In this post I will be discussing on how to ingest Google Chrome policies using Intune. We can also say how to manage chrome policies using Intune. To deploy chrome policies, we need to Ingest the Chrome ADMX file into Intune which can be downloaded from Chrome ADMX templates. We will then proceed with creating the Configuration profile to add the ADMX templates there are proceeding with few other OMA-URI settings specific to Chrome settings we desire.

How to ingest ADMX files

To ingest ADMX files or we can say ADMX ingestion, we mean to say ingesting the policy information (which is there in ADMX files) into the Windows 10 / Windows 11 device using Policy CSP URI. We will be creating custom Configuration Profile in Microsoft Intune where we will be adding the ADMX files / importing the ADMX template into intune. Once this policy is applied on device (with device profile), the information of ADMX files will be saved in registry at a specific location ie. :

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled

Create Configuration Profile in Intune to ingest ADMX files.

Let’s first download Google Chrome ADMX templates, this can be downloaded from Chrome ADMX templates. Once downloaded, unzip the file GoogleChromeEnterpriseBundle64.zip and navigate to GoogleChromeEnterpriseBundle64\Configuration\admx\chrome.admx.

chrome.admx

The content of Chrome.admx is the one which we require, open the file in notepad and copy all the content which we will be pasting under Configuration Profile in next step.

chrome.admx

Create 1st Configuration Profile to ingest all Google Chrome ADMX file

Browse the URL for Microsoft Endpoint Manager admin center and navigate to Home > Devices > Configuration profiles and click on Create profile.

Create profile Configuration profiles

Under Create a profile blade, select:

Platform: Windows 10 and later

Profile type: Templates

Template name: Custom

and click Create.

Create a profile custom

On Basics page, specify name as Google Chrome ADMX, click Next.

Google Chrome ADMX

On OMA-URI Settings page, click on Add.

We need to follow a specific standard for OMA-URI setting, the following format should be used:

For Device profile: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{ApplicationName}/ {SettingType}/Unique ID or {AdmxFileName}
For User profile:  ./User/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{ApplicationName}/ {SettingType}/{AdmxFileName}

As we are going to use Device Profile, specify following values:

Name: Google Chrome Admx
Description: Ingesting Google Chrome Admx file
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/GoogleChromeAdmx
Data type: String
Value: {Copy / paste all the content from chrome.admx file}

Click on Save.

ingest Google chrome admx file

We can see under OMA-URI Settings that one row has been added which ingest complete Google Chrome admx files, which will be used a reference on device. However it doesn’t apply any specific chrome policy. For that we need to create 1 or more OMA-URI Settings to applying settings such as HomePageLocation, RestoreOnStartup, show home button.

OMA-URI Settings

We can go on proceed with adding the additional OMA-URI Settings here only by clicking on Add, but for the sake of simplicity and dividing the workload between 2 different configuration profile, I would be creating it separately, hence click Next.

Click Next under Scope tags. Under Assignments click on Add groups to apply this configuration profile to devices / specific device. Once selected, click Next.

Assignments Add groups

Skip the Applicability Rules. Under Review + Create, verify the settings and click Next.

OMA-URI Settings

Create 2nd Configuration Profile that contains the actual settings we wanted to apply

We are now going to create another configuration profile. To demonstrate, I will be creating 3 policies:

  • HomePageLocation
  • Restore On Startup
  • Show Home Page

The format of creating the policy is following:

./Device/Vendor/MSFT/Policy/Config/<ADMXIngestName>~Policy~<ADMXNamespace>~<ADMXCategory>/<PolicyName>

Note: Notice a slight difference as compared to previously policy where we used ConfigOperations and now we are using Config.

Here ADMXIngestName is the Chrome which we used in 1st Configuration Profile, ADMXCategory is googlechrome and rest is the PolicyName.

Just to make the things easier, I would recommend to check the registry location where we have ingested the Chrome ADMX, once policy is applied on device open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault

Under AdmxDefault, we can see GUID containing all the policies for Chrome starting with Chrome~Policy~googlechrome~xxxxxx.

This registry location will also help us to identify what OMA URI settings we can use.

Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\611DBAFC-DB1F-4FEF-A709-F286B10DB117\Chrome~Policy~googlechrome~Startup we can see list of subkeys, we are interested for HomepageLocation, RestoreOnStartup, RestoreOnStartupURLs, ShowHomeButton.

Chrome~Policy~googlechrome~startup

For a list of value what we can specify can be checked by opening chrome.admx file. For reference you can also browse common chrome browser policies for Microsoft Intune.

Navigate back to Configuration Profile and create new policy with Template name as Custom and specify the name Google Chrome Custom Policy.

Google Chrome Custom Policy

Under Configuration settings > OMA-URI Settings, click on Add and specify multiple policies with following settings:

Name: HomePageLocation
Description:
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation
Data type:
String
Value:
<enabled/> <data id=”HomepageLocation” value=”https://www.google.com”/>

Name: RestoreOnStartUp
Description:
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartup
Data type:
String
Value:
<enabled/> <data id=”RestoreOnStartup” value=”4″/>

Name: RestoreOnStartup URL’s
Description:
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/RestoreOnStartupURLs
Data type:
String
Value:
<enabled/> <data id=”RestoreOnStartupURLsDesc” value=”1&#xF000;bing.com&#xF000;2&#xF000;https://www.google.com”/>

Name: ShowHomeButton
Description:
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/ShowHomeButton
Data type:
String
Value:
<enabled/>

We can see 4 rows configured, click Next. Proceed with deploying the profile to the same device.

OMA-URI Settings Add Row

Login to the device and wait for synchronization. Once done, launch Google Chrome and we can see the Startup URL’s working as expected along with Home button enabled.

IngestChromePolicy 13

What is happening behind the scenes

To validate the ingestion process, we can look for registry and Event Viewer.

In Registry, there are 4 important locations:

  1. The location where AdmxDefault templated ingested.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\611DBAFC-DB1F-4FEF-A709-F286B10DB117

PolicyManager AdmxDefault

We can see list of of all Google Chrome policies

2. The location of admxInstalled, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\611DBAFC-DB1F-4FEF-A709-F286B10DB117\Chrome\Policy\GoogleChromeAdmx

PolicyManager AdmxInstalled

This identifies the Google Chrome Policy installation status with date time.

3. The location of Current policy we applied, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Chrome~Policy~googlechrome~Startup

PolicyManager Current Device

As we can see this section only shows the list of policies applied to the device.

4. And the last location, eventually where exactly the policy is getting applied through registry ie. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Google Chrome Policies RestoreOnStartupURLs

Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

Verification of Configuration Profile 1

We can see the app name “Chrome” which is a setting type “Policy” and have unique Id as “GoogleChromeAdmx”. These are the settings we specified in configuration profile.

ADMX Ingestion process

MDM PolicyManager: ADMX Ingestion: EnrollmentId (611DBAFC-DB1F-4FEF-A709-F286B10DB117), app name (Chrome), setting type (Policy), unique Id (GoogleChromeAdmx), area (NULL).
MDM PolicyManager: ADMX ingestion starting new Admx ingestion. EnrollmentId (611DBAFC-DB1F-4FEF-A709-F286B10DB117), app name (Chrome), setting type (Policy), unique Id (GoogleChromeAdmx).

IngestChromePolicy 20

Verification of Configuration Profile 2

Same way, we can see our custom configuration profile applied correctly:

MDM PolicyManager: Set policy string, Policy: (ShowHomeButton), Area: (Chrome~Policy~googlechrome~Startup), EnrollmentID requesting merge: (611DBAFC-DB1F-4FEF-A709-F286B10DB117), Current User: (Device), String: (<enabled/>), Enrollment Type: (0x6), Scope: (0x0).
MDM PolicyManager: Set policy string, Policy: (RestoreOnStartupURLs), Area: (Chrome~Policy~googlechrome~Startup), EnrollmentID requesting merge: (611DBAFC-DB1F-4FEF-A709-F286B10DB117), Current User: (Device), String: (<enabled/> <data id=”RestoreOnStartupURLsDesc” value=”1&#xF000;bing.com&#xF000;2&#xF000;https://www.google.com”/>), Enrollment Type: (0x6), Scope: (0x0).
MDM PolicyManager: Set policy string, Policy: (RestoreOnStartup), Area: (Chrome~Policy~googlechrome~Startup), EnrollmentID requesting merge: (611DBAFC-DB1F-4FEF-A709-F286B10DB117), Current User: (Device), String: (<enabled/> <data id=”RestoreOnStartup” value=”4″/>), Enrollment Type: (0x6), Scope: (0x0).
MDM PolicyManager: Set policy string, Policy: (HomepageLocation), Area: (Chrome~Policy~googlechrome~Startup), EnrollmentID requesting merge: (611DBAFC-DB1F-4FEF-A709-F286B10DB117), Current User: (Device), String: (<enabled/> <data id=”HomepageLocation” value=”https://www.google.com”/>), Enrollment Type: (0x6), Scope: (0x0).

IngestChromePolicy 21
IngestChromePolicy 22
IngestChromePolicy 23

Conclusion

Ingesting the Admx template is not a difficult task, but not an easier task either. To understand the correct format and what policy we need to applying along with acceptable values are important which can be a tough time for administrators to figure out unlike GPO (Group Policy object) where importing the ADMX templates are easy and implementing any policy is also quite easy. Reading the admx files for checking the values is an important task. The information can also be checked on 3rd party vendors website to look for any existing values to be specified.

Important Links

Win32 and Desktop Bridge app ADMX policy Ingestion – Windows Client Management | Microsoft Docs

Policy CSP – Windows Client Management | Microsoft Docs

Manage Chrome Browser with Microsoft Intune – Google Chrome Enterprise Help