Every Intune deployment has two steps:
Install the extension – force-install it into managed Chrome and Edge browsers.
Configure employee recognition – make sure usage is attributed to the right employee.
New to the extension? Read Browser Extension first to choose an edition and understand how employee recognition works.
Before you start
Intune administrator access (Devices → Configuration and, for the remediation method, Devices → Scripts and remediations).
Your Viio customer key — from Viio under Integrations → Browser Extension.
Decide which edition you're deploying and use its extension ID everywhere:
Edition | Extension ID |
Silent (recommended) |
|
Interactive |
|
The examples below use the Silent extension ID. Swap it for the Interactive ID if that's the edition you chose.
Windows
Step 1: Install the extension
Force-install the extension into Chrome and Edge using a Settings Catalog profile.
In Intune, go to Devices → Configuration → Create → New Policy.

Set:
Give the profile a name (e.g. Viio Browser Extension — Install).
Click Add settings and add the force-install setting for each browser:
Enable each setting and add the extension with its update URL:
nffjckgmpigfpkmamacllkakieaphfnm;https://clients2.google.com/service/update2/crxAssign the profile to your target device/user groups and create it.
Step 2: Configure employee recognition
Two values drive recognition, written under the extension's policy registry key:
Chrome -
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<EXTENSION_ID>\policyEdge:
SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\<EXTENSION_ID>\policy
customerKey– your Viio customer key (same for everyone). Always required.employeeEmail– the individual employee's work email.
Which path applies to you? It depends on whether you need to set employeeEmail:
Your situation | What you need to set | Use |
Employees sign into managed Chrome/Edge profiles with their work email |
| |
Browsers are not (or only partially) managed |
|
Path A – customerKey only (ADMX template)
When employees are on managed browser profiles, the extension picks up their email automatically, so you only need to deploy the customer key. The easiest way is the Viio ADMX template, which exposes a Customer Key setting for Chrome and Edge (for both the Silent and Interactive editions).
Get the templates: download viio.admx and its en-US\viio.adml language file from the viio-io/agent-installer-scripts repository (policies). If you can't access them, contact [email protected].
Then import them into Intune:
Import the ADMX. In the Intune admin center, go to Devices → Configuration → Import ADMX → Import, upload
viio.admxtogether with itsen-US\viio.admllanguage file, and wait until the status shows Available (ingestion takes a few minutes).Create a profile that uses it. Go to Devices → Configuration → Create → New Policy and set:
Platform: Windows 10 and later
Profile type: Templates → Imported Administrative templates (this is the only profile type that shows your imported ADMX – Settings Catalog won't).
Give it a name (e.g. Viio Browser Extension – Customer Key) and continue.
Find the Customer Key setting. On the Configuration settings tab, the imported ADMX appears as a browsable, searchable tree. Expand Viio → Extensions → Chrome / Edge → Silent (or Interactive, matching the edition you deployed) – or just search for Customer Key. There's a separate setting per browser, so configure it for each browser you're rolling out.
Open Customer Key, set it to Enabled, and enter the customer key from Viio (Settings).
On the Assignments tab, assign the profile to your target device/user groups, then create it.
No ADMX? As an alternative, add a Settings Catalog / custom OMA-URI setting that writes the customerKey string value directly under each browser's policy key above (value name customerKey, type String).
Path B – customerKey + employeeEmail (Remediation script)
When browsers aren't managed, employeeEmail differs per user, so hard-coding it doesn't scale. Use an Intune Remediation (a detection + remediation script pair) that writes customerKey and, per user, employeeEmail into the extension policy for Chrome and Edge – covering both editions. It re-checks on a schedule, so new users are configured automatically.
Get the scripts. detect.ps1 and remediate.ps1 are maintained in the viio-io/agent-installer-scripts repository under browser-extension/. Download both from there – always use the maintained version rather than a copy.
Configure them. Both scripts share an identical CONFIGURATION block at the top. Edit it, and keep it the same in both files – Intune's detect/remediate model requires the pair to agree:
Setting | What to set |
| Your Viio customer key (from Settings). Required – always written to |
|
|
|
|
For this path (customer key and per-user email), set $EmployeeEmail = "AUTO" and $EmployeeEmailScope = "HKCU".
How it works: detect.ps1 reports non-compliant when the configured values are missing or wrong; Intune then runs remediate.ps1 to write them. With AUTO, the email is resolved from the logged-on user's UPN (Entra registration, with an Office identity fallback). When the remediation runs as SYSTEM, HKCU-scoped values are written into the logged-on user's hive (HKEY_USERS\<SID>) rather than SYSTEM's own.
Deploy it:
Edit the
CONFIGURATIONblock in bothdetect.ps1andremediate.ps1(identical values in each).In Intune, go to Devices → Scripts and remediations → Create and upload:
Choose a schedule (e.g. daily) and assign to your target groups.
Only need the customer key here? Set $EmployeeEmail = "" and the same scripts configure customerKey alone – a scripted alternative to the Path A ADMX method.













