Chrome ExtensionInstallForcelist entries in the HKLM registry prevent equivalent entries in HKCU key path from functioning
Article ID: 173154
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Issue/Introduction
You are currently applying user policies via GPO from Active Directory for the Chrome browser. You notice that after the installation of the DLP endpoint agent, the user GPOs no longer apply to the Chrome browser.
Environment
14.x, 15.x
Cause
This installation of the DLP Endpoint Agent creates a registry key entry in the HKLM key path below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelistThis prevents the user from uninstalling the DLP agent extension for Chrome so detection cannot be bypassed. The key will return if deleted.
However, it appears that entries in the above key will prevent equivalent entries in the HKCU path (below) from functioning.
HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Resolution
IMPORTANT NOTE:
- If the agent is installed with the chrome plugin then it will continue to check and try to install the plug in. To manage this action see ExtensionEnabledment.INSTALL_BROWSER_EXTENSION.int under the advanced agent settings.
- Without the Chrome extension the DLP agent will not capture any policy violations for that browser.
- However, if you wish to manage all Chrome Extensions (including the one required by the DLP Agent) via GPO yourself e.g.. on a per user basis and not per machine, you can follow the workaround below
WORKAROUND:
From version 15.5 upwards, you can suppress the installation of the Chrome extension by adding INSTALLCHROMEPLUGIN=0 to the agent package installation string in the install_agent.bat file.
Additional Information
For information on removing this extension from computers where the agent has already been deployed, see TECH240124.
Feedback
Yes
No
Powered by
