Managing Browsers At Scale: Adblocking
UNDERGOING EDIT
[Article last updated 2022-09-16]
This will guide you through deploying fully managed adblocking for Edge, Chrome, Firefox (and even Internet Explorer for some reason).
1. Install Group Policy templates
Group Policy templates tell your Group Policy Management what settings it can use. Otherwise, you’d have to research and deploy each registry value manually. The Group Policy templates come in two files: ADMX with the settings, and ADML with the language strings.
Put the ADMX files in: \\company.com\sysvol\company.com\policies\PolicyDefinitions
Put the ADML files in: \\company.com\sysvol\company.com\policies\PolicyDefinitions\en-US
If you don’t have SYSVOL access but still have Group Policy access, you can install the files locally and use a registry value to point Group Policy Management locally.
Put the ADMX files in: C:\Windows\PolicyDefinitions
Put the ADML files in: C:\Windows\PolicyDefinitions\en-US
Set this registry key on your machine ONLY:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\EnableLocalStoreOverride = 1 (DWORD)
2. Deploying uBlock Origin to Microsoft Edge
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Microsoft Edge > Extensions > Configured force-installed
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured force-installed
Click the "Show" button to open a list you can type entries into. This is the format:
<extension ID>;<HTTPS download source>
For uBlock Origin enter this on a line:
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
4. Chrome safety settings
These will enforce best-practices safety for your users:
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome
Allow users to opt in to Safe Browsing extended reporting: Enabled
Disable proceeding from the Safe Browsing warning page: Enabled
Enable reporting of usage and crash-related data: Enabled
Enable Safe Browsing: Enabled
Note: You do not need to configure the minimum TLS/SSL version; those are already set to safe defaults.
Note: Do not enable the SafeSearch setting. That's just the kid-mode search and has nothing to do with security.
5. Disable Chrome Remote Desktop
Did you know Chrome can be used like TeamViewer, allowing someone to remotely control their computer from home? To disable that, do the following:
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist
gbchcmhmhahfdphkhkmpfmihenigjmpp
For good measure, I also configure the following settings:
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Configure remote access options
Enable or disable PIN-less authentication for remote access hosts: Disabled
Configure the required domain name for remote access clients: disabled.com
Configure the required domain name for remote access hosts: disabled.com
Enable firewall traversal from remote access hosts: Disabled
Enable curtaining of remote access hosts: Disabled
6. Disable Adobe Acrobat from injecting extension
To disable Adobe Acrobat DC from injecting an extension into Google Chrome, do the following:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist
efaidnbmnnnibpcajpcglclefindmkaj
This is the unique Chrome Web Store ID for the Acrobat extension. By adding it to the blacklist you'll keep it from touching the browser.
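To confirm that the extension settings from sections 2 to 6 actually reached a machine, the PowerShell check below reads the resulting policy registry keys. It is an added example, not part of the original article. It assumes the standard machine policy registry locations for Chrome and Edge, and the extension IDs are the ones given above.

```powershell
# Added example, not from the original article. Run on a managed endpoint after gpupdate.
$UBlock  = 'cjpalhdlnbpafiamejdnhcphjbkeiagm'    # uBlock Origin ID from the guide
$Blocked = @(
    'gbchcmhmhahfdphkhkmpfmihenigjmpp'           # Chrome Remote Desktop (guide)
    'efaidnbmnnnibpcajpcglclefindmkaj'           # Adobe Acrobat (guide)
)
$Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-PolicyList([string]$KeyPath) {
    # List policies are stored as string values named 1, 2, 3, ... under the key
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

$findings = @()
foreach ($browser in $Chrome, $Edge) {
    $force = @(Get-PolicyList "$browser\ExtensionInstallForcelist")
    # Chrome renamed its block list policy; read both the newer and older key names
    $block = @(Get-PolicyList "$browser\ExtensionInstallBlocklist") +
             @(Get-PolicyList "$browser\ExtensionInstallBlacklist")
    foreach ($entry in $force) {
        # Expected format: <extension ID>;<HTTPS download source>, ID = 32 chars a-p
        if ($entry -cnotmatch '^[a-p]{32};https://\S+$') {
            $findings += "{0}: malformed force-install entry '{1}'" -f $browser, $entry
        } elseif ($block -contains ($entry -split ';')[0]) {
            $findings += "{0}: '{1}' is in both the force-install and block lists" -f $browser, $entry
        }
    }
    if ($browser -eq $Chrome) {
        if (-not ($force | Where-Object { $_ -like "$UBlock;*" })) {
            $findings += 'Chrome: uBlock Origin is missing from the force-install list'
        }
        foreach ($id in $Blocked) {
            # A '*' entry blocks every extension, which also covers these IDs
            if ($block -notcontains $id -and $block -notcontains '*') {
                $findings += "Chrome: extension $id is not on the block list"
            }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Extension policies match the guide.'
```

A non-zero exit code makes the script usable as a compliance check in whatever endpoint management tool you already run.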