Block/whitelist Edge extensions using Intune

In this blog post, we will see how to block or whitelist Edge extensions using Intune. This will give you greater control over which extensions can be used on your organization’s devices, helping to keep your data secure and your employees productive.

Allowing users to install any browser extension is a security risk: a user may unknowingly install a malicious extension that harms the device or the organization. Therefore, as Intune administrators, we should control which extensions end users are allowed to install.

A best practice is to block installation of all extensions and allow only the specific extensions approved by the administrator. This way you can make sure that the extensions in use are safe and regularly updated.

If you are managing your organization's devices using Microsoft Intune, you can create a device configuration profile with settings to allow and block extensions for Microsoft Edge and apply this profile to the target devices.

We will use the Microsoft Edge ADMX template settings to configure the block list and whitelist of extensions. Each entry in a block list or whitelist is an Extension ID, so first we need to find those IDs and then proceed with creating the device configuration profile. Let's check the steps:

Looking to do the same for Chrome?
You can use this step-by-step guide: Block/whitelist Chrome Extensions Using Intune.

How to find Extension ID in Edge

The first thing you need to do is find the Extension ID of each extension you want to whitelist. We will use these Extension IDs when creating the Intune policy that defines the block list and allow list of extensions.

The steps below will help you find the extension ID.

  • Launch the Microsoft Edge browser.
  • Click on the three dots in the top right-hand corner.
  • Click on Extensions.
[Screenshot: Microsoft Edge Extensions under settings]
  • Click on Manage extensions and then click on the link “Get extensions for Microsoft Edge”.
[Screenshot: Get extensions for Microsoft Edge]
  • Search for the extension which you want to whitelist. Let's take Adobe Acrobat as an example. Search for the extension and then click on it.
[Screenshot: Search for Extensions in Edge]
  • At the top of the page, in the address bar of the browser, you will find the Extension ID as the last part of the URL. Copy the extension ID and paste it into Notepad.
[Screenshot: Find Extension ID in Microsoft Edge browser]
  • Similarly, search for all other extensions which you want to whitelist and copy their Extension IDs into Notepad. We will need all these Extension IDs later when creating the policy in Intune.
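Extension IDs copied by hand are easy to get wrong, and a mistyped ID in the allow list simply never matches, so the extension stays blocked without any error in Intune. The following PowerShell snippet is an added example, not code from the original post: it pulls the ID out of each Edge Add-ons store URL you noted and checks that it has the shape Chromium-based browsers use (exactly 32 lowercase letters from a to p). The store URL layout, the sample URLs and their placeholder IDs are assumptions constructed for the example.

```powershell
# Added example (not from the original post): extract and validate Edge extension IDs
# from Microsoft Edge Add-ons store URLs before putting them in an Intune allow list.
# Assumption: store detail URLs have the form
#   https://microsoftedge.microsoft.com/addons/detail/<name>/<32-char id>
# The ID itself is 32 characters using only the letters a-p (Chromium convention).

function Test-EdgeExtensionId {
    param([Parameter(Mandatory)][string]$Id)
    # Chromium-based extension IDs are exactly 32 lowercase letters from a to p.
    return ($Id -cmatch '^[a-p]{32}$')
}

function Get-EdgeExtensionIdFromUrl {
    param([Parameter(Mandatory)][string]$Url)
    # The ID is the last path segment; the query string is dropped by AbsolutePath.
    $path = ([uri]$Url).AbsolutePath.TrimEnd('/')
    $candidate = $path.Split('/')[-1]
    if (Test-EdgeExtensionId -Id $candidate) { return $candidate }
    throw "No valid extension ID found in URL: $Url"
}

# Constructed sample list: paste the URLs you noted down while browsing the store.
# These placeholder IDs are made up for the example; replace them with your own.
$storeUrls = @(
    'https://microsoftedge.microsoft.com/addons/detail/example-extension/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'https://microsoftedge.microsoft.com/addons/detail/another-one/abcdefghijklmnopabcdefghijklmnop?hl=en-US'
)

$allowList = foreach ($u in $storeUrls) { Get-EdgeExtensionIdFromUrl -Url $u }

# One ID per line is the format the Intune text box
# "Extension IDs to exempt from the block list" expects, so save it ready to paste.
$allowList | Set-Content -Path (Join-Path $env:TEMP 'edge-allowlist.txt')
$allowList
```

Run it once with all the store URLs you collected; any URL whose last path segment is not a well-formed ID raises an error immediately instead of producing a silently ineffective allow list entry.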

Create Device Configuration Profile

Next step is to create a device configuration profile in Intune. Let’s check the steps:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Configuration profiles > + Create profile.
  • Select Platform as Windows 10 and later.
  • Select Profile type as Templates.
  • Click on Administrative Templates > Create.
If you are unable to find the Microsoft Edge ADMX template in Intune, you can refer to my other blog post, which provides a detailed step-by-step guide on how to Import ADMX file in Intune.

Basics Tab

  • Provide a Name for the profile: Block/Whitelist Microsoft Edge Extensions
  • Description: Custom device configuration profile used for blocking or whitelisting Microsoft Edge extensions

Configuration Settings

  • Go to Computer Configuration > Microsoft Edge > Extensions folder.
  • Search for the setting “Control which extensions cannot be installed”.
  • Select the Enabled radio button.
  • Extension IDs the user should be prevented from installing (or * for all) – Add * in the text box and then click on OK to save.
Instead of blocking all extensions with the wildcard character *, you can also provide specific extension IDs to block only those extensions in Microsoft Edge.
[Screenshot: Control which extensions cannot be installed – Edge, Intune]
  • Search for the setting “Allow specific extensions to be installed” and click on Enabled.
  • In the Extension IDs to exempt from the block list text box, provide one Extension ID per row for each extension you want to whitelist. In our example we want to whitelist the Adobe Acrobat extension, therefore we provided the extension ID of Adobe Acrobat.
[Screenshot: Allow specific extensions to be installed – Edge, Intune]

Assignments

Create an Azure AD security group which contains the users or devices where this device configuration profile needs to be deployed. Please note that if you add users to the group, the Block/Whitelist Microsoft Edge Extensions policy will be applied on all of those users' devices that are Azure AD joined and enrolled in Intune. If you want to deploy it to specific devices, add the devices to the Azure AD security group rather than the users.

To deploy it on all end user devices, you can click on + Add all devices to target every device enrolled in Intune.

Review + Create

On the Review + Create tab, review the device configuration profile and click on Create. As soon as you click the Create button, the device configuration profile is created and the block/whitelist Edge extensions policy begins applying on the targeted devices.

[Screenshot: Block/Whitelist Microsoft Edge Extensions Policy]

Intune Policy Refresh Cycle

The device will sync/check in to start deployment of this new device configuration profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force an Intune refresh cycle on the device, which speeds up the download and installation process. You can also use PowerShell to force an Intune refresh cycle.

Alternatively, restart the device, which also starts the device check-in process. A manual sync is not mandatory on users' devices because the device check-in happens automatically, but if you are testing the profile on a test device it can speed up your testing and save some time.

End user Experience

Now let's check what happens on the end user device after the policy has been deployed successfully. Launch the Edge browser to verify that installation of all extensions is blocked and only the whitelisted extension, Adobe Acrobat, is allowed.

A few extensions were already installed in Microsoft Edge. As soon as the policy that blocks all extensions except Adobe Acrobat is applied, a pop-up message appears in the top right-hand corner: “Some extensions are not allowed. The following extensions are blocked by your administrator.”

This policy blocked all other extensions except Adobe Acrobat, as per the whitelist.

[Screenshot: Some extensions are not allowed]

Let’s now see if we are able to install any other extension in Edge. I tried to install Nord VPN browser extension and received an error “Your admin has blocked <extension name> for Privacy and Security – App ID <AppID>“.

[Screenshot: Your admin has blocked <extension name> for Privacy and Security - App ID <AppID>]
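The post mentions forcing an Intune refresh cycle from PowerShell (in the Intune Policy Refresh Cycle section) and then checking the result in the browser. As an added example, not code from the original post, the script below does both from an elevated prompt on a test device: it starts the MDM enrollment client's PushLaunch scheduled task to trigger a check-in, then reads the Edge policy registry keys ExtensionInstallBlocklist and ExtensionInstallAllowlist, which is where the two ADMX settings configured above land, and reports whether the wildcard block plus the expected allow list are in place. The task name and path, the registry location, the 60-second wait and the placeholder extension ID are assumptions.

```powershell
# Added example (not from the original post): force an Intune check-in on a test device,
# then read back the Edge extension policy to confirm the block list and allow list landed.
# Assumptions: the device is MDM-enrolled (so the EnterpriseMgmt "PushLaunch" scheduled
# task exists) and the policy is delivered as Edge ADMX settings, which Edge reads from
# HKLM:\SOFTWARE\Policies\Microsoft\Edge. Run from an elevated PowerShell prompt.

function Start-IntuneSync {
    # The MDM enrollment client registers a 'PushLaunch' task under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\; starting it triggers a check-in.
    $task = Get-ScheduledTask | Where-Object {
        $_.TaskName -eq 'PushLaunch' -and $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*'
    }
    if (-not $task) { throw 'PushLaunch task not found: is this device enrolled in Intune?' }
    $task | Start-ScheduledTask
}

function Get-EdgeExtensionPolicy {
    # Edge stores list policies as numbered string values ("1", "2", ...) under these keys.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $result = [ordered]@{}
    foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = Join-Path $base $list
        $ids = @()
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $ids = $props.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object { $_.Value }
        }
        $result[$list] = @($ids)
    }
    return $result
}

function Test-EdgeExtensionPolicy {
    param([string[]]$ExpectedAllowed)
    $policy = Get-EdgeExtensionPolicy
    # '*' in the block list is the "block everything" setting configured in the profile.
    $blocksAll = $policy.ExtensionInstallBlocklist -contains '*'
    # Any expected ID missing from the allow list means that extension will stay blocked.
    $missing = @($ExpectedAllowed | Where-Object { $policy.ExtensionInstallAllowlist -notcontains $_ })
    [pscustomobject]@{
        BlocksAllExtensions  = $blocksAll
        AllowListed          = $policy.ExtensionInstallAllowlist
        MissingFromAllowList = $missing
        Compliant            = ($blocksAll -and $missing.Count -eq 0)
    }
}

Start-IntuneSync
Start-Sleep -Seconds 60   # give the MDM client time to pull and apply the profile
# Placeholder ID: replace with the Adobe Acrobat extension ID you copied from the store URL.
Test-EdgeExtensionPolicy -ExpectedAllowed @('<AdobeAcrobatExtensionId>')
```

If the script reports the policy as present but an allowed extension is still blocked, open edge://policy in the browser: it lists the same values as Edge has parsed them and flags any entry the browser rejected, which usually points to a malformed ID.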

Conclusion

In this blog post, we have seen how to easily create a block list and whitelist of extensions for the Microsoft Edge browser using Intune. There is no need to use OMA-URI settings; you can use the Edge ADMX settings to create a block list and whitelist of Edge extensions and apply them to end user devices.
