Today we are discussing how to allow or block user-level native messaging hosts without admin permissions using an Intune policy. As you know, policy deployments are handled very efficiently in Microsoft Intune. Managing user-level native messaging hosts is important for keeping browser extensions safe in an organization setting.
This policy controls whether Microsoft Edge can use user-level native messaging hosts. Native messaging hosts are applications that communicate with extensions running in Microsoft Edge. By default, if this policy is not configured, Microsoft Edge allows both system-level and user-level native messaging hosts.
When the policy is enabled, users are allowed to install and use native messaging hosts at the user level. This means each user can independently install a host without requiring administrative privileges or affecting other users on the system. Enabling this policy is particularly useful in environments where users need flexibility to use browser extensions that require native messaging.
If you disable this policy, Microsoft Edge will only use native messaging hosts installed at the system level. By default, if you don’t configure this policy, Microsoft Edge will allow usage of user-level native messaging hosts. So in this post, let's look at how this policy is configured in Intune.
What Happens if the Policy is Disabled?

If the policy is disabled, Microsoft Edge will only use native messaging hosts that are installed at the system level. By default, if the policy is not configured, Microsoft Edge allows the use of user-level native messaging hosts.
How to Allow or Block User-Level Native Messaging Hosts without Admin Permissions Policy using Intune
To deploy this policy using Microsoft Intune, start by signing in to the Microsoft Intune Admin Center. Once logged in, navigate to Devices > Configuration. Click on the Create button and then select “New Policy.” This will open the “Create a Profile” window.
In this window, you need to specify the platform as “Windows 10 and later” and choose “Settings catalog” as the profile type. After entering these details, click on “Create.” At this point, your profile will be successfully created and ready for configuration.

Know the Basic Information for a Policy
After creating the policy, you need to fill in the basic details in the “Basics” section. This includes entering the name, description, and platform details. The most important field here is the name, as it is the primary identification for the policy.
It’s essential to provide a specific and meaningful name so that you can easily recognize it from other policies in the list. In this example, I have entered the policy name, added a description, and the platform is set to Windows by default.
- Once these details are filled in, click Next to proceed.

Configuration Setting for the Policy
After completing the Basics section, you move on to a crucial step: configuring the settings. In the Configuration Settings section, you’ll see a blue “Add Settings” option; click on it. This will open the Settings Picker window, where you’ll find various categories of settings. From these, select the Microsoft Edge category, as the user-level native messaging setting is located under it.
- Within the Microsoft Edge category, look for and select Native Messaging.
- Once you click on Native Messaging, a list of around 10 settings will appear in the subcategory.
- From this list, you need to select the setting called “Allows user-level native messaging hosts to be installed without admin permissions.” This setting applies specifically to user-level installations and does not require administrator rights.

Disabled by Default
When you select the user-level native messaging host setting, you’ll notice that the policy is disabled by default. This is indicated by the “Disabled” option being shown in gray, which means the setting is currently turned off. If you want to proceed with this configuration, simply click “Next” to continue with the procedure.

Enable User-Level Native Messaging Hosts
To enable this policy, toggle the switch from left to right. When the switch turns blue, it means the policy is enabled. Then, click Next to proceed. In this tutorial, I am going to enable the policy.

Know about the Scope Tag Section
The next step is Scope Tags. If you want to add a scope tag to the policy, you can do so easily by clicking + (plus) Select Scope Tags and selecting the appropriate scope tag. In this case, I am not adding any scope tags, so I will skip this section and click Next to continue.

Add Groups through Assignments
After the Scope Tags section, you move on to the Assignments section. In this section, you can add specific groups to the policy. To add a specific group, go to the Included Groups section and select the group you want to assign. Always remember that you can add one or more groups to a policy. Once done, click Next to continue.

Review + Create the Final Tab
The final tab is Review + Create. In this section, the admin can review all the details that were entered, like a summary page covering the Basics, Configuration settings, and so on. Read it carefully and click Next to continue.

Device and User Check in Status
The Monitoring status is an important part of the process. It helps you confirm whether the policy was successfully deployed or not. To verify the monitoring status or check the device and user check-in status, go to the Microsoft Intune Admin Center.
Then, navigate to Devices > Configuration Policies. In the list of configuration policies, search for the policy you just created. Once you find it, you will be able to see the deployment status, such as Succeeded.

Client-Side Verification through Event Viewer
To confirm whether the policy was applied successfully, you can use the Event Viewer. First, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Device Management > Enterprise Diagnostic Provider > Admin. Look for Event IDs 813 or 814, as these typically contain policy-related information.
- You can use the Filter Current Log option in the right-hand pane to get the results easily.
- In the screenshot below, the policy details were found under Event ID 814.
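
The Event Viewer check above can also be scripted. The following PowerShell is an added example, not part of the original post: it filters the same log for Event IDs 813 and 814, reads the resulting Edge policy value, and lists the native messaging hosts the current user has registered without admin rights. The registry value name `NativeMessagingUserLevelHosts` and the key locations are the standard Edge ones; that the event text contains the policy name is an assumption.

```powershell
# Added example: run in the signed-in user's session on a managed Windows device.

# 1. Same log the article opens in Event Viewer, filtered to Event IDs 813 and 814.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$policyEvents = @(
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction SilentlyContinue |
        # Assumption: the event text names the Edge policy being set.
        Where-Object { $_.Message -match 'NativeMessagingUserLevelHosts' } |
        Select-Object -First 3 TimeCreated, Id
)

# 2. Resulting Edge policy value (REG_DWORD under the Edge policy key).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$value = (Get-ItemProperty -Path $policyKey -Name 'NativeMessagingUserLevelHosts' `
          -ErrorAction SilentlyContinue).NativeMessagingUserLevelHosts
$state = if ($null -eq $value) {
    'Not configured (user-level hosts allowed by default)'
} elseif ($value -eq 1) {
    'Enabled (user-level hosts allowed)'
} else {
    'Disabled (system-level hosts only)'
}

# 3. Hosts registered per user, i.e. the ones this policy allows or blocks.
$hostRoot = 'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts'
$userHosts = @()
if (Test-Path $hostRoot) {
    $userHosts = @(Get-ChildItem $hostRoot | ForEach-Object {
        $manifest = $_.GetValue('')   # default value holds the manifest JSON path
        [pscustomobject]@{
            HostName       = $_.PSChildName
            Manifest       = $manifest
            ManifestExists = [bool]($manifest -and (Test-Path -LiteralPath $manifest))
        }
    })
}

# 4. Short report for the admin.
"Policy state : $state"
"MDM events   : $($policyEvents.Count) matching 813/814 entries (showing up to 3)"
"User hosts   : $($userHosts.Count) registered for $env:USERNAME"
$policyEvents | Format-Table -AutoSize
$userHosts | Format-Table -AutoSize
if ($value -eq 0 -and $userHosts.Count -gt 0) {
    'Note: user-level registrations exist, but Edge is set to use system-level hosts only.'
}
```

Reviewing the listed manifests before enabling the policy shows which per-user hosts Edge extensions would be able to reach.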

Remove Group of User-Level Native Messaging Hosts Policy
After creating the policy, if you want to remove the specific group that you previously selected, you can easily do that. First, go to Devices > Configuration policies. In the Configuration policy section, search for the policy name. Once the result appears, click on the policy.
Scroll down the page, and you will see Assignment Details. In the Assignment section, you will find an Edit option; click on it. When you click Edit, you will enter the Assignment page. Here, you will see a Remove option next to the group you added earlier.
- Click on Remove, then proceed by clicking Review + Save.
For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Delete User-Level Native Messaging Hosts Policy
If you want to delete this policy for any reason, you can easily do so. First, search for the policy name in the configuration section. When you find the policy name, you will see a 3-dot menu next to it. Click on the 3 dots to open the menu and click on the Delete option. Your policy will now be deleted.
For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes abo