When we are starting to test a new browser in our organization we also need an how we are configuring the browser both from a end user and a security perspective. If your end user has one browser on there device that are not managed, then in my experience that is also the browser that the end user will use as there primary browser to surf the internet and doing there everyday work in the company.
Why is it important to know what extensions that your end user has on there corporate devices??
It does not require admin privileged to install extensions and there can be malicious code inside the extensions or the extensions can get access to corporate data or identity,
You also need to understand that with Microsoft Edge based on chromium you can install first part extensions from the Microsoft Store or you can use a 3. part store like Chrome web store.
So in this blog post you will learn how to use Intune to manage browser extensions for Edge browser.
If your browser does not have a extensions policy then the end user can install browser extensions as they see fit. That can be fine in some companies but in other companies they need to have full control over what extensions that are allowed to be installed.
To help the end user get the extensions that you are allowing them to use in your company – you can automatic deploy the extensions with a policy.
On your test device you can install the extensions both for testing but also to get the information you need to deploy it automatic with a policy.
First the Microsoft Store find the extension you want to install
I have found the Office browser extension in Microsoft Store for the new Edge browser, if you have been using extensions on the build in Edge browser in Windows 10 you will see that it is many of the same extensions.
- Click Get
You can also get extensions from a 3 part store like Chrome web store by default 3 part stores are disabled and you as a end user need to do a manual action
- Enable : Allow extensions from other stores
- Click Allow
Then you can use 3 part. extension stores, in this case I just searched for Microsoft extensions in Chrome web Store
- Search for Microsoft
- Click on Microsoft Teams Screen sharing
Then you can click Add to Chrome and
Then you have the two extensions installed.
If you don’t want the end user to install the extensions on there devices you can install the extensions automatic in a policy. But fist you need the strings where the extensions are stored online. There is different URLs for Microsoft and Chrome
For Microsoft it is : https://extensionwebstorebase.edgesv.net/v1/crx
For Chrome web store it is : https://clients2.google.com/service/update2/crx
A easy way of finding the unique identifier for the extensions is to:
- Enable Developer Mode
- Get the ID for Office extension from Microsoft Store
- Get the ID for Microsoft Teams Screen sharing extension from Chrome web store
Save this information – you are going to need it when creating the policy.
Now to creating a Edge policy in Intune:
Start Microsoft 365 Device Management portal
- Click Device Configuration
- Click Profiles
- Click Add
Do to Edge being a win32 app, we have GPO settings to configure Edge, and in Intune that is Administrative Templates. You need to have Edge version 77 or never installed for the policy to be applying.
In “What’s new in Microsoft Intune – Week of August 26, 2019” Configure Microsoft Edge settings using administrative templates for Windows 10 and newer was announced.
Microsoft Edge settings apply to:
Microsoft Edge version 77 and later.
Windows 10 RS4 and newer with KB 4512509 installed
Windows 10 RS5 and newer with KB 4512534 installed
Windows 10 19H1 and newer with KB 4512941 installed
- Enter Name : ADMX – Edge Browser Extensions
- Select Platform : Windows 10 and later
- Select Profile type : Administrative Templates
In this blog post I will configure 3 different settings there is many more setting that you can look into configure in your own environment.
The easy way to filter on what policy you can set is to click all products in the top left corner
- Select Edge version 77 or newer
The first policy I set is : “Control which extensions cannot be installed”
I Use “*” to block all extensions that aren’t explicitly listed in the allow list.
With this policy I control 100% what extensions is installed on my managed devices.
- Click Control which extensions cannot be installed
- Click Enable
- Enter *
The second policy I set is : “Control which extensions are installed silently”
In the policy setting I force the installation that I have tested previous in this blog post, you need the information that you found earlier.
- Click Control which extensions are installed silently
- Click Enable
- Enter the complete string for the installation path
gggmmkjegpiggikcnhidnjjhmicpibll;https://extensionwebstorebase.edgesv.net/v1/crx
dhheiegalgcabbcobinipgmhepkkeidk;https://clients2.google.com/service/update2/crx
The third policy I set is : “Allow specific extensions to be installed”
In the policy setting I specify the extension that I have tested previous in this blog post, you need the information that you found earlier. When you block all extensions by setting the ‘ExtensionInstallBlockList’ policy to “*,” users can only install extensions defined in this policy.
- Click Allow specific extensions to be installed
- Click Enable
- Enter the extensions id
gggmmkjegpiggikcnhidnjjhmicpibll
dhheiegalgcabbcobinipgmhepkkeidk
Now you are ready to deploy to policy to a test group.
Now for the end user experience:
When you are entering edge://extensions/ in the Edge browser you can see the all the extensions removal is grayed out.
If you are trying to install a extension from Microsoft Store you will get the message: “An Error has occurred”
- Click Get
- Click Close
If you are trying to install a extension from Chrome web store you will get the message: “Oooops”
- Click Add to Chrome
- Click Close
If you enter edge://policy/ in the Edge browser you can see all the policy that the IT admin has deployed to the end user and in this case you can also see the 3 browser extension policy that is deployed to this device
Happy testing
Read more:
Deploy Microsoft edge dev for business as a msi with intune
Mobile-First Cloud-First 
Hi Per
Thanks for a great post and excellent article. I tried to do exactly as per your policy, however it seems for the policy ( Control which extensions are installed silently) , it seems that the only way the extension from Edge store will work is by using the extension name only eg. by using this bbcinlkgjjkejfdpemiealijmmooekmp instead of using this https://microsoftedge.microsoft.com/addons/detail/bbcinlkgjjkejfdpemiealijmmooekmp.
Also the policy states this “For Windows devices that aren’t joined to a Microsoft Active Directory domain, forced installation is limited to extensions available in the Microsoft Store.” now. So i am correct to understand that you now cannot add chrome store extensions via this policy anymore? I tried to add a couple of chrome extensions via this policy but they all failed. I entered them in this format (https://chrome.google.com/webstore/detail/printerlogic-extension-v1/bfgjjammlemhdcocpejaompfoojnjjfn;http://clients2.google.com/service/update2/crx)
Are you aware of how i could get chrome extensions silently installed via any policy for Edge Chromium?
Thanks
Harry
I have tested it an it works fine for mw
Can you perhaps screenshot the setting you applied so I can compare my policy? You are using the device setting and not user setting in that policy right?
I have updated the blogpost with more accurately URL
Too bad that the Office extension does not have SSO, but it requires end user intervention. kinda lame
Hello Per, thank you for the great post. Is it possible to deploy the extension but make it possible for the user to deactivate it (not uninstall, just deactivate). I see that the users are not able to deactivate the extensions, the toggle is greyed out.
No, there is no way of doing that.
I will suggest that you create a uservoice on this https://microsoftedge.uservoice.com/
Is it possible to configure settings of an extension with intune?
Such as ‘Can only access some websites’ not ‘all websites’?
Ty,
AndKan