Managing extensions in Visual Studio Code has been supported since version 1.96 (November 2024) and is a very welcome addition. We can block extensions, allow extensions, control exactly which version of an extension is allowed, and more.
ADMX/ADML files are now included in the setup files for Visual Studio Code.
I will not use them but use a simple remediation script instead, as I see no need to import the ADMX/ADML files in Intune for just two settings (extension control and update control).
Background
But let’s start with why this is important. The extensions in Marketplace are controlled by Microsoft before publishing, from the FAQ:
“The Visual Studio Marketplace employs several measures to protect you from malicious extensions and you can also perform various steps to determine if an extension is reliable before installing it.”
Extension Marketplace
However, what about my information? There are many AI-backed extensions and of course they have different levels of privacy. But after checking a couple of random extensions and browsing their websites, I found this as an example (not outing which extension it is).

I wonder how many of the users of the extension actually read that?
That is why the first thing we need to do is to educate our Visual Studio Code users to read and take a couple of minutes to check an extension before installing it.
But in some environments that is not enough; we need to control which extensions are allowed to be installed. An example could be a Secure Access Workstation (SAW), among many other scenarios.
If a system installation of Visual Studio Code is used, a standard user can still install extensions, because they are installed in the user profile.
Settings we can manage
We can control two settings:
| Policy | Description |
| --- | --- |
| AllowedExtensions | Controls which extensions can be installed. |
| UpdateMode | Controls whether VS Code automatically updates when a new version is released. |

Allowed extensions can be controlled by either the publisher or the extension identifier, which can be found in Visual Studio Code or in the Marketplace.

We can allow them using the following sample syntax:
Allow all extensions published by Microsoft = {"microsoft" :true,}
Allow all extensions published by Microsoft and Rainbow CSV = {"microsoft" :true,"mechatroner.rainbow-csv" :true,}
Allow only stable versions of an extension = {"mechatroner.rainbow-csv" :"stable",}
We can also block individual extensions by replacing true with false.
Block all extensions published by Microsoft = {"microsoft" :false,}
NOTE: It is really important that there is a space before :true, for example {"microsoft" :true,}. Without the space the setting is not enforced.
UpdateMode can be set to none, manual, start or default. As our users don't have local admin permissions and we manage 3rd party updates with a tool (for example, PatchMyPC, Enterprise App Management or Robopack), we want to disable automatic update prompts, as the user cannot update it anyway.
Setting UpdateMode to none suppresses any dialog to update to a newer version of Visual Studio Code.
Sample script to be run as a Remediation script in Intune:
# Registry key that VS Code reads its machine-wide policies from
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
if (!(Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force -EA SilentlyContinue | Out-Null
}
# -Force overwrites an existing value, so the script does not fail when it is run again
New-ItemProperty -Path $policyPath -Name "AllowedExtensions" -PropertyType String -Value '{"microsoft" :true,"mechatroner.rainbow-csv" :true,}' -Force | Out-Null
New-ItemProperty -Path $policyPath -Name "UpdateMode" -PropertyType String -Value "none" -Force | Out-Null
Exit 0
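An Intune Remediation pairs the script above with a detection script: exit code 1 tells Intune to run the remediation, exit code 0 reports the device as compliant. The following detection script is an added example, not part of the original post; the function name Get-PolicyDrift is hypothetical, and the expected values are copied from the remediation script.

```powershell
# Added example: Intune detection script for the VS Code policy values.
# Exit 1 = drift found (Intune runs the remediation), exit 0 = compliant.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\VSCode'

# Expected values, copied from the remediation script on this page.
$expected = [ordered]@{
    AllowedExtensions = '{"microsoft" :true,"mechatroner.rainbow-csv" :true,}'
    UpdateMode        = 'none'
}

# Hypothetical helper: returns one message per missing or changed value.
function Get-PolicyDrift {
    param([string]$Path, [System.Collections.IDictionary]$Expected)

    if (-not (Test-Path -Path $Path)) {
        return @("Policy key missing: $Path")
    }
    # Returns $null when the key exists but holds no values.
    $actual = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $drift = @()
    foreach ($name in $Expected.Keys) {
        $prop = if ($actual) { $actual.PSObject.Properties[$name] } else { $null }
        if ($null -eq $prop) {
            $drift += "$name is not set"
        }
        elseif ($prop.Value -cne $Expected[$name]) {
            # Case-sensitive compare: the allow-list string must match exactly,
            # including the space before ':true' that the note above calls out.
            $drift += "$name is '$($prop.Value)', expected '$($Expected[$name])'"
        }
    }
    return $drift
}

$findings = @(Get-PolicyDrift -Path $policyPath -Expected $expected)
if ($findings.Count -gt 0) {
    # Intune records this output with the detection result.
    Write-Output ("Non-compliant: " + ($findings -join '; '))
    exit 1
}
Write-Output 'Compliant'
exit 0
```

Because the comparison is exact, a locally edited or widened allow-list is reported as drift and reset on the next remediation run.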
User experience
After the policy is applied, it is still possible to browse extensions, but only the approved ones can be installed. When browsing extensions, Install is greyed out as shown below.

The following text is shown for extensions not allowed.

If an extension was already installed that is not approved anymore, it will be disabled and the following message will be shown.

To sum it up, it works very well and is a long-awaited feature in Visual Studio Code for organizations that want to make sure their information is secure and that no sensitive information in their scripts is shared.