Sunday, December 8, 2024
Intune

Control Edge Extensions via Intune

G’Day, hope you’re enjoying the Euros! Today, I want to describe how you can control which Microsoft Edge browser extensions can be installed via Microsoft Intune. With this configuration, you’ll be able to block specific edge extensions or only allow specific edge extensions to be installed, for demonstration purposes, we’ll work on the latter, I’ll also show you how you can silently install the approved extensions, let’s get started!

Gather Extension ID’s

To be able to control which Edge Extensions to add to our allow list, we first need to ascertain the extensions ID’s, for this demonstration, I’ll only be allowing the Centro 365 extension, which by the way, is a great extension to have, it gives you a dropdown list for common Microsoft portals, I use it all the time, check it out. Anyway, visit the Microsoft Edge Add-on store, find the add-ons in question that you wish to deploy and copy the ID from the address bar, for Centro 365, this is the following ID ‘ampgmpmlobbbhjoplcbdfcgplbkbmked‘:

Gathering the ID's to control the Edge extension installations via Intune.

Make a note of every ID that you wish to explicitly allow and automatically install.

Creating the Configuration Profile

Now that we have the ID that we want to allow and deny others that are not listed, we need to create a Configuration Profile within Intune, the first setting is to add the ID’s to the allow the list and then we’ll configure the silent installation settings.

Edge Extension Allow List

Go to the MEMAC portal, navigate to Devices, Configuration Profiles and Create Profile:

Creating the configuration profile to control edge extensions within Intune.

Then select Windows 10 and later and we’ll use the Settings Catalog for this one:

Give the profile an appropriate Name and Description (You can do a better job than me here!):

Now Add settings from the catalog, look under Microsoft Edge and then Extensions, select Allow specific extensions to be installed and Control which extensions cannot be installed:

Close the Settings picker, now you’ll be presented with the configuration settings, for this, set the Allow specific extensions to be installed to Enabled and add the extension ID discovered earlier to the exemption list, additionally, set to the Control which extensions cannot be installed to Enabled and enter in “*“, this is to block every extension, don’t worry, the allow section will override this for our specific extensions, like so:

Righto, that’s the allow list sorted, let’s now look into the silent installation of that same extension.

Silent Installation of Extensions

Within the same configuration profile created above, add an additional setting, this time called Control which extensions are installed silently from the same area as before of Microsoft Edge and then Extensions:

Close the settings picker, set the Control which extensions are installed silently to Enabled and add the same extension ID’s to the list, like so:

Great, we’re all set to go! Assign this to a test group of users or devices before enabling in prod (as you should do for all new configurations within Intune!) and we’ll check out the results.

Trust but Verify

Now that our Configuration Profile is in place and assigned to a test group, let’s see what our test device looks like.

Centro 365 Extension has been installed

Centro 365 Extension is showing as forced

Unable to install any other Extensions from the Store

Important Notes

From my testing it does appear that previously installed extensions will be disabled, be mindful of this to ensure that the allow extension list field is comprehensive in your environment:

Confirmation of the enabled \ disabled extensions:

9 thoughts on “Control Edge Extensions via Intune

  • Is it possible to deploy extensions from the Chrome Web Store in to Edge with Intune or is this exclusive to extensions from Edge’s store?

    • Hi Nik,

      Yes, this is possible, but not recommended as the chrome extensions wouldn’t of been tested in the edge browser and a Google account might be needed for the extension to function.

      You’d need to gather the ID from the Google Chrome extension store and then make the following entry into the extension lists that I listed, replace the ID at the start of the text:

      ‘google Chrome Extension ID’;https://clients2.google.com/service/update2/crx

      Thanks!

  • If I want to push out a specific add-on but allow users to install other’s which setting should I use?

    • Hi Joe,

      Once you have the extension ID, you’ll need to only follow the ‘Silent Installation of Extensions’ section of the blog post only to silently deploy the add-on without restrictions.

      Thanks,
      Alex.

  • Hello Alex, thank you for this material. I find it so useful. However, I wish to deploy extensions from the Chrome Web Store in to Edge with Intune. I read the steps you explained earlier but I don’t understand. Could you please clarify the step?

    “” and then make the following entry into the extension lists that I listed, replace the ID at the start of the text:

    ‘google Chrome Extension ID’;https://clients2.google.com/service/update2/crx “”

    Thank you in advance for your feedback

  • Is there a way to add the extension as disabled and allow the user to enable if required?

    • You could try silently installing but not adding it to the allow list using the above policies and see what happens, but not sure what problem you’re trying to solve by doing this, I would recommend either allowing the extensions and / or silently installing if authorised within your environment.

  • Hello,

    I am attempting to push specific extensions to one group of employees while still pushing a group of extensions to all devices. Is there a way to achieve this without causing a conflict in Intune?

Comments are closed.