Manage Google Chrome settings with Microsoft Intune

Update March 2022: with the 2203 Intune release, Google Chrome settings are now available in the Intune portal as part of the Settings Catalog and Administrative Templates profiles. Most of the settings don’t have to be configured anymore with custom OMA-URIs.

In the past, I wrote two articles about managing Internet Explorer settings with Microsoft Intune. More recently I wrote an article about managing Edge for macOS settings using Intune. In this new article, I show how the third-party Google Chrome browser can be managed using Microsoft Intune.

Google Chrome can be managed using a custom configuration policy for Windows 10. The policy consists of two parts. The first part is used to deploy the Chrome ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Chrome ADMX file

The Chrome ADMX file can be downloaded as part Chrome Enterprise bundle. After downloading the bundle, locate the ADMX file and open the file with a text editor.

Now open a browser to sign-in to the Microsoft Intune portal.

  • Sign-in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Custom as Profile type
  • Click the Settings tab
  • Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see the OMA-URI contains ADMXInstall.
More info on how the OMA-URI is build up and complementing information about ADMX-backed policies can be read in this article on Microsoft Docs.

Enter below information to the policy;
Name: Chrome ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type: String
Value: As value copy the entire content of the ADMX file in the value field

Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, for the settings to manage we also need to know the OMA-URI which we need to use. But the OMA-URI for managing the settings consists of some information we need to collect ourselves from the Chrome ADMX file.

This is for example the OMA-URI to manage the Homepage Location
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Let`s split up the OMA-URI in seperate parts.
This is default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/

The part that comes next is not always the same, we need to follow some rules:
/Chrome~Policy~googlechrome~Startup/
It start with Chrome (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the name of two categories. These categories can be found in the Chrome ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first categorie we find in the ADMX file is the top category and as we can see that is googlechrome. We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageLocation, we also find there is a category mentioned for that policy. It is the parentcategory of HomepageLocation, Startup.
So startup is the next part of our OMA-URI.

la

The last part of our OMA-URI is the actual policy displayname, in this case HomepageLocation. If we put al this information together, we have our OMA-URI.

Manage Startup, Home page and New Tab page settings

We start with managing the settings in the Startup, Home page en New Tab page section. These are things like controlling the Homepage Location and showing the Home Button.

We have already seen how to build the OMA-URI for the policy HomepageLocation, so let`s start with that one. The Data type for these settings is always String. Than we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you like to disable a setting).
If we have a setting which can only be set to enabled or disabled, than that`s the value.

But for Homepage Location, we need to set the actual homepage location. In this case <enabled/> is followed by a data id. The data id is found again in the ADMX file, in below example the text id, HomepageLocation.
And as last we need to set a value, the valuename. This is the homepagelocation (which needs to start with http/https, information which you can fine when running GPeditor).

Switch over to the Intune portal.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
  • Data type: String
  • Value:
<enabled/> <data id="HomepageLocation" value="https://inthecloud247.com"/>
  • Click OK

That`s it! We have managed our first Google Chrome setting using Microsoft Intune.

The next example is the Homepage Is New Tab Page policy. Open the Chrome ADMX file and search for HomepageIsNewTabPage. With the information found in the ADMX file we can create the OMA-URI. As you can see in the screenshot we only have the option to enable or disable the policy, no id or value. I set the policy to disabled.

Switch to the Intune portal and add a new row to the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
  • Data type: String
  • Value: <disabled/>

I want to show the Home Button in the Chrome browser. In the ADMX file we can see again we have only the options to enable or disable the setting.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
  • Data type: String
  • Value: <enabled/>

The next thing I want to control is the startup behavior. I want a website to open when Chrome is started. This can be achieved by setting the Restore On Startup to load a website (or multiple) and specifying a URL. But the solution consists of two policies.
The first one is RestoreOnStartup.

If we take a look at the ADMX file we see there are multiple options to configure, which are corresponding to numbers. If we want to show a website on startup, we need to set the value to 4.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartup" value="4"/>

The next setting is to specify one or multiple URLs to show on startup, which is done with the policy RestoreOnStartupURLs.
Have a look at list id, this time the id is not similar to the policy name.

The value for this policy is not just a URL, like it was the case with HomepageLocation. Because you can specify multiple URLs in the policy, the URLs need to be separated with the (encoded) unicode character &#xF000, like it is also the case with managing some setting for Internet Explorer. The URLs also need to be numbered, 1,2,3 etc even if you only specify one URL.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartupURLsDesc" value="1&#xF000;inthecloud247.com"/>

Manage the Password Manager

We have seen some examples in the Startup, Home Page and New Page Tab settings category, let`s move to another catagorie; PasswordManager.

By reading the article this far, you probably now know to get the required information from the Chrome ADMX file. But for those of you who just found the article to manage the Password Manager in Chrome, just have another look at the information in the ADMX file.
The policyname is PassWordManagerEnabled. The parent category, which we also need in the OMA-URI, is PasswordManager. As we can see, we can only enable or disable the Password Manager.

Now switch back to the Intune portal to add a new row for the Password Manager policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
  • Data type: String
  • Value: <disabled/>

This is the only setting I want to manage in the Password Manager category, let`s move to another interesting category; Extensions.

Manage Google Chrome Extensions

The last category I want to discuss here is extensions. In Google Chrome we can add several extensions to the browser with several functions like the Windows Defender Browser Protection and Windows 10 Accounts extensions.

I want the two mentioned extension to be installed automatically, which can be achieved by using the policy Configure the list of force-installed apps and extensions (ExtensionInstallForcelist).
Let`s skip the info from the ADMX file this time, but let`s have a look at the policy via Gpedit. Here we find info how this is done with the GPO, using the custom policy we do something similar.
In the GPO we need to specify the extension id followed by the Chrome webstore update URL https://clients2.google.com/service/update2/crx. using Intune we also need the extension id and use the webstore url.

The extension id can be found by looking up the extension in the Chrome webstore. The extension id can be found in the url.

The extension id followed by the URL is ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx for the Windows 10 Accounts extension. Every extension needs to be separated again with the (encoded) unicode character &#xF000 and because we need to number the extensions, the unicode character is also used between the number and the extension string. For two extensions the value is like below example.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx"/>

As I want to be in full control which extensions are used, I want to block all extensions besides the extensions I force to install. This can be achieved by using an extension blacklist. To block all extensions we need to add * to the blacklist, like we would do by using the GPO. The * needs to be specified in the value section of the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>

And last I will whitelist the two extension which I force to install using the force install policy setting.
In the value of this setting we need to specify the extension id, number the extension ids and separated them by the unicode character.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml"/>

The extensions are in control by these policies.

End-user experience

Let`s have a look at the end-user experience.
When we logon to an Intune managed Windows 10 device, open the Chrome browser and click on the three dots in te right top, the menu is shown. At the bottom a message is shown Managed by your organization.

When we open the settings of the browser, we can see the deployed policies are indeed applied. For example the Show home button setting is enabled and marked with a building icon.

Enter chrome://policy in the address bar of the Chrome browser to see a complete list of applied settings.

And if we open the extensions section, we can see the two forced extensions are installed en we cannot switch them off.

That`s it for this time. I hope you find the post informative and helps you to manage the Chrome web browser using Microsoft Intune.

A related post about managing Google Update setting with Intune can be found here.

If you`re also interested in managing setting with Intune for Mozilla Firefox, read this post.

NB: Don`t just copy/ paste the policy values into your own custom policies. Unfortunately WordPress converts the double quotes and sometimes removes the unicode character. So please replace the quotes from the article before deploying the settings and have a good look on the screen shots where the unicode characters are placed.

53 Comments

  1. Hi Peter,
    I have managed to perform these steps for Chrome and they work great.
    I wanted to add some trusted sites on my google chrome, how I can perform as I cannot find anything related to it on ADMX file. Normal GPO, google takes from Internet Explorer so can you please help me.
    Regards
    Kumar

  2. Thank you sir, a guide that actually does the job. There are many out of date guides in web with oma-uri values being wrong.

      • Yes it does on AAD joined devices. I have this running on AAD joined devices, without a problem.
        Doesn`t the policy get applied? Then have a look at the DeviceManagement-Enterprise-Diagnostics-Provider events to see what`s the issue.
        If you`re not sure the setting is applied enter chrome:policy in the address bar to see if the setting is applied or not.

        • I have this too, under chrome://policy I get Error,Ignored and then further details of the error I get: This Policy is blocked, it’s value will be ignored.

          The machine is Azure Joined only not hybrid. Running Windows 10 Pro. I’ve heard it works with Win 10 Enterprise but haven’t got a build of that on hand to test.

          • Just to add, I also get this with Edge Chromium using their ADMX/Device restriction settings in Intune also. These are clean machines provisioned using AutoPilot and successfully registered and showing in Azure AD and Intune. Also to be precise I’m using Pro Education sorry, not Pro

          • Sorry to spam this thread. Just to add, I’ve rebuilt a machine with Windows 10 Pro and not Windows 10 Pro Education and the policies now work. One to note for future reference, I’ll see if I can raise this with Google/Microsoft

          • Hi Jack,

            I got some info via Twitter about this issue;
            For the “This Policy is blocked, it’s value will be ignored.”, this error is displayed when a Chromium based browser sees a policy but the device doesn’t look like it is managed.

            ‘Normal’ Pro and Pro Edu should behave the same.

            Regards,

            Peter

    • I’m curious, do you get a remediation failure? Cause the devices I’m testing this on are getting said error.

  3. Hi Peter –
    Great info and thanks a lot.

    Any chance you can tell me how to setup or a policy for “Open a specific page On Startup?”
    I have successfully completed Home Button and Home Button URL.

    Thanks

    • Hi Tyson,

      You should use the setting RestoreOnStartup and set it to 4, which means you set the startup action to Open a list of URLs.
      With RestoreOnStartupURLs you can define those URLs.
      Both are described in the article.

      Regards,

      Peter

      • Hi Peter, thanks for putting this together! Would you be able to help me with my issue: I am trying to specify 2 URLs in the restoreonstartupURLs but I am unclear on the syntax. I have got it to work with 1 URL but what is the proper way to add 2 or more?

        I have tried many combinations including like separating the URLs with ;
        which I found in some related google docs:

          • It did not allow me to post code so hopefully this helps and show up: at the end of the first URL you have to add &#xF000 then a semi colon to end the first URL then (make sure you number it right) 2&#xF000 followed by the second URL, no need to add the &#xF000 at the end unless you add a third

  4. Thanks great article was killing myself trying to get a homepage setup through Intune and Chrome ADMX

  5. Hi Peter,

    Thank you for this guide, really helpful. I followed the above steps for installing an extension but I always get remediation failed. Any idea why?

    • Hi Josh,

      Might be something wrong in the OMA-URI or the value. A space, double quote which is wrong etc. These could all cause an issue.
      If you cannot figure out what`s wrong, send me your config in a txt file and I try it in my lab tenant.

      • Thanks this is what I have:

        Chrome – ADMX – ExtensionInstallForcelist

        Installs the Extension

        ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

        I saw somewhere that I might not need the http://google.store so I left it off.

      • I apologize, I re followed your guide and it worked this time. Must have been a typo or something, thanks again for the guide.

          • Also wanted to say I had an issue when applying these configurations to a device group. The extensions only seemed to work when applying to a Users group. Just hoping this can help someone out.

  6. Just wondering if you can offer any advice on managing bookmarks in Chrome via Intune? I’ve got a small set of bookmarks published and working, but now I find If I try to expand on this by adding any further bookmarks (to any url !) it just breaks and doesn’t work any more. This is my ‘working’ config (real urls removed).

    Advice welcomed… is it a syntax thing ? do I need to add additional parentheses at the end if I add another menu entry or something?

  7. I was able to successfully use this to prevent users from installing their own extensions in a test group of users. However now I’m trying to remove the policy and I’m running into trouble. I’ve tried removing all assignments, excluding the target group, and even targeting the group but changing the policy to . The policy will not remove from the machines, Chrome~Policy~googlechrome~Extensions continues to show up in the applied policies, and I can see it still being applied under chrome://policy. Any Advice for removing this?

  8. Hi Peter, thanks for this useful post.

    I am wondering if you know if there is a way to automatically bypass the ‘Pick an account’ for an Office 365 homepage? The devices are full AAD joined and there is only one account in the list to choose from.

  9. We’re also trying to install the Microsoft Defender Browser Protection extension on our computers. We’ve already ingested the ADMX template a long time ago and could apply policies (e.g. ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome_recommended~Startup_recommended/HomepageLocation_recommended).

    However for ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist it gets -2016281112 (Remediation failed) error on our test computers.

    The local MDM event logs show

    MDM PolicyManager: ADMX ingestion given payload expect True or False string. Id (ExtensionInstallForcelistDesc). Result:(0x82B00004) Unknown Win32 Error code: 0x82b00004.

    MDM PolicyManager: Set policy string, Policy: (ExtensionInstallForcelist), Area: (Chrome~Policy~googlechrome~Extensions), EnrollmentID requesting set: (25555F16-A24E-440B-AC01-F40FE88EEDAE), Current User: (Device), String: (
    ), Enrollment Type: (0x6), Scope: (0x0), Result:(0x82B00004) Unknown Win32 Error code: 0x82b00004.

    MDM ConfigurationManager: Command failure status. Configuration Source ID: (25555F16-A24E-440B-AC01-F40FE88EEDAE), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist), Result: (Unknown Win32 Error code: 0x82b00004).

    Hmmm, why would ExtensionInstallForcelistDesc be considered a boolean field in the first error?

    • Found the problem with my string value. There were too many  separators and I also placed it between the extension id and Google update URL instead of using literal ; character. The policy can be applied properly now.

  10. Need help with following things that need to change on chrome.

    Block third party cookies
    Block webpages from automatically running Flash plugins
    Disable ‘Continue running background apps when Google Chrome is closed’
    Disable ‘Allow running plugins that are outdated’

    • BackgroundModeEnabled ./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome/BackgroundModeEnabled “Setting the policy to Enabled turns background mode on. In backgroudn mode a Google Chrome process is started on OS sign-in and keeps running when the last browser window is closed allowing background apps and the browsing session to remain active including any session cookies. The background process displays an icon in the system tray and can always be closed from there.

      Setting the policy to Disabled turns background mode off.

      If you set the policy users can’t change it in the browser settings. If unset background mode is off at first but users can change it.”

    • CookiesBlockedForUrls ./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/CookiesBlockedForUrls “Setting the policy lets you make a list of URL patterns that specify sites that can’t set cookies.

      Leaving the policy unset results in the use of DefaultCookiesSetting for all sites if it’s set. If not the user’s personal setting applies.

      While no specific policy takes precedence see CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among these 3 policies must not conflict.

      For detailed information on valid url patterns please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.

      Example value:

      https://www.example.com
      [*.]example.edu”

    • AllowOutdatedPlugins ./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~RemovedPolicies/AllowOutdatedPlugins

  11. If I wanted to set the users homepage in Chrome but also allow them to add other startup pages that they want as well is that possible?

    • Not sure about that. Don’t know if you apply the setting as a user setting instead of a device setting if that allows the user to configure the setting.
      You could give it a try by replacing device in the OMA-URI for User. So the OMA-URI starts with ./User/Vendor

  12. Does Anyone know what the Value has to be when configuring the AutoOpenFileType Policy for Chrome? I’m Trying to set that .ICA files (Citrix) are opened automatically. But I keep getting complaint errors after syncing…

    The OMA-URI = ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AutoOpenFileTypes

    99% positive that the URI is correct. (when giving value the complaincy is succeeded)
    But when giving Value String:

    It’s not getting a succeeded complaince….
    Anyone know what the value should be?

    Confirmed that the present .ADMX does have AutoOpenFileTypes policy as a possible setting….

    Thanks in advance.

  13. Hi! This has been very helpful Thank you!

    however I am getting a Remediation failed error when I try to add a policy thats under just “Chrome~Policy~googlechrome” directly (such as RelaunchNotification). I am wondering what my OMA-URI should look like.

    Currently it is — “./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/RelaunchNotification”

    and my string value is following:

    Any help would be greatly appreciated! Thanks!

      • Hi,

        Your OMA-URI is fine.
        It’s indeed a String type.
        The value is equal to the one described above for RestoreOnStartup. Take that one as an example and as data id “RelaunchNotification” and replace the value with your value.

        • Hi! Thanks so much! That did it. I was using the data id as “RelaunchNotification_Recommended” and the value. Now I get it!

          Thanks again!

  14. Hi Peter,
    I am stumped on this one. I want all browser data cleared upon exit. Let me know if you have any ideas. The group policy is called “Clear Browsing Data on Exit”. You enable it then fill in values (EG: browsing_history, download_history).

    This is what I have been using for the OMA-URI (I’ve tried many others but I think this is the right one): ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ClearBrowsingDataOnExistList

    I have tried all of these Values:

    Thanks so much!
    Steve

    • Like everyone else here, it looks like my strings didn’t make it through 🙂

      enabled
      for data id I used ClearBrowsingDataOnExitListDesc
      values I tried:
      1browsing_history
      1*
      1browsing_history&#xF000

  15. Is there a command line argument or something I can add to remove the desktop icon after the application is installed?

  16. Hi Peter
    is there a way to force pin an extension in Chrome once it has been deployed via the ADMX rules? I can only find the “toolbar_pin”:”force_pinned”‘ command, but this does not seem to be working

    Thanks

  17. I am trying to configure one of the newer settings using the ADMX. But keep getting an error. The setting is: RestoreOnStartupIsLastSessionAndURLs have you had any luck configuring that one?

  18. Hi,

    Do you know how I can add multiple Managed Bookmark Folders through Intune for Chrome?

    I have tried to do this a few times, but I’m not getting anywhere with it

  19. Do we have an option to force chrome update on all windows machines where Chrome is not deployed from Intune?

Leave a Reply

Your email address will not be published.


*