Manage extensions in enterprise environments

Visual Studio Code extensions enhance productivity but require careful management in enterprise environments to maintain security and compliance. This article covers how IT admins can control extension installation, host a private marketplace, and deploy extensions to users' machines.

Configure allowed extensions

VS Code supports controlling which extensions can be installed on users' machines through the extensions.allowed Open in VS Code Open in VS Code Insiders This setting is managed at the organization level. Contact your administrator to change it.ORG application-wide setting. You can selectively allow extensions by publisher, specific extension, version, and platform. By default, all extensions are allowed. When you configure this setting, only listed extensions can be installed, and unlisted extensions are blocked. If you block an extension or version that is already installed, the extension is disabled.

Allow or block by publisher

Use the publisher ID to allow or block all extensions from a publisher. A key without a period (.) is treated as a publisher ID.

"extensions.allowed": {
    "microsoft": true,
    "github": true
}

Allow or block by extension

Use the full extension ID (<publisher>.<extension>) to allow or block a specific extension. A key with a period is treated as an extension ID.

"extensions.allowed": {
    "esbenp.prettier-vscode": true,
    "ms-azuretools.vscode-containers": false
}

Allow specific versions or platforms

Pin an extension to one or more approved versions. Version ranges are not supported, so you must list each version individually. To further restrict by platform, append @<platform> to the version.

"extensions.allowed": {
    "dbaeumer.vscode-eslint": ["3.0.0"],
    "figma.figma-vscode-extension": ["3.0.0", "4.2.3", "4.1.2"],
    "rust-lang.rust-analyzer": ["5.0.0@win32-x64", "5.0.0@darwin-x64"]
}

Allow only stable versions

Use "stable" as the value to allow all stable versions of an extension or all extensions from a publisher, while blocking pre-release versions.

"extensions.allowed": {
    "github.vscode-pull-request-github": "stable",
    "redhat": "stable"
}

Precedence and rules

• The more specific selector takes precedence. For example, "microsoft": true and "microsoft.cplusplus": false allows all Microsoft extensions except the C++ extension.
• Duplicate key values are not supported. Including both "microsoft": true and "microsoft": false results in an invalid configuration.
• Wildcards are not supported in extension or publisher IDs, except for "*" to allow or block all extensions. For example, "*": false blocks all extensions.

Deploy with organization policy

Organizations can centrally manage allowed extensions by using the AllowedExtensions policy. Through device management solutions, admins can deploy and enforce the policy across all managed devices. This overrides any user-configured extensions.allowed Open in VS Code Open in VS Code Insiders This setting is managed at the organization level. Contact your administrator to change it.ORG setting on individual devices.

Preinstall extensions

You can set up VS Code with a set of preinstalled extensions (bootstrap). This functionality is useful in cases where you prepare a machine image, virtual machine, or cloud workstation where VS Code is preinstalled and specific extensions are immediately available for users.

Follow these steps to bootstrap extensions:

1. Create a folder bootstrap\extensions in the VS Code installation directory.

2. Download the VSIX files for the extensions that you want to preinstall and place them in the bootstrap\extensions folder.

3. When a user launches VS Code for the first time, all extensions in the bootstrap\extensions folder are installed silently in the background.

Users can still uninstall extensions that were preinstalled. Restarting VS Code after uninstalling an extension will not reinstall the extension.

Host a private extension marketplace

The private marketplace enables enterprises to self-host and distribute extensions within their organization to meet security and compliance requirements. The private marketplace integrates with the VS Code extensions experience, giving users discovery and automatic updates of private extensions.

Key features of the private marketplace:

• Self-hosting: Host internal extensions on your own infrastructure, such as Azure or Kubernetes, to protect intellectual property.
• Upstreaming: Automatically include public extensions from the Visual Studio Marketplace, even in environments with restricted internet connectivity. Allow or deny select extensions by setting up an allow list.
• Rehosting: Download and host public extensions to apply enterprise-specific verification and security standards, with support for air-gapped environments. See how Microsoft protects your software supply chain.
• Simple deployment: Deploy as a stateless Docker container, no external database required.
• Flexible storage: Publish and manage extensions using any file system or Azure Artifacts.
• Centralized rollout: Deploy the private marketplace to your team using group policy on Windows and macOS.
• Integrated installation and updates: Search for and install extensions directly from VS Code, with automatic updates for new versions.
• Cross-platform support: Compatible with VS Code desktop on Windows, macOS, and Linux.

Private marketplace is currently available to GitHub Enterprise customers. VS Code users must sign in with a GitHub Enterprise or Copilot Enterprise/Business account to access the private marketplace.

Get started with the deployment and feature guide, which includes deployment instructions, scripts, and development environment configuration. For questions or assistance, contact private marketplace support.

Related resources

• Extension Marketplace - Learn about installing and managing extensions in VS Code.
• Extension runtime security - Learn about extension security in VS Code.
• Enterprise policies - Reference for all enterprise policies in VS Code.