1.6.1 Ensure 'Configure extension management settings' is set to 'Enabled: *'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

This policy setting controls extension management settings for Microsoft Edge, including any controlled by existing extension-related policies. This policy supersedes any legacy policies that might be set.

NOTE: This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID '*', which applies to all extensions without a custom configuration in this policy. With an update URL, the configuration applies to extensions with the exact update URL stated in the extension manifest. If the override_update_url flag is set to true, the extension is installed and updated using the update URL specified in the ExtensionInstallForcelist (Control which extensions are installed silently) policy or in the update_url field in this policy. The override_update_url flag is ignored if the update_url is the Edge Add-ons website update URL.

Note #2: For more granular control, the ExtensionInstallForcelist and ExtensionInstallAllowlist (Allow specific extensions to be installed) policies can be used to allow or force the installation of specific extensions even if the store is blocked using the JSON in the example: {"update_url:https://clients2.google.com/service/update2/crx":{"installation_mode":"blocked"}}

For more details, check out the detailed guide to ExtensionSettings policy available at the following link.
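
The key mapping described in the notes above can be checked before a policy value is deployed. The following is an added example, not part of the benchmark or of Microsoft's documentation: it resolves which entry of an ExtensionSettings JSON value applies to a given extension and lists the entries that deviate from the '*' default. The sample policy, the extension IDs, the function names, the ID-before-update-URL precedence and the fallback to "allowed" are assumptions.

```python
import json

# Constructed sample policy; the 32-letter extension ID is a made-up placeholder.
SAMPLE_POLICY = json.dumps({
    "*": {"installation_mode": "blocked"},
    "abcdefghijklmnopabcdefghijklmnop": {"installation_mode": "allowed"},
    "update_url:https://clients2.google.com/service/update2/crx":
        {"installation_mode": "blocked"},
})

def effective_mode(policy_json, ext_id, update_url=None):
    """Return (installation_mode, matching_key) for one extension."""
    settings = json.loads(policy_json)
    # Assumed precedence: extension ID entry, then exact update URL, then '*'.
    keys = [ext_id]
    if update_url:
        keys.append("update_url:" + update_url)
    keys.append("*")
    for key in keys:
        entry = settings.get(key)
        if isinstance(entry, dict) and "installation_mode" in entry:
            return entry["installation_mode"], key
    # Assumption: with no matching entry the browser allows the install.
    return "allowed", None

def exceptions_to_default(policy_json):
    """List keys whose mode differs from the '*' default, for review."""
    settings = json.loads(policy_json)
    default = settings.get("*", {}).get("installation_mode")
    if default is None:
        return None  # no default entry: nothing covers unlisted extensions
    return sorted(k for k, v in settings.items()
                  if k != "*" and v.get("installation_mode", default) != default)

if __name__ == "__main__":
    store = "https://clients2.google.com/service/update2/crx"
    print(effective_mode(SAMPLE_POLICY, "abcdefghijklmnopabcdefghijklmnop", store))
    print(effective_mode(SAMPLE_POLICY, "ponmlkjihgfedcbaponmlkjihgfedcba", store))
    print(exceptions_to_default(SAMPLE_POLICY))
```

A return value of None from exceptions_to_default means the policy has no '*' entry, so extensions without their own entry are not covered by any default.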

The recommended state for this setting is: Enabled: *.

Rationale:

Blocking extensions that could potentially allow remote control of the system through the browser is a good security practice. If there are extensions needed for securing the browser or for enterprise use, these can be enabled by configuring the setting Allow specific extensions to be installed.

Impact:

Any installed extension will be removed unless it is specified on the extension allowlist. If an organization is using any approved password managers, ensure that the extension is added to the allowlist.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: *:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Extensions\Configure extension management settings

Default Value:

Not configured.

See Also

https://workbench.cisecurity.org/files/4094