Edge Policy REQ: Allow Extensions from other stores

ashishpoddar 

I've reviewed the thread you link and I got three issues with the workflow described in it.

1. There is no way to prevent users from enabling the "Allow extensions from other stores" switch. The only way to actually prevent the installation itself is to blacklist the extension GUID "*". Currently there is no way for us to limit users to just the Microsoft store.

2. As part of the case I opened I was asked to test the "ExtensionInstallSources" policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallsources) but it appears that this is completely unrelated to the "Allow extensions from other stores" switch too. 

Setting the following two policies will still prompt you to enable the installation from other stores even when you are on the Chrome store's website:

• HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\1 = https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmicrosoftedge.microsoft.com%2Faddons%2F*&data=02%7C01%7CAndre.Oliveira%40microsoft.com%7Cc96b09842d974dfdb4e708d7c69ced71%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637196249621702170&sdata=Z5PbZQvd8ZDJwO%2BwIaHXrSNVjDJaICTTWDLNht%2FAuKQ%3D&reserved=0
• HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\2 = https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fchrome.google.com%2Fwebstore%2F*&data=02%7C01%7CAndre.Oliveira%40microsoft.com%7Cc96b09842d974dfdb4e708d7c69ced71%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637196249621702170&sdata=dgGZ9XJjLWDRsEv%2B7ooqaAAOzzihDLPgz9A3lP6x9b4%3D&reserved=0

I'd kind of expect the switch to be toggled if there already is a policy in place to allow another store. Maybe that's just me.

Likewise I'd expect to user to be unable to install extensions from _any other_ store if I already provide a whitelisted set of stores. The user should not be allowed to install from any other sources than the whitelisted ones.

3. Having the user manually enable the installation from other stores might seem like a security measure but in reality there are just two things that will happen. Group 1 clicks "OK" on everything without thinking anyway, regardless of consequences. And group 2 will call the IT hotline and ask what it all means and whether they can safely click the button. Being able to take away this decision from our users would save everyone some time, especially if we had the ability to both either disable or enable it permanently with a GPO. Bundle that with the ability to explicitly whitelist sources through the "ExtensionInstallSources" and in turn automatically blacklisting all other sources we'd have everything we need.