Try It

Managing Forced Browser Extensions at Scale with Intune

shape_not_found
shape_not_found
intune browser extensions

Managing Forced Browser Extensions at Scale with Intune

Intune supports configuring forced browser extensions for both Google Chrome and Microsoft Edge using the ExtensionInstallForcelist policy. However, there’s a significant limitation: Intune does not merge multiple configuration profiles that define this setting. If more than one profile targeting ExtensionInstallForcelist is assigned to the same user or device, the result is a policy conflict.

Once in a conflict state, Intune reports the setting as “Conflict”—but it’s unclear which policy, if any, actually takes effect. This behavior is inconsistent and makes the use of configuration profiles unreliable in environments where multiple extensions need to be managed across diverse user groups or departments.

Recommended Approach: Proactive Remediations

To avoid this limitation, I recommend managing browser extension enforcement using Intune Proactive Remediations and PowerShell. This approach provides much better flexibility and control in a scalable way.

Benefits:

  • You can assign multiple proactive remediation scripts to different device or user groups without risk of policy collision.

  • Each script can independently manage a specific set of extensions.

  • Logging and conditional logic provide greater visibility and reliability.

Provided Scripts

The following PowerShell scripts are designed to be used with Intune Proactive Remediations and work under the SYSTEM context.

Detection Script

This script checks whether specific extensions are present in the ExtensionInstallForcelist registry key. If any required extensions are missing, the script exits with a non-zero code to trigger remediation.

Remediation Script

This script adds specified extensions to the force-install list. It:

  • Supports both Chrome and Edge

  • Handles multiple extensions in a single run

  • Avoids duplicate entries

  • Creates the registry key if it doesn’t already exist

  • Logs all actions to C:\Windows\Logs

Optional: Removal Script

An optional script is also provided to remove specific extensions from the force-install list. This is useful for cleaning up deprecated or unauthorized extensions.

Use Cases

  • Enforcing security-related extensions like LastPass, uBlock Origin, or Microsoft Defender

  • Deploying internal tools such as Graph X-Ray or custom enterprise extensions

  • Assigning different extensions by role, department, or region without policy conflicts

Download the Scripts

All scripts are available here: 

github mark2
Get the Scripts!


Each script is self-contained, easy to modify, and ready to deploy.

This method offers a more reliable and scalable way to manage browser extension policies in Intune-managed environments. It avoids the limitations of configuration profiles and provides the flexibility needed to support complex enterprise requirements.

Picture of John Marcum

John Marcum

John Marcum is a Technical Architect and Program Manager for PowerStacks BI products for Endpoint Manager residing in Alabama. John is an active blogger and he participates regularly in the Configuration Manager and Intune forums on Reddit as well as Twitter and LinkedIn. John devotes much of his time to conquering device management challenges. When he is not blogging, answering questions online, expanding his skill sets or working, he enjoys spending time on the lake where he lives.