Can I deploy extensions from multiple GPOs?

[teknowledgist]

I am trying to deploy the LibKey Nomad extension and not having any luck. The GPO deploys the extension to Chrome and Edge with no issue, and the required registry key and settings file for the extension to be pre-configured for FF are deployed. Basically, the GPO is working except for the plugin appearing in FF.

I have a lower level (i.e. overriding in case of conflict) GPO that deploys the uBlock Origin extension to FF just fine, so FF is working in general. If I look at HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked I see the LibKey Nomad entry there but not in the neighboring Install key, and it should be in both. The uBlock entry is in the Install key.

The vast majority of the time, GPO settings "stack", but I'm wondering if FF extensions are considered a single GPO setting and are not additive. In other words, do only the extensions identified in the "winning" GPO apply?

If that is true, it should be noted in the documentation.

Can I deploy one extension through ExtensionsSettings in one GPO and then then other through the legacy Extensions in the other GPO and have them both be installed?

Thanks.

[mkaply]

Do you mean one in machine and one in user?

We do combine the two, so what you're saying should work. Use Install in one and ExtensionSettings in the other.

When I built this, I asked around, and was specifically told (by Windows folks) that GPOs do not stack/combine in most cases for individual items

It would be an engineering nightmare to try to figure out how all the various things could combine (arrays, strings, JSON, etc)

[teknowledgist]

I totally get why it would be a nightmare to try to stack this, and I guess I wasn't thinking about GPOs stacking different settings vs stacking a single setting. I believe your understanding is correct though.

That said, I can't really apply the user side without enabling loopback on everything. Thus, I was asking about whether "GPO1" is configured with "ExtensionA" in the computer-side Extensions to Install, and "GPO2" is configured with "ExtensionB" in the computer-side Extension Management would stack or conflict. If so, that would be an easy solution for me. If not, I've got to figure out how to combine/split my GPOs in some logical way, but that's not your problem. 😄

Thanks!

[teknowledgist]

In a preliminary test, it does appear that I can deploy one extension using the JSON of Extension Management in one GPO and another extension using the list in Extensions to Install of another GPO.

I didn't set any generic restrictions in the JSON, so I don't know if those might conflict.

[mkaply]

Glad it works! I thought it would.