Forum Discussion
Edge Policy REQ: Allow Extensions from other stores
Deleted
Correct yes we are using Edge with our Azure/Enterprise accounts (hybrid join, MEMCM co-managed etc).
We currently white list approved extensions... In order to install an approved extension from Chrome Web Store, users need to turn that flag on manually.
We would like the option to set this for them, reduce one more self-config step and secure with other methods (allowed extensions/stores etc).
Another option would be to exclude approved extensions from that security check so the option could still be off but still allow installation. This is the behavior for forced extension installations...
What a coincidence. I was just looking at exactly this today and was met with the exact same issue ... no way to enable that switch.
There was already another discussion over at https://techcommunity.microsoft.com/t5/enterprise/gpo-for-quot-allow-extensions-from-other-store-quot/m-p/860733 about this but they never came to anything close to a solution.
I've also opened a case regarding this, if that helps anyone.
ashishpoddarMicrosoft
We have explained the current workflow for the preference"Allow extensions from other stores" in this post https://techcommunity.microsoft.com/t5/microsoft-security-baselines/edge-extensions-developer-and-other-store-toggle/m-p/1231892#M52
Could you please review it and let us know your feedback on that thread please?
I've reviewed the thread you link and I got three issues with the workflow described in it.
1. There is no way to prevent users from enabling the "Allow extensions from other stores" switch. The only way to actually prevent the installation itself is to blacklist the extension GUID "*". Currently there is no way for us to limit users to just the Microsoft store.
2. As part of the case I opened I was asked to test the "ExtensionInstallSources" policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallsources) but it appears that this is completely unrelated to the "Allow extensions from other stores" switch too.
Setting the following two policies will still prompt you to enable the installation from other stores even when you are on the Chrome store's website:
- HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\1 = https://microsoftedge.microsoft.com/addons/*
- HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\2 = https://chrome.google.com/webstore/*
I'd kind of expect the switch to be toggled if there already is a policy in place to allow another store. Maybe that's just me.
Likewise I'd expect to user to be unable to install extensions from _any other_ store if I already provide a whitelisted set of stores. The user should not be allowed to install from any other sources than the whitelisted ones.
3. Having the user manually enable the installation from other stores might seem like a security measure but in reality there are just two things that will happen. Group 1 clicks "OK" on everything without thinking anyway, regardless of consequences. And group 2 will call the IT hotline and ask what it all means and whether they can safely click the button. Being able to take away this decision from our users would save everyone some time, especially if we had the ability to both either disable or enable it permanently with a GPO. Bundle that with the ability to explicitly whitelist sources through the "ExtensionInstallSources" and in turn automatically blacklisting all other sources we'd have everything we need.
- ashishpoddar
narutards Thanks for the detailed explanation of the requirements. We are exploring various options with respect to this.
I just want to clarify that as of now ExtensionInstallSources policy cannot be used to block extensions from the Chrome Web Store.
