Introduction
A requirement I have started to see more and more is controlling the use of extensions within web browsers. An extension that is granted broad host permissions can read and modify the content of every page the user visits, internal applications included, so a malicious or over-permissioned extension is an easy route for data exfiltration from a managed device. Although you can apply some control using GPOs or Intune policies, those policies are often about stopping users from installing further extensions rather than stopping extensions from running altogether. Google Chrome and Mozilla Firefox are the browsers most of my clients use and need this for, so we will look at how to achieve it from MECM and from Intune.

One caveat before the scripts: the approach below works by launching the browser with a command-line switch from the managed shortcuts, so it only applies to sessions started from those shortcuts. A user who runs chrome.exe or firefox.exe directly, or who creates a fresh shortcut, starts the browser without the switch. Treat it as an enforced default rather than a hard control, and combine it with the browsers' own extension policies where a hard control is required.
PowerShell Script for Disabling Extensions
I have developed a PowerShell script that achieves this; it is shown in two parts, one per browser.
Both scripts are essentially the same. Each rewrites the browser's Start Menu shortcut so that it launches the browser with the switch that disables extensions, then copies that shortcut to every user's desktop. For Chrome the switch is --disable-extensions. For Firefox it is --safe-mode, which disables extensions but also disables themes, hardware acceleration and some other customisations, so check that the resulting user experience is acceptable before deploying it.
The one line that needs some further explanation is $Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public".
This line excludes the Public profile. The script creates the desktop shortcut in every profile under C:\Users so that the change applies to all users, and because the contents of C:\Users\Public\Desktop are merged into every user's desktop, creating the shortcut there as well would leave each user with two shortcuts. Excluding Public avoids that.
Google Chrome
Below is the PowerShell script which updates the Chrome shortcut in both the Start Menu and on each user's desktop.
# Rewrite the Start Menu shortcut so Chrome launches with extensions disabled
$Destination = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($Destination)
$Shortcut.TargetPath = "C:\Program Files\Google\Chrome\Application\chrome.exe"
$Shortcut.Arguments = "--disable-extensions"
$Shortcut.Save()
# Remove existing desktop shortcuts, including the installer's copy in Public\Desktop
Remove-Item "C:\Users\*\Desktop\Google Chrome.lnk" -ErrorAction SilentlyContinue
# Copy the updated shortcut to every profile except Public
$Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public"
foreach($user in $Parent){
$Destination = "$($user.fullname)\Desktop\Google Chrome.lnk"
Copy-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" $Destination
}
Once updated, the shortcut's Properties dialog should show the target path with --disable-extensions appended.
When users open Google Chrome from the shortcut and go to the Extensions page, the extensions should appear greyed out.
Mozilla Firefox
Below is the PowerShell script which updates the Firefox shortcut in both the Start Menu and on each user's desktop.
# Rewrite the Start Menu shortcut so Firefox launches in Safe Mode (extensions disabled)
$Destination = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk"
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($Destination)
$Shortcut.TargetPath = "C:\Program Files\Mozilla Firefox\firefox.exe"
$Shortcut.Arguments = "--safe-mode"
$Shortcut.Save()
# Remove existing desktop shortcuts, including the installer's copy in Public\Desktop
Remove-Item "C:\Users\*\Desktop\Firefox.lnk" -ErrorAction SilentlyContinue
# Copy the updated shortcut to every profile except Public
$Parent = Get-ChildItem "C:\Users" -Directory -Exclude "Public"
foreach($user in $Parent){
$Destination = "$($user.fullname)\Desktop\Firefox.lnk"
Copy-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk" $Destination
}
Once updated, the shortcut's Properties dialog should show the target path with --safe-mode appended.
When users open Mozilla Firefox from the shortcut and go to the Add-ons Manager, the extensions should appear greyed out.
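The two scripts above differ only in the shortcut name, the executable path and the switch. The following is an added example, not code from the original article, that folds both into one parameterised function and generalises them slightly: it picks whichever of the 64-bit or 32-bit install locations exists, appends the switch without discarding arguments that are already on the shortcut, and only copies to profiles that actually have a Desktop folder. The shortcut names and install paths are the ones used on this page; running elevated (for example as SYSTEM from MECM or Intune) is assumed.

```powershell
# Added example: parameterised version of the per-browser shortcut scripts.
# Assumes the installer-created shortcut names used on this page and an elevated context.
function Set-BrowserShortcutSwitch {
    param(
        [Parameter(Mandatory)] [string]   $ShortcutName,  # e.g. 'Google Chrome.lnk'
        [Parameter(Mandatory)] [string[]] $ExePaths,      # candidate executable locations
        [Parameter(Mandatory)] [string]   $Switch         # e.g. '--disable-extensions'
    )

    # Use the first executable path that exists (64-bit first, then 32-bit).
    $exe = $ExePaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) {
        Write-Output "Skipping $ShortcutName, no executable found"
        return $false
    }

    $startMenu = Join-Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs' $ShortcutName
    $shell     = New-Object -ComObject WScript.Shell
    $shortcut  = $shell.CreateShortcut($startMenu)
    $shortcut.TargetPath       = $exe
    $shortcut.WorkingDirectory = Split-Path $exe -Parent

    # Append the switch only if it is not already present, keeping any other arguments.
    $argList = @($shortcut.Arguments -split '\s+' | Where-Object { $_ })
    if ($argList -notcontains $Switch) { $argList += $Switch }
    $shortcut.Arguments = ($argList -join ' ')
    $shortcut.Save()

    # Remove the installer's all-users copy in Public\Desktop and any per-user copies,
    # then place the updated shortcut on each real user's desktop (Public excluded,
    # otherwise users would see two shortcuts).
    Remove-Item -Path "C:\Users\*\Desktop\$ShortcutName" -Force -ErrorAction SilentlyContinue
    Get-ChildItem 'C:\Users' -Directory -Exclude 'Public' | ForEach-Object {
        $desktop = Join-Path $_.FullName 'Desktop'
        if (Test-Path -LiteralPath $desktop) {
            Copy-Item -LiteralPath $startMenu -Destination (Join-Path $desktop $ShortcutName) -Force
        }
    }
    return $true
}

Set-BrowserShortcutSwitch -ShortcutName 'Google Chrome.lnk' -Switch '--disable-extensions' -ExePaths @(
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
)
Set-BrowserShortcutSwitch -ShortcutName 'Firefox.lnk' -Switch '--safe-mode' -ExePaths @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
)
```

Because the function appends rather than overwrites, it can be re-run safely as a remediation script without stacking duplicate switches.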
Configuration in MECM via Configuration Baselines
One method is to create a configuration baseline and deploy it to a collection, so that at a regular interval each client checks whether the extension-disabling switch is still present on the browser shortcuts and reapplies it if not.
Compliance Scripts
The compliance (discovery) scripts check that the extension-disabling switch is present on the Start Menu shortcut. Below are the scripts for both browsers. Note that they only inspect the shortcut in ProgramData, not the per-user desktop copies.
Google Chrome
$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")
# MECM evaluates the discovery script's output stream, so use Write-Output rather than Write-Host
If ($ShortcutCheck.Arguments -eq "--disable-extensions")
{
Write-Output "Compliant"
}
else
{
Write-Output "Not Compliant"
}
Mozilla Firefox
$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk")
# MECM evaluates the discovery script's output stream, so use Write-Output rather than Write-Host
If ($ShortcutCheck.Arguments -eq "--safe-mode")
{
Write-Output "Compliant"
}
else
{
Write-Output "Not Compliant"
}
Create Configuration Baseline
To create the configuration baseline, perform the following for each browser:
- Open the Microsoft Endpoint Configuration Manager Console
- Go to Assets and Compliance
- Go to Compliance Settings – Configuration Items
- Right Click and select Create Configuration Item
- General: Specify general information about this configuration item – Give a name for your configuration item then click next
- Supported Platforms: Specify the client operating systems that will assess this configuration item for compliance – Click next
- Settings: Specify settings for this operating system – Click New
- Create Setting: General – Give the setting a name, change Setting Type to Script and Data Type to String. Click Add Script under Discovery script, paste the compliance script for that browser and click OK. Click Add Script under Remediation script, paste the corresponding extension-disabling script from the top of this article and click OK
- Create Setting: Compliance Rules – Click New. Give the rule a name, set Rule Type to Value, set the operator to Equals and enter Compliant in the Value field. Tick "Run the specified remediation script when this setting is noncompliant" so that the remediation script is actually executed, then click OK
- Compliance Rules: Specify compliance rules for this operating system – Click Next
- Summary: The wizard will create an operating system configuration item with the following settings – Click next to complete
- Go to Compliance Settings – Configuration Baseline
- Right Click and select Create Configuration Baseline
- Create Configuration Baseline: Specify general information about this configuration baseline – Give a name then click the Add button and select Configuration Items
- Add Configuration Items: Select the configuration items that you want to add to this configuration baseline – Add the Configuration Item that you just created then click OK
- Click OK to create the Configuration Baseline
Now deploy the configuration baseline to the collection. On the deployment, tick "Remediate noncompliant rules when supported", otherwise clients will only report non-compliance and the remediation script will never run.
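The wizard steps above can also be scripted. The following is an added example, not from the original article, that builds the two configuration items, the value rule with remediation, the baseline and a daily deployment using the ConfigurationManager PowerShell module. The site code PS1, the collection name, and the file names for the discovery and remediation scripts are placeholders I have assumed; the module is loaded from the console installation, so run it where the MECM console is installed.

```powershell
# Added example: build the configuration items and baseline with the ConfigurationManager module.
# Assumed: site code PS1, collection 'All Workstations', and the script file names below.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location 'PS1:'

$browsers = @(
    @{ Name = 'Google Chrome'; Discovery = '.\Detect-ChromeExtensions.ps1';  Remediation = '.\Disable-ChromeExtensions.ps1' },
    @{ Name = 'Firefox';       Discovery = '.\Detect-FirefoxExtensions.ps1'; Remediation = '.\Disable-FirefoxExtensions.ps1' }
)

$ciIds = foreach ($b in $browsers) {
    $ci = New-CMConfigurationItem -Name "Disable $($b.Name) extensions" -CreationType WindowsOS

    # Script setting with a value rule: discovery output must equal "Compliant",
    # otherwise the remediation script runs. -Remediate here is the per-rule option;
    # the deployment below must also enable remediation for it to take effect.
    Add-CMComplianceSettingScript -InputObject $ci `
        -Name "$($b.Name) extension switch" -DataType String `
        -DiscoveryScriptLanguage PowerShell -DiscoveryScriptFile $b.Discovery `
        -RemediationScriptLanguage PowerShell -RemediationScriptFile $b.Remediation `
        -ValueRule -RuleName "$($b.Name) shortcut is compliant" `
        -ExpressionOperator IsEquals -ExpectedValue 'Compliant' -Remediate | Out-Null

    $ci.CI_ID
}

# One baseline containing both configuration items.
$baseline = New-CMBaseline -Name 'Browser extensions disabled'
Set-CMBaseline -InputObject $baseline -AddOSConfigurationItem $ciIds

# Evaluate daily; -EnableEnforcement is the "Remediate noncompliant rules when supported" option.
New-CMBaselineDeployment -InputObject $baseline -CollectionName 'All Workstations' `
    -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1) `
    -EnableEnforcement $true
```

Keeping the detection and remediation scripts in files rather than inline strings makes them easy to version alongside the deployment script.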
Configuration in Intune via Proactive Remediation Scripts
Another way is to deploy the same PowerShell scripts through Intune as Proactive Remediation script packages, which work in much the same way as configuration baselines in MECM: a detection script runs on a schedule and, if it exits with a non-zero code, the remediation script runs.
Detection Scripts
Below are the detection scripts for the Proactive Remediation packages. Each checks whether the extension-disabling switch is present on the Start Menu shortcut and reports the result through its exit code: 0 means compliant, 1 triggers the remediation script.
Google Chrome
$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")
# Exit code drives remediation: 0 = compliant, 1 = run the remediation script
If ($ShortcutCheck.Arguments -eq "--disable-extensions")
{
Write-Output "Compliant"
Exit 0
}
else
{
Write-Output "Not Compliant"
Exit 1
}
Mozilla Firefox
$Shell = New-Object -ComObject WScript.Shell
$ShortcutCheck = $Shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk")
# Exit code drives remediation: 0 = compliant, 1 = run the remediation script
If ($ShortcutCheck.Arguments -eq "--safe-mode")
{
Write-Output "Compliant"
Exit 0
}
else
{
Write-Output "Not Compliant"
Exit 1
}
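Both the MECM compliance scripts and the Intune detection scripts above only look at the shortcut in ProgramData, so a user who edits the copy on their own desktop and removes the switch is still reported as compliant. The following is an added example, not from the original article, of a detection script that checks the Start Menu shortcut and every per-user desktop copy, and that matches the switch as a whole token so additional arguments on the shortcut do not cause a false non-compliance. It is written for the Proactive Remediation exit-code convention; the shortcut name and switch defaults are the Chrome values used on this page and are changed to the Firefox ones for the second package. For the MECM discovery script, keep the output lines and drop the exit statements so it matches the shape of the compliance scripts above.

```powershell
# Added example: detection across the Start Menu shortcut and all per-user desktop copies.
# Assumed: the shortcut names and switches used on this page; exit 0 = compliant, 1 = remediate.
param(
    [string] $ShortcutName = 'Google Chrome.lnk',    # use 'Firefox.lnk' for the Firefox package
    [string] $Switch       = '--disable-extensions'  # use '--safe-mode' for Firefox
)

function Test-ShortcutHasSwitch {
    param([string] $Path, [string] $Switch)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    # Split on whitespace so the switch is matched as a whole token, not a substring.
    $tokens = @($lnk.Arguments -split '\s+' | Where-Object { $_ })
    return ($tokens -contains $Switch)
}

# The Start Menu shortcut must exist and carry the switch; desktop copies are checked where present.
$paths = @("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\$ShortcutName")
$paths += Get-ChildItem 'C:\Users' -Directory -Exclude 'Public' |
    ForEach-Object { Join-Path $_.FullName "Desktop\$ShortcutName" } |
    Where-Object { Test-Path -LiteralPath $_ }

$missing = @($paths | Where-Object { -not (Test-ShortcutHasSwitch -Path $_ -Switch $Switch) })

if ($missing.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
# Listing the offending shortcuts makes the pre-remediation output in the portal useful.
Write-Output ("Not Compliant: " + ($missing -join '; '))
exit 1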
Create Proactive Remediation Script Package
To create the Proactive Remediation script package, perform the following for each browser:
- Open Endpoint Manager
- Go to Reports – Endpoint Analytics
- Select Proactive Remediation Scripts
- Click Create Script Package
- Create Custom Script: Basics – Enter a name and click next
- Create Custom Script: Settings – For Detection script file, click the folder button and select the .ps1 file containing the detection script above. For Remediation script file, select the .ps1 file containing the extension-disabling script from the top of this article. Leave "Run this script using the logged-on credentials" set to No, since the scripts write to ProgramData and to every profile's desktop, then click Next
- Create Custom Script: Scope Tags – Click Next
- Create Custom Script: Assignments – Select the group you wish to deploy to
- Create Custom Script: Review + Create – Click Create
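The portal steps above can be automated against Microsoft Graph. The following is an added example, not from the original article, that creates each package and assigns it to a group with a daily schedule. It assumes the Microsoft.Graph PowerShell module is installed, that the caller has the DeviceManagementConfiguration.ReadWrite.All permission, that the detection and remediation scripts are saved as the files named below, and that the group id is a placeholder to be replaced. The deviceHealthScripts resource and the property names used are those of the beta Graph endpoint at the time of writing; check them against the current Graph reference before relying on them.

```powershell
# Added example: create and assign Proactive Remediation packages via Microsoft Graph (beta).
# Assumed: Microsoft.Graph module, DeviceManagementConfiguration.ReadWrite.All, placeholder group id.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

function New-RemediationPackage {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $DetectionFile,
        [Parameter(Mandatory)] [string] $RemediationFile,
        [Parameter(Mandatory)] [string] $GroupId
    )

    # Script bodies are sent base64-encoded. runAsAccount 'system' because the scripts
    # write to ProgramData and to other users' desktops.
    $body = @{
        displayName              = $DisplayName
        publisher                = 'IT Security'
        runAsAccount             = 'system'
        runAs32Bit               = $false
        enforceSignatureCheck    = $false
        detectionScriptContent   = [Convert]::ToBase64String([IO.File]::ReadAllBytes($DetectionFile))
        remediationScriptContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($RemediationFile))
    }
    $script = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts' `
        -Body ($body | ConvertTo-Json)

    # Assign to the group: run remediation when detection exits non-zero, daily at 09:00 local time.
    $assign = @{
        deviceHealthScriptAssignments = @(
            @{
                target               = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
                runRemediationScript = $true
                runSchedule          = @{ '@odata.type' = '#microsoft.graph.deviceHealthScriptDailySchedule'
                                          interval = 1; time = '09:00:00'; useUtc = $false }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$($script.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 6) | Out-Null
    return $script.id
}

$group = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with the target group id
New-RemediationPackage -DisplayName 'Disable Chrome extensions' -GroupId $group `
    -DetectionFile '.\Detect-ChromeExtensions.ps1' -RemediationFile '.\Disable-ChromeExtensions.ps1'
New-RemediationPackage -DisplayName 'Disable Firefox extensions' -GroupId $group `
    -DetectionFile '.\Detect-FirefoxExtensions.ps1' -RemediationFile '.\Disable-FirefoxExtensions.ps1'
```

Once created, the packages appear in the portal exactly as if they had been built through the wizard, and the detection output can be reviewed per device under the package's device status.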