Test allowed extensions policy #235002

Closed
2 tasks done
sandy081 opened this issue Dec 2, 2024 · 10 comments

sandy081 (Member) commented Dec 2, 2024

Refs: #84756

Complexity: 3

Feature Documentation

Test that Allowed Extensions (extensions.allowed) setting can be added as a group policy on Windows.

Set up policies

  • Download the Windows ZIP from the builds page to get policies
  • Inside you'll find a policies folder.
    • Copy the policies\VSCodeInsiders.admx file to C:\Windows\PolicyDefinitions\
    • Copy the policies\en-us\VSCodeInsiders.adml file to C:\Windows\PolicyDefinitions\en-us
  • Press Win+R, type gpedit.msc, and hit Enter
  • You'll find the Allowed Extensions policy for both levels in {User,Computer} Configuration/Administrative Templates/Visual Studio Code - Insiders/Extensions. To set it:
    • Double click it
    • Switch to Enabled
    • In the value text box enter the JSON string value of allowed extensions object. Example text: {"microsoft": true}

Testing

  • Open VS Code and make sure the configured extensions are allowed and others are not allowed
  • Open Settings Editor and look for extensions.allowed setting in the settings editor and make sure
    • the value is shown as configured above
    • there is no link to edit this setting
    • Modifying the setting in the json file should not have any impact

sandy081 added this to the November 2024 milestone Dec 2, 2024

Gijsreyn commented Dec 2, 2024

I don't know if this is too soon feedback, but I just tried this in:

Image

Unfortunately, it did not work. Might I need the nightly build?

P.S. The Group Policy settings:

Image

isidorn (Contributor) commented Dec 2, 2024

@Gijsreyn good feedback, but the value of the group policy setting needs to be a JSON serializable object! @ntrogh let's make sure we document that (if we have not already).
Try something like:

"{ "ms-vscode.powershell": true }"

Testers here's an example JSON object you can put as the value

{
    "microsoft": true,
    "github": true,
    "esbenp.prettier-vscode": true,
    "ms-azuretools.vscode-docker": false,
    "dbaeumer.vscode-eslint": ["3.0.0"],
    "figma.figma-vscode-extension": ["3.0.0", "4.2.3", "4.1.2"],
    "rust-lang.rust-analyzer": ["5.0.0@win32-x64", "5.0.0@darwin-x64"],
    "github.vscode-pull-request-github": "stable",
    "redhat": "stable"
}

sandy081 (Member, Author) commented Dec 2, 2024

Also please note that there is a bug in today's insiders that reading policies from the registry is not working. End-to-end should be working from tomorrow's build.

ntrogh (Contributor) commented Dec 2, 2024

Instructions are included in our vnext docs, to be released with 1.96: https://github.com/microsoft/vscode-docs/blob/5f8d57339f7334ab2e63ad162d538815419c3a9d/docs/setup/enterprise.md?plain=1#L79

You can control the extensions.allowed setting by using device management. Use the AllowedExtensions VS Code policy, which overrides the extensions.allowed setting. The value of this policy is a JSON string that contains the allowed extensions.

Gijsreyn commented Dec 4, 2024

Hi @sandy081 and @isidorn. I know this item is closed, but hopefully I can still leave some feedback here. If you want me to raise another issue, I can.

Perhaps it is good to document the current limitations e.g.:

  • The setting does not allow to pin a specific version in the allowed list
  • Wildcards cannot be used. For example, when I tried doing something like *ms-* or ms-* to allow all Microsoft extensions, it did not reflect

A script might also be useful to set the relevant registry key.

# Change HKLM: to HKCU: if you want to do it for the user
$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\VSCodeInsiders'
$propertyName = 'AllowedExtensions'
$propertyValue = @{'ms-vscode.powershell' = $true }

# Check if the registry key exists
if (-not (Test-Path $registryPath)) {
    # Create the registry key
    New-Item -Path $registryPath -Force
}

# Check if the property exists
if (-not (Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue)) {
    # Create the property
    New-ItemProperty -Path $registryPath -Name $propertyName -Value ($propertyValue | ConvertTo-Json -Compress) -PropertyType String -Force
} else {
    Write-Output "The property '$propertyName' already exists."
}

P.S. While I recognize you want to document it in a timely manner with the release, I'm happy to contribute to the docs. I'll be putting up a blog post on it later this morning, so I have some content laying around. Just let me know :)

ntrogh (Contributor) commented Dec 4, 2024

@Gijsreyn What exactly do you mean by not being able to pin a specific version? You can specify an extension and version to allow only that one ("dbaeumer.vscode-eslint": ["3.0.0"]). Or am I misinterpreting your comment?

I'll add a note about not supporting wildcards. BTW, you can use microsoft as the publisher ID to allow all Microsoft extensions.
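
A pre-deployment check for the policy value, added here as an example (not part of the thread and not VS Code's own code): it rejects the mistakes reported above (a value that is not a JSON object, a wildcard key, a missing comma) before the string is written to the registry. The function name Test-AllowedExtensionsPolicy and the version pattern are assumptions inferred from the example values in this thread.

```powershell
# Added example. Accepted value shapes are inferred from this thread's examples (assumption).
function Test-AllowedExtensionsPolicy {
    param([string]$Json)

    $problems = [System.Collections.Generic.List[string]]::new()
    try {
        $policy = $Json | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return "Not valid JSON: $($_.Exception.Message)"
    }
    if ($policy -isnot [System.Management.Automation.PSCustomObject]) {
        return 'Value must be a JSON object such as {"microsoft": true}'
    }
    foreach ($entry in $policy.PSObject.Properties) {
        $id = $entry.Name
        $value = $entry.Value
        if ($id.Contains('*')) {
            $problems.Add("'$id': wildcards are not supported; use the publisher ID instead")
        }
        if ($value -is [bool]) { continue }
        if ($value -is [string]) {
            if ($value -cne 'stable') { $problems.Add("'$id': string value must be 'stable'") }
        } elseif ($value -is [array]) {
            foreach ($v in $value) {
                # Pattern covers the "3.0.0" and "5.0.0@win32-x64" forms shown above (assumption).
                if (($v -isnot [string]) -or ($v -notmatch '^\d+\.\d+\.\d+(@[\w-]+)?$')) {
                    $problems.Add("'$id': '$v' is not a version or version@platform string")
                }
            }
        } else {
            $problems.Add("'$id': expected true, false, 'stable' or a list of versions")
        }
    }
    return $problems
}

# Constructed sample values covering the cases raised in this thread.
$samples = [ordered]@{
    'valid object'  = '{"microsoft": true, "dbaeumer.vscode-eslint": ["3.0.0"], "redhat": "stable"}'
    'not an object' = '"ms-vscode.powershell"'
    'wildcard key'  = '{"ms-*": true}'
    'missing comma' = '{"a.b": ["1.0.0"] "c.d": true}'
}
foreach ($name in $samples.Keys) {
    $found = @(Test-AllowedExtensionsPolicy -Json $samples[$name])
    if ($found.Count -eq 0) { "${name}: OK" } else { $found | ForEach-Object { "${name}: $_" } }
}
```

The same function can be pointed at the string already stored in the AllowedExtensions value under the policy key used in the script above, to audit what is deployed.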

Gijsreyn commented Dec 4, 2024

@ntrogh You are not misinterpreting it. I should have been testing with an actual version that exists, which I didn't. Apologies, and thanks for providing the example.

Will wait for the awesome documentation to come. Cheers!

ntrogh (Contributor) commented Dec 4, 2024

Thanks for challenging us. Makes the docs better!

rtpub88 commented Dec 17, 2024

Hi, just want to share that I tried this policy and found that although the extensions set in the group policy are being locked down (i.e. you cannot override the settings set by your administrator), any additional extensions you set in your settings.json will be allowed to install.

isidorn (Contributor) commented Dec 17, 2024

@rtpub88 thank you. Can you please file a new issue for this with repro steps and ping me @isidorn on the issue 🙏

vs-code-engineering bot locked and limited conversation to collaborators Jan 18, 2025