Intune supports configuring forced browser extensions for both Google Chrome and Microsoft Edge using the ExtensionInstallForcelist
policy. However, there’s a significant limitation: Intune does not merge multiple configuration profiles that define this setting. If more than one profile targeting ExtensionInstallForcelist
is assigned to the same user or device, the result is a policy conflict.
Once in a conflict state, Intune reports the setting as “Conflict”—but it’s unclear which policy, if any, actually takes effect. This behavior is inconsistent and makes the use of configuration profiles unreliable in environments where multiple extensions need to be managed across diverse user groups or departments.
To avoid this limitation, I recommend managing browser extension enforcement using Intune Proactive Remediations and PowerShell. This approach provides much better flexibility and control in a scalable way.
Benefits:
You can assign multiple proactive remediation scripts to different device or user groups without risk of policy collision.
Each script can independently manage a specific set of extensions.
Logging and conditional logic provide greater visibility and reliability.
The following PowerShell scripts are designed to be used with Intune Proactive Remediations and work under the SYSTEM context.
This script checks whether specific extensions are present in the ExtensionInstallForcelist
registry key. If any required extensions are missing, the script exits with a non-zero code to trigger remediation.
This script adds specified extensions to the force-install list. It:
Supports both Chrome and Edge
Handles multiple extensions in a single run
Avoids duplicate entries
Creates the registry key if it doesn’t already exist
Logs all actions to C:\Windows\Logs
An optional script is also provided to remove specific extensions from the force-install list. This is useful for cleaning up deprecated or unauthorized extensions.
Enforcing security-related extensions like LastPass, uBlock Origin, or Microsoft Defender
Deploying internal tools such as Graph X-Ray or custom enterprise extensions
Assigning different extensions by role, department, or region without policy conflicts
All scripts are available here:
Each script is self-contained, easy to modify, and ready to deploy.
This method offers a more reliable and scalable way to manage browser extension policies in Intune-managed environments. It avoids the limitations of configuration profiles and provides the flexibility needed to support complex enterprise requirements.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |