How to Restrict Edge Extension Installation by Publisher on Windows 11

Microsoft Edge allows users to install extensions from the Chrome Web Store and the Edge Add-ons website. Without controls, employees or family members can add extensions that collect browsing data, inject ads, or change browser settings. Windows 11 provides a Group Policy setting that lets you block all extensions except those signed by specific publishers. This article explains how to configure the policy, which publishers to allow, and what happens when a blocked extension is installed.

The restriction works by checking the digital signature of each extension against a list of approved publisher certificates. If the extension is not signed by an approved publisher, Edge prevents it from loading. This method is more precise than blocking all extensions because it still allows trusted tools from Microsoft, Google, and other verified developers. You can apply the policy to a single device using Local Group Policy Editor or to multiple devices via Microsoft Intune or domain Group Policy.

This guide covers the steps to enable the policy, find publisher certificate thumbprints, and test the configuration. It also explains common issues such as extensions not being detected by the policy and how to handle extensions that are already installed.

Key Takeaways: Restricting Edge Extensions by Publisher

  • Local Group Policy Editor > Computer Configuration > Administrative Templates > Microsoft Edge > Extensions > Configure extension installation allow list: Enables the allow-list policy that blocks all extensions not approved by specified publishers.
  • Publisher certificate thumbprint from the Edge extension page: Each extension has a unique 40-character SHA-1 thumbprint that you must copy and paste into the policy.
  • Edge policy test page (edge://policy): Shows whether the policy is applied and lists allowed publishers after configuration.

How the Publisher Restriction Policy Works in Edge

The policy named Configure extension installation allow list controls which extensions can be installed in Microsoft Edge. When you enable this policy and provide a list of publisher certificate thumbprints, Edge blocks any extension that is not signed by one of those publishers. The policy applies to all user profiles on the device and affects both new installations and existing extensions.

Each extension in the Chrome Web Store or Edge Add-ons website is packaged as a CRX file that contains a digital signature. The signature includes the publisher certificate, which has a SHA-1 thumbprint. Edge extracts this thumbprint during installation and compares it against your allow list. If there is no match, Edge shows an error message and does not load the extension.

The policy does not block extensions that are installed via enterprise policy or that are built into Edge. It also does not remove extensions that were installed before the policy was applied. After enabling the policy, users can still see blocked extensions in the store, but they cannot enable or use them.

Prerequisites for Using This Policy

Before you configure the policy, ensure the following conditions are met:

  • Microsoft Edge version 77 or later is installed on the device. The policy is available in the Stable, Beta, Dev, and Canary channels.
  • The Windows 11 edition is Pro, Enterprise, or Education. The Local Group Policy Editor is not available in Windows 11 Home edition.
  • You have administrative rights on the device to open the Local Group Policy Editor and make changes.
  • You know the publisher certificate thumbprint for each extension you want to allow. You can obtain this from the extension detail page in the Chrome Web Store or by using a PowerShell script.

Steps to Configure the Extension Installation Allow List in Edge

Follow these steps to restrict Edge extension installation by publisher on a Windows 11 device.

  1. Open the Local Group Policy Editor
    Press Win + R, type gpedit.msc, and press Enter. If prompted by User Account Control, click Yes.
  2. Navigate to the Edge extension policy
    Go to Computer Configuration > Administrative Templates > Microsoft Edge > Extensions. In the right pane, double-click Configure extension installation allow list.
  3. Enable the policy
    In the dialog that opens, select Enabled. This activates the allow-list restriction.
  4. Add publisher certificate thumbprints
    In the Options section, click the Show button next to Allowed extension installation policies. A new window opens. In the Value column, enter the SHA-1 thumbprint of the publisher you want to allow. For example, to allow extensions from Microsoft, enter f4d24fbdeb2e5f1f2c0c2c0b0e0c9c2c0c2c0c2. Click OK to save each entry. Repeat this step for each publisher.
  5. Apply the policy
    Click OK to close the policy dialog. Then close the Local Group Policy Editor.
  6. Restart Microsoft Edge
    Close all Edge windows and reopen the browser. The policy takes effect after the browser restarts.
  7. Verify the policy is active
    In the Edge address bar, type edge://policy and press Enter. Look for ExtensionInstallAllowlist in the list. The value should show the thumbprints you entered. If the policy is not listed, check that you enabled it correctly and that your Edge version supports it.

How to Find the Publisher Certificate Thumbprint for an Extension

You can find the thumbprint on the extension detail page in the Chrome Web Store. Open the store in Edge, navigate to the extension page, and scroll down to the Additional Information section. Look for Publisher certificate thumbprint. The value is a 40-character hexadecimal string. Copy it exactly as shown. If the thumbprint is not visible, you can use a PowerShell script to extract it from a downloaded CRX file.
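
Added example (not from the original article or from Microsoft): a Python parser for the CRX3 header that lists the digests of each signer public key and the package ID the header declares, so a value being allow-listed can be compared with what a downloaded CRX file actually carries. It relies on the public CRX3 layout (magic `Cr24`, version 3, a protobuf header with key proofs in fields 2 and 3 and `crx_id` in field 10000); the sample bytes and key names are constructed placeholders.

```python
import hashlib, struct

def _varint(buf, i):  # decode one protobuf varint; returns (value, next offset)
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def _fields(buf):  # yield (field number, payload); CRX3 headers use only length-delimited fields
    i = 0
    while i < len(buf):
        key, i = _varint(buf, i)
        size, i = _varint(buf, i)
        if key & 7 != 2 or i + size > len(buf):
            raise ValueError("malformed CRX3 header")
        yield key >> 3, buf[i:i + size]
        i += size

def crx_signers(crx):
    """Return the declared package ID and signer-key digests from CRX3 file bytes."""
    if crx[:4] != b"Cr24" or len(crx) < 12:
        raise ValueError("not a CRX file")
    version, hdr_len = struct.unpack_from("<II", crx, 4)
    if version != 3 or 12 + hdr_len > len(crx):
        raise ValueError("unsupported version or truncated header")
    crx_id, signers = "", []
    for num, val in _fields(crx[12:12 + hdr_len]):
        if num in (2, 3):  # sha256_with_rsa / sha256_with_ecdsa key proofs
            key = dict(_fields(val)).get(1, b"")  # AsymmetricKeyProof.public_key
            signers.append({"alg": "rsa" if num == 2 else "ecdsa", "sha1": hashlib.sha1(key).hexdigest(),
                            "sha256": hashlib.sha256(key).hexdigest()})
        elif num == 10000:  # signed_header_data wraps SignedData.crx_id (16 bytes)
            crx_id = dict(_fields(val)).get(1, b"").hex()
    for s in signers:  # developer key: its SHA-256 prefix equals the declared crx_id
        s["developer_key"] = bool(crx_id) and s["sha256"][:32] == crx_id
    ext_id = crx_id.translate(str.maketrans("0123456789abcdef", "abcdefghijklmnop"))
    return {"extension_id": ext_id, "signers": signers}

# Constructed sample: placeholder key bytes, not a real package or real keys.
_ld = lambda tag, body: tag + bytes([len(body)]) + body  # tag + 1-byte length + body
DEV_KEY, STORE_KEY = b"constructed developer key", b"constructed store key"
_proof = lambda k: _ld(b"\x12", _ld(b"\x0a", k) + _ld(b"\x12", b"sig"))
_hdr = (_proof(DEV_KEY) + _proof(STORE_KEY)
        + _ld(b"\x82\xf1\x04", _ld(b"\x0a", hashlib.sha256(DEV_KEY).digest()[:16])))
SAMPLE_CRX = b"Cr24" + struct.pack("<II", 3, len(_hdr)) + _hdr + b"PK\x03\x04"
```

To inspect a real package, pass the file's bytes, for example `crx_signers(open(path, "rb").read())`, where `path` is a CRX file you downloaded.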

Common Issues When Restricting Extension Installation by Publisher

Blocked extensions still appear in the browser after policy is applied

The policy does not remove extensions that were installed before the policy was applied. To remove those extensions, go to edge://extensions and manually disable or remove each one. Alternatively, use the Configure extension management settings policy to force removal of specific extensions.

Users can bypass the restriction by installing extensions from the Chrome Web Store in a different browser

The policy only applies to Microsoft Edge. Users can install the same extensions in Google Chrome or other Chromium-based browsers. To block extensions in all browsers, apply similar policies for each browser or use Windows AppLocker to restrict executable files from non-approved publishers.

Extensions from the same publisher have different thumbprints

Each publisher certificate is unique to the developer account, not to individual extensions. All extensions from the same publisher share the same thumbprint. You only need to add the thumbprint once to allow all extensions from that publisher.

Policy does not apply to Edge on Windows 11 Home edition

The Local Group Policy Editor is not available in Windows 11 Home. To apply this restriction on Home edition, use PowerShell to set the registry key directly. The registry path is HKLM\Software\Policies\Microsoft\Edge. Create a REG_MULTI_SZ value named ExtensionInstallAllowlist and enter the thumbprints on separate lines.

Edge Extension Allow List vs Block List: Policy Comparison

| Item | Extension Installation Allow List | Extension Installation Block List |
| --- | --- | --- |
| Description | Blocks all extensions except those signed by specified publishers | Blocks only the extensions you specify by ID |
| Scope | Blocks all unknown publishers | Blocks only listed extensions |
| Maintenance | Low after initial setup | High because you must update the list for each new unwanted extension |
| User workaround | Cannot install any extension from an unapproved publisher | Can install any extension not on the block list |
| Best for | Strict environments where only approved tools are allowed | Environments where most extensions are trusted but a few are known to be harmful |

Use the allow list when you want to enforce a strict policy. Use the block list when you only need to prevent specific extensions. You can combine both policies, but the allow list takes precedence if an extension matches both.

This article explained how to restrict Edge extension installation by publisher on Windows 11 using the Configure extension installation allow list policy. You can now prevent unauthorized extensions from loading by adding publisher certificate thumbprints to the allow list. To further tighten security, consider enabling the Block external extensions policy in Edge to prevent sideloading of CRX files. Test the configuration on a single device before deploying it across your organization.