You can use the official Group Policy Templates (ADMX files) to centrally manage Google Chrome browser settings on computers in an Active Directory domain. In this article, we’ll show you how to install and configure Google Chrome browser settings on users’ computers via GPO.
Deploy Google Chrome on Domain Computers via GPO
You can use Group Policies to deploy programs to users’ computers.
- Download the Google Chrome installer in MSI format https://chromeenterprise.google/browser/download/#windows-tab
- Extract the GoogleChromeEnterpriseBundle64.zip archive and copy the
GoogleChromeStandaloneEnterprise64.msi
file to the SYSVOL directory on the domain controller (\\woshub.com\SysVol\woshub.com\scripts
); - Open the Group Policy Management Console (
gpmc.msc
); - Create a new GPO (gpoInstallChrome) and link it to a container (Organizational Unit) with user computers (Create a GPO in this domain, and link it here);
- Open the new GPO and navigate to Computer Configuration -> Policies -> Software Settings -> Software installation;
- Select New -> Package and specify the UNC path to the GoogleChromeStandaloneEnterprise64.msi file on SYSVOL;
- Select the “Advanced” option and press OK;
- Go to the Deployment -> Advanced tab and enable the option Ignore language when deploying this package (this will allow ignoring Windows language on client computers);
- Reboot the user’s computer to update the Group Policy settings. The Google Chrome installation will start when Windows boots. Check that it appears in the list of installed programs on Windows.
winget install --id=Google.Chrome -e
Install Group Policy Administrative Template Files (ADMX) for Google Chrome
In order to centrally manage Google Chrome settings on users’ computers, you need to download and install the administrative GPO Templates (ADMX files).
- Download and extract an archive with ADMX Group Policy template files for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip — archive size is about 100 MB);
- There are 3 directories in the policy_templates:
* chromeos – administrative templates for Chromium;
* common – contains HTML files with a description of all Chrome policy settings – see chrome_policy_list.html file;
* windows – contains Chrome policy templates in two formats: ADM and ADMX (admx is a newer GPO templates format, that should be used for current versions of Windows 11/10/8.1 and Windows Server 2022/2019/2016/2012R2);There is a chrome.reg file in this folder. It contains an example of Chrome registry settings that can be set via the GPO. You can use the examples in this REG file to directly set Chrome settings in the registry via Group Policy Preferences. - Copy the ADMX GPO template file to ..SYSVOL\PolicyDefinitions folder (Group Policy Central Store on Active Directory domain controllers)
\\woshub.com\SYSVOL\woshub.com\Policies\PolicyDefinitions
. You need to copy all *.admx files and directories with localization ADML files (in our example, these are en-US and de-DE);We always recommend you back up the PolicyDefensions directory before installing/updating ADMX policy files. - Open the domain Group Policy Management Console (
gpmc.msc
) and edit any existing GPO (or create a new one). Make sure that a new Google folder containing several new subsections (Google Chrome, Google Chrome – Default Settings (users can override), Google Update, Legacy browser support, User-agent switcher for Chrome) appeared both in the User and Computer sections of Policies -> Administrative Templates.
There are 400+ different browser options available in GPO Administrative Templates for Google Chrome.
Customizing Google Chrome Settings via Group Policy
Note that Google Chrome settings are located in two different Group Policy sections (both in Computer and User Configuration):
- Google Chrome – users (and even the local administrator) cannot change the Chrome settings on their computer specified in this GPO section;
- Google Chrome – Default Settings (users can override) – recommended browser settings that users can change.
Let’s consider the basic Chrome settings that are often centrally configured in an enterprise environment:
- Set Google Chrome as Default Browser: Enabled;
- Set disk cache directory – the path to the Chrome disk cache (usually this is
“${local_app_data}\Google\Chrome\User Data”
); - Set disk cache size – disk cache size (in bytes);
- Set Google Chrome Frame user data directory – Chrome directory with user settings;
“${local_app_data}\Google\Chrome\User Data”
; - Managed Bookmarks;
- Disable Chrome auto-update: Chrome -> Google Update -> Applications -> Google Chrome: Update Policy Override: Updates disabled;
- Add certain websites to the trusted sites list – Policies HTTP Authentication -> Authentication server whitelist;
- Allow Kerberos authentication in Chrome for specific sites. Add a list of servers and site addresses to the policy settings under HTTP Authentication -> Kerberos Delegation Server Whitelist and Authentication Server Whitelist;
- Send anonymous usage statistics and crash information: False;
- Block access to a list of URLs: add a list of websites to be blocked (also, you can block websites in Windows using PowerShell scripts);
- Change the location of the download folder: Set download directory: c:\temp\downloads;
- Block website notifications on Chrome (Computer Configuration -> Administrative Templates -> Google -> Google Chrome -> Content Settings -> Default notification settings: Do not allow any site to show desktop notifications);
- Prevent users from saving website passwords in the browser: Google Chrome -> Password manager -> Enable saving passwords to the password manager: Disabled;
- You can clear Chrome browsing data folders in a user’s profile using the Clear Browsing Data on Exit option; Enable the policy, click Show, and specify which Chrome directories should be automatically cleaned up. Available values:
browsing_history download_history cookies_and_other_site_data cached_images_and_files autofill password_signin site_settings hosted_app_data
- Use a temporary Chrome profile (data is deleted after the user session ends). Ephemeral profile -> Enabled.The last two option is useful for Remote Desktop Services (RDS) farms with local or roaming profiles (in User Profile Disk or FSLogix format) when you want to reduce the user profile’s size.
Note that the ${local_app_data} directory corresponds to the folder %username%\AppData\Local
, and ${roaming_app_data}
– to \%username%\AppData\Roaming
.
To set proxy server settings for Chrome (may differ from proxy settings in Windows), go to Google Chrome -> Proxy settings – enable the policy and specify the proxy server address and port in the following format – 192.168.1.123:8080
Set a home page: Google Chrome -> Startup, Home page and New Tab page-> Configure the home page URL: https://woshub.com/
It remains to link the GPO with the Chrome browser settings to the desired container (OU) in Active Directory.
Update the GPO settings on the client, run Chrome and check if the new settings have been applied to the browser.
Notice that the Chrome settings page now displays “Your browser is managed by your organization”.
If you have prevented users from changing specific Chrome settings, the browser settings window will display the message “This setting is enforced by your administrator”.
You can display all Google Chrome settings configured with a GPO. Open Chrome://policy address in your browser. Chrome settings you set through the registry or ADMX GPO templates are displayed here.
Installing Google Chrome Extensions Using Group Policy
You can install specific Google Chrome extensions for all domain users using GPO. For example, you want to install the AdBlock extension on all computers automatically. Open the chrome://extensions settings page and install the extension you need on a reference computer.
Now you need to get the extension ID and the URL from which the extension is updated. The Google Chrome Extension ID can be found in the extension properties (Developer mode must be enabled).
Chrome installs the extension to the user profile C:\Users\%Username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\{extension_id_here}
.
Find and open the manifest.json file in the extension folder and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx
.
Now, in the GPO editor console, go to Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.
Click the Show button and add a line for each extension that you want to install. Use the following format:
{extension_id_here};https://clients2.google.com/service/update2/crx
Update the Group Policy settings on the user’s computer:
gpupdate /force
Close and restart the browser. Now the specified extension will be automatically installed in Chrome in silent mode without user interaction.
You can prevent users from installing Chrome extensions using the GPO option Configure extension installation blocklist: * and allow users to install only approved extensions (Configure extension installation allow list).