Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.velatir.com/llms.txt

Use this file to discover all available pages before exploring further.

The MSI is the recommended way to roll the Velatir browser extension out to Windows. It force-installs the extension from each browser’s store and writes the managed configuration (API token, organisation name) for Chrome, Edge, and Firefox in one step. No scripting, no per-browser setup.
The MSI configures Chrome, Edge, and Firefox. For Vivaldi and Brave use the alternative Windows methods; for ChatGPT Atlas use macOS. If you do not use the MSI at all (for example you push policy via Group Policy Preferences or policies.json), see the alternative methods.

Which package do I need?

There are two MSIs. Pick by where your browser policy needs to live.

Default - per-machine

Managed devices deployed by IT, with admin rights. Writes policy to HKLM. The right choice for most fleets.Download: x64 · arm64

Per-user - no admin

Your policy estate is per-user (HKCU), or you cannot grant admin. Writes policy to HKCU, installs in the user’s context.Download: x64 · arm64
Need directory context (AD / Entra) on traces too? That is an add-on to either choice, not a third package. See Directory context host below.

Install

Run the command for the package you chose above:
Runs in device context and requires admin / elevation. Writes policy under HKLM.
msiexec /i VelatirExtension-x64.msi API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization" /qn
  • Directory context host: add ENABLE_LDAP_HOST=1 (see below)
Deploy one policy package per machine. Do not end up with force-install entries in both HKLM and HKCU on the same device — browsers read both hives and handle duplicate forcelist rows inconsistently. For per-user policies plus the machine-wide host, use the combined rollout, not both policy packages.

Deploy with Intune or SCCM

The MSI is a standard package, so any tool that runs msiexec works. Step-by-step for the two common ones:
Works on all Windows editions (Pro, Enterprise, Education) and deploys to all three browsers in one step.
  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Apps > All apps, then click + Add
  3. Select Line-of-Business app as the App Type
  4. Upload the MSI (VelatirExtension-x64.msi, or the arm64 / per-user variant) in App package file and click OK
  5. In App information, fill in:
    • Name: Velatir Browser Extension
    • Description: Velatir AI compliance browser extension
    • Publisher: Velatir
    • Set Ignore app version to No
    • In Command-line arguments, enter: 
      /qn API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization"
  6. Click OK, then Next
  7. In Assignments, click Add group and select your target groups. Use device groups for the per-machine MSI, user groups for the per-user MSI.
  8. Click Next, review, and click Create
Deploy the same pre-built MSI, passing the properties at install time.Create an application
  1. Open the Configuration Manager Console
  2. Navigate to Software Library > Application Management > Applications
  3. Click Create Application > Manually specify the application information
  4. Add a Deployment Type and select Script Installer
  5. Set the content location to the network share containing the MSI(s)
Install command
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_yourApiTokenHere ORGANIZATION_NAME="Your Organization" /qn
(Use VelatirExtension-PerUser-x64.msi and a user collection for the per-user package. Add ADDLOCAL=Chrome,Edge or ENABLE_PRIVATE_BROWSING=1 as needed.)Detection method — a registry rule. Check HKEY_LOCAL_MACHINE for the per-machine MSI, HKEY_CURRENT_USER for the per-user MSI.
SettingValue
HiveHKEY_LOCAL_MACHINE (per-machine) / HKEY_CURRENT_USER (per-user)
KeySOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policy
ValueapiToken
Data TypeString
RuleThe registry setting must exist
Deploy
  1. Right-click the application > Deploy
  2. Select the target Device Collection (or a user collection for the per-user MSI)
  3. Set purpose to Required (auto-install) or Available (self-service)
  4. Set a schedule and complete the wizard

Directory context host (optional)

The extension can enrich every trace with the signed-in user’s organisational context (department, office, OU hierarchy, group memberships) from Active Directory or Microsoft Entra ID, fetched by a small native helper the per-machine MSI installs. It is machine-wide and needs admin either way.
  • Policies + host together (per-machine deployments): add ENABLE_LDAP_HOST=1 to the install command.
  • Host only, no browser-policy keys: pass LDAP_ONLY=1. Every browser-policy component is suppressed, so the package writes nothing under ...\Policies\... and touches only C:\Program Files\Velatir\ and the HKLM\SOFTWARE\<browser>\NativeMessagingHosts\... registrations.
msiexec /i VelatirExtension-x64.msi API_TOKEN="vltr_..." ORGANIZATION_NAME="..." ENABLE_LDAP_HOST=1 /qn

Combined rollout: per-user policies + machine-wide host

This is the supported way to get HKCU browser policies and the directory-context host on the same machine without duplicating force-install entries across hives.
1

Per-user MSI in user context

Lays the policy keys down under HKCU (no admin):
msiexec /i VelatirExtension-PerUser-x64.msi API_TOKEN="vltr_..." ORGANIZATION_NAME="..." /qn
2

Per-machine MSI with LDAP_ONLY=1 in device context

Installs only the host, writing no policy keys:
msiexec /i VelatirExtension-x64.msi API_TOKEN="vltr_..." ORGANIZATION_NAME="..." LDAP_ONLY=1 /qn
Policy keys then live only in HKCU, the host lives machine-wide, and nothing is written to HKLM\SOFTWARE\Policies\.... Re-pass LDAP_ONLY=1 on every redeploy of the per-machine package so an upgrade never reintroduces the HKLM policy keys (deployment tools store the full command line, so this is automatic). See Directory Context for the Entra admin-consent step, single-machine verification, and exactly what the host sends.

Reference

PropertyRequiredDescription
API_TOKENYesYour Velatir API token (e.g. vltr_...)
ORGANIZATION_NAMEYesYour organisation’s display name shown in the extension
ADDLOCALNoComma-separated list of browsers to configure. Defaults to all. Options: Chrome, Edge, Firefox
ENABLE_PRIVATE_BROWSINGNoSet to 1 to enable the extension in private browsing. Edge (InPrivate) and Firefox only; Chrome does not support this on Windows.
ENABLE_LDAP_HOSTNoPer-machine MSI only. Set to 1 to install the directory-context host alongside the policy keys.
LDAP_ONLYNoPer-machine MSI only. Set to 1 to install only the directory-context host and write no browser-policy keys. Implies ENABLE_LDAP_HOST=1.
Redeploy with the new value. Reinstalling overwrites the existing registry keys:
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_newTokenHere ORGANIZATION_NAME="Your Organization" /qn

msiexec /x VelatirExtension-x64.msi /qn
Use the matching package name for a per-user install (VelatirExtension-PerUser-x64.msi), in the same context it was installed. Uninstalling removes all registry keys cleanly; the per-machine package also removes the host EXE, the manifests, and the persisted enablement flag.Removing the force-install policy does not uninstall the extension from existing browser profiles — users can then disable or remove it themselves. To force removal, block the extension first (Chrome/Edge ExtensionInstallBlocklist, or Firefox ExtensionSettings with installation_mode: blocked).

Verify the deployment

Confirm policies applied and the extension is installed

Directory Context

Enrich traces with AD / Entra organisational context

Alternative Windows methods

PowerShell, manual registry, and Settings Catalog

Enterprise overview

Browser support, managed config, and other platforms