Chrome/Edge multiple string values entries create as single multistring value

[kwygant]

I will use V-221563 from Chrome as an example. If you only want the one extension ID from the STIG checklist listed, the setting works as expected because you are only populating value name "1". If you want to add additional extensions to the approved list each one would be added as an additional value with an incremented number for a name and a string value of the extension ID.

Using the Chrome admx files and entering manually via gpedit you get something like this: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist] "1"="oiigbmnaadbkfbmpbfijlflahbdbdgdf" "2"="oiigbmnaadbkfbmpbfijlflahbdbdgd4"

If I enter these values in my DSC as an array... 'V-221563' = @{ ValueData = @('oiigbmnaadbkfbmpbfijlflahbdbdgdf','oiigbmnaadbkfbmpbfijlflahbdbdg4g') } ... the values get smashed together into a single value

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist] "1"="oiigbmnaadbkfbmpbfijlflahbdbdgdf oiigbmnaadbkfbmpbfijlflahbdbdg4g "

I did manage to solve this in a function for a Configuration Manager baseline using the PolicyFileEditor module. While not directly applicable, the base logic could be used to add the capability to PowerSTIG.

$regpath = "Software\Policies\Google\Chrome\ExtensionInstallAllowlist" $regtype = "String" $comparitor = "-eq" $Counter = 1 $regvalues = @( 'oiigbmnaadbkfbmpbfijlflahbdbdgdf', 'oiigbmnaadbkfbmpbfijlflahbdbbnhs' ) $usersetting = $False

Function New-STIGReg{

Microsoft provides programming examples for illustration only,

# without warranty either expressed or implied, including, but not 
# limited to, the implied warranties of merchantability and/or 
# fitness for a particular purpose. 
#
# This sample assumes that you are familiar with the programming 
# language being demonstrated and the tools used to create and debug 
# procedures. Microsoft support professionals can help explain the 
# functionality of a particular procedure, but they will not modify 
# these examples to provide added functionality or construct 
# procedures to meet your specific needs. If you have limited 
# programming experience, you may want to contact a Microsoft 
# Certified Partner or the Microsoft fee-based consulting line at 
# (800) 936-5200. 
#
# For more information about Microsoft Certified Partners, please 
# visit the following Microsoft Web site:
# https://partner.microsoft.com/global/30000104

<#
    .SYNOPSIS
        Set policy values

    .DESCRIPTION
        Create registry key for policy and if LGPO.exe is present in System32, injects the setting into local policy as well.

    .PARAMETER regpath
        path under HKLM:\ to create/set value

    .PARAMETER regname
        value name to create/set

    .PARAMETER regtype
    value type to create/set

    .PARAMETER regvalue
    value to create/set

    .PARAMETER usersetting
    if set to $TRUE, key is verified under HKCU instead of HKLM

    .NOTES
        Author: Ken Wygant
        Date Created: 17August2020

    .OUTPUT none

    .EXAMPLE
        New-STIGReg -regpath "SYSTEM\CurrentControlSet\Policies\EarlyLaunch" -regName "DriverLoadPolicy" -regtype "DWORD" -regvalue "3"

        Description
        -----------
        Set value for ELAM driver loading

#>
Param (
    [parameter(Mandatory=$True,Position=0)]
    [ValidateNotNullOrEmpty()]
    [string]$regpath,
    [parameter(Mandatory=$True,Position=1)]
    [ValidateNotNullOrEmpty()]
    [string]$regName,
    [parameter(Mandatory=$True,Position=2)]
    [ValidateNotNullOrEmpty()]
    [string]$regtype,
    [parameter(Mandatory=$True,Position=3)]
    [ValidateNotNullOrEmpty()]
    $regvalue,
    [bool]$usersetting
)

import-module PolicyFileEditor
if($usersetting){$Pol = "$env:windir\system32\GroupPolicy\User\registry.pol"}
else{$Pol = "$env:windir\system32\GroupPolicy\Machine\registry.pol"}

if($regvalue -ne "NULL"){
    Set-PolicyFileEntry -path $Pol -key $regpath -ValueName $regName -Data $regvalue -Type $regtype
}
else{
    Remove-PolicyFileEntry -Path $Pol -key $regpath -ValueName $regname -Force
}

}

ForEach($regvalue in $regvalues){ [string]$regName = $counter New-STIGReg -regpath $regpath -regName $regName -regtype $regtype -regvalue $regvalue -usersetting $usersetting $counter++ }

[kwygant]

The settings this will apply to (may be others)

Google Chrome STIG - V-221596 - URLs must be allowlisted for Autoplay use. Google Chrome STIG - V-221563 - Extensions that are approved for use must be allowlisted Google Chrome STIG - V-221572 - The URL protocol schema javascript must be disabled. Microsoft Edge STIG - V-235722 - The list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be allowlisted if used. Microsoft Edge STIG - V-235753 - URLs must be whitelisted for plugin use Microsoft Edge STIG - V-235755 - Extensions that are approved for use must be allowlisted if used.