Intune Deployment and Management of uBlock Origin Lite for Chrome

Use these links to skip the intro and get right to the good stuff:
  • Deploying and pinning uBlock Origin Lite for Chrome
  • Managing uBlock Origin Lite’s “no filtering” List

If you’ve ever spoken to me online or at a conference, you’ll know that I’m a total zealot about adblocking in the enterprise. Malvertising remains a big, big problem and I can tell you from firsthand experience that endpoint infection rates drop like a rock once you’ve protected your browsers with uBlock Origin.

Don’t take my word for it: The FBI, DoD and CISA all strongly recommend it. Heck, even Taylor Swift thinks it’s a good idea.

So if uBlock Origin is so great, why would you want to deploy its lesser cousin uBlock Origin Lite instead?

Well, it’s like Mr. Gaye said: “there’s only three things for sure: taxes, death and trouble.”

Our current trouble? Google is changing how extensions interact with the browser. Soon – very soon – all Chrome extensions must be Manifest v3 compliant. For reasons you can read about here, uBlock Origin is not and will never be.

Rather than compromise the robust filtering abilities of uBlock Origin, Raymond Hill and his collaborators have instead released a Mv3-compatible (and admittedly somewhat less capable) version they call uBlock Origin Lite.

This new “lite” version has been under active development for quite a while and appears to be ready for prime time. All we’re missing now is some quality guidance for adopting it in an enterprise environment.

So, enough talking already! Let’s learn how Intune can help us deploy uBlock Origin Lite and – most importantly – how we can manage its “no filtering” exceptions list.

Deploying and pinning uBlock Origin Lite for Chrome

We’re going to use the settings catalog to deploy and pin uBlock Origin Lite to Chrome.

  1. From the Intune landing page, select Devices > Configuration > Create > New Policy.
  2. Select the following and click Create:
     • Platform: Windows 10 and Later
     • Profile type: Settings Catalog
  3. On the Basics tab, enter a Name and Description as you see fit, then select Next.
  4. Under Configuration Settings, select Add Settings.
  5. In Settings Picker, select Google > Google Chrome > Extensions.
  6. In the list of settings, check the boxes for Configure the list of force-installed apps and extensions and for Extension management settings.
  7. Back on Configuration Settings, toggle both Extension management settings and Configure the list of force-installed apps and extensions to Enabled.

    Enter uBlock Origin Lite’s extension ID ddkjiahejlhfcafbddmgiahcphecmpfh in the Extension/App IDs and update URLs to be silently installed field.

    (For future reference, you can crib this or any extension ID from its URL in the Chrome web store.)

    In the Extension Management Settings field, enter the following to pin the uBlock Origin Lite icon to Chrome’s toolbar:
    {"ddkjiahejlhfcafbddmgiahcphecmpfh": {"toolbar_pin": "force_pinned"}}
  8. With this done, keep clicking Next as you assign scopes and groups as necessary. Once you reach step 5, review your selected configuration profile settings before clicking Create.
  9. After waiting a few moments to allow your new configuration profile to propagate, refresh policy on the assigned client of your choice and bask in your success. uBlock Origin Lite has now been silently installed and pinned to Chrome’s toolbar.
  10. If you’re a “trust but verify” kind of person (me too), you can enter chrome://policy into the address bar to confirm your policy has been received and applied as expected.

Managing uBlock Origin Lite’s “no filtering” List

Unfortunately, Chrome’s extension management settings only provide support for a short list of predefined items and – surprise, surprise – uBlock Origin Lite’s noFiltering is not among them.

To address this, I’ve created a simple script that will write a list of noFiltering exclusions to the registry in just the way uBlock Origin Lite likes it. All you need to do is paste your URLs between the array operators below and deploy with Intune, which we’ll get into next:
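
One way to write such a list, as an added example that is not the author's script: it validates each exclusion as a plain hostname before writing it, so a typo or wildcard cannot become a broad filtering exemption. The registry location and list layout (Chrome's managed-policy key for extensions, with values named 1, 2, 3…), the hostname entry format and the sample entries are assumptions, not taken from this page.

```powershell
# Added example, not the author's script.
# ASSUMPTION: Chrome reads managed extension policy on Windows from
# HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<extension ID>\policy,
# with a list setting stored as a subkey whose values are named 1, 2, 3...
$ExtensionId = 'ddkjiahejlhfcafbddmgiahcphecmpfh'  # uBlock Origin Lite ID from this page
$ListKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ExtensionId\policy\noFiltering"

# Constructed sample entries; replace with your own exclusions.
$NoFiltering = @(
    'intranet.example.com'
    'https://payroll.example.com/login'
)

function ConvertTo-Hostname {
    param([Parameter(Mandatory)][string]$Entry)
    $name = $Entry.Trim()
    # A pasted URL is reduced to its host; paths and query strings are dropped.
    if ($name -match '^[a-z][a-z0-9+.-]*://') { $name = ([uri]$name).Host }
    $name = $name.ToLowerInvariant()
    # Reject wildcards, bare TLDs and anything that is not a plain DNS name,
    # so a typo cannot turn into a broad filtering exemption.
    if ($name -notmatch '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$') {
        throw "Refusing noFiltering entry '$Entry': not a plain hostname"
    }
    $name
}

# Validate everything before touching the registry.
$hosts = @($NoFiltering | ForEach-Object { ConvertTo-Hostname -Entry $_ } | Sort-Object -Unique)

# Rebuild the list key so exclusions removed from the array do not linger.
if (Test-Path -Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
New-Item -Path $ListKey -Force | Out-Null

$index = 1
foreach ($h in $hosts) {
    New-ItemProperty -Path $ListKey -Name "$index" -Value $h -PropertyType String | Out-Null
    $index++
}
Write-Output "Wrote $($hosts.Count) noFiltering entries to $ListKey"
```

Every entry here switches filtering off for that site on every assigned device, so keep the array short and review it whenever the script is redeployed.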

To deploy this script with Intune, perform the following:

  1. From the Intune landing page, select Devices > Scripts and Remediation > Platform Scripts > Add > Windows 10 and Later.
  2. On the Basics tab, enter an appropriate Name and Description and select Next.
  3. Under Script Settings, upload your modified version of the script to Script Location, toggle Run this script using the logged on credentials to No and toggle Run script in 64 bit PowerShell Host to Yes.
  4. Assign your groups…
  5. …then review + add.

Once your client syncs, you’ll find that the registry has been updated…

…and the No filtering field in the uBlock Origin Lite dashboard now reflects the same:

(If this box is empty when you check, don’t fret! You may need to close and reopen Chrome before uBlock Origin Lite picks up on the change.)