ExtensionInstallForcelist - Multiple GPOs

Copper Contributor

Hi,

 

I'm trying to utilize the ExtensionInstallForcelist GPO to install extensions silently for our users.

 

We want to be able to distribute some extensions globally to all customers (using a global GPO) and then specific extensions to a sub-set of customers (using a local specific GPO).

 

Currently you appear to get a conflict message when trying to do this. It appears multiple extensions need to be defined in one GPO only, which isn't ideal for scenario above. Is it possible to get round this issue?

10 Replies

@JBrunsden Hi!  I'm checking with our Extension Team about your question.  We'll keep you updated if they have any suggestions.  Thanks! 

 

-Kelly

Hi @JBrunsden

 

Could you share the conflict error you are seeing?

 

Thanks

Ashish.  

Hi @ashishpoddar,

 

Below is the screenshot from the edge://policy/ screen.

 

JBrunsden_0-1601376629344.png

I did initially set this up with both exceptions defined in separate GPOs under Computer Config but same error as above even when one is defined in Computer and another in User (still separate GPOs).

 

Thanks,

 

John

 

 

Hi @ashishpoddar @Kelly_Y  any update on this?

Hi @JBrunsden

 

The suggestion here is to always apply the device policies after the user policies, so device will always win when there is a conflict between them.

 

Could you try this approach and confirm if this works?

 

Thanks

Ashish.

@ashishpoddar Hi, 

 

Unfortunately that just isn't possible with a current scenario, we enforce a Cyber GPO that pushes the ATP extension among other things, so this will always be above any user policies.

 

I think the issue here would ultimately be resolved if the  ExtensionInstallForcelist could just be populated with values from multiple GPOs, even in two separate Device GPOs one has to take precedence of the other and we cannot implement the way you described because of the reason above.

It looks like Chrome has GPOs that could work around this:

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=PolicyDictionaryMultipleSourceMerge...

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=PolicyListMultipleSourceMergeList

 

This presumably allows for separate values to be merged, so something like this could work in Edge?

 

For now we will probably have to look at putting all our extensions in one policy, but as initially stated, this isn't really flexible in an Enterprise environment for certain use cases.

 

Thanks

 

We looking at something along these lines is PolicyListMultipleSourceMergeList
Every being ported from chrome ?

@rdoloto 

 

Could you tell us the use case or the issue that you are facing for which you are suggesting this policy?

 

Thanks

Ashish 

We are also having an issue that looks like it could be resolved by PolicyListMultipleSourceMergeList. We have a need to restrict all extensions from being installed on all devices (including shared PCs with guest accounts) and then deploying extensions over top to certain users with ExtensionInstallForcelist. We combine ExtensionInstallBlocklist (device context) with ExtensionInstallForcelist (user context) to accomplish this, but this is causing the extension to occasionally become uninstalled and re-installed, which wipes out the extension's local storage. Microsoft support is saying that these 2 policies shouldn't be used together in different contexts so we are looking at ways we can re-work them and PolicyListMultipleSourceMergeList could potentially help a lot.

FYI - We are using Intune for our policy deployments.
Same issue here. Has Edge implemented PolicyListMultipleSourceMergeList yet?