Manage Google Chrome Policies via Intune
Welcome! In this second part of managing and deploying Google Chrome series, we’ll be looking into how to manage Google Chrome policies using Microsoft Endpoint Manager (aka Intune), if you missed the part on how to deploy Google Chrome, please find it here. In this post, I will list some of the common Google Chrome settings deployed via MEM. For the full list of available policies, please consult the Chrome.ADMX file downloaded below for any additional settings for your environment.
UPDATE: Microsoft have recently introduced Google Chrome policies within Intune administrative templates, see my blog post here on how to leverage these instead of custom policies
Objectives
As part of this post, I will demonstrate how to deploy the following Google Chrome policies:
- Deploy corporate-managed favourites
- Disable default browser check
- Disable outdated plugins
- Enable the bookmark bar
- Force the Windows 10 accounts and Windows Windows Defender Browser Protection extensions
- Hide the app’s icon in the bookmark bar
- Set a specific page to load on startup
- Set a specific homepage
Small introduction into OMA-URI’s
Because we’re deploying 3rd party application policies, the functionality to manage Google Chrome isn’t available out of the box via MEM, to get around this we’ll deploy a custom profile utilising OMA-URI’s (Open Mobile Alliance Uniform Resource Identifier), these settings are typically used by mobile device manufacturers to control features on a device, the purpose of custom OMA-URI’s is to deploy ADMX backed profiles that aren’t natively built into MEM. We won’t go into a deep dive on how OMA-URI’s work, but you can find out more information about ADMX backed OMA-URI’s here.
Prerequisites
- Administrative permissions within MEM Portal
- Test Windows 10 device enrolled into the MEM service
- Test account with a valid Intune license assigned
- Download the Google Chrome Enterprise x64 bundle here

Creating the custom profile
Log into the MEM portal, browse to the devices view, select configuration profiles and then create profile:

Select Windows 10 and later as the platform and profile type of Custom and then Create:

Name the Configuration Profile and set a description so suit your needs and then select Next:

On the next page, this is where we’ll be adding in the OMA-URI’s, select Add for each of the following entries (Note: all of the below OMA-URI’s entries were tested on Chrome version 84, the below settings are subject to change for upcoming versions of Chrome):

Ingesting the Google Chrome ADMX file
The first OMA-URI to create is to ingest the ADMX file downloaded earlier along with Google Chrome bundle, once extracted, you should see a chrome.admx file, keep this to one side for the moment. Add a new OMA-URI and insert the following:
Setting | Value |
---|---|
Name | Chrome ADMX Ingestion |
Description | Chrome ADMX Version – <Bundle version> |
OMA-URI | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx |
Data Type | String |
Value | <Entire contents of Chrome.ADMX file> |
Managed Favourites
Change the data ID to match your corporate URL’s and site names, here’s an example:
Setting | Value |
---|---|
Name | ManagedFavourites |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ManagedBookmarks |
Data Type | String |
Value | <enabled/><data id=’ManagedBookmarks’ value='[{“toplevel_name”:”Contoso Favourites”},{“url”:”https://microsoft.com/”,”name”:”Contoso Website”},{“url”:”https://m365x888364.sharepoint.com/sites/SalesAndMarketing”,”name”:”Contoso Sales and Marketing Team Site”},{“url”:”https://m365x888364.sharepoint.com/sites/Retail”,”name”:”Contoso Retail Team Site”},{“url”:”https://www.yammer.com/m365x888364.onmicrosoft.com/#/home”,”name”:”Contoso Yammer Portal”},{“name”:”Microsoft Portals”,”children”:[{“url”:”https://portal.office.com”,”name”:”Office 365″},{“url”:”https://passwordreset.microsoftonline.com/”,”name”:”Password Reset Portal”},{“url”:”https://myapplications.microsoft.com”,”name”:”MyApps”},{“url”:”https://portal.manage.microsoft.com/”,”name”:”Endpoint Manager Portal”}]}]’/> |
Disable Default Browser Check
Setting | Value |
---|---|
Name | Disable Default Browser Check |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DefaultBrowserSettingEnabled |
Data Type | String |
Value | <disabled/> |
Disable outdated plugins
Setting | Value |
---|---|
Name | Disable Outdated Plugins |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AllowOutdatedPlugins |
Data Type | String |
Value | <disabled/> |
Enable the bookmark bar
Setting | Value |
---|---|
Name | Bookmark Bar Enabled |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/BookmarkBarEnabled |
Data Type | String |
Value | <enabled/> |
Force Browser Extensions
In this example, I am forcing the Windows 10 Accounts and Windows Defender Browser Protection extensions. To deploy browser extensions, you must browse to the Chrome store and obtain the application identifier in the URL, here’s an example, highlighted in red is the application identifier: https://chrome.google.com/webstore/detail/microsoft-defender-browse/bkbeeeffjjeopflfhgeknacdieedcoml which relates back to the Windows Defender Browser Protection extension, edit the data ID’s to suit the application ID’s that you wish to deploy:
Setting | Value |
---|---|
Name | Extension Install Force List (MS SSO Agent & MS Defender) |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist |
Data Type | String |
Value | <enabled/><data id=”ExtensionInstallForcelistDesc” value=”1bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx2ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx”/> |
Hiding the ‘Apps’ icon in the bookmark bar
Setting | Value |
---|---|
Name | Hide Apps Icon in Bookmarks Bar |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowAppsShortcutInBookmarkBar |
Data Type | String |
Value | <disabled/> |
Set specific URL to load on start-up
There are two OMA-URI’s required for this, one to set the start-up URL’s and the other to instruct Google Chrome to use the URL’s listed.
Setting | Value |
---|---|
Name | Restore on Startup |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup |
Data Type | String |
Value | <enabled/><data id=”RestoreOnStartup” value=”4″/> |
Replace the URL to suit your needs
Setting | Value |
---|---|
Name | Restore on Startup URLs |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs |
Data Type | String |
Value | <enabled/><data id=”RestoreOnStartupURLsDesc” value=”1https://letsconfigmgr.com”/> |
Set a specific homepage URL
As above, three OMA-URL’s are required to set the homepage, edit the homepage URL to suit your requirements
Setting | Value |
---|---|
Name | Homepage Location |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation |
Data Type | String |
Value | <enabled/><data id=”HomepageLocation” value=”https://letsconfigmgr.com”/> |
Setting | Value |
---|---|
Name | Show Home Button |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton |
Data Type | String |
Value | <enabled/> |
Setting | Value |
---|---|
Name | Disable Homepage is new tab page |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageIsNewTabPage |
Data Type | String |
Value | <disabled/> |
The profile should look something like this:

Once all is set, deploy the configuration profile to a test device.
Verifying the results
On a sync’d Intune test device, open Google Chrome and the experience should be as follows:
Homepage, startup, managed favourites, bookmark bar, removal of the app’s icon and no default browser checks

Forced Extensions

Policy status from within Google Chrome
If you browse to chrome://policy, you’ll see policies set by the administrator, in this case from MEM:

Configuration profile status from MEM

Further reading
See my other posts on how to deploy customisations to Microsoft Edge and Mozilla Firefox.
I hope you found this blog entry useful, until next time….