Manage Google Chrome settings with Microsoft Intune

From (Peter Klapwijk)

Google Chrome can be managed using a custom configuration policy for Windows 10. The policy consists of two parts. The first part is used to deploy the Chrome ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Chrome ADMX file

The Chrome ADMX file can be downloaded as part Chrome Enterprise bundle. After downloading the bundle, locate the ADMX file and open the file with a text editor.

Now open a browser to sign-in to the Microsoft Intune portal.

  • Sign-in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Custom as Profile type
  • Click the Settings tab
  • Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see the OMA-URI contains ADMXInstall.
More info on how the OMA-URI is build up and complementing information about ADMX-backed policies can be read in this article on Microsoft Docs.

Enter below information to the policy;
Name: Chrome ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type: String
Value: As value copy the entire content of the ADMX file in the value field

Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, for the settings to manage we also need to know the OMA-URI which we need to use. But the OMA-URI for managing the settings consists of some information we need to collect ourselves from the Chrome ADMX file.

This is for example the OMA-URI to manage the Homepage Location
Let`s split up the OMA-URI in seperate parts.
This is default for managing applications using an ADMX file:

The part that comes next is not always the same, we need to follow some rules:
It start with Chrome (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the name of two categories. These categories can be found in the Chrome ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first categorie we find in the ADMX file is the top category and as we can see that is googlechrome. We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageLocation, we also find there is a category mentioned for that policy. It is the parentcategory of HomepageLocation, Startup.
So startup is the next part of our OMA-URI.


The last part of our OMA-URI is the actual policy displayname, in this case HomepageLocation. If we put al this information together, we have our OMA-URI.

Manage Startup, Home page and New Tab page settings

We start with managing the settings in the Startup, Home page en New Tab page section. These are things like controlling the Homepage Location and showing the Home Button.

We have already seen how to build the OMA-URI for the policy HomepageLocation, so let`s start with that one. The Data type for these settings is always String. Than we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you like to disable a setting).
If we have a setting which can only be set to enabled or disabled, than that`s the value.

But for Homepage Location, we need to set the actual homepage location. In this case <enabled/> is followed by a data id. The data id is found again in the ADMX file, in below example the text id, HomepageLocation.
And as last we need to set a value, the valuename. This is the homepagelocation (which needs to start with http/https, information which you can fine when running GPeditor).

Switch over to the Intune portal.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
  • Data type: String
  • Value:
<enabled/> <data id="HomepageLocation" value=""/>
  • Click OK

That`s it! We have managed our first Google Chrome setting using Microsoft Intune.

The next example is the Homepage Is New Tab Page policy. Open the Chrome ADMX file and search for HomepageIsNewTabPage. With the information found in the ADMX file we can create the OMA-URI. As you can see in the screenshot we only have the option to enable or disable the policy, no id or value. I set the policy to disabled.

Switch to the Intune portal and add a new row to the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage
  • Data type: String
  • Value: <disabled/>

I want to show the Home Button in the Chrome browser. In the ADMX file we can see again we have only the options to enable or disable the setting.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
  • Data type: String
  • Value: <enabled/>

The next thing I want to control is the startup behavior. I want a website to open when Chrome is started. This can be achieved by setting the Restore On Startup to load a website (or multiple) and specifying a URL. But the solution consists of two policies.
The first one is RestoreOnStartup.

If we take a look at the ADMX file we see there are multiple options to configure, which are corresponding to numbers. If we want to show a website on startup, we need to set the value to 4.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartup" value="4"/>

The next setting is to specify one or multiple URLs to show on startup, which is done with the policy RestoreOnStartupURLs.
Have a look at list id, this time the id is not similar to the policy name.

The value for this policy is not just a URL, like it was the case with HomepageLocation. Because you can specify multiple URLs in the policy, the URLs need to be separated with the (encoded) unicode character &#xF000, like it is also the case with managing some setting for Internet Explorer. The URLs also need to be numbered, 1,2,3 etc even if you only specify one URL.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
  • Data type: String
  • Value:
<enabled/> <data id="RestoreOnStartupURLsDesc" value="1&#xF000;"/>

Manage the Password Manager

We have seen some examples in the Startup, Home Page and New Page Tab settings category, let`s move to another catagorie; PasswordManager.

By reading the article this far, you probably now know to get the required information from the Chrome ADMX file. But for those of you who just found the article to manage the Password Manager in Chrome, just have another look at the information in the ADMX file.
The policyname is PassWordManagerEnabled. The parent category, which we also need in the OMA-URI, is PasswordManager. As we can see, we can only enable or disable the Password Manager.

Now switch back to the Intune portal to add a new row for the Password Manager policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
  • Data type: String
  • Value: <disabled/>

This is the only setting I want to manage in the Password Manager category, let`s move to another interesting category; Extensions.

Manage Google Chrome Extensions

The last category I want to discuss here is extensions. In Google Chrome we can add several extensions to the browser with several functions like the Windows Defender Browser Protection and Windows 10 Accounts extensions.

I want the two mentioned extension to be installed automatically, which can be achieved by using the policy Configure the list of force-installed apps and extensions (ExtensionInstallForcelist).
Let`s skip the info from the ADMX file this time, but let`s have a look at the policy via Gpedit. Here we find info how this is done with the GPO, using the custom policy we do something similar.
In the GPO we need to specify the extension id followed by the Chrome webstore update URL using Intune we also need the extension id and use the webstore url.

The extension id can be found by looking up the extension in the Chrome webstore. The extension id can be found in the url.

The extension id followed by the URL is ppnbnpeolgkicgegkbkbjmhlideopiji; for the Windows 10 Accounts extension. Every extension needs to be separated again with the (encoded) unicode character &#xF000 and because we need to number the extensions, the unicode character is also used between the number and the extension string. For two extensions the value is like below example.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;"/>

As I want to be in full control which extensions are used, I want to block all extensions besides the extensions I force to install. This can be achieved by using an extension blacklist. To block all extensions we need to add * to the blacklist, like we would do by using the GPO. The * needs to be specified in the value section of the custom policy.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>

And last I will whitelist the two extension which I force to install using the force install policy setting.
In the value of this setting we need to specify the extension id, number the extension ids and separated them by the unicode character.

  • Give the Row a Name
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist
  • Data type: String
  • Value:
<enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml"/>

The extensions are in control by these policies.

End-user experience

Let`s have a look at the end-user experience.
When we logon to an Intune managed Windows 10 device, open the Chrome browser and click on the three dots in te right top, the menu is shown. At the bottom a message is shown Managed by your organization.

When we open the settings of the browser, we can see the deployed policies are indeed applied. For example the Show home button setting is enabled and marked with a building icon.

Enter chrome://policy in the address bar of the Chrome browser to see a complete list of applied settings.

And if we open the extensions section, we can see the two forced extensions are installed en we cannot switch them off.

That`s it for this time. I hope you find the post informative and helps you to manage the Chrome web browser using Microsoft Intune.

A related post about managing Google Update setting with Intune can be found here.