Hi Mark,

Chrome extension removal via PowerShell can be tricky, especially in managed environments where timeouts and profile corruption are common. I’ve been down this road myself.

Based on web searching and testing on my end, the Google Chrome Enterprise documentation available at their website goes into specifics for how to use the 4Syops link you gave us. Below are a couple of Google provided resources followed by my suggestions:
- https://support.google.com/chrome/a/answer/7532015?hl=en&ref_topic=9023098&sjid=7092383473352488300-NA
- https://support.google.com/chrome/a/answer/9296680?hl=en.

As a prerequisite, I would utilize the adm/admx files to either create a GPO or to manage settings via an MDM. While, it will be possible to utilize Automox to import these, you want your MDM to enforce those specific settings. To perform this with Automox, you can ingest the adm/admx files into a required software policy as a payload to configure Google Chrome to maintain specific settings.

Additionally, the best way to go after removal would be to craft a custom script and to drop it into a worklet with the following functions:

Required

• stop Google Chrome browser to avoid user-date profile locks (if running)
• parse Chrome’s extensions folder and manifest.json files
• preserve appearance (dark/light/device mode), you can blow away permissions, configurations, and bookmarks if you’re not careful (read and preserve appearance.mode (dark/light/system) from Chrome’s Preferences file)

• detect extensions with "name" fields containing "theme", or by categories (extensive code needed), safer to rip out themes instead

Optional

• scrub extension metadata

• purge folders like IndexedDB, ScriptCache, Extension Scripts, etc.

Code considerations

• read installed extensions and including Names/Friendly names of the extensions with their extension IDs
• create exit codes with necessary outputs to notify you from the Automox Activity Log as to which steps were performed
• avoid profile resets - destructive and will lead to lost bookmarks (all user data is removed)
• utilize array to remove specific extensions by their identifiers
• utilize an array to include exclusions to avoid removing Corporate managed extensions
• create a dynamic variable to remove every extension that is not in your exclusions array
  
  Then, you will be able to easily utilize the Google Chrome Extension enforcement to prevent extensions reinstallation. If you utilize this in tandem with a security tool (e.g., CrowdStrike, Defender, SentinelOne, etc), you can stop extensions from even loading.
   

Let us know if that’s what you were looking for and which path you may need guidance with. 

Thanks,

Angelo 

So while it isnt a app driven solution, I have a GPO that has Allowed extensions. Once enforce anything NOT on that list is nuked pretty quick. Sadly it is manual as you need to know the ID Chrome assigns to each one you want to allow. But it works!  I have what it looks like in chrome below if interested =)  The formatting changes here, this would be a one liner in the GPO. 

{"*":{"installation_mode":"blocked","blocked_install_message":"Please contact the help desk if you think an extension should be unblocked."},"efaidnbmnnnibpcajpcglclefindmkaj":{"installation_mode":"allowed"},"mfpddejbpnbjkjoaicfedaljnfeollkh":{"installation_mode":"allowed"},"pnlccmojcmeohlpggmfnbbiapkmbliob":{"installation_mode":"allowed"},"fdjamakpfbbddfjaooikfcpapjohcfmg":{"installation_mode":"allowed"},"fmkadmapgofadopljbjfkapdkoienihi":{"installation_mode":"allowed"},"hdokiejnpimakedhajhdlcegeplioahd":{"installation_mode":"allowed"}}

Yes, GPOs management with ADM/ADMX templates also works well for creating restrictions for specific and already know Chrome app IDs. Nice one!