3 Ways to Prevent Users from Installing Extensions on Google Chrome

A few days back we got a complaint from one of our Facebook followers that he shared his laptop with his younger son for his project work. Later on it was found that by unknowingly his son ended up installing some useless extensions on Chrome Browser. 

This incident forced us to investigate if it is possible to prevent users from installing such extensions on Chrome Browser. After several trials, we came across 3 practical ways to prevent such issues which we would like to describe in this blog.

1. Disallow Write Permission of Extension Folder

If you want the easiest and quickest solution to prevent users from installing extensions on Chrome Browser, then this one will be your go to option! 

When you download and try to add any extensions on Chrome Browser, Google Chrome stores all these .crx files on a specific folder. You can disallow google to make any changes within this folder by denying the write permission with the help of Windows Explorer. This process will force Chrome not to install any extensions. 

Follow the steps below to disallow Write Permission of the Extension Folder. However, to execute the process you need to be an Administrator of the device.

Step 1: Check If You are an Administrator

• Go to the Start Menu and then go to the Control Panel.
• Go to User Accounts.
• Again choose User Accounts from the next window.
• If you are an Administrator it will display here.
• Proceed to next steps only if you are an Admin.

Step 2: Changing the Write Permission

• Open Google Chrome and type chrome://version/ in the address bar then hit Enter.
• Copy the target location beside Profile Path.
• Open This PC and Paste the target location on the address bar then hit Enter.
• Right click on Extensions Folder and go to Properties.
• Go to the Security Tab and click on Edit.
• Choose all the entries under Groups or User Names one by one and Check Mark on Deny only on the Write Permission for each entry.
• Click on Apply.
• Open Google Chrome and try to install any extension, an error message will be popped up by Chrome Browser.

2. Using Windows Registry Editor Tool

Windows Registry Editor is an in-built tool of Windows. Using this tool you can modify Chrome Browser and prevent other users from installing any extensions on it.

Please remember that Windows Registry Editor is a powerful tool, messing up with it can affect your entire operating system. However, if you stick to the information that has been informed here there will be no issues (taking a backup of the registry is always a smart move before doing any experiments with your device). You can refer to this article for backing up Windows Registry. Now let us jump into the actual process.

• Press Windows Key + R on your keyboard.
• Type regedit and hit Enter.
• Provide required Administration permissions.
• Go to HKEY_LOCAL_MACHINE then drill down to SOFTWARE.
• Further drill down to WOW6432Node > Policies > Google > Chrome. (If you are using a 32 bit device go to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Google > Chrome instead.)
  
  You may not find Google and Chrome subkeys on some devices. In such cases right Click on the Policy Key and then go to New > Key. Name this subkey as Google. Repeat the same process to add another subkey under Google named Chrome.
• Right click on the Chrome subkey and then go to New > Key to add another subkey named ExtensionInstallBlocklist.
• Now Right click on ExtensionInstallBlocklist subkey and then go to New > String Value.
• On the right hand panel you will see the newly added String Value, rename it to 1.
• Double click on the renamed string value.
• Enter * (Asterix) as the Value Data then click on Ok.
• Repeat the previous steps to add another subkey under the Chrome subkey.
• This time rename it to BlockExternalExtensions.
• Right click on the BlockExternalExtensions subkey and then go to New > String Value.
• Like previous, rename it to 1 and enter * (Asterix) as the Value Data.
• Close the Windows Registry Editor tool.
• Open Google Chrome and visit any extension description page you will find the Add to Chrome button has changed to Blocked by Admin.

3. Using Windows Group Policy Editor Tool

Adding new extensions on Chrome Browser can also be blocked using Windows Local Group Policy. If you are a newbie to Windows Registry Editor tool then you may want to avoid it and use Windows Group Policy Editor tool instead.

If you are on a professional or Enterprise build of Windows then by default Windows will enable Local Group Policy Editor tool for its user. But however, if you are using a Home build then you need to enable Public Group Policy Editor first. You may refer to this video to enable it. After enabling you can proceed with the steps as mentioned below.

Step 1: Add Chrome Policy Template to the Group Policy Editor Tool

• Download Chrome Policy Template and unzip it.
• Press Windows Key + R then type gpedit.msc and hit Enter.
• Select Administrative Templates under Computer Configuration.
• On the Menu Bar Click on Action and go to Add/Remove Templates..
• Click on Add Button.
• Go to the location where you have unzipped the previously downloaded Chrome Policy Template folder.
• Go to policy_templates > windows > adm > en-US.
• Choose chrome.adm and click on Open then close the following window. Now the Chrome Policy Template has been successfully added to the Group Policy Editor.

Step 2: Blocking Extension Using the Group Policy Editor Tool

• From the Local Group Policy editor window go to Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Extensions.
• On the right side you will find an entry called Configure extension installation blocklist.
• Right click on it and go to Edit.
• Choose Enabled radio button then click on Show under Options.
• Enter * (Asterix) as Value and click on Ok.
• Click on Apply and close the window.
• On the Extension Policy Page you will find another entry named Block external extensions from being installed.
• Right click on it and go to Edit.
• Choose Enabled radio button and click on Ok.
• Close Local Group Policy Editor Tool.
• You are done. Now open Chrome Browser to check if these extensions are blocked or not.

What About Third Party Extensions?

Google Chrome has an in-built feature that by default blocks any extensions from being installed outside of Chrome Web Store. But with a few Google searches any users can easily find a way around to install such extensions. Furthermore there is a possibility that with some simple manipulations hackers can inject miscellaneous extensions to your browser which can even have the ability to steal your login credentials.

So you might think, how can you prevent other users & hackers in such scenarios?

You can easily block installation of the third party extensions even if anyone finds a way around to bypass chrome’s policy. With the help of the same methods that have been discussed earlier i.e. Disallowing read permission of extension folder or Tweaking inside Windows Registry Editor or Local Group Policy Editor can also block third party extensions as well.

Whether the extension has been installed from Chrome Web Store or from any third party sources, Google Chrome stores all the installed extensions in the same folder. So removing write permission won’t allow Chrome to make any changes within it.

In case of tweaking inside Windows Registry Editor “BlockExternalExtensions” subkey is particularly made to prevent installation of third party extensions. And for Windows Local Group Policy Editor, changing the settings of “Block external extensions from being installed” entry does the same.

Prevent Disabling Pre-Installed Useful Extensions

If you use Windows Registry Editor or Local Group Policy Editor to block installation of the extensions, by default it will also disable pre-installed extensions on Chrome Browser. 

Extensions like any Ad Blockers or any Security Extensions are super useful irrespective of the users. These extensions will help you to protect your device from Viruses, Spywares or Adwares. 

There are two ways to keep enabling such extensions, either you can use Windows Registry Editor tool or you can use Windows Local Group Policy Editor.

1. Prevent Disabling Pre-Installed Useful Extensions by Using Windows Registry Editor

Step 1: Identifying the Extension IDs

• Open Google Chrome and go to the Chrome Web Store.
• Search for all the extensions that you have already installed and want to keep enabled, for example we are taking uBlock Origin Ad Blocker.
• Click on the extension and go to its description page.
• On the address bar you will see something like this: “https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en-GB”
• If you have accessed the Chrome Web Store from Settings then copy everything in between the last forward and the very next question mark (?hl=en-GB). And if you have accessed Chrome Web Store directly from Google Search then copy everything after the last forward slash.
  
  Check the infographic below to get a better idea. This will be the ID of that particular extension, in our case it is cjpalhdlnbpafiamejdnhcphjbkeiagm (If you want to allow multiple extensions then you need to open multiple extensions’ description page to get their ID).

Step 2: Prevent Disabling Pre-Installed Extensions by Using Windows Registry Editor

• Open Registry Editor tool from Start Menu (You may need to search by typing “Registry Editor” on Start Menu).
• Drill down to HKEY_LOCAL_MACHINE > SOFTWARE >  WOW6432Node > Policies > Google > Chrome. (For 32 bit users go to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Google > Chrome instead.)
• Make a new subkey under Chrome, and name it ExtensionInstallAllowlist. (Refer to the earlier “Method 2” to create this subkey).
• Add a new String Value under ExtensionInstallAllowlist by right clicking on it and then go to New > String Value.
• On the right hand panel rename the String Value to 1.
• Double click on the renamed String Value and enter the copied Extension ID (Add only one extension Id for one String Value) as Value Data and click on Ok.
• If you need to allow more than one extension, add more String Value then rename those to 2, 3, 4 and so on with respective Extension ID as Value Data.
• You are done, now these extensions will be kept enabled even if you follow our previously mentioned methods to block the installation process for the others.

2. Prevent Disabling Pre-Installed Useful Extensions by Using Windows Group Policy Editor

Pre Considerations:

• You have access to Windows Local Group Policy Editor.
  
  You can check this by pressing Windows + R key from keyboard then type gpedit.msc and click enter. If your device doesn’t have access to the policy editor Windows will pop up an error message. In such cases refer to this video to enable it.
• You have added Chrome Policy Template to Local Group Policy Editor (Follow the steps of “Third Method” of preventing users from installing extensions on Google Chrome).

If all the pre requirements are fulfilled, follow the steps below:

Step 1: Identify the Extensions IDs

• Previously we have already discussed how to get ID for an extension, repeat the same steps for the specific extensions that you want to allow.

Step 2: Tweak Inside Windows Local Group Policy Tool

• Open Local Group Policy editor window drill down to Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Extensions.
• Double click on the entry named “Configure extension installation allow list”.
• Click on the Enabled radio button.
• Then click on Show under the Options.
• Enter previously copied Extension IDs one by one under the “Extensions IDs to exempt from block list”.
• Click on Ok on this window and the following window.
• Open Chrome to check if those specific extensions have been enabled or not.

Blocking Installation of Particular Extensions

It is not necessary that every time you need to block all the extensions from being installed. Oftentimes we have seen users demanding to block some specific extensions.

For example we have seen parents being concerned about their kids from accessing adult content by installing VPN extensions to their browser. If you are interested to know how to set up parental controls on Google Chrome you may check our blog on “8 Ways to Set Up Parental Controls for Google Chrome”.

The best way to block specific extensions on Chrome Browser can be incorporated either by using Windows Registry Editor tool or by Windows Local Group Policy Editor.

1. Block Particular Extensions Using Windows Registry Editor

Step 1: Identifying the Extension ID

• Previously we have already discussed how to get ID for an extension, repeat the same steps for the specific extensions that you want to block.

Step 2: Blocking Specific Extensions Using Registry Editor Tool

• Open Windows Registry Editor and repeat the same steps as mentioned earlier until you drill down to Chrome subkey.
• Make a new subkey under Chrome, named ExtensionInstallBlocklist. 
• Like the previous method, add a new String Value under ExtensionInstallBlocklist and rename it to 1.
• Double click on the renamed String Value and enter the copied Extension ID as Value Data and click on Ok.
• For blocking more than one extension add more String Value then rename those to 2, 3, 4 and so on with respective Extension ID as Value Data.
• Open Chrome Browser to check if these extensions are blocked or not.

2. Block Particular Extensions Using Windows Group Policy Editor Tool

Pre Considerations:

• Same as mentioned earlier for Prevent Disabling Pre-Installed Useful Extensions by Using Windows Group Policy Editor.

After incorporating all the prerequisite settings, follow the steps below:

Step 1: Identify the Extensions IDs

• Previously we have already discussed how to get ID for an extension, repeat the same steps for the specific extensions that you want to block.

Step 2: Tweaking Inside Windows Group Policy Editor

• Open Local Group Policy Editor and drill down to Extensions (Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Google > Google Chrome > Extensions).
• On the right side you will find an entry called Configure extension installation blocklist.
• Double click on it and click on Enabled radio button then click on Show under Options.
• One by one enter all the IDs of the Extensions that you want to block and click on Ok.
• Click Ok on the following window and close Policy Editor.
• You have successfully blocked these selective extensions from being installed on Chrome Browser.

Whatever we have discussed so far, we have assumed that we were on Chrome’s regular mode. But what if anyone tries to install extensions from Chrome Incognito Mode?

Can You Add Extensions from Chrome’s Incognito Mode?

Google Chrome does not allow users to install any new extensions inside Incognito mode. However if you have an extension installed from the regular mode you can also enable it for the Incognito Mode.

Firstly, inside incognito mode if you try to access the Chrome Web Store from Settings to install any extension by default Chrome Browser will switch you to the regular mode.

Secondly, let’s assume inside incognito mode you try to access chrome web store or any particular extension from a direct link or typing the actual address in the address bar, in such case chrome will allow you to access the Web Store or that Extension’s description page but only to browse and check the information, it won’t allow you to install any extensions or themes, in fact Chrome will display a sticky message at the top mentioning “You cannot add extensions in incognito or guest windows”.

Why Do We Need to Prevent Users from Installing Extension?

We can not deny that extensions are an integral part of any Web Browser and help us to make our web activity easier. But in certain scenarios we may need to disable extensions from being installed.

The main reason for preventing users from giving access to install any extension is to disallow other users to make any integral changes inside Chrome Browser.

Personal Usage: If you need to share your personal device with your family members or friends then it’s quite obvious that installing random Chrome Extension by them without your permission is not acceptable at all.

Malicious extensions can affect your device significantly. These extensions not only can inject virus to your device but also are able to read login credentials! If you want to know in detail if an extension can read passwords or not, you can check our blog on “Can Browser Extensions Read Passwords?”

Schools or Colleges: Organizations like Schools or colleges block adult websites or social media websites from being accessed by the students. However, there are a few options to unblock a website, using Chrome Extension is one of them. So these organizations may want to disable adding extensions on Chrome Browser.

MNC or Other Big Organizations: Data is a key asset for any organization. You need to grant permissions to any extensions to make it workable. If any employee unknowingly installs Miscellaneous extensions and grants all the permissions it has asked for, it can steal all data on that device and send it to the hijackers. So preventing installing Chrome Extensions can be a good solution for such issues.

The Conclusion

Blocking installation of extensions can be a good hack for a handful of users. We have discussed all three methods that we ourselves use on our devices. However you do not need to implement all three methods together. Stick to the one that you prefer the most.

Incorporating all these methods will also block the installation of extensions for the Administrators. So if at any point of time administrators themselves want to add an extension, they need to reverse back all the steps and reincorporate again if needed.