G’Day, hope you’re enjoying the Euros! Today, I want to describe how you can control which Microsoft Edge browser extensions can be installed via Microsoft Intune. With this configuration, you’ll be able to block specific edge extensions or only allow specific edge extensions to be installed, for demonstration purposes, we’ll work on the latter, I’ll also show you how you can silently install the approved extensions, let’s get started!
Gather Extension ID’s
To be able to control which Edge Extensions to add to our allow list, we first need to ascertain the extensions ID’s, for this demonstration, I’ll only be allowing the Centro 365 extension, which by the way, is a great extension to have, it gives you a dropdown list for common Microsoft portals, I use it all the time, check it out. Anyway, visit the Microsoft Edge Add-on store, find the add-ons in question that you wish to deploy and copy the ID from the address bar, for Centro 365, this is the following ID ‘ampgmpmlobbbhjoplcbdfcgplbkbmked‘:
Make a note of every ID that you wish to explicitly allow and automatically install.
Creating the Configuration Profile
Now that we have the ID that we want to allow and deny others that are not listed, we need to create a Configuration Profile within Intune, the first setting is to add the ID’s to the allow the list and then we’ll configure the silent installation settings.
Edge Extension Allow List
Go to the MEMAC portal, navigate to Devices, Configuration Profiles and Create Profile:
Then select Windows 10 and later and we’ll use the Settings Catalog for this one:
Give the profile an appropriate Name and Description (You can do a better job than me here!):
Now Add settings from the catalog, look under Microsoft Edge and then Extensions, select Allow specific extensions to be installed and Control which extensions cannot be installed:
Close the Settings picker, now you’ll be presented with the configuration settings, for this, set the Allow specific extensions to be installed to Enabled and add the extension ID discovered earlier to the exemption list, additionally, set to the Control which extensions cannot be installed to Enabled and enter in “*“, this is to block every extension, don’t worry, the allow section will override this for our specific extensions, like so:
Righto, that’s the allow list sorted, let’s now look into the silent installation of that same extension.
Silent Installation of Extensions
Within the same configuration profile created above, add an additional setting, this time called Control which extensions are installed silently from the same area as before of Microsoft Edge and then Extensions:
Close the settings picker, set the Control which extensions are installed silently to Enabled and add the same extension ID’s to the list, like so:
Great, we’re all set to go! Assign this to a test group of users or devices before enabling in prod (as you should do for all new configurations within Intune!) and we’ll check out the results.
Trust but Verify
Now that our Configuration Profile is in place and assigned to a test group, let’s see what our test device looks like.
Centro 365 Extension has been installed
Centro 365 Extension is showing as forced
Unable to install any other Extensions from the Store
From my testing it does appear that previously installed extensions will be disabled, be mindful of this to ensure that the allow extension list field is comprehensive in your environment:
Confirmation of the enabled \ disabled extensions: