Managing Browsers At Scale: Adblocking

UNDERGOING EDIT

[Article last updated 2022-09-16]

This will guide you through deploying fully managed adblocking for Edge, Chrome, Firefox (and even Internet Explorer for some reason).

1. Install Group Policy templates

Group Policy templates tell your Group Policy Management what settings it can use. Otherwise, you’d have to research and deploy each registry value manually. The Group Policy templates come as two files: an ADMX file with the settings, and an ADML file with the language strings.

Put the ADMX files in: \\company.com\sysvol\company.com\policies\PolicyDefinitions
Put the ADML files in: \\company.com\sysvol\company.com\policies\PolicyDefinitions\en-US

If you don’t have SYSVOL access but still have Group Policy access, you can install the files locally and use a registry value to point Group Policy Management at the local store.

Put the ADMX files in: C:\Windows\PolicyDefinitions
Put the ADML files in: C:\Windows\PolicyDefinitions\en-US

Set this registry value on your machine ONLY:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\EnableLocalStoreOverride = 1 (DWORD)

2. Deploying uBlock Origin to Microsoft Edge

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Microsoft Edge > Extensions > Configured force-installed

3. Deploying uBlock Origin to Google Chrome

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured force-installed

Click the "Show" button to be presented with a list you can enter. This is the format:

<extension ID>;<HTTPS download source>

For uBlock Origin enter this on a line: 
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx

4. Chrome safety settings

These settings enforce best-practice safety for your users:

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome

  • Allow users to opt in to Safe Browsing extended reporting: Enabled

  • Disable proceeding from the Safe Browsing warning page: Enabled

  • Enable reporting of usage and crash-related data: Enabled

  • Enable Safe Browsing: Enabled

Note: You do not need to configure the minimum TLS/SSL version; it is already set to a safe default.
Note: Do not enable the SafeSearch setting. That's just the kid-mode search and has nothing to do with security.

5. Disable Chrome Remote Desktop

Did you know Chrome can be used like TeamViewer, allowing someone to remotely control their computer from home? To disable that, do the following:

In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist

  • gbchcmhmhahfdphkhkmpfmihenigjmpp

For good measure, I also configure the following settings:
In Group Policy Management, go here:
Computer > Policies > Administrative Templates > Google > Google Chrome > Configure remote access options

  • Enable or disable PIN-less authentication for remote access hosts: Disabled

  • Configure the required domain name for remote access clients: disabled.com

  • Configure the required domain name for remote access hosts: disabled.com

  • Enable firewall traversal from remote access hosts: Disabled

  • Enable curtaining of remote access hosts: Disabled

6. Stop Adobe Acrobat from injecting its extension

To stop Adobe Acrobat DC from injecting an extension into Google Chrome, do the following:

Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist

  • efaidnbmnnnibpcajpcglclefindmkaj

This is the unique Chrome Web Store ID for the Acrobat extension. By adding it to the blacklist you'll keep it from touching the browser.
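
To confirm on a workstation that the force-install and blacklist entries from steps 3, 5 and 6 actually arrived, the added example below (not part of the original article) reads Chrome's policy registry keys and reports anything missing, malformed or conflicting. It assumes Chrome stores list policies as numbered string values under HKLM\SOFTWARE\Policies\Google\Chrome, and it checks both the ExtensionInstallBlocklist and the older ExtensionInstallBlacklist key names; the function and variable names are illustrative.

```powershell
# Added example (not from the article): audit Chrome extension policy on one machine.
# Assumption: Chrome list policies are stored as numbered string values under
# HKLM:\SOFTWARE\Policies\Google\Chrome\<PolicyName>.
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$IdPattern = '^[a-p]{32}$'   # extension IDs are 32 characters in the range a-p

# Extension IDs copied from the article
$ExpectForced  = @('cjpalhdlnbpafiamejdnhcphjbkeiagm')   # uBlock Origin
$ExpectBlocked = @('gbchcmhmhahfdphkhkmpfmihenigjmpp',   # Chrome Remote Desktop
                   'efaidnbmnnnibpcajpcglclefindmkaj')   # Adobe Acrobat

function Get-PolicyList {
    param([string]$Name)
    $path = Join-Path $ChromeKey $Name
    if (-not (Test-Path $path)) { return }
    $key = Get-Item -Path $path
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

function Test-ForceEntry {
    # Article format: <extension ID>;<HTTPS download source>
    param([string]$Entry)
    $id, $url = $Entry -split ';', 2
    ($id -cmatch $IdPattern) -and ($url -match '^https://')
}

$forced  = @(Get-PolicyList 'ExtensionInstallForcelist')
# Assumption: newer templates write ExtensionInstallBlocklist, older ones ...Blacklist
$blocked = @(Get-PolicyList 'ExtensionInstallBlocklist') +
           @(Get-PolicyList 'ExtensionInstallBlacklist')
$forcedIds = @($forced | ForEach-Object { ($_ -split ';', 2)[0] })
$problems = @()

foreach ($e in $forced) {
    if (-not (Test-ForceEntry $e)) { $problems += "Malformed force-install entry: $e" }
}
foreach ($id in $ExpectForced) {
    if ($forcedIds -notcontains $id) { $problems += "Not force-installed: $id" }
}
foreach ($id in $ExpectBlocked) {
    if ($blocked -notcontains $id) { $problems += "Not blocked: $id" }
}
foreach ($id in $forcedIds) {
    # An ID that is both force-installed and blocked is a policy conflict to review
    if ($blocked -contains $id) { $problems += "Both forced and blocked: $id" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Chrome extension policy matches the guide.' }
```

Run it after a gpupdate on a machine in scope of the GPO; each warning names the entry that needs attention.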
