Modern browsers rely heavily on browser extensions. Password managers, security tools and productivity extensions often become essential parts of a user’s daily workflow. At the same time, unmanaged extensions can introduce security risks, performance issues and unnecessary support calls.

Using the Settings catalogue in Microsoft Intune makes it straightforward to control Microsoft Edge extensions in a consistent and supportable way. This article explains how to restrict extensions, allow approved ones and force required extensions to install.

Why Manage Edge Extensions Centrally

From an endpoint management perspective, browser extensions are no different from applications. Left unchecked, users can install anything from the Edge Add-ons store, including extensions that request excessive permissions or conflict with corporate tools.

Central management helps you to:

  • Reduce security risk by blocking unapproved extensions.
  • Ensure required business extensions are always present.
  • Provide a consistent browser experience across devices.
  • Cut down on service desk incidents caused by incompatible extensions.

Prerequisites and Planning

Before configuring policies, it is worth checking a few basics:

  • Devices must be enrolled in Microsoft Intune.
  • Users should be signed in with a work account from Microsoft Entra ID.
  • Microsoft Edge must be available and kept reasonably up to date.

It also helps to agree internally which extensions are approved, which are mandatory and which should never be allowed. This avoids frequent policy changes later.

Using the Intune Settings Catalogue

The Settings catalogue is now the recommended way to configure Microsoft Edge policies. It closely mirrors Group Policy, but with cloud-based delivery and better visibility.

In the Intune admin centre, you will find it under:

Devices > Configuration > Policies > Create > New Policy > Windows > Settings catalogue

From there, search for Microsoft Edge in the Settings catalogue and focus on the Extensions category.

Restricting All Extensions by Default

A common security-first approach is to block all extensions unless explicitly allowed.

The key settings that need to be configured are:

  • Control which extensions cannot be installed.
  • Allow specific extensions to be installed.
  • Control which extensions are installed silently.

By default, Edge allows users to install any extension. To change this behaviour:

  • Configure the Control which extensions cannot be installed policy to block all extensions. Adding an asterisk (*) as the entry blocks all extensions.

This means users cannot install random extensions from the Edge Add-ons store. From an endpoint management point of view, this significantly reduces unexpected browser behaviour.

Allowing Specific Extensions

Some teams prefer a softer approach where users can install extensions, but only from a defined list.

In this case:

  • Enable extension installation.
  • Populate the allow list with approved extension IDs.

An example might be allowing a password manager, a corporate web filtering tool and a PDF manager. Anything else is blocked automatically.

This works well in environments where users need some flexibility but still operate within clear boundaries.

Forcing Required Extensions to Install

Certain extensions are non-negotiable. Examples include security reporting tools or single sign-on extensions.

To enforce these:

  • Use the Control which extensions are installed silently setting.
  • Add the extension ID and update URL.

When the policy applies, Edge installs the extension automatically and users cannot remove it. If the extension is removed or disabled, Edge reinstalls it at the next policy refresh.

This is particularly useful during new device builds, where you want Edge to be fully ready without manual intervention.

What the User Experience Looks Like

From the user’s perspective, the experience is usually quiet and predictable:

  • Blocked extensions simply cannot be installed.
  • Allowed extensions behave normally.
  • Forced extensions appear automatically.

Clear communication helps. A short internal guide explaining why certain extensions are restricted can prevent unnecessary support tickets.

Common Pitfalls to Avoid

Even with a simple setup, a few issues appear regularly:

  • Using the wrong extension ID, which causes policies to fail silently.
  • Mixing legacy Administrative Templates with the Settings catalogue.
  • Forgetting to assign the profile to the correct group.

Testing policies on a small pilot group before wider rollout can save a lot of time.

Troubleshooting Tips

If an extension does not behave as expected:

  • Check the device is receiving policies in the Intune admin centre.
  • Confirm Edge is signed in with the correct work profile.
  • Review Edge policy status at edge://policy.

These checks often highlight misconfigurations quickly, which is helpful for service desk escalation paths.
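
The wrong-ID pitfall and the checks above can be combined into one on-device audit. The script below is an added example, not part of the original article or any Microsoft tooling. It assumes the Intune profile is written to the standard Edge policy registry key, and the function names Get-EdgePolicyList and Test-ExtensionEntry are hypothetical helpers.

```powershell
# Added example: audit the Edge extension policy as applied on this device.
# Assumption: the Intune profile lands under the standard Edge policy key below.
$base      = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$idPattern = '^[a-p]{32}$'   # extension IDs are 32 lowercase characters in the range a-p

function Get-EdgePolicyList {
    param([string]$Name)
    $path = Join-Path $base $Name
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    # Each list entry is stored as a numbered string value (1, 2, 3, ...)
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-ExtensionEntry {
    param([string]$List, [string]$Entry)
    if ($List -eq 'ExtensionInstallBlocklist' -and $Entry -eq '*') { return 'OK (wildcard: block all)' }
    $parts = @($Entry -split ';', 2)          # forcelist entries are "id;update_url"
    if ($parts[0] -cnotmatch $idPattern) { return 'BAD ID (expect 32 chars a-p, no spaces)' }
    if ($List -eq 'ExtensionInstallForcelist') {
        if ($parts.Count -lt 2 -or [string]::IsNullOrWhiteSpace($parts[1])) {
            return 'NOTE: no update URL in entry'
        }
        $uri = $null
        if (-not [Uri]::TryCreate($parts[1], [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
            return 'BAD update URL (expect absolute https URL)'
        }
    }
    return 'OK'
}

$lists  = 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist', 'ExtensionInstallForcelist'
$report = foreach ($list in $lists) {
    foreach ($entry in @(Get-EdgePolicyList -Name $list)) {
        [pscustomobject]@{
            Policy = $list
            Entry  = $entry
            Result = Test-ExtensionEntry -List $list -Entry $entry
        }
    }
}
$report | Format-Table -AutoSize

# An allow list only restricts users when everything else is blocked.
if (@(Get-EdgePolicyList 'ExtensionInstallAllowlist').Count -gt 0 -and
    @(Get-EdgePolicyList 'ExtensionInstallBlocklist') -notcontains '*') {
    Write-Warning 'Allow list is set but the block list has no "*": unlisted extensions can still be installed.'
}
```

Run it in an elevated or standard PowerShell session on a managed device and compare the output with what edge://policy reports for the same three policies.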

Conclusion and Practical Takeaway

Managing Microsoft Edge extensions through the Intune Settings catalogue gives you strong control without adding unnecessary complexity. By deciding what to block, what to allow and what to force, you can strike a balance between security and usability.

Treat browser extensions like any other managed application. Define standards early, apply them consistently and review them occasionally as business needs change.