Managing Forced Browser Extensions at Scale with Intune

Managing Forced Browser Extensions at Scale with Intune

Intune supports configuring forced browser extensions for both Google Chrome and Microsoft Edge using the ExtensionInstallForcelist policy. However, there’s a significant limitation: Intune does not merge multiple configuration profiles that define this setting. If more than one profile targeting ExtensionInstallForcelist is assigned to the same user or device, the result is a policy conflict.

Once in a conflict state, Intune reports the setting as “Conflict”—but it’s unclear which policy, if any, actually takes effect. This behavior is inconsistent and makes the use of configuration profiles unreliable in environments where multiple extensions need to be managed across diverse user groups or departments.

Recommended Approach: Proactive Remediations

To avoid this limitation, I recommend managing browser extension enforcement using Intune Proactive Remediations and PowerShell. This approach provides much better flexibility and control in a scalable way.

Benefits:

You can assign multiple proactive remediation scripts to different device or user groups without risk of policy collision.
Each script can independently manage a specific set of extensions.
Logging and conditional logic provide greater visibility and reliability.

Provided Scripts

The following PowerShell scripts are designed to be used with Intune Proactive Remediations and work under the SYSTEM context.

Detection Script

This script checks whether specific extensions are present in the ExtensionInstallForcelist registry key. If any required extensions are missing, the script exits with a non-zero code to trigger remediation.

Remediation Script

This script adds specified extensions to the force-install list. It:

Supports both Chrome and Edge
Handles multiple extensions in a single run
Avoids duplicate entries
Creates the registry key if it doesn’t already exist
Logs all actions to C:\Windows\Logs

Optional: Removal Script

An optional script is also provided to remove specific extensions from the force-install list. This is useful for cleaning up deprecated or unauthorized extensions.

Use Cases

Enforcing security-related extensions like LastPass, uBlock Origin, or Microsoft Defender
Deploying internal tools such as Graph X-Ray or custom enterprise extensions
Assigning different extensions by role, department, or region without policy conflicts

Download the Scripts

All scripts are available here:

Each script is self-contained, easy to modify, and ready to deploy.

This method offers a more reliable and scalable way to manage browser extension policies in Intune-managed environments. It avoids the limitations of configuration profiles and provides the flexibility needed to support complex enterprise requirements.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.