This is a follow-up post on Managing Google Chrome settings with Microsoft Intune. In this post I will show how we can use Microsoft Endpoint Manager (Intune) to manage Google Update settings.
Like the Google Chrome settings, the Google Update settings can also be managed using a custom configuration profile for Windows 10. The policy consists of two parts. The first part is used to deploy the Google Update ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.
Note: most settings only work on (Hybrid Azure) AD joined devices.
Deploy the Google Update ADMX file
The Google Update ADMX file can be downloaded as part of the Chrome Enterprise bundle. After downloading the bundle, locate the ADMX file and open it with a text editor.
Now open a browser to sign in to the Microsoft Endpoint Manager portal.
- Sign in to the Endpoint Manager admin center
- Browse to Devices – Windows
- On the Configuration profiles tab click + Create profile
- Choose Windows 10 and later as Platform
- Choose Custom as Profile type
- Click Create
- Give the configuration profile a Name
- Enter a Description (optional)
- Click Next
- Click Add
With this row we deploy the ADMX file to the Windows 10 device. As you can see, the OMA-URI contains ADMXInstall.
More info on how the OMA-URI is built up, along with additional information about ADMX-backed policies, can be found in this article on Microsoft Docs.
Enter the information below in the policy:
Name: Chrome ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/GoogleUpdate/Policy/GoogleUpdateAdmx
Data Type: String
Value: copy the entire content of the ADMX file into the value field
- Click Add
- Click Next
Assign the profile to a group.
The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.
How to build up the OMA-URI
As with deploying the ADMX file, we need to know the OMA-URI for each setting we want to manage. The OMA-URI for a setting, however, is built from information we need to collect ourselves from the Google Update ADMX file.
This is for example the OMA-URI to manage the Auto Update Check Period:
./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Preferences/Pol_AutoUpdateCheckPeriod
Let's split the OMA-URI into separate parts.
This is the default prefix for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/
The part that comes next is not always the same; we need to follow some rules:
GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Preferences/Pol_AutoUpdateCheckPeriod
It starts with GoogleUpdate (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the names of two categories. These categories can be found in the Google Update ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first category we find in the ADMX file is the top category, and as we can see that is Cat_GoogleUpdate. We put this in the OMA-URI after Policy.
Here we also see some subcategories, like Cat_Preferences and Cat_Applications.
If we search the ADMX file for the subcategory Cat_Preferences, we find the actual policies we can manage. The policy name of such a setting is the last part of the OMA-URI, in this case Pol_AutoUpdateCheckPeriod.
Here we also find the Data ID of the setting, which we need later in the configuration.
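The category walk described above can also be done by a script. The following Python code is an added example, not part of the original post or of Google's tooling: it parses an ADMX document, follows each policy's parent categories up to the top category, and returns the OMA-URI and data ids per policy. SAMPLE_ADMX is a constructed, simplified fragment (including the parent reference Google:Cat_Google), and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment modelled on the categories and policies
# described above; the real ADMX file carries more attributes and policies.
SAMPLE_ADMX = """<policyDefinitions>
  <categories>
    <category name="Cat_GoogleUpdate"><parentCategory ref="Google:Cat_Google"/></category>
    <category name="Cat_Preferences"><parentCategory ref="Cat_GoogleUpdate"/></category>
    <category name="Cat_Applications"><parentCategory ref="Cat_GoogleUpdate"/></category>
    <category name="Cat_GoogleChrome"><parentCategory ref="Cat_Applications"/></category>
  </categories>
  <policies>
    <policy name="Pol_AutoUpdateCheckPeriod"><parentCategory ref="Cat_Preferences"/>
      <elements><decimal id="Part_AutoUpdateCheckPeriod"/></elements></policy>
    <policy name="Pol_UpdatePolicyGoogleChrome"><parentCategory ref="Cat_GoogleChrome"/>
      <elements><enum id="Part_UpdatePolicy"/></elements></policy>
  </policies>
</policyDefinitions>"""

PREFIX = "./Device/Vendor/MSFT/Policy/Config/"

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}policy' if one is present."""
    return tag.rsplit("}", 1)[-1]

def _parent_ref(element):
    return next((c.get("ref") for c in element if _local(c.tag) == "parentCategory"), None)

def build_oma_uris(admx_text, app="GoogleUpdate", setting_type="Policy"):
    """Return {policy name: (OMA-URI, [data ids])} for every policy in the ADMX text."""
    root = ET.fromstring(admx_text)
    parents = {e.get("name"): _parent_ref(e) for e in root.iter() if _local(e.tag) == "category"}
    result = {}
    for pol in (e for e in root.iter() if _local(e.tag) == "policy"):
        chain, cat = [], _parent_ref(pol)
        # Walk up to the top category; a parent this file does not define
        # (here the constructed ref "Google:Cat_Google") ends the walk.
        while cat in parents and cat not in chain:
            chain.insert(0, cat)
            cat = parents[cat]
        area = "~".join([app, setting_type] + chain)
        data_ids = [el.get("id") for c in pol if _local(c.tag) == "elements" for el in c]
        result[pol.get("name")] = (f"{PREFIX}{area}/{pol.get('name')}", data_ids)
    return result

if __name__ == "__main__":
    for name, (uri, ids) in build_oma_uris(SAMPLE_ADMX).items():
        print(uri, ids)
```

To use it against the real file, pass the text of the downloaded Google Update ADMX file to build_oma_uris instead of SAMPLE_ADMX.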
Manage Google Update settings
As an example I show two settings: Auto Update Check Period and Update Policy Google Chrome.
We have already seen how to build the OMA-URI for the policy Pol_AutoUpdateCheckPeriod, so let's start with that one. The Data type for these settings is always String. Then we only need to know what our Value is.
The value starts with <enabled/> (or <disabled/> if you would like to disable a setting).
If we have a setting which can only be set to enabled or disabled, then that's the value.
But for Auto Update Check Period, we need to set a value which corresponds to the number of minutes between update checks. In this case <enabled/> is followed by a data id. The data id is again found in the ADMX file; in the example below it is the decimal id, Part_AutoUpdateCheckPeriod.
Finally, we need to set a value, which is a number in this case.
Open the Endpoint Manager Portal.
- Open your existing custom policy or create a new policy
- Click Edit next to Configuration settings
- Click Add
- Give the Row a Name
- Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Preferences/Pol_AutoUpdateCheckPeriod
- Data type: String
- Value:
<enabled/> <data id="Part_AutoUpdateCheckPeriod" value="120"/>
- Click Add
- Click Review + Save
- Click Save
That's it, the first Google Update setting is ready for deployment.
The next example is found under the Google Chrome category: Update Policy override. Open the Google Update ADMX file and search for UpdatePolicyGoogleChrome. With the information found in the ADMX file we can create the OMA-URI.
Here we find the policy name and the subcategory. Cat_GoogleChrome is a category that is not located directly under the top category Cat_GoogleUpdate; there is a category between those. If we search back in the ADMX file, we see that the category between these is Cat_Applications.
We also find the data id in the ADMX file, together with the values we can set. There are four options we can set. I prefer to set Automatic Updates Only, so I use the corresponding value 3 in my policy.
Open the Endpoint Manager Portal to add an extra row.
- Click Add
- Give the Row a Name
- Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_UpdatePolicyGoogleChrome
- Data type: String
- Value:
<enabled/> <data id="Part_UpdatePolicy" value="3"/>
- Click Add
- Click Review + Save
- Click Save
Another example under the category Applications is Pol_TargetVersionPrefixGoogleChrome. This setting specifies which version Google Chrome should be updated to.
The data id for this policy setting is Part_TargetVersionPrefix, and the value is the Chrome version to which the browser needs to be updated.
The OMA-URI is: ./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_TargetVersionPrefixGoogleChrome
Value:
<enabled/> <data id="Part_TargetVersionPrefix" value="100."/>
Add all the required settings of your choice and switch over to the Windows device.
The end result
The end result is pretty short.
If the deployed settings are applied successfully, you can find them under Settings. Browse to Accounts, Access work or school. Click on your account and click Info.
Here we see the two settings we have deployed.
If we have a look at the registry, we find the same settings under HKLM\Software\Policies\Google\Update.
And when we open Google Chrome and enter chrome://policy in the address bar, we find the configured settings.
In the top right corner we can search for settings.
Thank you for reading. I hope you find it informative, and if you have any questions, please leave a comment.
14 Comments
Hi Peter,
I have a windows 10 device joined in Azure active directory.
I wanted to restrict Google Update to specific version Example: Chrome 80 version
./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_TargetVersionPrefixGoogleChrome
I have configured above in intune device configuration.
The policy is getting pushed but Google Chrome still updates to the latest version.
Any help what setting is required to control the chrome update to specific version?
Thanks
Peter
Hi Dilip,
I`ve not tested that particular setting.
Another approach could be to set Update policy override to Updates disabled and deploy the Chrome version of your choice to the devices. When a newer version is tested by you, deploy the next version.
Thanks for your reply Peter.
The other approach you mentioned is via GPO, right? The device is not connected to any Windows Active Directory domain.
The device is connected only to the Azure domain directory. Is it still possible to disable updates?
No, have a look at the example in the post about Update policy override.
You should set this to 0, to disable the updates.
./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_UpdatePolicyGoogleChrome
Yeah, I tried that Peter, UpdateDefault is set to 0 but it didn’t work for me. When you go to the Chrome about screen it still checks for updates. The expected behaviour should be that updates are disabled, but it still updates. Appreciate your help. Thanks
Although the policy settings from Google Update are applied successfully, they seem to have no effect on AAD joined devices.
The description of the Override settings:
This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain.
And indeed, the settings do work on Hybrid AAD joined devices.
I put a note on this to the article.
Great article!
Don’t know if this has changed recently, but I was able to rollback to targetversion on AAD joined device.
./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_TargetVersionPrefixGoogleChrome
./Device/Vendor/MSFT/Policy/Config/GoogleUpdate~Policy~Cat_GoogleUpdate~Cat_Applications~Cat_GoogleChrome/Pol_RollbackToTargetVersionGoogleChrome
Thanks Peter for confirming. Keep up the good work. You have helped a lot of people with your articles on a wide range of topics.
I have been pulling my hair out trying to figure out why this is not working on my AAD devices. Has anyone found a workaround? I need to keep my endpoints on the previous versions of Chrome for at least a couple weeks while QA continues to test our home grown applications.
Hi Peter,
I want to update Google Chrome to the latest version. How can I achieve that?
Thank you
This was exactly what I was looking for because the Google KB was very much lacking in details. It worked like a charm. Thanks!
I followed the instructions here and the configuration deployed successfully through Endpoint Manager to my Windows 10 AAD endpoints, but the Chrome version appears to be stuck on the version it was on when the config deployed. Any advice?
Hello,
Why not set only those two:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes"=dword:00000078
"UpdateDefault"=dword:00000003
I have used the same settings. However, Chrome Apps are also getting installed.
Is there a way to restrict the installation of those apps or a way to block those application from installing?
Example: Google Drive, YouTube, Sheet, docs, Gmail, Slides.