Microsoft Defender vs Am I Being Pwned

Triaging Browser Extensions with Microsoft Defender

Defender Vulnerability Management rates extensions by permission on Windows only, and says 'risk is subjective'. Here's how to triage extensions with an evidence-backed verdict.

Does Microsoft Defender triage browser extensions?

Microsoft Defender Vulnerability Management (MDVM) has a Browser extensions inventory page that lists extensions across Edge, Chrome and Firefox and shows each one's requested permissions and a 'Permissions risk' level. But that risk level is generated purely from the type of access each permission requests - not from what the extension's code actually does.

Microsoft is explicit that this is not a verdict. Their documentation says the information is there to 'help make an informed decision on whether you want to allow or block this extension', and that 'risk is subjective - each organization should determine the types of risk they're willing to take on'. There are also hard limits: extension assessment is Windows-only, and MDVM can't block anything itself - enforcement happens separately in Microsoft Intune.

Am I Being Pwned picks up where MDVM stops. It unpacks the extension's code, runs it, and watches what it does - then hands you a keep-or-remove decision backed by that behaviour, on macOS and Linux as well as Windows. Instead of a permission-risk level you have to weigh yourself, you get the call and the evidence for it.

What Defender gives you

  • A Browser extensions inventory page covering Edge, Chrome and Firefox
  • Per-extension detail: install counts, enabled state per device, versions, and requested permissions
  • A 'Permissions risk' level derived from the type of access each permission requests
  • APIs and advanced-hunting tables (DeviceTvmBrowserExtensions) for querying the inventory

Where it stops

  • The risk level comes from declared permissions only; the code isn't analysed
  • There's no malicious-or-safe verdict - Microsoft states 'risk is subjective' and leaves the decision to you
  • MDVM can't block anything itself - enforcement needs a separate Intune configuration
  • Assessment is Windows-only; macOS and Linux endpoints get no extension coverage at all
  • A silent update doesn't trigger any re-analysis of behaviour

Defender vs Am I Being Pwned

| Capability | Defender | Am I Being Pwned |
| --- | --- | --- |
| Fleet extension inventory | Yes - Edge, Chrome, Firefox (Windows only) | Yes - every managed device, not just Windows |
| Basis of the risk signal | Declared-permission access type | What the extension does at runtime |
| Reads the extension's source code | No | Yes - unpacks and reviews the source |
| Dynamic sandbox execution | No | Yes - executes it and captures the network calls |
| Evidence-backed verdict | No - Microsoft states 'risk is subjective' | Yes - a malicious-or-safe call with the evidence |
| Platform coverage | Windows only | Windows, macOS and Linux, anywhere Chrome or Edge runs |
| Built-in enforcement | No - blocking needs Intune | Yes - and feeds the verdict into your Intune policies |
| Continuous behavioural re-scan | No | Yes - re-analysed whenever the version changes |

How to triage browser extensions when you use Microsoft Defender

MDVM shows you a permission-risk level per extension. Here's how to turn that into an allow-or-block decision Microsoft deliberately leaves to you.

  1. Pull the Browser extensions inventory

    In Defender Vulnerability Management, open Inventories, then Browser extensions, and sort by Permissions risk. Remember this only covers Windows devices - Mac and Linux extensions won't appear.

  2. Read the permission-risk level for what it is

    Microsoft generates that level from the access an extension's permissions request, and explicitly calls risk 'subjective'. It's a prioritisation cue, not a statement that the extension is dangerous.

  3. Analyse the code behind the high-risk extensions

    For each high-permission-risk extension, find out what it actually does. Enter the extension ID into Am I Being Pwned for a behavioural report, or scan your Workspace to also cover the extensions Defender's Windows-only view misses.

  4. Decide, then enforce in Intune

    MDVM can't block extensions - you'll build allow, block, or force-install policies in Microsoft Intune's Edge and Chrome management. Base those policies on evidence, not permission counts.

  5. Watch for post-update drift

    A permission-risk level doesn't change when an extension's behaviour does. Continuous behavioural re-scanning catches extensions that go bad in a later version.
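
The five steps above as a small triage script, added here as an illustration (it is not code from Microsoft or Am I Being Pwned). It treats the permission-risk level only as a sort key and ties each verdict to an exact extension version, so an updated extension returns to the review queue. The row fields, risk labels, extension IDs and verdict store are constructed assumptions, not MDVM's schema.

```python
from collections import defaultdict

# Assumed risk labels and their priority; adjust to what your export contains.
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed inventory rows (field names and IDs are hypothetical).
INVENTORY = [
    {"device": "win-01", "ext_id": "ext-aaa", "version": "2.1.0", "risk": "High"},
    {"device": "win-02", "ext_id": "ext-aaa", "version": "2.2.0", "risk": "High"},
    {"device": "win-03", "ext_id": "ext-bbb", "version": "1.0.4", "risk": "Critical"},
    {"device": "win-01", "ext_id": "ext-ccc", "version": "5.0.0", "risk": "Low"},
    {"device": "win-02", "ext_id": "ext-ddd", "version": "3.3.1", "risk": "Medium"},
]

# Constructed record of completed code reviews, keyed by (extension ID, version).
VERDICTS = {
    ("ext-aaa", "2.1.0"): "allow",
    ("ext-bbb", "1.0.4"): "block",
    ("ext-ccc", "5.0.0"): "allow",
}


def review_queue(inventory, verdicts):
    """Return (ext_id, version) pairs with no verdict, highest risk and reach first."""
    devices = defaultdict(set)
    risk = {}
    for row in inventory:
        key = (row["ext_id"], row["version"])
        devices[key].add(row["device"])
        risk[key] = max(risk.get(key, 0), RISK_RANK.get(row["risk"], 0))
    # A verdict for version 2.1.0 says nothing about 2.2.0: unseen versions are pending.
    pending = [k for k in devices if k not in verdicts]
    return sorted(pending, key=lambda k: (-risk[k], -len(devices[k]), k))


def blocklist(inventory, verdicts):
    """Extension IDs where any installed version carries a 'block' verdict."""
    installed = {(r["ext_id"], r["version"]) for r in inventory}
    return sorted({eid for (eid, ver) in installed if verdicts.get((eid, ver)) == "block"})


if __name__ == "__main__":
    print("needs review:", review_queue(INVENTORY, VERDICTS))
    print("block in Intune:", blocklist(INVENTORY, VERDICTS))
```

The IDs returned by blocklist() are the input for the block policy you build in Intune; the queue is what goes to code analysis next.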

Frequently asked questions

Does Microsoft Defender show browser extension risk?

Yes. Defender Vulnerability Management's Browser extensions page shows a 'Permissions risk' level for each extension, generated from the type of access its permissions request. It's permission-based, not code-based, and Microsoft states the risk level is subjective and the allow-or-block decision is yours.

Can Microsoft Defender block a browser extension?

Not from MDVM, which is visibility and assessment only. Blocking, allowlisting, or force-installing extensions is done separately in Microsoft Intune's Edge and Chrome management. The documented pattern is find in Defender, enforce in Intune.

Does Defender analyse what an extension's code does?

No. The Permissions risk level is derived from declared permissions, not from analysing or running the extension's code. Defender's extension assessment is also Windows-only. Behavioural analysis of the code is what Am I Being Pwned adds.

Is Defender's browser extension assessment available on Mac?

No. Microsoft documents that browser extension assessment is only available on Windows devices. macOS and Linux endpoints are not covered, so extensions installed there won't appear in the inventory.

Do I still need a dedicated extension scanner with Defender?

If you need to know whether a flagged extension is actually malicious - not just that it requested risky permissions on a Windows device - yes. Am I Being Pwned reads and runs the code across every platform and tells you what it actually does, then enforcement can flow through the same Intune policies you already use.
