Rogue browser extensions are a growing source of information leakage and cookie theft.

In a corporate environment it is best practice to take a whitelist approach to browser extensions. Luckily, Intune has a built-in Administrative Template setting to block all browser extensions except those that are explicitly allowed.

  1. Use an existing Administrative template profile or create a new profile by going to Devices > Configuration Profiles > Create profile > Platform (Windows 10 and later) > Profile type Templates > Administrative Templates

  2. Search for the setting called "Control which extensions cannot be installed". Whether to use the Device or User targeted version depends on your specific scenario. I prefer User targeted.

  3. Set to Enabled with an Extension ID of * to block all extensions.

  4. It is also recommended to configure the settings below:

| Setting | Recommended State | Value |
| --- | --- | --- |
| Blocks external extensions from being installed | Enabled | N/A |
| Control which extensions cannot be installed | Enabled | * |
| Allow specific extensions to be installed | N/A | Obtain extension IDs from Edge or Chrome Extension Store |
| Control which extensions are installed silently | N/A | Obtain extension IDs from Edge or Chrome Extension Store |
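
To confirm the profile has actually reached a device, the following added example (not part of the original post) reads the resulting policy values and flags extension folders in the user's Edge profiles that are not on the allow or force list. It assumes Microsoft Edge, the standard Edge policy registry key (`SOFTWARE\Policies\Microsoft\Edge`) and the default profile location under `%LOCALAPPDATA%`; the function names are illustrative.

```powershell
# Added example, not from the original post. Assumes Microsoft Edge, the standard
# Edge policy registry key and the default profile location. Run it in the
# signed-in user's session so HKCU and %LOCALAPPDATA% refer to that user.
$PolicyRoot = 'SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList {
    param([string]$Hive, [string]$Name)
    $path = "${Hive}:\$PolicyRoot\$Name"
    if (-not (Test-Path -Path $path)) { return }
    $key = Get-Item -Path $path
    # List policies are stored as numbered string values (1, 2, 3, ...).
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

function Get-EdgeExtensionPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $block = @(Get-EdgePolicyList -Hive $Hive -Name 'ExtensionInstallBlocklist')
    $allow = @(Get-EdgePolicyList -Hive $Hive -Name 'ExtensionInstallAllowlist')
    # Force-list entries have the form "<id>;<update URL>"; keep only the ID.
    $force = @(Get-EdgePolicyList -Hive $Hive -Name 'ExtensionInstallForcelist' |
        ForEach-Object { ($_ -split ';')[0] })
    $external = (Get-ItemProperty -Path "${Hive}:\$PolicyRoot" -ErrorAction SilentlyContinue).BlockExternalExtensions
    [pscustomobject]@{
        Scope                   = $Hive
        BlockAll                = $block -contains '*'
        BlockExternalExtensions = $external -eq 1
        PermittedIds            = @($allow + $force | Sort-Object -Unique)
    }
}

function Get-EdgeProfileExtensionId {
    # Each extension is unpacked to <profile>\Extensions\<32-character ID>.
    $userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    Get-ChildItem -Path $userData -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path (Join-Path $_.FullName 'Extensions') -Directory -ErrorAction SilentlyContinue } |
        Where-Object { $_.Name -cmatch '^[a-p]{32}$' } |
        Select-Object -ExpandProperty Name -Unique
}

$policies = 'HKLM', 'HKCU' | ForEach-Object { Get-EdgeExtensionPolicy -Hive $_ }
$policies | Format-List
if (-not ($policies | Where-Object BlockAll)) {
    Write-Warning 'No "*" block-list entry found: extensions are not blocked by default.'
}
$permitted = @($policies.PermittedIds)
Get-EdgeProfileExtensionId | Where-Object { $_ -notin $permitted } |
    ForEach-Object { Write-Warning "Extension $_ is in a profile but not on the allow or force list." }
```

The effective values can also be checked interactively on the `edge://policy` page.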