1.6.1 Ensure 'Configure extension management settings' is set to 'Enabled: *'

Information

This policy setting controls extension management settings for Microsoft Edge, including any controlled by existing extension-related policies. This policy supersedes any legacy policies that might be set.

NOTE: This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID '*', which applies to all extensions without a custom configuration in this policy. With an update URL, the configuration applies to extensions with the exact update URL stated in the extension manifest. If the override_update_url flag is set to true, the extension is installed and updated using the update URL specified in the ExtensionInstallForcelist (Control which extensions are installed silently) policy or in the update_url field in this policy. The flag override_update_url is ignored if the update_url is the Edge Add-ons website update URL.

Note #2: For more granular control, use the ExtensionInstallForcelist and ExtensionInstallAllowlist (Allow specific extensions to be installed) policies to allow or force install of specific extensions even if the store is blocked using the JSON in the example: {"update_url:https://clients2.google.com/service/update2/crx":{"installation_mode":"blocked"}}

For more details, see the detailed guide to the ExtensionSettings policy available from Microsoft on Microsoft Learn.

The recommended state for this setting is: Enabled: *.
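
The following added example (not part of the benchmark or of Microsoft's documentation) audits an ExtensionSettings JSON value for a deny-by-default '*' entry and lists every per-ID or per-update-URL exception for review. It assumes that the recommended state corresponds to a '*' entry whose installation_mode is "blocked" or "removed"; the sample policy and the extension ID in it are constructed placeholders.

```python
import json

# Constructed sample policy value (not from the benchmark): deny by default,
# one allowlisted extension ID (placeholder), and the update-URL block from Note #2.
SAMPLE_POLICY = """
{
  "*": {"installation_mode": "blocked"},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"installation_mode": "allowed"},
  "update_url:https://clients2.google.com/service/update2/crx": {"installation_mode": "blocked"}
}
"""

# Assumption: these installation_mode values count as "deny" for this audit.
DENY_MODES = {"blocked", "removed"}

def audit_extension_settings(raw):
    """Return (compliant, findings) for an ExtensionSettings JSON string."""
    try:
        policy = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"policy value is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return False, ["policy value must be a JSON object"]

    findings = []
    default = policy.get("*")
    if not isinstance(default, dict):
        findings.append("no '*' default entry: unlisted extensions are unmanaged")
    elif default.get("installation_mode") not in DENY_MODES:
        findings.append("'*' default does not block installation")
    compliant = not findings  # compliance depends only on the '*' default

    # Every other key is an exception or refinement; list the permissive ones.
    for key, cfg in policy.items():
        if key == "*" or not isinstance(cfg, dict):
            continue
        scope = "update URL" if key.startswith("update_url:") else "extension ID"
        mode = cfg.get("installation_mode")
        if mode is not None and mode not in DENY_MODES:
            findings.append(f"exception for {scope} {key}: {mode}")
        if cfg.get("override_update_url") is True:
            findings.append(f"{key} sets override_update_url")
    return compliant, findings

if __name__ == "__main__":
    print(audit_extension_settings(SAMPLE_POLICY))
```

Findings returned alongside a compliant result are the exceptions to compare against the organization's approved extension list.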

Rationale:

Blocking extensions that could potentially allow remote control of the system through the browser is a good security practice. If extensions are needed for securing the browser, or for enterprise use, these can be enabled by configuring the setting Allow specific extensions to be installed.

Impact:

Any installed extension will be removed unless it is specified on the extension allowlist. If an organization is using any approved password managers, ensure that the extension is added to the allowlist.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: *:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Extensions\Configure extension management settings

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Not configured.

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: 512898f6f508efef0ec04f3d4e66c9eb7d2d97d854b09ba5181519a13ea2b51b