Menu
CCMEXEC.COM – Enterprise Mobility
  • Home
  • General
  • Configuration Manager
  • Windows 10
  • Windows 11
  • Intune
  • GitHub
  • About
CCMEXEC.COM – Enterprise Mobility

Managing extensions in Visual Studio Code

Posted on February 13, 2025February 14, 2025 by Jörgen Nilsson

Managing extensions in Visual Studio code is supported since version 1.96 (November 2024) and is a very welcome addition. We can block extensions, allow extensions or control exactly which version of an extension that is allowed and more.

ADMX/ADML files are now included in the setup files for Visual Studio code.
I will not use them but use a simple remediation script instead as I see no need to import the ADMX/ADML files in Intune for just two settings. (Extension control and Update control)

Background

But let’s start with why this is important. The extensions in Marketplace are controlled by Microsoft before publishing, from the FAQ:
“The Visual Studio Marketplace employs several measures to protect you from malicious extensions and you can also perform various steps to determine if an extension is reliable before installing it.”
Extension Marketplace
However what about my information? There are many AI-backed extensions and of course they have different levels of privacy. But after checking a couple of random extensions, browsing their website I found this as an example (not outing which extension it is)

I wonder how many of the users of the extension actually read that?
That is why the first thing we need to do is to educate our Visual Studio Code users to read and take a couple of minutes to check an extension before installing it.
But in some environments that is not enough, we need to control which extensions are allowed to be installed. An example could be a Secure Access Workstation(SAW) or many more scenarios.

If a system installation of Visual Studio code is used a standard user can still install extensions, they are installed in the user profile.

Settings we can manage

We can control two settings:

PolicyDescription
AllowedExtensionsControls which extensions can be installed.
UpdateModeControls whether VS Code automatically updates when a new version is released.

Allowed extension can be controlled by either the publisher or extension identifier which can be found in Visual Studio Code or Marketplace.

We can allow them using the following sample syntax:

Allow all extensions published by Microsoft =  {“microsoft” :true,}
Allow all extensions published by Microsoft and Rainbow CSV = {“microsoft” :true,”mechatroner.rainbow-csv” :true,}
Allow only stable versions of an extension = {”mechatroner.rainbow-csv” :”stable”,}

We can also block individual extensions by replacing true with false

Block all extensions published by Microsoft = {“microsoft” :false,}

NOTE: It is really important that there is a space before :true for example “{“microsoft” :true,}” without the space the setting is not enforced.

UpdateMode settings, None, Manual, start, default. As our users don’t have local admin permissions and we manage 3rd party updates with a tool (for example, PatchMyPC, Enterprise App Management or Robopack) we want to disable automatic updates prompts as the user cannot update it anyway.
Setting UpdateMode to None suppress any dialog to update to a newer version of Visual Studio Code.

Sample script to be run as Remediation script in Intune.

if (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\VSCode")) {
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\VSCode" -Force -EA SilentlyContinue 
}
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\VSCode" -Name "AllowedExtensions" -PropertyType String -Value '{"microsoft" :true,"mechatroner.rainbow-csv" :true,}'
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\VSCode" -Name "UpdateMode" -PropertyType String -Value "none"
Exit 0

User experience

After the policy is applied it is still possible to browse extensions but only install the approved ones. When browsing extensions Install is greyed out like shown below.

The following text is shown for extensions not allowed.

If an extension was already installed that is not approved anymore, it will be disabled and the following message will be shown.

To sum it up, it works very well and is a long-awaited feature in Visual Studio code for organizations that want to make sure their information is secure and that no sensitive information in the scripts are shared.

1 thought on “Managing extensions in Visual Studio Code”

  1. Alya says:
    April 15, 2025 at 5:54 pm

    Thank you for this useful information.
    How can I control exactly which version of an extension is allowed ?

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.

Recent Posts

  • New settings in Intune Security Baseline Windows 11 24H2 -2504
  • Managing extensions in Visual Studio Code
  • Reinstall a required Win32app using remediation on demand
  • Administrator protection in Windows 11 – First look
  • Remediation on demand script – ResetWindowsUpdate
©2025 CCMEXEC.COM – Enterprise Mobility | WordPress Theme by Superb Themes
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Reject Read More
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT