Disabling Extensions for Chrome/Firefox Browsers using MECM

Introduction

One requirement that I have started to see more and more is controlling the use of extensions within web browsers, due to the various exploits that extensions can expose. Although you can get some form of control using GPOs or by creating policies within Intune, those policies are sometimes more about stopping users from installing extensions than about actually stopping extensions altogether. Google Chrome and Firefox are popular browsers that a lot of clients use and for which this is required. We will look at how to achieve this using MECM and Intune.

PowerShell Script for Disabling Extensions

I have developed a PowerShell script which can achieve this; I will show it in two parts, one for each browser.

Both scripts are pretty much the same: they create the shortcuts within the Start Menu and on the desktops with the correct switch, which disables the extensions for either browser.

The one line which does require some further explanation is the $Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public" line.

This line excludes the Public user profile. The script creates the shortcut in every profile so that the change is active for all users, and if a shortcut were also created in the Public user profile you would end up with two shortcuts; this line is there to prevent that.

Google Chrome

Below is the PowerShell script which makes the changes to the shortcut for both the desktop and the start menu.

$Destination = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($Destination)
$Shortcut.TargetPath = "C:\Program Files\Google\Chrome\Application\chrome.exe"
$Shortcut.Arguments = "--disable-extensions"   # switch that starts Chrome with extensions disabled
$Shortcut.Save()

Remove-Item "C:\users\*\Desktop\Google Chrome.lnk"   # remove existing desktop shortcuts from every profile
$Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public"
foreach ($user in $Parent) {
    $Destination = "$($user.FullName)\Desktop\Google Chrome.lnk"
    Copy-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" $Destination   # copy the Start Menu shortcut to this profile's desktop
}

Once updated, you should see the shortcut details as shown below in Figure 1.1.

Figure 1.1 – Google Chrome Disable Extensions Configuration

When users open Google Chrome and try to look at extensions, they should see the option greyed out, as seen in Figure 1.2.

Figure 1.2 – Google Chrome Extensions Greyed Out

Mozilla Firefox

Below is the PowerShell script which makes the changes to the shortcut for both the desktop and the start menu.

$Destination = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk"
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($Destination)
$Shortcut.TargetPath = "C:\Program Files\Mozilla Firefox\firefox.exe"
$Shortcut.Arguments = "--safe-mode"   # switch that starts Firefox in safe mode, with extensions disabled
$Shortcut.Save()

Remove-Item "C:\users\*\Desktop\firefox.lnk"   # remove existing desktop shortcuts from every profile
$Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public"
foreach ($user in $Parent) {
    $Destination = "$($user.FullName)\Desktop\Firefox.lnk"
    Copy-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk" $Destination   # copy the Start Menu shortcut to this profile's desktop
}

Once updated, you should see the shortcut details as shown below in Figure 1.3.

Figure 1.3 – Firefox Disabling Extensions Configuration

When users open Mozilla Firefox and try to look at extensions, they should see them disabled, as seen in Figure 1.4.

Figure 1.4 – Firefox extensions disabled

Configuration in MECM via Configuration Baselines

One method you can use is to create a configuration baseline and apply it to a collection, so that at a regular interval the browsers are checked to see whether the extensions have been disabled.

Compliance Scripts

The compliance scripts check that the switch which disables extensions is present on the shortcut. Below are the scripts for both browsers.

Google Chrome

$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")   # opens the existing shortcut so its arguments can be read
If ($ShortcutCheck.Arguments -eq "--disable-extensions")
{
    Write-Host "Compliant"
}
else
{
    Write-Host "Not Compliant"
}

Mozilla Firefox

$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk")   # opens the existing shortcut so its arguments can be read
If ($ShortcutCheck.Arguments -eq "--safe-mode")
{
    Write-Host "Compliant"
}
else
{
    Write-Host "Not Compliant"
}

Create Configuration Baseline

To create the configuration baseline, perform the following for each browser:

  1. Open the Microsoft Endpoint Configuration Manager Console
  2. Go to Assets and Compliance
  3. Go to Compliance Settings – Configuration Items
  4. Right Click and select Create Configuration Item
  5. General: Specify general information about this configuration item – Give a name for your configuration item then click next
  6. Supported Platforms: Specify the client operating systems that will assess this configuration item for compliance – Click next
  7. Settings: Specify settings for this operating system – Click New
  8. Create Setting: General – Give a name for the setting, Change Setting Type to script and Data Type to string. Click the Add Script button under discovery script and copy and paste the Compliance Script then click OK. Click Add Script under the Remediation Script section and copy and paste the PowerShell Extension Disabling script at the top of this article then click OK
  9. Create Settings: Compliance Rules – Click New. Give a name, then change the Rule Type to Value and enter “Compliant” in the value field. Click OK
  10. Compliance Rules: Specify compliance rules for this operating system – Click Next
  11. Summary: The wizard will create an operating system configuration item with the following settings – Click next to complete
  12. Go to Compliance Settings – Configuration Baseline
  13. Right Click and select Create Configuration Baseline
  14. Create Configuration Baseline: Specify general information about this configuration baseline – Give a name then click the Add button and select Configuration Items
  15. Add Configuration Items: Select the configuration items that you want to add to this configuration baseline – Add the Configuration Item that you just created then click OK
  16. Click OK to create the Configuration Baseline

You can now deploy the configuration baseline to the collection.

Configuration in Intune via Proactive Remediation Scripts

Another way is to deploy the same PowerShell scripts via Intune as Proactive Remediation Scripts, which work very similarly to configuration baselines in MECM.

Detection Scripts

Below are the detection scripts for your Proactive Remediation Scripts which check if the disable extensions switch is present.

Google Chrome

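$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")   # opens the existing shortcut so its arguments can be read
If ($ShortcutCheck.Arguments -eq "--disable-extensions")
{
    Write-Host "Compliant"
    Exit 0   # switch present, no remediation needed
}
else
{
    Write-Host "Not Compliant"
    Exit 1   # switch missing, remediation script should run
}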

Mozilla Firefox

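$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk")   # opens the existing shortcut so its arguments can be read
If ($ShortcutCheck.Arguments -eq "--safe-mode")
{
    Write-Host "Compliant"
    Exit 0   # switch present, no remediation needed
}
else
{
    Write-Host "Not Compliant"
    Exit 1   # switch missing, remediation script should run
}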
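
An added example (not the article's own script) in the shape of the Intune detection scripts above: those read only the Start Menu shortcut, while the remediation scripts also write a copy to each profile's Desktop, so this version checks every one of those locations for both browsers. The function name Get-NonCompliantShortcut and the $Expected table are assumptions made for the example; keep only the table entry for the browser the script package covers.

```powershell
# Added example, not the article's script. Shortcut names and switches are the article's own.
# Assumption: one table entry per browser; keep only the browser this package covers.
$Expected = @{
    'Google Chrome.lnk' = '--disable-extensions'
    'Firefox.lnk'       = '--safe-mode'
}
$StartMenu = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'

function Get-NonCompliantShortcut {
    param(
        [hashtable]$Expected,
        [string]$StartMenu,
        [string]$UsersRoot = 'C:\Users'
    )
    $Shell = New-Object -ComObject WScript.Shell

    # Folders the remediation scripts write to: the all-users Start Menu
    # and the Desktop of every profile except Public.
    $Folders = @($StartMenu)
    $Folders += Get-ChildItem -LiteralPath $UsersRoot -Directory |
        Where-Object { $_.Name -ne 'Public' } |
        ForEach-Object { Join-Path $_.FullName 'Desktop' }

    foreach ($Folder in $Folders) {
        foreach ($Name in $Expected.Keys) {
            $Path = Join-Path $Folder $Name
            if (-not (Test-Path -LiteralPath $Path)) {
                # A missing Start Menu shortcut means remediation has not run;
                # a missing Desktop copy leaves nothing to launch, so skip it.
                if ($Folder -eq $StartMenu) { "$Path (missing)" }
                continue
            }
            # Split the stored arguments so the switch is matched as a whole token.
            $Tokens = $Shell.CreateShortcut($Path).Arguments -split '\s+'
            if ($Tokens -notcontains $Expected[$Name]) { $Path }
        }
    }
}

$Findings = @(Get-NonCompliantShortcut -Expected $Expected -StartMenu $StartMenu)
if ($Findings.Count -eq 0) {
    Write-Host 'Compliant'
    exit 0
}
$Findings | ForEach-Object { Write-Host "Not Compliant: $_" }
exit 1
```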

Create Proactive Remediation Script Package

To create the Proactive Remediation Script Package, perform the following for each browser:

  1. Open Endpoint Manager
  2. Go to Reports – Endpoint Analytics
  3. Select Proactive Remediation Scripts
  4. Click Create Script Package
  5. Create Custom Script: Basics – Enter a name and click next
  6. Create Custom Script: Settings – For the Detection script file click the folder button and browse to the PowerShell script which contains the detection script above then click OK. Then click the Remediation script file and browse to the PowerShell Script which contains the disabling extension script above then click OK. Then click next
  7. Create Custom Script: Scope Tags – Click Next
  8. Create Custom Script: Assignments – Select the group you wish to deploy to
  9. Create Custom Script: Review + Create – Click Create
