Google Chrome Extension: Windows 10 Accounts - Windows 10 v2004 - does it work?

RDW 216 Reputation points
2020-09-09T20:16:39.917+00:00

Hi folks

Does anyone know if the Google Chrome Extension "Windows 10 Accounts" works on Windows 10 v2004 (I'm using Enterprise)?

The reason I ask is that we are using Conditional Access Policies within Intune and whenever I use the extension, it is coming up with the following text:

"You can't get there from here The application contains sensitive information and can only be accessed from: - Devices or client applications that meet xxxxxx management compliance policy."

Then below the above text, it states:

"The Chrome extension is not supported on your version of Windows. You must be on Windows 10 version 1703 or above."

I am definitely running the following version:

Windows 10 2004, OS Build 19041.450

Is there a bug on the extension with this version of Windows?

Thanks

Microsoft Entra ID

Accepted answer
  1. RDW 216 Reputation points
    2020-09-17T17:04:55.39+00:00

    Hi @VipulSparsh-MSFT and @Walker McAninch, I managed, after some lengthy testing, to get to the bottom of the problem for us. I did try older versions of Windows 10 (1903 etc.) and this wasn't the issue. We use Chrome CIS Level 1 security benchmarks that use ADMX ingestion (Chrome ADMX). One of those policies (which is now deprecated by Google), NativeMessagingBlacklist with a wildcard (*), blocks access to the Native Messaging APIs. You can either add in NativeMessagingWhitelist with your exceptions or use the newer Chrome policy of NativeMessagingBlocklist. This policy was the problem though.

    This was the original problem setting within Intune in the custom OMA-URI format with no whitelist set:

    ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~NativeMessaging/NativeMessagingBlacklist
    <enabled/><data id="NativeMessagingBlacklistDesc" value="1*"/>

    Once this policy was updated to the new version or a whitelist entry added for the extension for the older policy version, it worked.

    EDIT: Please note that the above NativeMessagingBlocklist and NativeMessagingAllowlist are only supported in Chrome 86 and onwards. To use the legacy policies, add the following Blacklist and Whitelist in:

    Legacy Blacklist Policy

    Name: <Your custom blacklist policy name>
    Description: <Your custom blacklist description>
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~NativeMessaging/NativeMessagingBlacklist
    Data type: String
    Value: <enabled/><data id="NativeMessagingBlacklistDesc" value="1*"/>

    Legacy Whitelist Policy

    Name: <Your custom whitelist policy name>
    Description: <Your custom whitelist description>
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~NativeMessaging/NativeMessagingWhitelist
    Data type: String
    Value: <enabled/><data id="NativeMessagingWhitelistDesc" value="1com.microsoft.browsercore"/>

    The important value is the com.microsoft.browsercore value above. Be careful with the speech marks ("") when copying and pasting the "Value" data above, as if they are wrong, you'll get a remediation error within Intune.

    2 people found this answer helpful.
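
A way to check an affected machine for the condition described in the accepted answer, as an added example that is not part of the original thread or of any Microsoft or Google tooling. It assumes the Chrome policies land under `HKLM:\SOFTWARE\Policies\Google\Chrome` (the same root as the `ExtensionInstallForcelist` key quoted elsewhere in this thread), with each list entry stored as a numbered string value; the function names are hypothetical.

```powershell
# Added example: audit Chrome native-messaging policy for the BrowserCore host.
# Assumption: device-scope Chrome policies are stored under this key, and list
# policies are subkeys holding string values named 1, 2, 3, ...
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$HostName   = 'com.microsoft.browsercore'   # native host named in the answer above

function Get-ChromeListPolicy {
    param([string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }   # policy not configured
    $item = Get-Item -Path $key
    return @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
}

function Test-NativeHostAllowed {
    param([string[]]$Block, [string[]]$Allow, [string]$NativeHost)
    # A host is blocked when the block list names it or contains the wildcard '*',
    # unless the allow list names the host explicitly.
    $blocked = ($Block -contains '*') -or ($Block -contains $NativeHost)
    $allowed = $Allow -contains $NativeHost
    return (-not $blocked) -or $allowed
}

# Evaluate the current policy names and the legacy names as separate pairs.
$pairs = @(
    @{ Block = 'NativeMessagingBlocklist'; Allow = 'NativeMessagingAllowlist' },
    @{ Block = 'NativeMessagingBlacklist'; Allow = 'NativeMessagingWhitelist' }
)

foreach ($p in $pairs) {
    $block = Get-ChromeListPolicy $p.Block
    $allow = Get-ChromeListPolicy $p.Allow
    [pscustomobject]@{
        BlockPolicy  = $p.Block
        BlockEntries = $block -join ', '
        AllowPolicy  = $p.Allow
        AllowEntries = $allow -join ', '
        HostAllowed  = Test-NativeHostAllowed -Block $block -Allow $allow -NativeHost $HostName
    }
}
```

A row showing `*` in `BlockEntries` with `HostAllowed` set to `False` matches the misconfiguration described above: the wildcard block is in place without an exception for `com.microsoft.browsercore`.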

5 additional answers

  1. VipulSparsh-MSFT 16,246 Reputation points Microsoft Employee
    2020-09-10T03:38:13.07+00:00

    @RDW Thanks for reaching out. If you have already confirmed that you have added the Windows 10 extension to Google Chrome, please verify if you see this registry entry on your machine. If not, then please create it:

    Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
    Name: 1
    Type: REG_SZ (String)
    Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

    Have you also tried using it on any version to see if you are facing the issue only on any specific Windows version? That would help narrow it down.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.

  2. Walker McAninch 6 Reputation points
    2020-09-15T23:03:26.333+00:00

    I'm experiencing the same issue on 2004. Works fine on 1909, but 2004 machines throw the "Chrome extension is not supported on your version of Windows. You must be on Windows 10 version 1703 or above." error.

    1 person found this answer helpful.

  3. Dan P 6 Reputation points
    2021-06-21T09:28:59.34+00:00

    An additional finding for this issue - if you happen to block CMD.exe for standard users (via AppLocker or another method) then the Windows 10 Accounts extension will not work, as it appears to call CMD.exe to be able to read the device ID to then allow the conditional access check in AAD.

    You will need to allow standard users to launch CMD.exe to allow Chrome to read the device ID.

    1 person found this answer helpful.

  4. Jason Sandys 31,181 Reputation points Microsoft Employee
    2020-09-09T21:01:22.243+00:00

    You should add Azure AD tags to your post as this really is unrelated to Intune.