SOLVED

Blocking chrome extensions but whitelist specific ones


Hi all,

 

I'm having issues whitelisting specific extensions and also blocking others too!

I've added the Chrome ADMX and have force deploy on specific apps, which is working, but below are the configs for the ones that don't work

 

Blocking

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist

 

String: 

<enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>

 

Whitelisting

 

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist

 

String: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;alhngdkjgnedakdlnamimgfihgkmenbh&#xF000;2&#xF000;jbldkhfglmgeihlcaeliadhipokhocnm"/>

 

(I used this link: https://www.inthecloud247.com/manage-google-chrome-settings-with-microsoft-intune/ )

 

 Please help!

 

 

33 Replies
I did try this before and same thing! So annoying ha. Is it worth doing it the JSON way?

Although I am unsure how to even add the JSON via Intune
There should be an error then in your Intune mgt log and the device mgt event log
This error you were mentioning
/Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version

is not the one you are looking for; this one is due to the detection of whether a certain patch is present on Windows, if I am not mistaken
Hi, I think I found the correct one: MDM ConfigurationManager: Command failure status. Configuration Source ID: (2F8AAF4A-BBC7-4009-A02F-27F93C36E6DA), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist), Result: (The system cannot find the file specified.).

@Rudy_Ooms_MVP Any ideas on what I can try?

Hi,

 

We need to be sure if the ADMX that is delivered to the client has the ExtensionInstallBlacklist in it...


Could you check out this key:


Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes

Search for chrome... note down that number and use it like this
Get-ItemProperty -Path Registry::"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\15026" | Select-Object "ExpectedValue" | Format-List * | Out-File c:\temp\chromeADMX.txt

 

And open that txt and search for ExtensionInstallBlacklist

And if it's in there... try to search for ExtensionInstallBlacklist in that same Nodes key.

 

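The manual registry check described in the reply above can be scripted so the node number does not have to be looked up by hand. This is an added example, not code from the thread or from any of its participants; it assumes the ingested ADMX is stored as plain XML text in the `ExpectedValue` value of one of the numbered `Nodes` subkeys, and the variable names are illustrative.

```powershell
# Added example: automate the NodeCache check (run elevated on the enrolled device).
# Assumption: the ingested Chrome ADMX sits as plain XML in "ExpectedValue"
# under one of the numbered Nodes subkeys (the number differs per device).
$nodes    = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'
$policies = 'ExtensionInstallBlacklist', 'ExtensionInstallWhitelist'

$admxNodes = Get-ChildItem -Path $nodes | ForEach-Object {
    $value = (Get-ItemProperty -Path $_.PSPath).ExpectedValue
    # Keep only nodes whose payload looks like an ADMX document mentioning Chrome
    if ($value -is [string] -and $value -match 'policyDefinitions' -and $value -match 'chrome') {
        [pscustomobject]@{ Node = $_.PSChildName; Admx = $value }
    }
}

if (-not $admxNodes) {
    Write-Warning 'No ingested Chrome ADMX found in the NodeCache.'
    return
}

foreach ($node in $admxNodes) {
    foreach ($name in $policies) {
        # Same test as searching the exported text file for the policy name
        $present = $node.Admx.Contains($name)

        # Best effort: read the policy's category and list element id from the ADMX
        $pattern  = '(?s)<policy\b[^>]*\bname="' + [regex]::Escape($name) + '".*?</policy>'
        $element  = [regex]::Match($node.Admx, $pattern)
        $category = $null
        $listId   = $null
        if ($element.Success) {
            $category = [regex]::Match($element.Value, '<parentCategory\b[^>]*\bref="([^"]+)"').Groups[1].Value
            $listId   = [regex]::Match($element.Value, '<list\b[^>]*\bid="([^"]+)"').Groups[1].Value
        }

        [pscustomobject]@{
            Node           = $node.Node
            Policy         = $name
            InAdmx         = $present
            ParentCategory = $category
            ListElementId  = $listId
        }
    }
}
```

Compare `ParentCategory` with the last segment of the area name in the OMA-URI (`...~Extensions`) and `ListElementId` with the `data id` in the policy string; a mismatch with the ADMX that was actually ingested is worth ruling out before changing anything else.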

 

@AB21805 

 

Not sure if that's the issue but I noticed the word: deprecatedpolicies... I guess I got an older admx?

 

 


 

Do I need to change something in the code? via policy

best response confirmed by AB21805 (Super Contributor)
Solution
You could try to download this admx file (just uploaded it)
https://github.com/Call4cloud/Enrollment/blob/main/DU/ADMX/chromeadmx.xml

And try to ingest that one... to see what happens?
just trying now thanks
Worked perfectly! Thank you
Nice to hear! .. now your next problem :p
ahah so so many!
Hi, created/updated my blog about it. Take a look at part 3 :)

https://call4cloud.nl/2021/10/what-if-chrome-policies-are-failing/