Menu
CCMEXEC.COM – Enterprise Mobility
  • Home
  • General
  • Configuration Manager
  • Windows 10
  • Intune
  • GitHub
  • Windows 11
  • About the author
CCMEXEC.COM – Enterprise Mobility

Managing Google Chrome version 69 and later using Intune

Posted on September 24, 2018September 25, 2018 by Jörgen Nilsson

Google Chrome has a great set of Group Policy settings we can configure which makes it possible for us to even use Chrome in environments with high-security requirements, and we can also do this with Intune as it supports ADMX ingestion and ADMX backed policies!
Starting with Google Chrome version 69 and later it supports ADMX-backed policies (Windows 10 1703 or later) delivered through Intune.

Let’s see how we can configure Chrome using Intune.

Some of the things we might want to configure is forcefully install Chrome Extensions like:

Windows Defender Browser Protection extension, which will protect you from suspicious and malicious sites.

https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml 

Windows 10 Accounts extension which the possibility to use your AzureAD account for websites and for Conditional access in Chrome so it can be recognized as a managed device https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji

In this example we will configure the following:

  • Configure the Home Button
  • Forcefully install the two extensions above
  1. Create a custom Intune Configuration Profile for Windows 10 and later which we will use to ingest the Chrome.ADMX file to the clients. Create it with the settings shown below
    OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
    Data type: String
    And in the value for the “String” field copy all the content from the Chrome.ADMX file as shown below and then assign it to a test client.
  2. Verify that it works by looking in the registry of the test client under HKLM\Software\Microsoft\PolicyManager\ADMXInstalled
    There you should see ChromeADMX added as shown below.
  3. Create a new Configuration Profile that uses the Chrome.ADMX file we just ingested. Select a new Profile for Windows 10 and later and a Custom profile type. And then we add a new OMA-URI for each setting we make, it will look like this when we are finished

    Show Home Button:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowHomeButton
    Data type: String
    Value: <enabled/>

    Forcefully Install extensions:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    Data type:String
    Value: <enabled/>
    <data id=”ExtensionInstallForcelistDesc” value=”1&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx”/>
    NOTE: “&#xF000;” are the characters used as separators
  4. Then we assign the Configuration Profile to our test client

On the clients we can see that the policies are applied either by entering chrome://policy/ as the URL in Chrome

or check the HKLM/Software/Policies/Chrome registry key.

And when starting Google Chrome, the extensions are automatically installed.

Note that not all policies seem to be working as many of the Group Policies for Google Chrome only works on devices that are AD Joined.

References: https://support.google.com/chrome/a/answer/9102677?hl=en

  • ADMX
  • ADMX-Backed
  • Chrome
  • Intune
  • 10 thoughts on “Managing Google Chrome version 69 and later using Intune”

    1. Jan Hajek says:
      February 15, 2019 at 6:30 pm

      Hi I tried everything, but can’t get the extension forcelist to work. Any ideas?

      Reply
      1. Jörgen Nilsson says:
        February 18, 2019 at 10:08 am

        Hi,
        Most likely a character that is wrong somewhere. I can post my working sample on Github later today so you can import it in and test it out.
        Regards,
        Jörgen

        Reply
    2. Nick says:
      February 19, 2019 at 2:09 pm

      Hi,
      I updated the quotes but still not working. any updates on the script from gethub?

      Reply
      1. Jörgen Nilsson says:
        February 19, 2019 at 2:17 pm

        Hi,
        I have posted them here. https://github.com/SweJorgen/IntunePolicies
        From those .json files you can use the Intune Powershell sample scripts to import them into intune.
        Regards,
        Jörgen

        Reply
    3. Julien Leger says:
      March 11, 2019 at 7:04 pm

      I am unable to get Forcefully Install extensions to work, I even changed the quotes, still no go on an AzureAD + Intune managed device, even tried copying from the GitHub example above. Here’s the error and config:

      Setting error
      SETTING
      ExtensionInstallForcelist [./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist]

      STATE
      Error

      SOURCE PROFILES
      Source Profile
      Windows 10 Google Chrome ADMX Device Policy

      ERROR CODE
      0x87d1fde8

      ERROR DETAILS
      Remediation failed
      -2016281112 (Remediation failed)

      ExtensionInstallForcelist
      ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
      String

      When I manually add the registry key for one extension it shows up right away. Has anyone figured out what additional typo or syntax may be incorrect to get the policy to apply?

      Reply
    4. Julien Leger says:
      March 11, 2019 at 8:31 pm

      I finally FOUND the problem when attempting to get the Extension Forcelist to work! There is a typo in the OMA-URI path that seems to have changed with the new ADMX template. The example listed on this site has the following:
      ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

      It should actually be pointing to the following:
      ./Device/Vendor/MSFT/Policy/Config/GoogleChrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

      I also made sure to change the quotes from left/right formatting to regular quotes after copy and pasting.

      Hope this helps others! Wasted almost a whole day trying different combinations until I released the policy name starts with GoogleChrome~Policy… within the registry.

      Cheers!

      Reply
      1. Jesse W says:
        March 19, 2019 at 3:51 pm

        Julien, is that marked anywhere in the ADMX (like some of the policies list the registry path), or did you just happen to notice in the registry that’s where the policy ends up taking effect? I’m having a hell of a time getting the managed bookmarks to push lol. Thanks!

        Reply
    5. So says:
      June 5, 2019 at 3:21 pm

      Thank you !!! That’s Works!!!

      Reply
    6. Ray Ellington says:
      July 3, 2019 at 7:16 pm

      Multiple extensions would only work for me if I included a semicolon after the final update url (not shown in the above example):

      Reply
    7. Kyle says:
      July 30, 2020 at 6:35 am

      When I am trying to push out the chrome.admx out through Intune, I am able to see the reg key. However, when you look in the Event Viewer, i see the following error. With that, I am wondering if that is why I can’t push out any other polices via Intune.

      MDM ConfigurationManager: Command failure status. Configuration Source ID: (CCEA7F2C-BABE-486D-9E77-931D21E8E9A1), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

      Reply

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.

    Tweets by ccmexec

    Recent Posts

    • Windows Servicing, Personal Teams and Success.cmd
    • Windows MDM Security Baseline – Settings Catalog
    • Configuring MS Edge Security Baseline v107 using Settings Catalog
    • Configuring Desktop App Installer using CSP and script?!
    • Customizing Taskbar and Start in Windows 11 22h2 with PowerShell

    ©2023 CCMEXEC.COM – Enterprise Mobility | WordPress Theme by Superb Themes
    This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.Accept Reject Read More
    Privacy & Cookies Policy

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT