Manage Google Chrome settings with Microsoft Intune

In the past I wrote two articles about managing Internet Explorer settings with Microsoft Intune. More recently I wrote an article about managing Edge for macOS settings using Intune. In this new article I show how the third-party Google Chrome browser can be managed using Microsoft Intune.

Google Chrome can be managed using a custom configuration policy for Windows 10. The policy consists of two parts. The first part is used to deploy the Chrome ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Chrome ADMX file

The Chrome ADMX file can be downloaded as part of the Chrome Enterprise bundle. After downloading the bundle, locate the ADMX file and open the file with a text editor.

Now open a browser to sign in to the Microsoft Intune portal.

  • Sign in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Custom as Profile type
  • Click the Settings tab
  • Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see the OMA-URI contains ADMXInstall.
More info on how the OMA-URI is built up, along with complementary information about ADMX-backed policies, can be read in this article on Microsoft Docs.

Enter the information below in the policy:
Name: Chrome ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type: String
Value: Copy the entire content of the ADMX file into the value field

Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, we need to know which OMA-URI to use for each setting we manage. The OMA-URI for a setting, however, contains information we need to collect ourselves from the Chrome ADMX file.

This is, for example, the OMA-URI to manage the Homepage Location:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Let's split up the OMA-URI into separate parts.
This is the default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/

The part that comes next is not always the same; we need to follow some rules:
/Chrome~Policy~googlechrome~Startup/
It starts with Chrome (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the names of two categories. These categories can be found in the Chrome ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first category we find in the ADMX file is the top category and, as we can see, that is googlechrome. We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageLocation, we also find there is a category mentioned for that policy. It is the parentCategory of HomepageLocation, Startup.
So Startup is the next part of our OMA-URI.

The last part of our OMA-URI is the actual policy displayname, in this case HomepageLocation. If we put all this information together, we have our OMA-URI.
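The lookup described in this section can be automated. The sketch below is an added example, not code from the original article or from Google or Microsoft: it walks the parentCategory chain of a policy and assembles the OMA-URI, and also returns the element ids needed later for the value. The ADMX fragment is constructed for illustration (including the made-up external parent `Vendor:Cat_Vendor`), and the function and parameter names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed ADMX fragment that mirrors the structure described above (not the real file).
SAMPLE_ADMX = """<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="googlechrome" displayName="$(string.googlechrome)">
      <parentCategory ref="Vendor:Cat_Vendor"/>
    </category>
    <category name="Startup" displayName="$(string.Startup_group)">
      <parentCategory ref="googlechrome"/>
    </category>
  </categories>
  <policies>
    <policy name="HomepageLocation" class="Both" displayName="$(string.HomepageLocation)">
      <parentCategory ref="Startup"/>
      <elements><text id="HomepageLocation" valueName="HomepageLocation"/></elements>
    </policy>
  </policies>
</policyDefinitions>"""

def local(tag):
    """Element name without an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]

def oma_uri(admx_xml, policy_name, app_name="Chrome", setting_type="Policy"):
    """Return (OMA-URI, element ids) for one policy in an ingested ADMX file."""
    parent_of = {}            # category name -> name of its parent category
    policy = start = None
    for el in ET.fromstring(admx_xml).iter():
        kind = local(el.tag)
        if kind not in ("category", "policy"):
            continue
        ref = next((c.get("ref") for c in el if local(c.tag) == "parentCategory"), None)
        if kind == "category":
            parent_of[el.get("name")] = ref
        elif el.get("name") == policy_name:
            policy, start = el, ref
    if policy is None:
        raise KeyError(policy_name)
    chain, cat = [], start
    while cat in parent_of and cat not in chain:   # stop at a parent from another file
        chain.insert(0, cat)
        cat = parent_of[cat]
    area = "~".join([app_name, setting_type] + chain)
    ids = [e.get("id") for e in policy.iter() if e.get("id")]
    return "./Device/Vendor/MSFT/Policy/Config/%s/%s" % (area, policy_name), ids
```

The defaults for `app_name` and `setting_type` are the Chrome and Policy segments chosen in the ADMXInstall URI earlier; if you ingest the file under other names, pass those instead.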

Manage Startup, Home page and New Tab page settings

We start with managing the settings in the Startup, Home page and New Tab page section. These are things like controlling the Homepage Location and showing the Home Button.

We have already seen how to build the OMA-URI for the policy HomepageLocation, so let's start with that one. The Data type for these settings is always String. Then we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you would like to disable a setting).
If we have a setting which can only be set to enabled or disabled, then that's the value.

But for Homepage Location, we need to set the actual homepage location. In this case <enabled/> is followed by a data id. The data id is again found in the ADMX file; in the example below it is the text id, HomepageLocation.
Finally we need to set a value, the valuename. This is the homepage location (which needs to start with http/https, information which you can find when running GPeditor).

Switch over to the Intune portal.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
  • Data type: String
  • Value:
<enabled/> <data id="HomepageLocation" value="https://inthecloud247.com"/>
  • Click OK

That's it! We have managed our first Google Chrome setting using Microsoft Intune.

The next example is the Homepage Is New Tab Page policy. Open the Chrome ADMX file and search for HomepageIsNewTabPage. With the information found in the ADMX file we can create the OMA-URI. As you can see in the screenshot we only have the option to enable or disable the policy, no id or value. I set the policy to disabled.

Switch to the Intune portal and add a new row to the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
  • Data type: String
  • Value: <disabled/>

I want to show the Home Button in the Chrome browser. In the ADMX file we can see again we have only the options to enable or disable the setting.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
  • Data type: String
  • Value: <enabled/>

The next thing I want to control is the startup behavior. I want a website to open when Chrome is started. This can be achieved by setting the Restore On Startup to load a website (or multiple) and specifying a URL. But the solution consists of two policies.
The first one is RestoreOnStartup.

If we take a look at the ADMX file we see there are multiple options to configure, which correspond to numbers. If we want to show a website on startup, we need to set the value to 4.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartup" value="4"/>

The next setting is to specify one or multiple URLs to show on startup, which is done with the policy RestoreOnStartupURLs.
Have a look at the list id; this time the id is not the same as the policy name.

The value for this policy is not just a URL, as was the case with HomepageLocation. Because you can specify multiple URLs in the policy, the URLs need to be separated with the (encoded) unicode character &#xF000;, as is also the case when managing some settings for Internet Explorer. The URLs also need to be numbered, 1, 2, 3 etc., even if you only specify one URL.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartupURLsDesc" value="1&#xF000;inthecloud247.com"/>

Manage the Password Manager

We have seen some examples in the Startup, Home page and New Tab page settings category; let's move to another category: PasswordManager.

By reading the article this far, you probably now know how to get the required information from the Chrome ADMX file. But for those of you who just found the article to manage the Password Manager in Chrome, just have another look at the information in the ADMX file.
The policy name is PasswordManagerEnabled. The parent category, which we also need in the OMA-URI, is PasswordManager. As we can see, we can only enable or disable the Password Manager.

Now switch back to the Intune portal to add a new row for the Password Manager policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
  • Data type: String
  • Value: <disabled/>

This is the only setting I want to manage in the Password Manager category; let's move to another interesting category: Extensions.

Manage Google Chrome Extensions

The last category I want to discuss here is extensions. In Google Chrome we can add several extensions to the browser with several functions like the Windows Defender Browser Protection and Windows 10 Accounts extensions.

I want the two mentioned extensions to be installed automatically, which can be achieved by using the policy Configure the list of force-installed apps and extensions (ExtensionInstallForcelist).
Let's skip the info from the ADMX file this time, and have a look at the policy via Gpedit instead. Here we find info on how this is done with the GPO; using the custom policy we do something similar.
In the GPO we need to specify the extension id followed by the Chrome webstore update URL https://clients2.google.com/service/update2/crx. Using Intune we also need the extension id and use the webstore URL.

The extension id can be found by looking up the extension in the Chrome webstore. The extension id can be found in the url.

The extension id followed by the URL is ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx for the Windows 10 Accounts extension. Every extension needs to be separated again with the (encoded) unicode character &#xF000; and, because we need to number the extensions, the unicode character is also used between the number and the extension string. For two extensions the value looks like the example below.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx"/>

As I want to be in full control of which extensions are used, I want to block all extensions besides the extensions I force to install. This can be achieved by using an extension blacklist. To block all extensions we need to add * to the blacklist, like we would do by using the GPO. The * needs to be specified in the value section of the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>

And last I will whitelist the two extensions which I force to install using the force install policy setting.
In the value of this setting we need to specify the extension ids, number them and separate them with the unicode character.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml"/>

The extensions are now controlled by these policies.
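The numbered, &#xF000;-separated list format used above for RestoreOnStartupURLs and the three extension policies is easy to damage when copying values around, for example when double quotes are converted to typographic quotes or the separator is dropped. The following is an added example, not part of the original article: it builds such a value, parses it back, and checks that a force-list follows the id;update-URL form used in this article. The function names are hypothetical; the ids and URL are the ones from the article.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SEP = "\uf000"                        # the character written as &#xF000; in a policy value
EXT_ID = re.compile(r"[a-p]{32}")     # Chrome extension ids are 32 letters from a to p

def build_list_value(data_id, items):
    """Number the items 1,2,3... and join everything with &#xF000;."""
    fields = []
    for number, item in enumerate(items, start=1):
        fields += [str(number), escape(item, {'"': "&quot;"})]
    return '<enabled/> <data id="%s" value="%s"/>' % (data_id, "&#xF000;".join(fields))

def parse_list_value(value):
    """Return (data id, items); raise ValueError if the value was damaged by copy/paste."""
    if re.search("[\u201c\u201d\u2018\u2019]", value):
        raise ValueError("typographic quotes found, retype them as plain double quotes")
    try:
        root = ET.fromstring("<row>%s</row>" % value)   # wrapper: the value has two elements
    except ET.ParseError as exc:
        raise ValueError("value is not well-formed XML: %s" % exc)
    data = root.find("data")
    if root.find("enabled") is None or data is None:
        raise ValueError("expected <enabled/> followed by a <data .../> element")
    fields = data.get("value", "").split(SEP)
    numbers, items = fields[0::2], fields[1::2]
    if len(fields) % 2 or numbers != [str(n) for n in range(1, len(items) + 1)]:
        raise ValueError("items must be numbered 1,2,3... and separated by &#xF000;")
    return data.get("id"), items

def check_forcelist(value):
    """Return the problems found in an ExtensionInstallForcelist value (empty list = none)."""
    problems = []
    for entry in parse_list_value(value)[1]:
        ext_id, _, update_url = entry.partition(";")
        if not EXT_ID.fullmatch(ext_id):
            problems.append("not an extension id: %r" % ext_id)
        if not update_url.startswith("https://"):   # assumption: the article's id;URL form
            problems.append("no https update URL after the id %r" % ext_id)
    return problems

# The two extension ids and the update URL are the ones used in the article.
FORCELIST = build_list_value("ExtensionInstallForcelistDesc", [
    "ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx",
    "bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx"])
```

Running `parse_list_value` on a value before pasting it into the Intune portal catches both kinds of damage; `check_forcelist(FORCELIST)` returns an empty list for the value built here.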

End-user experience

Let's have a look at the end-user experience.
When we log on to an Intune managed Windows 10 device, open the Chrome browser and click on the three dots in the top right, the menu is shown. At the bottom the message Managed by your organization is shown.

When we open the settings of the browser, we can see the deployed policies are indeed applied. For example the Show home button setting is enabled and marked with a building icon.

Enter chrome://policy in the address bar of the Chrome browser to see a complete list of applied settings.

And if we open the extensions section, we can see the two forced extensions are installed and we cannot switch them off.

That's it for this time. I hope you find the post informative and that it helps you to manage the Chrome web browser using Microsoft Intune.

A related post about managing Google Update settings with Intune can be found here.

If you're also interested in managing settings with Intune for Mozilla Firefox, read this post.

NB: Don't just copy/paste the policy values into your own custom policies. Unfortunately WordPress converts the double quotes and sometimes removes the unicode character. So please replace the quotes from the article before deploying the settings and have a good look at the screenshots to see where the unicode characters are placed.




23 Comments

  1. Hi Peter,
    I have managed to perform these steps for Chrome and they work great.
    I wanted to add some trusted sites on my google chrome, how I can perform as I cannot find anything related to it on ADMX file. Normal GPO, google takes from Internet Explorer so can you please help me.
    Regards
    Kumar

  2. Thank you sir, a guide that actually does the job. There are many out of date guides in web with oma-uri values being wrong.

      • Yes it does on AAD joined devices. I have this running on AAD joined devices, without a problem.
        Doesn't the policy get applied? Then have a look at the DeviceManagement-Enterprise-Diagnostics-Provider events to see what's the issue.
        If you`re not sure the setting is applied enter chrome:policy in the address bar to see if the setting is applied or not.

        • I have this too, under chrome://policy I get Error,Ignored and then further details of the error I get: This Policy is blocked, it’s value will be ignored.

          The machine is Azure Joined only not hybrid. Running Windows 10 Pro. I’ve heard it works with Win 10 Enterprise but haven’t got a build of that on hand to test.

          • Just to add, I also get this with Edge Chromium using their ADMX/Device restriction settings in Intune also. These are clean machines provisioned using AutoPilot and successfully registered and showing in Azure AD and Intune. Also to be precise I’m using Pro Education sorry, not Pro

          • Sorry to spam this thread. Just to add, I’ve rebuilt a machine with Windows 10 Pro and not Windows 10 Pro Education and the policies now work. One to note for future reference, I’ll see if I can raise this with Google/Microsoft

          • Hi Jack,

            I got some info via Twitter about this issue;
            For the “This Policy is blocked, it’s value will be ignored.”, this error is displayed when a Chromium based browser sees a policy but the device doesn’t look like it is managed.

            ‘Normal’ Pro and Pro Edu should behave the same.

            Regards,

            Peter

    • I’m curious, do you get a remediation failure? Cause the devices I’m testing this on are getting said error.

  3. Hi Peter –
    Great info and thanks a lot.

    Any chance you can tell me how to setup or a policy for “Open a specific page On Startup?”
    I have successfully completed Home Button and Home Button URL.

    Thanks

    • Hi Tyson,

      You should use the setting RestoreOnStartup and set it to 4, which means you set the startup action to Open a list of URLs.
      With RestoreOnStartupURLs you can define those URLs.
      Both are described in the article.

      Regards,

      Peter

  4. Thanks great article was killing myself trying to get a homepage setup through Intune and Chrome ADMX

  5. Hi Peter,

    Thank you for this guide, really helpful. I followed the above steps for installing an extension but I always get remediation failed. Any idea why?

    • Hi Josh,

      Might be something wrong in the OMA-URI or the value. A space, double quote which is wrong etc. These could all cause an issue.
      If you cannot figure out what's wrong, send me your config in a txt file and I try it in my lab tenant.

      • Thanks this is what I have:

        Chrome – ADMX – ExtensionInstallForcelist

        Installs the Extension

        ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

        I saw somewhere that I might not need the http://google.store so I left it off.

      • I apologize, I re followed your guide and it worked this time. Must have been a typo or something, thanks again for the guide.

  6. Just wondering if you can offer any advice on managing bookmarks in Chrome via Intune? I’ve got a small set of bookmarks published and working, but now I find If I try to expand on this by adding any further bookmarks (to any url !) it just breaks and doesn’t work any more. This is my ‘working’ config (real urls removed).

    Advice welcomed… is it a syntax thing ? do I need to add additional parentheses at the end if I add another menu entry or something?
