatory to add the update URL as well. Otherwise, the setting is not applied.

And the update URL. In Edge, it is now possible to use the Google Chrome web store as well. 

 

Step 4: Item level targeting

As mentioned before in the objectives, the extensions 'Adblock Plus' and 'Nimbus' should only be installed if a user is a member of an AD group. That can be done with Item-level targeting on a group policy preference:

Only the users who are allowed to use Adblocker can use this extension.

The setting Run in logged-on user's security context (user policy option) must be unselected. Otherwise, the setting is not set due to a permission issue.

The setting Remove this item when no longer applied removes the registry setting if the user is removed from the AD group.

Under Item-level targeting the AD group that is used is mentioned. Use the button to find the group. It is mandatory that the SID is filled in, otherwise, this will not work.

Only the users who are allowed to use Nimbus Screenshot can use this extension.

The setting Run in logged-on user's security context (user policy option) must be unselected. Otherwise, the setting is not set due to a permission issue.

The setting Remove this item when no longer applied removes the registry setting if the user is removed from the AD group.

Under Item-level targeting the AD group that is used is mentioned. Use the button to find the group. It is mandatory that the SID is filled in, otherwise, this will not work.

 

If a user is removed from the group, the addon is removed as well.

The user is allowed to use all the extensions. Also, the user has no option to disable an extension.

The user is removed from the group DEMO\Demo - Browser - AdBlocker Policy.

 

If you browse to edge://policy you see all the settings that are applied.

This is very useful when it comes to troubleshooting. 

 

Step 5: Override extensions on machine-wide level

An extension defined under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge takes precedence over the one that is defined in HKEY_CURRENT_USER.

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist the extension 'Right Click Translate' is enabled. As all the other extensions are blocked, only this one is effective:

The HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist is used.

All the extensions are blocked, except Right Click Translate.

The policies that are applied. You see that there is a conflict: the HKLM setting overrules the HKCU setting. 
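A read-only check for the precedence described in Step 5 of both the Chrome and the Edge section, as an added example that is not part of the original article: it reads the three extension lists from both hives for the current user, shows which hive supplies the effective values, and flags a missing '*' blocklist entry or a force-list entry without an update URL. The helper name Get-PolicyList and the report columns are assumptions made for this example.

```powershell
# Added example: read-only audit of the extension policy lists (nothing is written).
$browsers = [ordered]@{
    Chrome = 'Software\Policies\Google\Chrome'
    Edge   = 'Software\Policies\Microsoft\Edge'
}
$lists = 'ExtensionInstallBlocklist', 'ExtensionInstallForcelist', 'ExtensionInstallSources'

# Hypothetical helper: returns the string values stored under one policy list key.
function Get-PolicyList {
    param([string]$Hive, [string]$SubKey)
    $path = "Registry::$Hive\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return }
    $key = Get-Item -LiteralPath $path
    # List policies are stored as numbered string values (1, 2, 3, ...).
    $key.GetValueNames() | Where-Object { $_ } | ForEach-Object { [string]$key.GetValue($_) }
}

$report = foreach ($browser in $browsers.Keys) {
    foreach ($list in $lists) {
        $sub  = "$($browsers[$browser])\$list"
        $hklm = @(Get-PolicyList -Hive 'HKEY_LOCAL_MACHINE' -SubKey $sub)
        $hkcu = @(Get-PolicyList -Hive 'HKEY_CURRENT_USER'  -SubKey $sub)

        # Per the article: a list defined in HKLM overrules the same list in HKCU.
        $source    = if ($hklm.Count) { 'HKLM' } elseif ($hkcu.Count) { 'HKCU' } else { '(not set)' }
        $effective = @(if ($hklm.Count) { $hklm } else { $hkcu })

        $notes = @()
        if ($hklm.Count -and $hkcu.Count) {
            $notes += 'conflict: HKCU values are ignored'
        }
        if ($list -eq 'ExtensionInstallBlocklist' -and $effective -notcontains '*') {
            $notes += "no '*' entry, so extensions are not blocked by default"
        }
        if ($list -eq 'ExtensionInstallForcelist') {
            # Expected form: <32-character ID, letters a-p>;<update URL>
            $bad = @($effective | Where-Object { $_ -cnotmatch '^[a-p]{32};\S+$' })
            if ($bad.Count) { $notes += "not in 'ID;update URL' form: $($bad -join ', ')" }
        }

        [pscustomobject]@{
            Browser   = $browser
            List      = $list
            Source    = $source
            Effective = $effective -join ', '
            Notes     = $notes -join '; '
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it in the session of the affected user and compare the output with chrome://policy or edge://policy.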

 

Configure Edge Chromium Extensions via Ivanti Workspace Control

You can also configure the extensions via Ivanti Workspace Control. You configure the shortcut via Edit Application -> Configuration. Then you can either add 'User Registry Setting' or 'User Registry Policy'. In this example, I will use both options. 

 

Step 1: Add the policy file

Add the msedge.admx file. This should only be done once.

Select User Registry Policy

If the policy is not already loaded into Ivanti, it should be installed first.

Click Add

Browse to msedge.admx in c:\windows\policydefinitions

Click Ok

Step 2: Configure the policy

We have the following objectives:

  • All extensions are blocked, except the ones that are explicitly allowed: 
    • Adobe Acrobat 15.1.3.3 for all users
    • Adblock Plus - free ad blocker - but only if you are a member of the group DEMO\Demo - Browser - AdBlocker Policy
    • Nimbus Screenshot & Screen Video Recorder - but only if you are a member of the group DEMO\Demo - Browser - Nimbus Policy
  • If you are removed from one of the extension groups, the extension should be removed.

Now, you can configure the policy settings. Expand 'Both' -> 'Microsoft Edge' -> 'Extensions' and configure the options as per the screen prints below:

Click Show and add a '*'. Then all the extensions are blocked.

Click Ok

Under Configure extension and user script install sources add https://clients2.google.com/service/update2/crx/*

Click on View resulting registry to see what the registry settings are. This is not needed but can be useful to find out where the settings are applied in the registry. 

And the result

 

Step 3: Configure who can use the extension (sort of item level targeting)

 

Under 'Registry Settings' we can configure registry settings, including who can use that particular setting.

Now, it is configured who may use the extension. 

Click User Registry Setting

Add the key for Adobe Acrobat 15.1.3.3.

Add the second key for Adblock Plus - free ad blocker.

And specify the AD group that should get this setting applied. 

The third key for Nimbus Screenshot & Screen Video Recorder. 

And specify the AD group that should get this setting applied. 

 

Step 4: See the results on the client 

As the user is a member of the Adblocker and Nimbus policy groups, both extensions are enabled by default. Any other addon is blocked by the same policy.

All the extensions are visible

The extension Google Translate in Right Click cannot be installed, which is one of the desired objectives.

 

My tips:

  • Configure extensions via HKEY_CURRENT_USER\Software\Policies. Then you are more in control.
  • If you configure the extensions via HKEY_CURRENT_USER\Software\Policies, then your configuration is multi-user compliant.
  • Never use HKEY_LOCAL_MACHINE\Software\Policies to configure extensions, as it will override all the configuration that is done via HKEY_CURRENT_USER\Software\Policies.

As always, there can be situations in which a different approach is needed.