diff --git a/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch
new file mode 100644
index 0000000..9993f7a
--- /dev/null
+++ b/SOURCES/0001-extensionSystem-Support-locking-down-extension-insta.patch
@@ -0,0 +1,92 @@
+From 91449e6a19af63eebaf5f97f85ba44f69259075a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>
+Date: Sat, 10 Feb 2024 00:58:27 +0100
+Subject: [PATCH] extensionSystem: Support locking down extension installation
+
+Currently extensions can only be locked down completely by
+restricting the `enabled-extensions` key via dconf.
+
+This is too restrictive for environments that want to allow users
+to customize their system with extensions, while still limiting
+the set of possible extensions.
+
+To fill that gap, add a new `allow-extension-installation` setting,
+which restricts extensions to system extensions when disabled.
+
+As the setting is mainly intended for locking down by system
+administrators, there is no attempt to load/unload extensions
+on settings changes.
+---
+ data/org.gnome.shell.gschema.xml.in | 11 +++++++++++
+ js/ui/extensionDownloader.js        |  6 ++++++
+ js/ui/extensionSystem.js            |  8 ++++++--
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/data/org.gnome.shell.gschema.xml.in b/data/org.gnome.shell.gschema.xml.in
+index 6f1c424bad..b5921983cd 100644
+--- a/data/org.gnome.shell.gschema.xml.in
++++ b/data/org.gnome.shell.gschema.xml.in
+@@ -40,6 +40,17 @@
+         the “enabled-extension” setting.
+       </description>
+     </key>
++    <key name="allow-extension-installation" type="b">
++      <default>true</default>
++      <summary>Allow extension installation</summary>
++      <description>
++        Allow users to install extensions in their home folder. If disabled,
++        the InstallRemoteExtension D-Bus method will fail, and extensions
++        are only loaded from system directories on startup.
++        It does not affect extensions that are already loaded, so a change
++        only takes full effect on the next login.
++      </description>
++    </key>
+     <key name="disable-extension-version-validation" type="b">
+       <default>false</default>
+       <summary>Disables the validation of extension version compatibility</summary>
+diff --git a/js/ui/extensionDownloader.js b/js/ui/extensionDownloader.js
+index 471ddab147..01ed165c01 100644
+--- a/js/ui/extensionDownloader.js
++++ b/js/ui/extensionDownloader.js
+@@ -17,6 +17,12 @@ var REPOSITORY_URL_UPDATE   = 'https://extensions.gnome.org/update-info/';
+ let _httpSession;
+ 
+ function installExtension(uuid, invocation) {
++    if (!global.settings.get_boolean('allow-extension-installation')) {
++        invocation.return_dbus_error('org.gnome.Shell.InstallError',
++            'Extension installation is not allowed');
++        return;
++    }
++
+     const oldExt = Main.extensionManager.lookup(uuid);
+     if (oldExt && oldExt.type === ExtensionUtils.ExtensionType.SYSTEM) {
+         log('extensionDownloader: Trying to replace system extension %s'.format(uuid));
+diff --git a/js/ui/extensionSystem.js b/js/ui/extensionSystem.js
+index 937f861994..528d9ea450 100644
+--- a/js/ui/extensionSystem.js
++++ b/js/ui/extensionSystem.js
+@@ -64,7 +64,10 @@ var ExtensionManager = class {
+ 
+     get updatesSupported() {
+         const appSys = Shell.AppSystem.get_default();
+-        return appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
++        const hasUpdatesApp =
++            appSys.lookup_app('org.gnome.Extensions.desktop') !== null;
++        const allowed = global.settings.get_boolean('allow-extension-installation');
++        return allowed && hasUpdatesApp;
+     }
+ 
+     lookup(uuid) {
+@@ -595,7 +598,8 @@ var ExtensionManager = class {
+         this._enabledExtensions = this._getEnabledExtensions();
+ 
+         let perUserDir = Gio.File.new_for_path(global.userdatadir);
+-        FileUtils.collectFromDatadirs('extensions', true, (dir, info) => {
++        const includeUserDir = global.settings.get_boolean('allow-extension-installation');
++        FileUtils.collectFromDatadirs('extensions', includeUserDir, (dir, info) => {
+             let fileType = info.get_file_type();
+             if (fileType != Gio.FileType.DIRECTORY)
+                 return;
+-- 
+2.43.0
+
diff --git a/SPECS/gnome-shell.spec b/SPECS/gnome-shell.spec
index 1de9633..734520b 100644
--- a/SPECS/gnome-shell.spec
+++ b/SPECS/gnome-shell.spec
@@ -2,7 +2,7 @@
 
 Name:           gnome-shell
 Version:        40.10
-Release:        13%{?dist}.inferit.2
+Release:        14%{?dist}.inferit
 Summary:        Window management and application launching for GNOME
 
 License:        GPLv2+
@@ -56,6 +56,7 @@ Patch52: 0001-osk-layouts-Replace-SS-extra-key-with.patch
 Patch53: 0001-po-Update-translations.patch
 Patch54: 0001-st-icon-Only-get-resource-scale-after-peeking-theme-.patch
 Patch55: 0001-window-tracker-Only-emit-tracked-windows-changed-on-.patch
+Patch56: 0001-extensionSystem-Support-locking-down-extension-insta.patch
 
 # MSVSphere
 Patch100: 0001-MSVSphere-welcomeDialog-Adapt-dialog-title.patch
@@ -174,7 +175,7 @@ Requires:       bolt%{?_isa}
 Requires:       xdg-desktop-portal-gtk >= 1.8.0
 Requires:       xdg-desktop-portal-gnome
 # needed by the welcome dialog
-#Recommends:     gnome-tour
+# Recommends:     gnome-tour
 
 Provides:       desktop-notification-daemon = %{version}-%{release}
 Provides:       PolicyKit-authentication-agent = %{version}-%{release}
@@ -280,23 +281,36 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/evolution-calendar.de
 %{_mandir}/man1/gnome-shell.1*
 
 %changelog
-* Sat Nov  5 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 40.10-13.inferit.2
+* Wed Mar  6 2024 Florian Müllner <fmuellner@redhat.com> - 40.10-14
+- Allow restricting extension installation
+  Resolves: RHEL-25201
+
+* Wed Mar  6 2024 Ray Strode <rstrode@redhat.com> - 40.10-13
+- Don't reset smartcard conversation twice when smartcard is inserted.
+  Resolves: #2140898
+
+* Sat Oct 28 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 40.10-12.inferit.5
 - Drop gnome-tour from Recommends
 
-* Tue Oct 24 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 40.10-13.inferit.1
-- Updated the Russian translation of the context menu
+* Tue Oct 24 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 40.10-12.inferit.4
+- Updated Russian translation
 
-* Thu Oct 12 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 40.10-13.inferit
+* Tue Aug 29 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 40.10-12.inferit.3
 - Translated names of power profiles in menu
+- Rebuilt for MSVSphere 9.2
+
+* Thu Aug 10 2023 Arkady L. Shane <ashejn@msvsphere.ru> - 40.10-12.inferit.2
+- Fix OS Name
+
+* Wed Jun 28 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 40.10-12.inferit.1
 - Fix Russian Translation in welcome dialog
-- Rebuilt for MSVSphere 9.3
 
-* Mon May 15 2023 Ray Strode <rstrode@redhat.com> - 40.10-13
-- Don't reset smartcard conversation twice when smartcard is inserted.
-  Resolves: #2140898
+* Mon May 15 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 40.10-12.inferit
+- Updated Russian translation
+- Rebuilt for MSVSphere 9.2
 
-* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 40.10-12
-- Rebuilt for MSVSphere 9.2 beta
+* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 40.10-12
+- Rebuilt for MSVSphere 9.1.
 
 * Wed Feb 22 2023 Florian Müllner <fmuellner@redhat.com> - 40.10-12
 - Require xdg-desktop-portal-gnome