Blocking chrome extensions but whitelist specific ones

Bronze Contributor

Hi all,


Im having issues white listing specific extensions and also blocking others too! 

Iv added the Chrome ADMX and have force deploy on specific apps  which is working but below are the config for the ones that dont work







<enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>




OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist


String: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;alhngdkjgnedakdlnamimgfihgkmenbh&#xF000;2&#xF000;jbldkhfglmgeihlcaeliadhipokhocnm"/>


(I used this link: )


 Please help!



33 Replies
I did try this before and same thing! So annoying ha. Is it worth doing it the JSON way?

Although I am unsure how to even ad the JSON via intune
There should be an error than in your intune mgt log and the device mgt event log
This error you were mentioning

is not the one you are looking for, this one is due to the detect if a certain patch is present on Windows if i am not mistaken
Hi think I found the correct one MDM ConfigurationManager: Command failure status. Configuration Source ID: (2F8AAF4A-BBC7-4009-A02F-27F93C36E6DA), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist), Result: (The system cannot find the file specified.).

@Rudy_Ooms_MVP Any ideas one what I can try?



We need need to be sure if the admx  that is delivered to the client has the  ExtensionInstallBlacklist in it... 

Could you check out this key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes

Search for chrome... note down that number and use it like this
Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\15026" | Select-Object "ExpectedValue" | Format-List * | Out-File c:\temp\chromeADMX.txt


And open that txt and search for ExtensionInstallBlacklist

And if its in there .. try to search for ExtensionInstallBlacklist in that same nodes key.






Not sure if that the issue but i noticed the word: deprecatedpolicies... i guess I got an older admx?





Do I need to change something in the code? via policy

best response confirmed by AB21805 (Bronze Contributor)
You could try to download this admx file (just uploaded it)

And try to ingest that one... to see what happens?
just trying now thanks
Worked perfectly! Thank you
Nice to hear! .. now your next problem :p
ahah so so many!
Hi, created/updated my blog about it. Take a look at part 3 :)