How to deploy the Push browser extension in Microsoft Edge using Microsoft Endpoint Manager (InTune)

This guide covers how to deploy the Push Security browser extension, including how to configure it to endpoints in your organization using Microsoft Endpoint Manager. We recommend that you deploy it first into a test environment, as you will be required to create policies and deploy a PowerShell script.

Note: Multiple steps in this guide overlap with the instructions in the related Google Chrome KB article. If you're following the guides to deploy settings for both browsers in your environment, please be sure to follow the steps closely to avoid missing settings that need to be applied in each instance.

Generating the extension config

Before we get started with configuring InTune, you need to generate a config specific to your team within the Push app. Skip to the next step if you’ve already done so.

In the Push app, head to the Browsers section, and click on Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

On the popup frame, click on the Managed button.

Push app - managed browser option: KB 10052/3/4/5/6/8
You'll see all the Push browser extension enrollment options here.

Next, click on the Device Management Software button, make sure Edge is the selected browser, Windows is the selected OS, and click Generate config. This will provide you with a button to download a config specific to your team.

Push app - Device Management Software Edge: KB 10055
Generate the config file for your team.

Once you’ve downloaded and extracted the zip file, proceed to the next step.

Creating a Configuration Profile

In Microsoft Endpoint Manager, select Devices (1), Configuration profiles (2) and then Create profile (3). Select Windows 10 and later(4) as your target platform, Templates (5)as the Profile type, and finally select Administrative Templates (6) then click the Create (7) button.

InTune - Create Configuration Profile: KB 10054 10055
Create a configuration profile in Microsoft Endpoint Manager

Enter a descriptive name for the profile (8), and a description if required, then click on the Next (9) button.

InTune - Device Management Profile Creation Edge: KB 10055
Name the profile and add a description.

On the next screen, make sure Computer Configuration is selected (10). In the Setting name listing, click on Microsoft Edge, then Extensions, and finally Control which extensions are installed silently (11). If a page opens on the right side of your screen, scroll down, click the Enabled radio button (12), and paste the following string into the value field (13):


Finally, click OK (14).

InTune - Device Management Profile Creation Edge Settings: KB 10055
Configure the Microsoft Edge administrative template.

Note: You may have noticed the URL following the extension is one associated with Google Chrome. This is intentional and should be configured as defined in this guide for the extension to be successfully rolled out to Microsoft Edge browsers.

Click Next at the bottom of the page and set any scope tags you require. On the following page, assign target groups (15), or set it to apply to all users and groups, if required. Click Next (16) at the bottom of the page.

InTune - Device Management Profile Creation Assignments: KB 10054 10055
Add groups to target with the profile.

On the final page, review the profile for any errors and finally click Create (17).

InTune - Device Management Profile Creation Edge Review: KB 10055
Review the profile's settings.

Creating a PowerShell Script

There are a few settings we can't configure via configuration profiles, so we'll need to create a PowerShell script that will run on each endpoint to finalize the configuration steps.

The purpose of the script is to create registry keys and values containing policy settings for the Push Security extension, as it's not possible to configure these values via administrative templates in InTune.

In Microsoft Endpoint Manager, click on Devices (1), Scripts (2), Add (3), and then select Windows 10 and later (4) on the dropdown menu.

InTune - Create PowerShell script step 0: KB 10054 10055

On the Add PowerShell script screen, provide a Name (5) for the script, a description (optional), and click Next (6).

InTune - Device Management Powershell Edge step 1: KB 10055
Provide a name and description for the PowerShell script.

Next, upload (8) edge_push_security.ps1 included in the file generated in the Push app. Once uploaded, click on Yes next to the Run script in 64 bit PowerShell Host (8) option. This is an important step to make sure the registry keys are created in the correct location on 64-bit hosts. Click Next (9).

InTune - Device Management Powershell Edge step 2: KB 10055
Configure the script settings.

As with the previous section, click Add groups (10) to specify the group or groups you wish to deploy the settings to, or set it to apply to all users and groups if required. Click Next (11) at the bottom of the page.

InTune - Device Management Powershell step 3: KB 10054 10055
Assign groups.

On the final page, review the profile for any errors and finally click Create (12).

InTune - Device Management Powershell Edge step 4: KB 10055

The configuration steps for deploying the Push Security browser extension for Microsoft Edge via Microsoft Endpoint Manager is complete.

If you have any questions or you need help setting up, contact us and the Push team can help.