Edge Policy REQ: Allow Extensions from other stores

%3CLINGO-SUB%20id%3D%22lingo-sub-1201189%22%20slang%3D%22en-US%22%3EEdge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1201189%22%20slang%3D%22en-US%22%3E%3CP%3EAn%20Edge%20policy%20to%20enable%2Fdisable%20%22Allow%20extensions%20from%20other%20stores.%22%20would%20be%20very%20helpful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20currently%20use%20the%20allow%20extensions%20policy%2C%20in%20addition%20to%20allowed%20lists%2C%20and%20url%2Fstore%20restrictions.%26nbsp%3B%20Some%20allowed%20extensions%20are%20from%20the%20Chrome%20store.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThough%20using%20these%20requires%20this%20additional%20manual%20step%20to%20actually%20install%20the%20extension.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1208045%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1208045%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F548065%22%20target%3D%22_blank%22%3E%40dandirk%3C%2FA%3E%26nbsp%3BThanks%20for%20reaching%20out!%20To%20confirm%2C%20are%20you%20using%20Microsoft%20Edge%20on%20an%20Enterprise%20account%3F%20And%20if%20so%2C%20can%20you%20provide%20some%20more%20details%20about%20how%20an%20enable%2Fdisable%20policy%20would%20be%20beneficial%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CI%3EFawkes%20(they%2Fthem)Project%20%26amp%3B%20Community%20Manager%20-%20Microsoft%20Edge%3CI%3E%3C%2FI%3E%3C%2FI%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1209341%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1209341%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F484598%22%20target%3D%22_blank%22%3E%40fawkes%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECorrect%20yes%20we%20are%20using%20Edge%20with%20our%20Azure%2FEnterprise%20accounts%20(hybrid%20join%2C%20MEMCM%20co-managed%20etc).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20currently%20white%20list%20approved%20extensions...%26nbsp%3B%20In%20order%20to%20install%20an%20approved%20extension%20from%20Chrome%20Web%20Store%2C%20users%20need%20to%20turn%20that%20flag%20on%20manually.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20would%20like%20the%20option%20to%20set%20this%20for%20them%2C%20reduce%20one%20more%20self-config%20step%20and%20secure%20with%20other%20methods%20(allowed%20extensions%2Fstores%20etc).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20option%20would%20be%20to%20exclude%20approved%20extensions%20from%20that%20security%20check%20so%20the%20option%20could%20still%20be%20off%20but%20still%20allow%20installation.%26nbsp%3B%20This%20is%20the%20behavior%20for%20forced%20extension%20installations...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1224468%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1224468%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F548065%22%20target%3D%22_blank%22%3E%40dandirk%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20a%20coincidence.%20I%20was%20just%20looking%20at%20exactly%20this%20today%20and%20was%20met%20with%20the%20exact%20same%20issue%20...%20no%20way%20to%20enable%20that%20switch.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20was%20already%20another%20discussion%20over%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fenterprise%2Fgpo-for-quot-allow-extensions-from-other-store-quot%2Fm-p%2F860733%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fenterprise%2Fgpo-for-quot-allow-extensions-from-other-store-quot%2Fm-p%2F860733%3C%2FA%3E%26nbsp%3Babout%20this%20but%20they%20never%20came%20to%20anything%20close%20to%20a%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI've%20also%20opened%20a%20case%20regarding%20this%2C%20if%20that%20helps%20anyone.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1231900%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1231900%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510249%22%20target%3D%22_blank%22%3E%40narutards%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F548065%22%20target%3D%22_blank%22%3E%40dandirk%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20explained%20the%20current%20workflow%20for%20the%20preference%22Allow%20extensions%20from%20other%20stores%22%20in%20this%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fedge-extensions-developer-and-other-store-toggle%2Fm-p%2F1231892%23M52%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fedge-extensions-developer-and-other-store-toggle%2Fm-p%2F1231892%23M52%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECould%20you%20please%20review%20it%20and%20let%20us%20know%20your%20feedback%20on%20that%20thread%20please%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1232066%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1232066%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318153%22%20target%3D%22_blank%22%3E%40ashishpoddar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20reviewed%20the%20thread%20you%20link%20and%20I%20got%20three%20issues%20with%20the%20workflow%20described%20in%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20There%20is%20no%20way%20to%20prevent%20users%20from%20enabling%20the%20%22Allow%20extensions%20from%20other%20stores%22%20switch.%20The%20only%20way%20to%20actually%20prevent%20the%20installation%20itself%20is%20to%20blacklist%20the%20extension%20GUID%20%22*%22.%20Currently%20there%20is%20no%20way%20for%20us%20to%20limit%20users%20to%20just%20the%20Microsoft%20store.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20As%20part%20of%20the%20case%20I%20opened%20I%20was%20asked%20to%20test%20the%20%22ExtensionInstallSources%22%20policy%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23extensioninstallsources%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdeployedge%2Fmicrosoft-edge-policies%23extensioninstallsources%3C%2FA%3E)%20but%20it%20appears%20that%20this%20is%20completely%20unrelated%20to%20the%20%22Allow%20extensions%20from%20other%20stores%22%20switch%20too.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESetting%20the%20following%20two%20policies%20will%20still%20prompt%20you%20to%20enable%20the%20installation%20from%20other%20stores%20even%20when%20you%20are%20on%20the%20Chrome%20store's%20website%3A%3C%2FP%3E%3CUL%3E%3CLI%3EHKLM%3A%5CSOFTWARE%5CPolicies%5CMicrosoft%5CEdge%5CExtensionInstallSources%5C1%20%3D%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fmicrosoftedge.microsoft.com%252Faddons%252F*%26amp%3Bdata%3D02%257C01%257CAndre.Oliveira%2540microsoft.com%257Cc96b09842d974dfdb4e708d7c69ced71%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637196249621702170%26amp%3Bsdata%3DZ5PbZQvd8ZDJwO%252BwIaHXrSNVjDJaICTTWDLNht%252FAuKQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftedge.microsoft.com%2Faddons%2F*%3C%2FA%3E%3C%2FLI%3E%3CLI%3EHKLM%3A%5CSOFTWARE%5CPolicies%5CMicrosoft%5CEdge%5CExtensionInstallSources%5C2%20%3D%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fchrome.google.com%252Fwebstore%252F*%26amp%3Bdata%3D02%257C01%257CAndre.Oliveira%2540microsoft.com%257Cc96b09842d974dfdb4e708d7c69ced71%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637196249621702170%26amp%3Bsdata%3DdgGZ9XJjLWDRsEv%252B7ooqaAAOzzihDLPgz9A3lP6x9b4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fchrome.google.com%2Fwebstore%2F*%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI'd%20kind%20of%20expect%20the%20switch%20to%20be%20toggled%20if%20there%20already%20is%20a%20policy%20in%20place%20to%20allow%20another%20store.%20Maybe%20that's%20just%20me.%3C%2FP%3E%3CP%3ELikewise%20I'd%20expect%20to%20user%20to%20be%20unable%20to%20install%20extensions%20from%20_any%20other_%20store%20if%20I%20already%20provide%20a%20whitelisted%20set%20of%20stores.%20The%20user%20should%20not%20be%20allowed%20to%20install%20from%20any%20other%20sources%20than%20the%20whitelisted%20ones.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20Having%20the%20user%20manually%20enable%20the%20installation%20from%20other%20stores%20might%20seem%20like%20a%20security%20measure%20but%20in%20reality%20there%20are%20just%20two%20things%20that%20will%20happen.%20Group%201%20clicks%20%22OK%22%20on%20everything%20without%20thinking%20anyway%2C%20regardless%20of%20consequences.%20And%20group%202%20will%20call%20the%20IT%20hotline%20and%20ask%20what%20it%20all%20means%20and%20whether%20they%20can%20safely%20click%20the%20button.%20Being%20able%20to%20take%20away%20this%20decision%20from%20our%20users%20would%20save%20everyone%20some%20time%2C%20especially%20if%20we%20had%20the%20ability%20to%20both%20either%20disable%20or%20enable%20it%20permanently%20with%20a%20GPO.%20Bundle%20that%20with%20the%20ability%20to%20explicitly%20whitelist%20sources%20through%20the%20%22ExtensionInstallSources%22%20and%20in%20turn%20automatically%20blacklisting%20all%20other%20sources%20we'd%20have%20everything%20we%20need.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1249560%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1249560%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F510249%22%20target%3D%22_blank%22%3E%40narutards%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20detailed%20explanation%20of%20the%20requirements.%20We%20are%20exploring%20various%20options%20with%20respect%20to%20this.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20just%20want%20to%20clarify%20that%20%3CU%3E%3CEM%3Eas%20of%20now%26nbsp%3B%3C%2FEM%3E%3C%2FU%3E%3CSPAN%3EExtensionInstallSources%20policy%20cannot%20be%20used%20to%20block%20extensions%20from%20the%20Chrome%20Web%20Store.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1397108%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1397108%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318153%22%20target%3D%22_blank%22%3E%40ashishpoddar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20update%20on%20adding%20this%20policy%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20would%20like%20this%20switch%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1470644%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Policy%20REQ%3A%20Allow%20Extensions%20from%20other%20stores%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1470644%22%20slang%3D%22en-US%22%3E%3CP%3EHaving%20issues%20with%20this%20as%20well.%3C%2FP%3E%3CP%3EMy%20goal%20is%20to%20silently%20install%20an%20extension%20from%20Chrome%20Web%20Store.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20added%20to%20the%20Extension%20ID%20to%20the%26nbsp%3BExtensionInstallAllowlist.%3C%2FP%3E%3CP%3EConfigured%26nbsp%3BExtensionInstallAllowlist%20to%20*%3C%2FP%3E%3CP%3EAnd%20added%20the%20Extension%20ID%20to%26nbsp%3BExtensionInstallForcelist.%3C%2FP%3E%3CP%3EBut%20the%20extension%20isn't%20installed%20automatically.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20do%20the%20same%20with%20an%20extension%20that%20is%20published%20in%20the%20Microsoft%20Edge%20Store%2C%20then%20its%20silently%20installed.%3C%2FP%3E%3CP%3EIn%20addition%20I%20tried%20to%20manually%20configure%26nbsp%3BExtensionInstallSources%20via%20registry%20with%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fmicrosoftedge.microsoft.com%252Faddons%252F*%26amp%3Bdata%3D02%257C01%257CAndre.Oliveira%2540microsoft.com%257Cc96b09842d974dfdb4e708d7c69ced71%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637196249621702170%26amp%3Bsdata%3DZ5PbZQvd8ZDJwO%252BwIaHXrSNVjDJaICTTWDLNht%252FAuKQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftedge.microsoft.com%2Faddons%2F*%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fchrome.google.com%252Fwebstore%252F*%26amp%3Bdata%3D02%257C01%257CAndre.Oliveira%2540microsoft.com%257Cc96b09842d974dfdb4e708d7c69ced71%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637196249621702170%26amp%3Bsdata%3DdgGZ9XJjLWDRsEv%252B7ooqaAAOzzihDLPgz9A3lP6x9b4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fchrome.google.com%2Fwebstore%2F*%3C%2FA%3E%26nbsp%3Bbut%20it%20didn't%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20user%20can%20manually%20install%20the%20extension%20after%20enabling%26nbsp%3BAllow%20extensions%20from%20other%20store.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20more%20to%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

An Edge policy to enable/disable "Allow extensions from other stores." would be very helpful.

 

We currently use the allow extensions policy, in addition to allowed lists, and url/store restrictions.  Some allowed extensions are from the Chrome store. 

 

Though using these requires this additional manual step to actually install the extension.

8 Replies
Highlighted

@dandirk Thanks for reaching out! To confirm, are you using Microsoft Edge on an Enterprise account? And if so, can you provide some more details about how an enable/disable policy would be beneficial?

 

Fawkes (they/them)
Project & Community Manager - Microsoft Edge

Highlighted

@fawkes 

 

Correct yes we are using Edge with our Azure/Enterprise accounts (hybrid join, MEMCM co-managed etc).

 

We currently white list approved extensions...  In order to install an approved extension from Chrome Web Store, users need to turn that flag on manually.

 

We would like the option to set this for them, reduce one more self-config step and secure with other methods (allowed extensions/stores etc).

 

Another option would be to exclude approved extensions from that security check so the option could still be off but still allow installation.  This is the behavior for forced extension installations...

 

 

Highlighted

@dandirk 

What a coincidence. I was just looking at exactly this today and was met with the exact same issue ... no way to enable that switch.

 

There was already another discussion over at https://techcommunity.microsoft.com/t5/enterprise/gpo-for-quot-allow-extensions-from-other-store-quo... about this but they never came to anything close to a solution.

 

I've also opened a case regarding this, if that helps anyone.

Highlighted

@narutards @dandirk 

 

We have explained the current workflow for the preference"Allow extensions from other stores" in this post https://techcommunity.microsoft.com/t5/microsoft-security-baselines/edge-extensions-developer-and-ot...

 

Could you please review it and let us know your feedback on that thread please? 

Highlighted

@ashishpoddar 

I've reviewed the thread you link and I got three issues with the workflow described in it.

 

1. There is no way to prevent users from enabling the "Allow extensions from other stores" switch. The only way to actually prevent the installation itself is to blacklist the extension GUID "*". Currently there is no way for us to limit users to just the Microsoft store.

 

2. As part of the case I opened I was asked to test the "ExtensionInstallSources" policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallsources) but it appears that this is completely unrelated to the "Allow extensions from other stores" switch too. 

 

Setting the following two policies will still prompt you to enable the installation from other stores even when you are on the Chrome store's website:

I'd kind of expect the switch to be toggled if there already is a policy in place to allow another store. Maybe that's just me.

Likewise I'd expect to user to be unable to install extensions from _any other_ store if I already provide a whitelisted set of stores. The user should not be allowed to install from any other sources than the whitelisted ones.

 

3. Having the user manually enable the installation from other stores might seem like a security measure but in reality there are just two things that will happen. Group 1 clicks "OK" on everything without thinking anyway, regardless of consequences. And group 2 will call the IT hotline and ask what it all means and whether they can safely click the button. Being able to take away this decision from our users would save everyone some time, especially if we had the ability to both either disable or enable it permanently with a GPO. Bundle that with the ability to explicitly whitelist sources through the "ExtensionInstallSources" and in turn automatically blacklisting all other sources we'd have everything we need.

Highlighted

@narutards Thanks for the detailed explanation of the requirements. We are exploring various options with respect to this. 

 

I just want to clarify that as of now ExtensionInstallSources policy cannot be used to block extensions from the Chrome Web Store. 

Highlighted

@ashishpoddar 

Any update on adding this policy?

 

We would like this switch as well.

 

Highlighted

Having issues with this as well.

My goal is to silently install an extension from Chrome Web Store.

 

I have added to the Extension ID to the ExtensionInstallAllowlist.

Configured ExtensionInstallAllowlist to *

And added the Extension ID to ExtensionInstallForcelist.

But the extension isn't installed automatically.

 

If I do the same with an extension that is published in the Microsoft Edge Store, then its silently installed.

In addition I tried to manually configure ExtensionInstallSources via registry with https://microsoftedge.microsoft.com/addons/* and https://chrome.google.com/webstore/* but it didn't help.

 

The user can manually install the extension after enabling Allow extensions from other store.

 

Is there more to it?