1.8.2 (L2) Ensure 'Configure extension management settings' is set to 'Enabled: *'

Information

This policy setting controls extension management settings for Microsoft Edge, including any controlled by existing extension-related policies. This policy supersedes any legacy policies that might be set.

The recommended state for this setting is: Enabled: *

NOTE: This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID '*', which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest. If the override_update_url flag is set to true, the extension is installed and updated using the update URL specified in the ExtensionInstallForcelist (Control which extensions are installed silently) policy or in update_url field in this policy. The flag override_update_url is ignored if the update_url is the Edge Add-ons website update URL.

Note #2: For more granular control, the ExtensionInstallForcelist and ExtensionInstallAllowlist (Allow specific extensions to be installed) policies can be used to allow or force install of specific extensions even if the store is blocked using the JSON in the example:

{"update_url:https://clients2.google.com/service/update2/crx": {"installation_mode": "blocked"}}

For more details, check out the detailed guide to the ExtensionSettings policy available from Microsoft at: Detailed guide to the ExtensionSettings policy | Microsoft Learn.

Blocking extensions that could potentially allow remote control of the system through the browser is a good security practice. If extensions are needed for securing the browser, or for enterprise use, these can be enabled by configuring the setting Allow specific extensions to be installed.
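The following added example (not part of the benchmark or of Microsoft's documentation) evaluates an ExtensionSettings JSON value against an extension inventory to show which extensions a default-deny '*' entry would block before the policy is rolled out. The policy value, extension IDs and update URLs are constructed samples, the lookup order (extension ID, then update URL, then '*') is an assumption, and the separate allowlist and forcelist policies are not modelled.

```python
import json

# Constructed sample policy value (not from the benchmark): default-deny via
# the special ID "*", one extension allowed by ID, one store blocked by URL.
SAMPLE_POLICY = """{
  "*": {"installation_mode": "blocked"},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"installation_mode": "allowed"},
  "update_url:https://clients2.google.com/service/update2/crx":
      {"installation_mode": "blocked"}
}"""

# Constructed inventory: (extension ID, update_url from the extension manifest).
SAMPLE_INVENTORY = [
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "https://updates.example.test/crx"),
    ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
     "https://clients2.google.com/service/update2/crx"),
    ("cccccccccccccccccccccccccccccccc", "https://updates.example.test/crx"),
]

URL_PREFIX = "update_url:"


def effective_mode(policy, ext_id, update_url):
    """Return (installation_mode, matched_key) for one extension.

    Assumed lookup order: exact extension ID, then exact update URL, then
    the "*" default. With no match at all, report "allowed" (assumed
    behaviour when the policy sets no default).
    """
    for key in (ext_id, URL_PREFIX + update_url, "*"):
        entry = policy.get(key)
        if isinstance(entry, dict) and "installation_mode" in entry:
            return entry["installation_mode"], key
    return "allowed", None


def review(policy_json, inventory):
    """Summarise the default rule and list extensions that would be blocked."""
    policy = json.loads(policy_json)
    default = policy.get("*", {}).get("installation_mode")
    blocked = []
    for ext_id, update_url in inventory:
        mode, key = effective_mode(policy, ext_id, update_url)
        if mode in ("blocked", "removed"):
            blocked.append((ext_id, key))
    return {"default_mode": default, "blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_POLICY, SAMPLE_INVENTORY), indent=2))
```

Any approved extension that shows up in the `blocked` list, such as a password manager, needs its own entry before the default-deny setting is deployed.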

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: * :

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Extensions\Configure extension management settings

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Impact:

Any installed extension will be removed unless it is specified on the extension allowlist. If an organization is using any approved password managers, ensure that the extension is added to the allowlist.

See Also

https://workbench.cisecurity.org/benchmarks/18501

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: 34f9d3fff858e13051038b8a37d9e44001a804fbecd35fff3273abffb639a69c