How to Block Edge Extensions using Intune

In this post, I will show you how to block Edge extensions using Intune. You can restrict users from installing Microsoft Edge extensions using Intune(MEM).

You can easily manage Edge extensions using Intune and block specific edge extensions or only allow specific edge extensions to be installed by users.

There are two methods to control Microsoft Edge Extensions via Intune.

  1. Allow specific edge extensions to install and block specific extensions from installation.
  2. Block installing all the Edge extensions in Intune.

If you want to allow specific extensions to install, you create an Intune Edge extension allow list, and add the list of extension ID’s to the allow list. Whereas the second method is useful when you want to completely block installing all the extensions in Edge. If you have come here looking for the first method, I will probably cover that in a separate post.

I was talking to my colleague a few days ago, and he mentioned that in his organization, users are restricted from installing any Edge extensions. He works for an investment banking firm and usually the security is one notch higher than the rest of the companies.

He mentioned that even Bluetooth access is restricted via Intune. Blocking edge extensions using Intune prevents users from installing any add-on or extension. The best part here is you can completely block installation of Edge extensions using Intune, and it takes few steps to deploy this policy.

How to Block Edge Extensions using Intune

We will now create a Device Configuration Profile to block Edge extensions using Intune.

  • First, sign in to the Microsoft Endpoint Manager admin center.
  • Go to Devices > Windows > Configuration Profiles.
  • Create a new Intune Configuration profile and define the settings to block edge extensions.

On Windows Configuration Profiles window, select Create Profile.

Intune Device Configuration Profile - Block Edge Extensions
Intune Device Configuration Profile – Block Edge Extensions

On the Create a Profile window, select Platform as Windows 10 and later. Select profile type as Settings catalog. Click Create.

Intune Device Configuration Profile - Block Edge Extensions
Intune Device Configuration Profile – Block Edge Extensions

On the Basics tab, specify the name of the profile as Block Edge Extensions, and you may add a profile description. Click Next.

Intune Device Configuration Profile - Block Edge Extensions
Intune Device Configuration Profile – Block Edge Extensions

On the Configuration Settings section, under Settings Catalog, click Add Settings.

Settings Catalog - Add Settings
Settings Catalog – Add Settings

On the Settings picker window, type “extensions” in the search box and click Search. From the search results, select Microsoft Edge\Extensions. Now select Control which extensions cannot be installed.

Block Edge Extensions using Intune
Block Edge Extensions using Intune

To block Edge extensions using Intune, we will use the Control which extensions cannot be installed setting in Intune. This setting lists specific extensions that users can NOT install in Microsoft Edge.

Enable the Control which extensions cannot be installed setting.

When you deploy this policy, any extensions on this list that were previously installed will be disabled, and the user won’t be able to enable them.

If you remove an item from the list of blocked extensions, that extension is automatically re-enabled anywhere it was previously installed.

You can use “*” to block all extensions that aren’t explicitly listed in the allow list. If you don’t configure this policy, users can install any extension in Microsoft Edge. Click Next.

Block Edge Extensions using Intune
Block Edge Extensions using Intune

On the Assignments window, specify the groups to which you want to target this policy. Click Next.

Block Edge Extensions using Intune - Policy Assignments
Block Edge Extensions using Intune – Policy Assignments

In Intune, Scope tags determine which objects admins can see. On the Scope tags section, you specify scope tags. Click Next.

Define Scope Tags
Define Scope Tags

On the Review + Create section, review all the settings defined to block edge extensions and select Create.

Review and Create - Block Edge Extensions using Intune
Review and Create – Block Edge Extensions using Intune

After you create a device configuration policy in Intune, a notification appears “Policy created successfully“. This confirms that we have deployed the policy to block installing edge extensions.

Block Edge Extensions using Intune Policy Created
Block Edge Extensions using Intune Policy Created

End-User Experience

After you have successfully deployed the policy to block edge extensions, let’s test if the users can install extensions from Edge Add-ons store.

Launch the Edge browser and type edge://extensions/ in the address bar. Select Get extensions for Microsoft Edge. From the list of extensions, select any extension and click Get.

You see a notification that states, “Your admin has blockedextension name” – APP ID.

Edge Extension installation blocked
Edge Extension installation blocked

Even if you attempt to install Microsoft extensions, you see the same message. You cannot install any extensions because we have blocked it using a policy.

Edge Extension installation blocked
Edge Extension installation blocked

If you choose to install extensions from Google Chrome store, you see the following message – This extension is blocked by your organization. Instead of Get extension, you see Blocked by admin.

I hope this post helps you to restrict users from installing extensions in Edge browser. If you have any questions, add them in the comments section.

How to Block Edge Extensions using Intune
How to Block Edge Extensions using Intune

Prajwal Desai

Hi, I am Prajwal Desai. For last few years, I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Windows 11, Azure, Security etc. I created this site so that I can share valuable information with everyone.

Leave a Comment