For administrators who manage Chrome browser on Windows for a business or school.
As a Chrome Enterprise administrator, you can use Microsoft Intune to deploy and manage Chrome browser on Windows devices.
Before you begin
- You need an administrator account to access the Microsoft Endpoint Manager admin center.
- To apply Chrome policies that are labeled as working only when joined to a Microsoft Active Directory domain, you need:
- Chrome browser version 69 or later.
- Any edition of Windows 10 and 11 but not Windows Home.
Step 1: Deploy Chrome browser
- Download the Chrome browser executable and select the channel taking into account your audience.
- When the executable is downloaded, you need to prepare it so that it can be uploaded in Intune.
- Download Microsoft’s Win32 Content Prep tool.
- Follow these instructions to prepare the Chrome browser app.
- Sign into the Microsoft Endpoint Manager admin center.
- Click AppsWindowsAdd.
- Click Add.
- For App type, select Windows App (Win32) and then click Select.
- In the App information page, click Select app package file and search for the file you prepared in step 2.
Note: The file must have the .intunewin extension. - When the file is uploaded, click OK.
- On the App information page, add your app details.
Some details of the Chrome browser app might be automatically filled in. - Click Next.
- In the Program page, configure the app installation and removal commands for the app by following these steps.
- Click Next.
- Configure any of the following as required:
- In the Requirements page, configure the requirements the device must meet before Chrome browser is installed and click Next.
- In the Detection rules page, configure any rules you require and click Next.
- In the Dependencies page, configure any dependencies you require and click Next.
- In the Supercedence page, configure any supercedences you require and click Next.
- In the Assignments page, configure any assignments you require and click Next.
- Select any applicable Included groups and Excluded groups.
- Click NextCreate.
Step 2: Configure Chrome browser with Settings Catalog
- Still in the Microsoft Endpoint Manager admin center, select DevicesWindowsConfiguration Profiles.
- Click Create Profile.
- In Platforms, select Windows 10 and later.
- In Profile type, select Settings Catalog (preview).
- Enter a configuration name, for example Chrome browser configuration.
- In the Configuration Settings page, select Add Settings.
- In the search box, search for Chrome. You can now select from and configure a multitude of settings as detailed in the examples below.
Note: You don’t need to create separate policies to configure the different examples below. You can configure the examples below, and more, under the same policy. - Click Next.
- Select any applicable Included groups and Excluded groups, and respective Filters.
- Click Next.
- Select any applicable Scope tags.
- Click NextCreate.
Example A: Enable home button
- Double click Administrative Templates\Google\Google Chrome\Startup, Home page and New Tab Page.
- Scroll down and select the Show Home button on toolbar setting.
- Enable the setting and click Next.
Example B: Configure URL for homepage button
- Double click Administrative Templates\Google\Google Chrome\Startup, Home page and New Tab Page.
- Scroll down and select the Configure the home page URL setting.
- Enable the setting and in the Home page URL (Device), paste your URL. For example, https://www.google.com.
- Click Next.
Example C: Enable site isolation for specified origins
- Double click Administrative Templates\Google\Google Chrome\Startup.
- Scroll down and select the Enable Site Isolation for specified origins setting.
- Enable the setting and in Enable Site Isolation for specified origins (Device), define the origins.
- Click Next.
Example D: Configure Legacy Browser Support
- Double click Administrative Templates\Google\Google Chrome\Legacy Browser Support.
- Scroll down and select the following settings:
- Alternative browser to launch for configured websites
- Enable the Legacy Browser Support feature
- Keep last tab open in Chrome
- Websites to open in alternate browsers
- Enable the setting and do the following:
- In the Alternative browser to launch for configured websites box, select one of the following:
- ${ie}
- ${firefox}
- ${safari}
- ${opera}, ${edge}
- a file path
- In the Websites to open in alternate browsers box, define the URLs you want to open in the alternative browser.
- In the Alternative browser to launch for configured websites box, select one of the following:
- Click Next.
Example E: Allow specific extensions
- Double click Administrative Templates\Google\Google Chrome\Extensions.
- Scroll down and select the Configure extension installation allow list setting.
- Enable the setting and under Extension IDs to exempt from the blocklist (Device), add the IDs of the extensions you want to add to your allowlist.
- Click Next.
Example F: Block external extensions from being installed
- Double click Administrative Templates\Google\Google Chrome\Extensions.
- Scroll down and select the Block external extensions from being installed setting.
- Enable the setting and click Next.
Example G: Manage bookmarks
- Double click Administrative Templates\Google\Google Chrome.
- Scroll down and select the Enable Bookmark Bar and Managed Bookmarks settings.
- Enable both settings and in the Managed Bookmarks box paste the URLs you want to add to your list.
- Click Next.
Step 3: Confirm that the policy is set
After you apply any Chrome policies, users need to restart Chrome browser for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.
Note: Allow time for Intune to propagate the policy to Chrome on the devices you’re managing. If the policy is taking some time to push, verify that the device is enrolled and you have synced the device to get the latest policies from Intune.
- On a managed device, open Chrome browser.
- In the address bar, enter chrome://policy.
- Click Reload policies.
- Verify that the policy you set is enabled.
Step 4: Confirm the policy is set (Intune)
Allow time for Intune to propagate the policy to Chrome on the devices you’re managing. If the policy is taking some time to push, verify that the device is enrolled and you have synced the device to get the latest policies from Intune.
- In the Microsoft Endpoint Manager admin center, select DevicesWindowsConfiguration Profiles, and click on the policy you just created.
- If want to see which devices have been targeted by the policy, including devices in a pending policy assignment state, click Device assignment status report.
- If want to view the configuration status of each setting for the policy across all devices and users, select the Per setting status report.
Related topics
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.