search cancel

Chrome ExtensionInstallForcelist entries in the HKLM registry prevent equivalent entries in HKCU key path from functioning


Article ID: 173154


Updated On:


Data Loss Prevention Endpoint Prevent


You are currently applying user policies via GPO from Active Directory for the Chrome browser. You notice that after the installation of the DLP endpoint agent, the user GPOs no longer apply to the Chrome browser. 


This installation of the DLP Endpoint Agent creates a registry key entry in the HKLM key path below.
This prevents the user from uninstalling the DLP agent extension for Chrome so detection cannot be bypassed. The key will return if deleted. 
However, it appears that entries in the above key will prevent equivalent entries in the HKCU path (below) from functioning.


14.x, 15.x



  • If the agent is installed with the chrome plugin then it will continue to check and try to install the plug in. To manage this action see under the advanced agent settings.
  • Without the Chrome extension the DLP agent will not capture any policy violations for that browser.
  • However, if you wish to manage all Chrome Extensions (including the one required by the DLP Agent) via GPO yourself e.g.. on a per user basis and not per machine, you can follow the workaround below


From version 15.5 upwards, you can suppress the installation of the Chrome extension by adding INSTALLCHROMEPLUGIN=0 to the agent package installation string in the install_agent.bat file.


Additional Information

For information on removing this extension from computers where the agent has already been deployed, see TECH240124.