Skip to main content
Most Windows fleets should use the MSI. Use the methods on this page when you do not deploy via the MSI, for example when you push policy through Group Policy Preferences, a policies.json file, or the Intune Settings Catalog. Unlike the MSI (which configures Chrome, Edge, and Firefox), the PowerShell script and manual registry tables here also cover Vivaldi and Brave.

Per-user (HKCU) deployment

Browser policy can live in the per-user hive (HKCU\Software\Policies\…) instead of HKLM. That subtree is privileged — a non-elevated process cannot write it — so per-user rollout uses a mechanism that runs with the necessary rights: Group Policy, Intune, or the per-user MSI run elevated. The keys are identical to the manual registry tables below; only the hive changes (HKCU instead of HKLM).

Group Policy (complete per-user path)

Use a user-scoped GPO. Group Policy Preferences Registry items can write the full key set — force-install plus the apiToken / organizationName managed config — to HKCU\Software\Policies\…. The Group Policy engine applies them in each user’s context with the rights those keys require, so this single mechanism covers both force-install and managed configuration.

Intune

Assign the policies to user groups (not device groups):
  • Force-install — covered by the Settings Catalog: Chrome “Configure the list of force-installed apps and extensions” and Edge “Control which extensions are installed silently”. Use the Velatir extension IDs from the Settings Catalog section.
  • Managed config (apiToken / organizationName) — this per-extension managed storage is not a Settings Catalog setting. Deliver it via Group Policy Preferences (above) alongside Intune force-install, or via a custom OMA-URI / ingested ADMX if you are Intune-only.

Per-user MSI (run elevated)

The per-user MSI (VelatirExtension-PerUser-<arch>.msi, x64 · arm64) writes the force-install and managed-config keys straight to HKCU\Software\Policies in one step, with no Group Policy or ADMX work. Because that subtree is privileged, it must run elevated in the target user’s session (a non-elevated run fails). Deliver it where that holds — the user runs it as a local admin, or your tooling launches it elevated in the user’s context. It is registry-only and never carries the directory-context host. 
msiexec /i VelatirExtension-PerUser-x64.msi API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization" /qn

Add Velatir to an existing per-user GPO

For fleets that already push force-installed extensions via a per-user GPO (HKCU\Software\Policies\<Google\Chrome|Microsoft\Edge>\ExtensionInstallForcelist), the cleanest rollout is to add the Velatir extension IDs to that existing GPO rather than deploying the per-machine MSI for the forcelist. Chrome and Edge resolve same-policy values across hives by precedence — HKLM beats HKCU, with no cross-scope merge available — so a per-machine MSI deployed on top of a per-user GPO would hide every other extension the GPO was pushing.

Velatir IDs and update URLs

Add one row per browser to your existing per-user GPO forcelist. The value format is <extension-id>;<update-url>:
BrowserExtension IDUpdate URL
Chromebbiokppljpbjgiogcoggjnfffbeiihjahttps://clients2.google.com/service/update2/crx
Edgephgnjcoglpdamjjmidheehacjbkgkoochttps://edge.microsoft.com/extensionwebstorebase/v1/crx
Firefoxvelatir@velatir.comhttps://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi
Firefox does not use the ExtensionInstallForcelist policy; it uses HKCU\Software\Policies\Mozilla\Firefox\Extensions\Install with the XPI URL as the value (no extension ID prefix). See the manual registry tables below for the full key shape. Use a high value name (e.g. 1000) for the new entry to avoid colliding with your other GPO-managed forcelist entries, which conventionally start at 1.

Managed configuration (API token, organisation name)

The forcelist installs the extension but does not configure it. Add the per-extension managed-config keys to the same GPO so each user gets apiToken, organizationName, and machineId populated automatically. The key paths and value names match the manual registry tables below — just swap HKLM for HKCU and deliver them from your GPO instead of the MSI. The machineId value can be anything stable per device; the MSI uses the Windows computer name (%COMPUTERNAME%).

Directory context (optional)

If you want every trace enriched with the user’s AD / Entra organisational context (department, OU hierarchy, group memberships), the directory-context host still ships in the per-machine MSI and can be installed standalone, writing no browser-policy keys, via LDAP_ONLY=1. The browser-policy components are suppressed, so API_TOKEN and ORGANIZATION_NAME are not needed: 
msiexec /i VelatirExtension-x64.msi LDAP_ONLY=1 /qn
The MSI then touches only C:\Program Files\Velatir\ and the per-browser native-messaging-host registrations under HKLM\SOFTWARE\<browser>\NativeMessagingHosts\com.velatir.ldap_host. Your GPO continues to own every ...\Policies\... key. See Directory Context for what the host sends.

Verifying

After updating the GPO, run gpupdate /force on a test box, then open chrome://policy and edge://policy and click Reload policies. The ExtensionInstallForcelist row should list every extension your GPO was already pushing plus the Velatir entry, all sourced from the same hive. Each extension should auto-install within a minute or two.

PowerShell script

A single PowerShell script covers Chrome, Edge, Firefox, Vivaldi and Brave. It uses the Windows computer name ($env:COMPUTERNAME) as the machineId shared across all five browsers, matching the MSI’s behaviour so both deployment paths produce the same value. Edit $ApiToken and $OrganizationName at the top of the script, then run it as Administrator or SYSTEM in 64-bit PowerShell. Set $EnablePrivateBrowsing = $true to enable the extension in Edge InPrivate and Firefox private browsing. Configuration script (Configure-Velatir.ps1): 
# Configuration - UPDATE THESE VALUES
$ApiToken = "your-api-token-here"
$OrganizationName = "Your Organization"
$EnablePrivateBrowsing = $false  # Set to $true to enable in Edge InPrivate and Firefox private browsing

# Extension IDs
# Vivaldi and Brave install the Chrome Web Store build of the extension and
# therefore share Chrome's extension ID.
$ChromeId = "bbiokppljpbjgiogcoggjnfffbeiihja"
$EdgeId = "phgnjcoglpdamjjmidheehacjbkgkooc"
$FirefoxId = "velatir@velatir.com"
$VivaldiId = $ChromeId
$BraveId = $ChromeId

# Machine ID: Windows computer name. Matches the MSI's [ComputerName] behaviour.
$MachineId = $env:COMPUTERNAME

function Set-ManagedPolicy($Path, $Token, $OrgName, $Id) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name "apiToken" -Value $Token -Type String
    Set-ItemProperty -Path $Path -Name "organizationName" -Value $OrgName -Type String
    Set-ItemProperty -Path $Path -Name "machineId" -Value $Id -Type String
}

# Chrome
$ChromeForcelist = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (-not (Test-Path $ChromeForcelist)) {
    New-Item -Path $ChromeForcelist -Force | Out-Null
}
# Use name "1000" to avoid colliding with MDM-managed entries (which start at 1)
Set-ItemProperty -Path $ChromeForcelist -Name "1000" -Value "$ChromeId;https://clients2.google.com/service/update2/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ChromeId\policy" $ApiToken $OrganizationName $MachineId

# Edge
$EdgeForcelist = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
if (-not (Test-Path $EdgeForcelist)) {
    New-Item -Path $EdgeForcelist -Force | Out-Null
}
Set-ItemProperty -Path $EdgeForcelist -Name "1000" -Value "$EdgeId;https://edge.microsoft.com/extensionwebstorebase/v1/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\$EdgeId\policy" $ApiToken $OrganizationName $MachineId

# Edge InPrivate (opt-in)
$EdgeInPrivate = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\MandatoryExtensionsForInPrivateNavigation"
if ($EnablePrivateBrowsing) {
    if (-not (Test-Path $EdgeInPrivate)) {
        New-Item -Path $EdgeInPrivate -Force | Out-Null
    }
    Set-ItemProperty -Path $EdgeInPrivate -Name "1000" -Value $EdgeId -Type String
} elseif (Test-Path $EdgeInPrivate) {
    Remove-ItemProperty -Path $EdgeInPrivate -Name "1000" -ErrorAction SilentlyContinue
}

# Firefox
# Force-install via Extensions\Install to avoid overwriting ExtensionSettings (a single JSON value that may conflict with MDM)
$FirefoxInstall = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install"
if (-not (Test-Path $FirefoxInstall)) {
    New-Item -Path $FirefoxInstall -Force | Out-Null
}
Set-ItemProperty -Path $FirefoxInstall -Name "1000" -Value "https://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\$FirefoxId" $ApiToken $OrganizationName $MachineId

# Firefox private browsing (opt-in)
$FirefoxPolicyKey = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox"
if ($EnablePrivateBrowsing) {
    $ExtensionSettings = '{"velatir@velatir.com":{"private_browsing":true}}'
    Set-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -Value $ExtensionSettings -Type String
} elseif (Get-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue
}

# Vivaldi (Chromium-based; reads ExtensionInstallForcelist + 3rdparty\extensions\<id>\policy)
$VivaldiForcelist = "HKLM:\SOFTWARE\Policies\Vivaldi\ExtensionInstallForcelist"
if (-not (Test-Path $VivaldiForcelist)) {
    New-Item -Path $VivaldiForcelist -Force | Out-Null
}
Set-ItemProperty -Path $VivaldiForcelist -Name "1000" -Value "$VivaldiId;https://clients2.google.com/service/update2/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Vivaldi\3rdparty\extensions\$VivaldiId\policy" $ApiToken $OrganizationName $MachineId

# Brave (Chromium-based; the policy root drops the "-Browser" suffix even
# though the install directory is "Brave-Browser")
$BraveForcelist = "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist"
if (-not (Test-Path $BraveForcelist)) {
    New-Item -Path $BraveForcelist -Force | Out-Null
}
Set-ItemProperty -Path $BraveForcelist -Name "1000" -Value "$BraveId;https://clients2.google.com/service/update2/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\3rdparty\extensions\$BraveId\policy" $ApiToken $OrganizationName $MachineId

Write-Output "Velatir browser extensions configured (machineId: $MachineId)"
The script uses the Windows computer name ($env:COMPUTERNAME) as the machineId and writes it into each browser’s managed policy. The value is stable across reruns and consistent between Chrome, Edge, Firefox, Vivaldi and Brave, matching the MSI deployment behaviour.
To deploy to a subset of browsers, comment out the corresponding Chrome, Edge, Firefox, Vivaldi, or Brave section in both the configuration and uninstall scripts.
In Firefox, setting $EnablePrivateBrowsing = $true enables the extension in private browsing automatically. In Edge, the policy requires the extension to be allowed in InPrivate, but each user must still manually enable the extension for InPrivate mode in their browser settings. Chrome does not support an Incognito policy on Windows.

Uninstall

To reverse everything the configuration script writes, run the script below. It’s safe to run whether or not the configuration script has been applied, and it leaves any MDM-managed policies (at forcelist indexes other than 1000) untouched. Uninstall script (Remove-Velatir.ps1): 
$ChromeId = "bbiokppljpbjgiogcoggjnfffbeiihja"
$EdgeId = "phgnjcoglpdamjjmidheehacjbkgkooc"
$FirefoxId = "velatir@velatir.com"
$VivaldiId = $ChromeId
$BraveId = $ChromeId

function Remove-ForcelistEntry($Path, $Name) {
    if (Test-Path $Path) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    }
}

# Chrome
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ChromeId" -Recurse -Force -ErrorAction SilentlyContinue

# Edge
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist" "1000"
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Microsoft\Edge\MandatoryExtensionsForInPrivateNavigation" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\$EdgeId" -Recurse -Force -ErrorAction SilentlyContinue

# Vivaldi
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Vivaldi\ExtensionInstallForcelist" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Vivaldi\3rdparty\extensions\$VivaldiId" -Recurse -Force -ErrorAction SilentlyContinue

# Brave
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\ExtensionInstallForcelist" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave\3rdparty\extensions\$BraveId" -Recurse -Force -ErrorAction SilentlyContinue

# Firefox (registry)
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install" "1000"
# Only clear ExtensionSettings if it matches the private-browsing-only blob written by the configuration script
$FxKey = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox"
$ExtSettings = (Get-ItemProperty -Path $FxKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue).ExtensionSettings
if ($ExtSettings -eq '{"velatir@velatir.com":{"private_browsing":true}}') {
    Remove-ItemProperty -Path $FxKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue
}
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\$FirefoxId" -Recurse -Force -ErrorAction SilentlyContinue

# Firefox policies.json alternative: remove only Velatir entries, leave other policies intact
$PolicyFile = "C:\Program Files\Mozilla Firefox\distribution\policies.json"
if (Test-Path $PolicyFile) {
    try {
        $Policy = Get-Content $PolicyFile -Raw | ConvertFrom-Json -AsHashtable
        if ($Policy.policies.ExtensionSettings) {
            $Policy.policies.ExtensionSettings.Remove($FirefoxId)
            if ($Policy.policies.ExtensionSettings.Count -eq 0) { $Policy.policies.Remove("ExtensionSettings") }
        }
        if ($Policy.policies."3rdparty".Extensions) {
            $Policy.policies."3rdparty".Extensions.Remove($FirefoxId)
            if ($Policy.policies."3rdparty".Extensions.Count -eq 0) { $Policy.policies.Remove("3rdparty") }
        }
        if ($Policy.policies.Count -eq 0) {
            Remove-Item -Path $PolicyFile -Force
        } else {
            $Policy | ConvertTo-Json -Depth 10 | Set-Content -Path $PolicyFile -Encoding UTF8
        }
    } catch {}
}

# Legacy cleanup: earlier versions of the configuration script persisted a
# generated GUID here. Remove it if present so upgrades leave no stale data.
Remove-Item -Path "HKLM:\SOFTWARE\Velatir\BrowserExtension" -Recurse -Force -ErrorAction SilentlyContinue
$VelatirRoot = "HKLM:\SOFTWARE\Velatir"
if ((Test-Path $VelatirRoot) -and -not (Get-ChildItem $VelatirRoot -ErrorAction SilentlyContinue)) {
    Remove-Item -Path $VelatirRoot -Force -ErrorAction SilentlyContinue
}

Write-Output "Velatir browser policies removed"
Removing the force-install policy does not uninstall the extension from existing browser profiles. Users will simply be able to disable or remove it themselves. To force removal, block the extension first (Chrome/Edge ExtensionInstallBlocklist, or Firefox ExtensionSettings with installation_mode: blocked) before running the uninstall script.
If you deployed via the MSI rather than this script, use msiexec /x VelatirExtension-x64.msi /qn (or VelatirExtension-arm64.msi for ARM64 fleets) — the MSI’s uninstall removes its own registry writes cleanly.

Firefox via policies.json

If you prefer a policies.json file over registry keys for Firefox, use the following script instead of (or alongside) the Firefox section above. Configuration script (Configure-VelatirFirefoxJson.ps1): 
# Configuration - UPDATE THESE VALUES
$ApiToken = "your-api-token-here"
$OrganizationName = "Your Organization"

# Machine ID: Windows computer name. Matches the MSI's [ComputerName] behaviour.
$MachineId = $env:COMPUTERNAME

$PolicyDir = "C:\Program Files\Mozilla Firefox\distribution"
$PolicyFile = "$PolicyDir\policies.json"

if (-not (Test-Path $PolicyDir)) {
    New-Item -Path $PolicyDir -ItemType Directory -Force | Out-Null
}

# Merge with existing policies.json if present
$Policy = @{ policies = @{} }
if (Test-Path $PolicyFile) {
    try {
        $Policy = Get-Content $PolicyFile -Raw | ConvertFrom-Json -AsHashtable
    } catch {
        $Policy = @{ policies = @{} }
    }
}

$Policy.policies.ExtensionSettings = @{
    "velatir@velatir.com" = @{
        installation_mode = "force_installed"
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi"
        private_browsing = $true
    }
}

$Policy.policies."3rdparty" = @{
    Extensions = @{
        "velatir@velatir.com" = @{
            apiToken = $ApiToken
            organizationName = $OrganizationName
            machineId = $MachineId
        }
    }
}

$Policy | ConvertTo-Json -Depth 10 | Set-Content -Path $PolicyFile -Encoding UTF8

Write-Output "Velatir Firefox policies.json configured (machineId: $MachineId)"
Firefox updates may remove the distribution folder. If using this method, schedule the script to run regularly (e.g., once per day) to ensure the file is recreated after updates.

Intune Settings Catalog (force-install only)

Use this method if you only need to force-install the extension without pre-configured settings. Users will need to enter their API token manually after installation.
The Intune Settings Catalog does not support Firefox extension deployment. For Firefox, use the MSI or the PowerShell script above.
  1. Sign in to the Microsoft Intune admin center
  2. Go to Devices > Configuration > Create > New policy
  3. Select:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  4. Name your profile (e.g., “Velatir Chrome Extension”)
  5. Click Add settings and search for Google Chrome
  6. Select Google Chrome > Extensions
  7. Enable Configure the list of force-installed apps and extensions
  8. Add the following value: 
    bbiokppljpbjgiogcoggjnfffbeiihja;https://clients2.google.com/service/update2/crx
  9. Assign to your device groups and create the profile

Manual Registry Configuration (Windows)

If you’re not using Intune or SCCM, you can apply the same policies directly to the Windows registry. Use regedit, Group Policy Preferences, or any other tool that writes registry values. The tables below list every key, value name, and data needed. All values are written under HKEY_LOCAL_MACHINE (HKLM) as REG_SZ (String). Run any tool you use in 64-bit context so writes don’t land under WOW6432Node.
Use the value name 1000 for the force-install entries. This avoids colliding with MDM-managed entries, which typically start at 1.
Required
KeyValue nameData
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist1000bbiokppljpbjgiogcoggjnfffbeiihja;https://clients2.google.com/service/update2/crx
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policyapiTokenYour Velatir API token (e.g. vltr_...)
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policyorganizationNameYour organisation’s display name
Optional
KeyValue nameData
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policymachineIdStable per-device identifier (e.g. computer name)
Chrome does not support an Incognito policy on Windows, so there’s no equivalent to the Edge InPrivate or Firefox private-browsing entry.
To remove the configuration, delete the values you added. Removing the force-install entry doesn’t uninstall the extension from existing browser profiles. Users will simply be able to disable or remove it themselves.

Windows MSI (recommended)

The simpler, supported path for most Windows fleets

Verify the deployment

Confirm policies applied and the extension is installed