Google Chrome has a great set of Group Policy settings that make it possible to use Chrome even in environments with high security requirements, and we can apply them with Intune as well, since it supports ADMX ingestion and ADMX-backed policies!
Starting with version 69, Google Chrome supports ADMX-backed policies delivered through Intune (Windows 10 1703 or later).
Let’s see how we can configure Chrome using Intune.
One of the things we might want to configure is the forced installation of Chrome extensions such as:
- Windows Defender Browser Protection extension, which will protect you from suspicious and malicious sites: https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml
- Windows 10 Accounts extension, which gives the possibility to use your Azure AD account for websites and for Conditional Access in Chrome, so the device can be recognized as a managed device: https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji
In this example we will configure the following:
- Configure the Home Button
- Forcefully install the two extensions above
- Create a custom Intune Configuration Profile for Windows 10 and later, which we will use to ingest the Chrome.ADMX file to the clients. Create it with the settings shown below:
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type: String
In the value for the "String" field, copy all the content from the Chrome.ADMX file as shown below, and then assign the profile to a test client.
- Verify that it works by looking in the registry of the test client under HKLM\Software\Microsoft\PolicyManager\ADMXInstalled
There you should see ChromeADMX added as shown below.
- Create a new Configuration Profile that uses the Chrome.ADMX file we just ingested. Select a new Profile for Windows 10 and later and a Custom profile type, then add a new OMA-URI for each setting. It will look like this when we are finished:
Show Home Button:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowHomeButton
Data type: String
Value: <enabled/>
Forcefully Install extensions:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
Data type: String
Value: <enabled/>
<data id="ExtensionInstallForcelistDesc" value="1&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>
NOTE: "&#xF000;" are the characters used as separators
- Then we assign the Configuration Profile to our test client
On the clients we can see that the policies are applied either by entering chrome://policy/ as the URL in Chrome
or by checking the HKLM\Software\Policies\Chrome registry key.
And when starting Google Chrome, the extensions are automatically installed.
Note that not all policies seem to work, as many of the Group Policies for Google Chrome only work on devices that are AD joined.
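An added PowerShell example (not from the original post) that builds the OMA-URI and value for the forcelist setting and checks a pasted value for two copy-and-paste problems: curly quotes and lost `&#xF000;` separators. The function and parameter names are hypothetical; the policy area prefix is the app name used in the ADMXInstall OMA-URI, which is `Chrome` in this post.

```powershell
# Added example; function and parameter names are hypothetical.
function New-ChromeForcelistSetting {
    param(
        # <AppName> from the ingestion URI .../ADMXInstall/<AppName>/Policy/<FileId>
        [Parameter(Mandatory)][string]$AdmxAppName,
        [Parameter(Mandatory)][string[]]$ExtensionId,
        [string]$UpdateUrl = 'https://clients2.google.com/service/update2/crx'
    )
    $items = @()
    for ($i = 0; $i -lt $ExtensionId.Count; $i++) {
        # Chrome extension IDs are 32 characters from the range a-p
        if ($ExtensionId[$i] -cnotmatch '^[a-p]{32}$') {
            throw "Not a valid extension ID: $($ExtensionId[$i])"
        }
        # Each list entry is <index>, separator, <id>;<update URL>
        $items += '{0}&#xF000;{1};{2}' -f ($i + 1), $ExtensionId[$i], $UpdateUrl
    }
    $list = $items -join '&#xF000;'
    $data = '<data id="ExtensionInstallForcelistDesc" value="{0}"/>' -f $list
    $uri  = './Device/Vendor/MSFT/Policy/Config/{0}~Policy~googlechrome~Extensions/ExtensionInstallForcelist' -f $AdmxAppName
    [pscustomobject]@{
        OmaUri   = $uri
        DataType = 'String'
        Value    = "<enabled/>`n$data"
    }
}

function Test-ChromePolicyValue {
    param([Parameter(Mandatory)][string]$Value)
    $problems = @()
    # Curly quotes copied from a web page are not valid XML attribute delimiters
    if ($Value -match '[\u201C\u201D]') { $problems += 'curly quotes instead of straight quotes' }
    # The separator may be the entity &#xF000; or the raw U+F000 character
    if ($Value -notmatch '&#xF000;' -and $Value.IndexOf([char]0xF000) -lt 0) {
        $problems += 'list separator &#xF000; missing'
    }
    $problems
}

# The two extensions from this post, with the app name used in the ingestion OMA-URI above
$setting = New-ChromeForcelistSetting -AdmxAppName 'Chrome' -ExtensionId @(
    'bkbeeeffjjeopflfhgeknacdieedcoml',
    'ppnbnpeolgkicgegkbkbjmhlideopiji')
$setting | Format-List

# Constructed sample of a value pasted from a web page: curly quotes, separator lost
$pasted = '<data id=' + [char]0x201D + 'ExtensionInstallForcelistDesc' + [char]0x201D + ' value=...'
Test-ChromePolicyValue -Value $pasted
```

If the ADMX file is ingested under a different app name, pass that name as `-AdmxAppName` so the policy area in the Config OMA-URI matches the ingestion OMA-URI.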
References: https://support.google.com/chrome/a/answer/9102677?hl=en
Hi I tried everything, but can’t get the extension forcelist to work. Any ideas?
Hi,
Most likely a character that is wrong somewhere. I can post my working sample on Github later today so you can import it in and test it out.
Regards,
Jörgen
Hi,
I updated the quotes but it is still not working. Any updates on the script from GitHub?
Hi,
I have posted them here. https://github.com/SweJorgen/IntunePolicies
From those .json files you can use the Intune PowerShell sample scripts to import them into Intune.
Regards,
Jörgen
I am unable to get Forcefully Install extensions to work, I even changed the quotes, still no go on an AzureAD + Intune managed device, even tried copying from the GitHub example above. Here’s the error and config:
Setting error
Setting: ExtensionInstallForcelist [./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist]
State: Error
Source profile: Windows 10 Google Chrome ADMX Device Policy
Error code: 0x87d1fde8
Error details: Remediation failed, -2016281112 (Remediation failed)
ExtensionInstallForcelist
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
String
When I manually add the registry key for one extension it shows up right away. Has anyone figured out what additional typo or syntax may be incorrect to get the policy to apply?
I finally FOUND the problem when attempting to get the Extension Forcelist to work! There is a typo in the OMA-URI path that seems to have changed with the new ADMX template. The example listed on this site has the following:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
It should actually be pointing to the following:
./Device/Vendor/MSFT/Policy/Config/GoogleChrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
I also made sure to change the quotes from left/right formatting to regular quotes after copy and pasting.
Hope this helps others! Wasted almost a whole day trying different combinations until I realized the policy name starts with GoogleChrome~Policy… within the registry.
Cheers!
Julien, is that marked anywhere in the ADMX (like some of the policies list the registry path), or did you just happen to notice in the registry that’s where the policy ends up taking effect? I’m having a hell of a time getting the managed bookmarks to push lol. Thanks!
Thank you!!! That works!!!
Multiple extensions would only work for me if I included a semicolon after the final update url (not shown in the above example):
When I am trying to push the chrome.admx out through Intune, I am able to see the reg key. However, when I look in the Event Viewer, I see the following error. With that, I am wondering if that is why I can’t push out any other policies via Intune.
MDM ConfigurationManager: Command failure status. Configuration Source ID: (CCEA7F2C-BABE-486D-9E77-931D21E8E9A1), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).