This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 44%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
Hi!
I am working with the ADMX Chrome polices and, for exemple, "disable notifications" is working fine for all my users. In other hand I tried to deploy the "block extensions" and I always have errors when I try to assing the policies to my users. Anyone have any idea??
This is the two policies that I tried:
Name: ExtensionInstallBlacklist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
Data type: String
Value: <enabled/> <data id="ExtensionInstallBlacklistDesc" value="1*"/>Name: ExtensionInstallWhitelist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
Data type: String
Value: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1ppnbnpeolgkicgegkbkbjmhlideopiji2bkbeeeffjjeopflfhgeknacdieedcoml3cfhdojbkjhnklbpkdaibdccddilifddb4hdokiejnpimakedhajhdlcegeplioahd"/>
The Chrome ADMX ingestion I uploaded is the 64 bits with that versions: <!--chrome version: 90.0.4430.0--> / <!--chrome version: 89.0.4389.90-->, both with the same result.
This is the ADMX part of extensions in that file:
<policy class="Both" displayName="$(string.ExtensionInstallBlacklist)" explainText="$(string.ExtensionInstallBlacklist_Explain)" key="Software\Policies\Google\Chrome" name="ExtensionInstallBlacklist" presentation="$(presentation.ExtensionInstallBlacklist)">
<parentCategory ref="DeprecatedPolicies"/>
<supportedOn ref="SUPPORTED_WIN7"/>
<elements>
<list id="ExtensionInstallBlacklistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallBlacklist" valuePrefix=""/>
</elements>
</policy>
<policy class="Both" displayName="$(string.ExtensionInstallWhitelist)" explainText="$(string.ExtensionInstallWhitelist_Explain)" key="Software\Policies\Google\Chrome" name="ExtensionInstallWhitelist" presentation="$(presentation.ExtensionInstallWhitelist)">
<parentCategory ref="DeprecatedPolicies"/>
<supportedOn ref="SUPPORTED_WIN7"/>
<elements>
<list id="ExtensionInstallWhitelistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallWhitelist" valuePrefix=""/>
</elements>
</policy>
Thanks!
The best method involves utilizing the 'Configure extension installation blocklist' setting through a Device Configuration profile. For more details on blocking or whitelisting Google Chrome Extensions using Intune, refer to this step-by-step guide: https://cloudinfra.net/block-whitelist-chrome-extensions-using-intune/
Finally, is working fine with the policies updated, actually all extensions are disabled and users can't activate new ones, here the correct code:
Name: ExtensionInstallBlocklist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlocklist
Data type: String
Value: <enabled/> <data id="ExtensionInstallBlocklistDesc" value="1*"/>Name: ExtensionInstallAllowlist
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallAllowlist
Data type: String
Value: <enabled/> <data id="ExtensionInstallAllowlistDesc" value="1ppnbnpeolgkicgegkbkbjmhlideopiji2bkbeeeffjjeopflfhgeknacdieedcoml3cfhdojbkjhnklbpkdaibdccddilifddb4hdokiejnpimakedhajhdlcegeplioahd"/>
anonymous user Thanks for your feedback. If you have any problem in the feature, welcome to post in our Q&A.
Thanks and have a nice day. : )
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 56.00000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Thanks so much for sharing your solution, really helped me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
thanks! i was missing the  AFTER the ID because i still don't understand why it needs it but this worked and i was able to fix my list!
anonymous user Thanks for posting in our Q&A.
For this issue, I checked the "chrome.admx" file and I find that the ExtensionInstallBlacklist and ExtensionInstallWhitelist are under DeprecatedPolicies, not Extensions.
So I try to deploy "OMA-URI:./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DeprecatedPolicies/ExtensionInstallBlacklist" to my group. It is deployed successfully. However, because of the two are deprecated, it seems have some problem in use.
Given this situation, it is suggested to feedback in chrome. The "chrome.admx" file is provided by chrome and then intune will create custom profile according to the "chrome.admx" file.
Thanks for understanding and have a nice day.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Yes, I didn't see the depracated label. I checked the file again and I saw the another part of code that suposed has the new extensions policies:
<policy class="Both" displayName="$(string.ExtensionInstallAllowlist)" explainText="$(string.ExtensionInstallAllowlist_Explain)" key="Software\Policies\Google\Chrome" name="ExtensionInstallAllowlist" presentation="$(presentation.ExtensionInstallAllowlist)">
<parentCategory ref="Extensions"/>
<supportedOn ref="SUPPORTED_WIN7"/>
<elements>
<list id="ExtensionInstallAllowlistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallAllowlist" valuePrefix=""/>
</elements>
</policy>
<policy class="Both" displayName="$(string.ExtensionInstallBlocklist)" explainText="$(string.ExtensionInstallBlocklist_Explain)" key="Software\Policies\Google\Chrome" name="ExtensionInstallBlocklist" presentation="$(presentation.ExtensionInstallBlocklist)">
<parentCategory ref="Extensions"/>
<supportedOn ref="SUPPORTED_WIN7"/>
<elements>
<list id="ExtensionInstallBlocklistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallBlocklist" valuePrefix=""/>
</elements>
I'm gonna check it and feeback here, however is there an alternative option to do it with Intune? thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 73%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Hi anonymous user did you ever manage to resolve this. I've lost several hours of my life trying many variations for both
ExtensionInstallForcelistDesc
ExtensionInstallAllowlistDesc
Neither are working for me. Here's the formatting I've been trying. Any thoughts?
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
<data id="ExtensionInstallForcelistDesc" value="1bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx2nngceckbapebfimnlniiiahkandclblb;https://clients2.google.com/service/update2/crx3ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallAllowlist
<data id="ExtensionInstallAllowlistDesc" value="1bkbeeeffjjeopflfhgeknacdieedcoml2nngceckbapebfimnlniiiahkandclblb3ppnbnpeolgkicgegkbkbjmhlideopiji"/>
Hey all
I solved this using the following OMA-URL just replace the guid with your own extensions. I've put one in bold as an example.
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
<enabled/>
<data id="ExtensionInstallForcelistDesc" value="1bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx2nngceckbapebfimnlniiiahkandclblb;https://clients2.google.com/service/update2/crx3ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>