Managing Google Chrome with adblocking and security

[Article last updated 2017-01-10]

This will guide you through configuring Google Chrome through Group Policy with a lot of the same settings I use in a large business.

Note that Windows 7 has a lot of Group Policy management bugs; I highly recommend you manage your domain from a Windows 8.1 or Windows 10 computer, though it's not required.

1. Install Group Policy templates

Group Policy templates are stored on your domain's SYSVOL and tell your Group Policy Management what settings it can use. The Group Policy templates are in two files: ADMX with the settings, and ADML with the language strings.
Get the files from here

Put the ADMX file in: \\company domain\sysvol\domain\policies\PolicyDefinitions
Put the ADML file in: \\company domain\sysvol\domain\policies\PolicyDefinitions\en-US

2. Understanding Chrome policies

The Group Policies for Chrome are extremely good. You can set default AND mandatory settings at both the Computer and User level. In practice, I use Computer-wide settings.

3. uBlock Origin and HTTPS Everywhere

It's very easy to have Chrome download any extension you want from the Chrome Web Store and install it for you. We use two:

  • uBlock Origin, which blocks ads
  • HTTPS Everywhere, which ensures that laptop users on public WiFi get as much delivered over HTTPS as possible

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured force-installed

Click the "Show" button to be presented with a list you can enter. This is the format:

<extension ID>;<HTTPS download source>

For uBlock Origin enter this on a line: 
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx

For HTTPS Everywhere, enter this on a line:
gcbommkclmclpchllfjekcdonpmejbdp;https://clients2.google.com/service/update2/crx

4. Chrome safety settings

These will enforce best-practices safety for your users:

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome

  • Allow users to opt in to Safe Browsing extended reporting: Enabled
  • Disable proceeding from the Safe Browsing warning page: Enabled
  • Enable reporting of usage and crash-related data: Enabled
  • Enable Safe Browsing: Enabled

Note: You do not need to configure the minimum TLS/SSL version, those are already set to safe defaults
Note: Do not enable the SafeSearch setting, that's just the kid-mode search and has nothing to do with security.

5. Disable Chrome Remote Desktop

Did you know Chrome can be used like TeamViewer, allowing someone to remotely control their computer from home? To disable that, do the following:

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist

  • gbchcmhmhahfdphkhkmpfmihenigjmpp

For good measure, I also configure the following settings:
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Configure remote access options

  • Enable or disable PIN-less authentication for remote access hosts: Disable
  • Configure the required domain name for remote access clients: disabled.com
  • Configure the required domain name for remote access hosts: disabled.com
  • Enable firewall traversal from remote access hosts: Disabled
  • Enable curtaining of remote access hosts: Disabled

6. Disable Adobe Acrobat from injecting extension

To disable Adobe Acrobat DC from injecting an extension into Google Chrome, do the following:

Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist

  • efaidnbmnnnibpcajpcglclefindmkaj

This is the unique Chrome Web Store ID for the the Acrobat extension. By adding it to the blacklist you'll kill it off from touching the browser.

About this website