Since Visual Studio Code version 1.96 (November 2024), Microsoft introduced native support for managing extensions at the enterprise level. This capability allows IT administrators to control which extensions users can install, ensuring security, compliance, and consistency across development teams.
For organizations using Microsoft Intune for cloud-based device management, deploying these policies requires a specific approach due to registry path restrictions. This comprehensive guide walks you through the complete implementation process.
What You’ll Learn
- How VS Code extension policies work
- Why traditional Intune methods don’t work for VS Code policies
- How to implement extension control using PowerShell remediation scripts
- How to test and validate your deployment
- Best practices for managing extensions at scale
Why This Matters
- Many AI-powered extensions send code snippets to external servers
- Third-party extensions may have varying privacy policies
- Unapproved extensions can introduce security vulnerabilities
Prerequisites
Before starting, ensure:
- Microsoft Intune admin access
- Windows 10/11 Devices enrolled in Intune
- Visual Studio Code version 1.96 or newer installed on target devices
- Familiarity with PowerShell scripting, Windows Registry and VS Code Extensions.
How Extension Policies Actually Work
VS Code checks a specific Windows registry location for extension policies:
HKLM\SOFTWARE\Policies\Microsoft\VSCode
There are two settings that control everything:
1. AllowedExtensions
This is where you define what users can install. The syntax is JSON-based, and there’s one critical rule you absolutely must follow: you must put a space before the colon.
Correct: {"microsoft" :true}
Wrong: {"microsoft":true}
I learned this the hard way after wondering why my perfectly-crafted policy wasn’t doing anything. That space matters.
Here’s what you can control:
{
    "microsoft" :true,                        // Everything from Microsoft
    "github" :"stable",                       // All GitHub extensions, stable releases only
    "ms-vscode.powershell" :true,             // Specific extension
    "sketchy-publisher" :false,               // Block this publisher
    "specific.extension" :"stable",           // Only stable versions
    "another.extension" :["1.0.0", "1.2.0"]   // Specific versions only
}
2. UpdateMode
Controls how VS Code handles updates:
- none – No updates allowed (you handle this centrally)
- manual – Users trigger updates themselves
- start – Check for updates when VS Code starts
- default – Standard automatic updates
Finding Extension IDs
Open VS Code, go to Extensions (Ctrl+Shift+X), right-click any extension, and select “Copy Extension ID”. That’s the identifier you’ll use in your policy.
For example, the extension ID of the PowerShell extension is ms-vscode.powershell.
The Registry Challenge
Here’s where things get interesting. You’d think deploying this through Intune would be straightforward – after all, it’s just a registry key. But there’s a catch.
Intune blocks direct writes to:
HKLM\SOFTWARE\Policies\Microsoft\*
Why? Microsoft reserved this path exclusively for traditional Group Policy Objects (GPO) to prevent conflicts in hybrid environments where both Intune and GPO might be managing the same devices.
What doesn’t work:
- Importing ADMX templates into Intune
- Using the Settings Catalog
- Custom OMA-URI configurations
- Direct registry tweaks through configuration profiles
What does work:
- PowerShell remediation scripts running with SYSTEM privileges
The scripts bypass Intune’s Settings Catalog restrictions because they’re executed by the Intune Management Extension with elevated permissions.
Solution: PowerShell Remediation Scripts
How Remediation Scripts Work
Intune’s Remediation feature (also called Proactive Remediations or Scripts and Remediations) consists of two scripts:
- Detection Script: Checks if the configuration is compliant
- Remediation Script: Applies the configuration if needed
Key Advantages:
- Runs with SYSTEM-level privileges
- Can write to restricted registry paths
- Scheduled execution ensures ongoing compliance
- Built-in reporting in Intune
Step-by-Step Implementation
Step 1: Prepare Your Scripts
Detection Script:
Create the script manually by saving the code below as VSCode_Detection.ps1 in your working directory:
# Detection script - Checks whether VS Code is installed (machine or user), meets the minimum
# version requirement (v1.96) and, if so, whether the AllowedExtensions policy is present
# Designed for Intune Proactive Remediations running in SYSTEM context

# Define registry path, value name and version requirement
$regpath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
$name = "AllowedExtensions"
$minimumVersion = [Version]"1.96.0"
$vsCodePath = $null
$installType = $null

# Check machine-wide installation
$machinePath = "$env:ProgramFiles\Microsoft VS Code\Code.exe"
if (Test-Path $machinePath) {
    $vsCodePath = $machinePath
    $installType = "Machine"
}

# Check user installations across all profiles because VS Code is commonly installed per-user.
# A foreach loop with 'break' stops at the first hit; 'return' inside ForEach-Object would only
# skip the current profile and let a later profile overwrite the result.
if (-not $vsCodePath) {
    foreach ($userDir in (Get-ChildItem "C:\Users" -Directory -ErrorAction SilentlyContinue)) {
        $userCodePath = Join-Path $userDir.FullName "AppData\Local\Programs\Microsoft VS Code\Code.exe"
        if (Test-Path $userCodePath) {
            $vsCodePath = $userCodePath
            $installType = "User ($($userDir.Name))"
            Write-Host "VS Code Installed at Path: $vsCodePath (Installation Type: $installType)"
            break
        }
    }
}

if (-not $vsCodePath) {
    Write-Host "VS Code not installed - no action needed"
    exit 0
}

# Retrieve installed version from the executable's file metadata
try {
    $versionInfo = (Get-Item $vsCodePath).VersionInfo.ProductVersion
    $installedVersion = [Version]$versionInfo
}
catch {
    Write-Host "Unable to determine VS Code version - skipping remediation"
    exit 0
}

Write-Host "Found: Microsoft Visual Studio Code ($installType), v$installedVersion"

# Validate minimum version requirement (extension policies are only honoured from v1.96)
if ($installedVersion -lt $minimumVersion) {
    Write-Host "VS Code v$installedVersion is below minimum required v$minimumVersion - policies not supported"
    exit 0
}
Write-Host "Version check passed: v$installedVersion meets minimum requirement >= $minimumVersion"

# Check if the policy value exists (existence only; the value itself is not compared)
if (Get-ItemProperty -Path $regpath -Name $name -ErrorAction SilentlyContinue) {
    Write-Host "Policy exists - compliant"
    exit 0
}
else {
    Write-Host "Policy missing - remediation required"
    exit 1
}
How It Works:
- Checks for VS Code installation in all common paths (user and system installations)
- If VS Code not found: Exits with 0 (compliant – nothing to manage)
- If VS Code found: Checks if the AllowedExtensions policy exists
- Exit codes:
  - 0 = Compliant (no action needed)
  - 1 = Non-compliant (run remediation)
Remediation Script:
Create the script manually by saving the code below as VSCode_Remediation.ps1 in your working directory:
# Remediation script to configure VS Code policies
# Runs in SYSTEM context, so it can write below HKLM\SOFTWARE\Policies\Microsoft

# Define registry path and values (PowerShell format)
$regpath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
$allowedExtensionsName = "AllowedExtensions"
# Keep the JSON on a single line so no line break ends up inside the registry value;
# there must be a space before each colon
$allowedExtensionsValue = '{"microsoft" :true, "blackboxapp" :false, "github" :"stable", "dbaeumer.vscode-eslint" :["3.0.20", "3.0.16"], "ritwickdey.liveserver" :true, "ms-azuretools.vscode-azurecontainerapps" :false}'
$updateModeName = "UpdateMode"
$updateModeValue = "default" # Options: none, manual, start, default

try {
    # Create the registry path if it doesn't exist
    if (-not (Test-Path $regpath)) {
        Write-Host "Creating registry path: $regpath"
        New-Item -Path $regpath -Force | Out-Null
    }

    # Set AllowedExtensions value
    Write-Host "Setting AllowedExtensions policy"
    Set-ItemProperty -Path $regpath -Name $allowedExtensionsName -Value $allowedExtensionsValue -Type String -Force

    # Set UpdateMode value
    Write-Host "Setting UpdateMode policy"
    Set-ItemProperty -Path $regpath -Name $updateModeName -Value $updateModeValue -Type String -Force

    Write-Host "VS Code policies configured successfully"
    exit 0 # Success
}
catch {
    Write-Error "Failed to configure VS Code policies: $_"
    exit 1 # Failure
}
Customization Points:
Modify the $allowedExtensionsValue to match your organization’s requirements
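The detection script above only checks that the AllowedExtensions value exists, so a device keeps reporting as compliant after you change the policy in the remediation script. The following is an added example (not code from the original guide) of a stricter detection body that compares the registry values with the desired ones and validates the JSON syntax, including the space-before-colon rule; the desired values and the function names are assumptions for this example.

```powershell
$regpath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"

# Desired values. Keep these identical to what the remediation script writes
# (the values below are assumed for this example).
$desired = @{
    AllowedExtensions = '{"microsoft" :true, "blackboxapp" :false, "github" :"stable"}'
    UpdateMode        = "default"
}

# Returns $null when the AllowedExtensions string is usable, otherwise a description
# of the problem. Catches the two mistakes that silently disable the policy:
# invalid JSON and a key written without the space before the colon.
# Call it in the remediation script too, before Set-ItemProperty, and exit 1 there
# on a problem so the malformed value is reported as Failed instead of being written.
function Test-AllowedExtensionsSyntax {
    param([Parameter(Mandatory)][string]$Json)
    try { $null = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "not valid JSON: $($_.Exception.Message)" }
    if ($Json -match '"[^"]+":') { return 'a key is followed directly by a colon; write "key" :value' }
    return $null
}

# Returns one line per policy value that is missing from the registry or differs from $Desired.
function Get-VSCodePolicyDrift {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Desired)
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        # Case-sensitive compare: the JSON string is handed to VS Code verbatim.
        if ($actual -cne $Desired[$name]) {
            "$name (have: '$actual', want: '$($Desired[$name])')"
        }
    }
}

# Detection flow (place it after the guide's installation and version checks).
$problem = Test-AllowedExtensionsSyntax -Json $desired.AllowedExtensions
if ($problem) {
    # Authoring error in the desired value: surface it; the remediation's own check stops the write.
    Write-Error "Desired AllowedExtensions value is malformed: $problem"
    exit 1
}
$drift = @(Get-VSCodePolicyDrift -Path $regpath -Desired $desired)
if ($drift.Count -gt 0) {
    Write-Host "Policy drift: $($drift -join '; ') - remediation required"
    exit 1
}
Write-Host "All VS Code policy values match - compliant"
exit 0
```

Running the same script manually in an elevated PowerShell on a pilot device gives you a per-value drift report, which is quicker to read than the raw Get-ItemProperty output.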
Step 2: Deploy Through Intune
Now we’ll get these scripts running on your managed devices.
Navigate to Intune:
- Open Microsoft Intune Admin Center
- Go to Devices → Scripts and remediations
- Click + Create script package
Configure the basics:
- Name: VS Code Extension & Updates Policy Management
- Description: Enforces allowed extensions and update mode for Visual Studio Code
- Publisher: Your organization name
Upload your scripts:
- Detection script: Upload VSCode_Detection.ps1
- Remediation script: Upload VSCode_Remediation.ps1
Critical settings:
- Run this script using logged-on credentials: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell: Yes
Why “No” on logged-on credentials? We need SYSTEM privileges to write to that registry path.
Assign to devices:
Start with a small pilot group.
- Click + Add group
- Select your pilot group
- Schedule: Every 8 hours (or whenever works for you)
Review and create:
Double-check everything, then hit Create. Intune will start deploying to your devices within 15-30 minutes.
Step 3: Monitor the Deployment
Back in Devices → Remediations, click on your new package. You’ll see:
- Without issues – VS Code not installed or policy already configured
- With issues – Policy missing, remediation pending
- Remediated – Script successfully applied the policy
- Failed – Something went wrong (check the logs)
Click on any device to see the actual script output. This is invaluable for troubleshooting.
Step 4: Verify on Pilot Devices
After deploying to your pilot group, check a few devices manually:
Registry check:
Run in an elevated PowerShell:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
Should show (among other values):
AllowedExtensions : {"microsoft" :true,"blackboxapp" :false,"github" :"stable","dbaeumer.vscode-eslint" :["3.0.20","3.0.16"],"ritwickdey.liveserver" :true,"ms-azuretools.vscode-azurecontainerapps" :false}
UpdateMode: default
VS Code user interface:
- Open VS Code on a pilot device
- Go to Extensions (Ctrl+Shift+X)
- Search for “Microsoft”, Install button should work normally (Microsoft publisher allowed)
- Search for “Blackbox” or similar from blackboxapp — Install button greyed out / blocked
- Search for “GitHub Copilot” – Only stable releases allowed (pre-releases should be blocked/disabled)
- Search for “ESLint” – Only versions 3.0.20 and 3.0.16 should be visible and allowed to install
- Search for “Live Server” – All versions should be visible and allowed to install
- Search for “Azure Container Apps” – Install button greyed out (explicitly blocked despite Microsoft publisher being allowed)
Settings verification:
- File → Preferences → Settings
- Filter for “Organization Policies”
- Should see a briefcase icon and “Managed by organization”
Wrapping Up
Managing VS Code extensions through Intune isn’t straightforward, but it’s definitely doable. The PowerShell remediation approach works reliably once you understand the registry restrictions.
Additional Resources
Official Documentation:
- VS Code Enterprise Extensions Management
- VS Code Enterprise Updates Management
- VS Code Enterprise Policies Reference
- Microsoft Intune Remediations
Community Resources:
This guide is maintained independently and is not officially affiliated with Microsoft or the Visual Studio Code team. Always refer to official Microsoft documentation for the most up-to-date information.