Chrome Group Policy Templates 2026

Chrome group policy templates enable IT administrators to control browser settings across Windows domains. These templates come as ADMX files that you import into Group Policy Editor, allowing centralized management of Chrome across hundreds or thousands of workstations. In 2026, Google continues to expand policy options, giving administrators finer control over security, extensions, network behavior, and user experience.

This guide covers the full workflow: downloading and installing the ADMX files, configuring the most important policy categories, deploying via registry and JSON, troubleshooting policy conflicts, and deciding when to move from on-premises Group Policy to Chrome Browser Cloud Management.

Getting Started with Chrome ADMX Templates

Chrome Enterprise ships with two ADMX template files: chrome.admx and chrome.adml. The English version covers most policies, while the language-specific files provide localized policy descriptions in Group Policy Editor.

To install the templates, download the Chrome Enterprise bundle from Google’s Chrome Enterprise resources page. Extract the files and copy them to your domain controller’s PolicyDefinitions folder:

Copy Chrome ADMX files to Group Policy definitions
Copy-Item -Path ".\ChromeEnterpriseBundle\PolicyDefinitions\chrome.admx" `
 -Destination "$env:SystemRoot\PolicyDefinitions\"
Copy-Item -Path ".\ChromeEnterpriseBundle\PolicyDefinitions\en-US\chrome.adml" `
 -Destination "$env:SystemRoot\PolicyDefinitions\en-US\"

If you manage a Central Store (the recommended approach for multi-DC environments), copy to the SYSVOL path instead:

$centralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
Copy-Item -Path ".\ChromeEnterpriseBundle\PolicyDefinitions\chrome.admx" `
 -Destination $centralStore
Copy-Item -Path ".\ChromeEnterpriseBundle\PolicyDefinitions\en-US\chrome.adml" `
 -Destination "$centralStore\en-US\"

After importing, you will find Chrome policies under Computer Configuration > Administrative Templates > Google Chrome. The policies divide into categories: Extensions, Privacy, Security, Network, and User Experience. Refresh Group Policy Management Console if the Chrome node does not appear immediately after the copy.

Key Policy Categories for 2026

Extension Management Policies

Chrome provides granular control over extensions through several key policies:

  • ExtensionInstallBlockList: Specifies extensions users cannot install. Use * to block all extensions, then pair with an allowlist for a default-deny posture.
  • ExtensionInstallAllowlist: Restricts installation to approved extensions only. Entries are extension IDs from the Chrome Web Store URL.
  • ExtensionInstallForcelist: Pre-installs extensions silently without user interaction. These appear in Chrome and cannot be removed by users.

Here is an example registry configuration for forcing an extension on all machines:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"
"2"="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"

The update URL after the semicolon tells Chrome where to fetch the extension. For Web Store extensions, the Google update URL shown above is correct. For internally hosted extensions, replace it with your internal update manifest URL.

The extension IDs are the 32-character identifiers from the Chrome Web Store URL. This approach works well for corporate-licensed extensions or internal tools your team develops.

Extension Policy Comparison

Policy Effect Typical Use Case
ExtensionInstallForcelist Silently installs, cannot be removed Corporate security tools, internal dashboards
ExtensionInstallAllowlist User can install only listed extensions Regulated environments, schools
ExtensionInstallBlockList Blocks specific extensions or all with * Blocking known malicious or productivity-draining extensions
ExtensionSettings Per-extension JSON config with fine-grained rules Combining all of the above in a single policy

The ExtensionSettings policy is the most powerful and is preferred when you need to mix installation modes for different extensions in one policy object. See the JSON configuration section below for a practical example.

Security Policies

Browser security policies help protect against threats while maintaining productivity:

  • SafeBrowsingProtectionLevel: Configure Safe Browsing (0=off, 1=standard, 2=enhanced). Enhanced mode sends more browsing data to Google for analysis; review your privacy requirements before enabling it.
  • SSLErrorOverrideAllowed: When set to false, users cannot click through SSL certificate warnings. Recommended for all environments handling sensitive data.
  • CertificateTransparencyEnforcementDisabledForUrls: Exempt specific domains from Certificate Transparency requirements. Useful for internal CA-signed certificates on intranet sites.
  • DeveloperToolsAvailability: Set to 2 to disable DevTools entirely, or 1 to disallow use on extensions pages only.

For organizations handling sensitive data, the PrintJobBackgroundingEnabled policy lets you disable background printing, which prevents sensitive documents from lingering in the print spooler. Similarly, ScreenCaptureAllowed can be set to false to block screenshots in Chrome. useful for financial services or healthcare desktops where screen capture poses a data leakage risk.

Network and Proxy Settings

Chrome respects Windows proxy settings by default, but you can override them:

  • ProxyMode: Choose how Chrome handles proxies (auto_detect, pac_script, fixed_servers, direct, system)
  • ProxyPacUrl: Point to your PAC file location
  • ProxyServer: Specify a direct proxy address
  • ProxyBypassList: Comma-separated list of hosts that bypass the proxy
Set Chrome to use a specific proxy via PowerShell registry writes
$chromePath = "HKLM:\SOFTWARE\Policies\Google\Chrome"
if (-not (Test-Path $chromePath)) {
 New-Item -Path $chromePath -Force | Out-Null
}
Set-ItemProperty -Path $chromePath -Name "ProxyMode" -Value "fixed_servers"
Set-ItemProperty -Path $chromePath -Name "ProxyServer" -Value "proxy.example.com:8080"
Set-ItemProperty -Path $chromePath -Name "ProxyBypassList" -Value "*.example.com,localhost,127.0.0.1"

Use pac_script when your proxy topology is complex. a PAC file gives you per-domain routing logic that a single server address cannot express.

User Experience Policies

These policies control what users see and can change in Chrome:

  • BookmarkBarEnabled: Force the bookmarks bar to always show (or always hide). Useful for pointing users at intranet resources.
  • BrowserSignin: 0 disables browser sign-in entirely, 1 allows it, 2 forces it. In regulated environments, disable sign-in to prevent users from syncing corporate browsing data to personal Google accounts.
  • IncognitoModeAvailability: 1 disables incognito mode. Pair this with web filtering policies to prevent users from bypassing content controls.
  • SpellCheckServiceEnabled: Disables sending text to Google’s spell-check service over the network. relevant in air-gapped or high-security environments.

Managing Chrome via JSON Configuration

While Group Policy works well for traditional Windows environments, modern DevOps teams often prefer JSON-based configuration. Chrome supports this through the ExtensionSettings policy value and through a managed_preferences file deployed to the Chrome installation directory.

Create a chrome_policy.json policy file for common settings:

{
 "BrowserSignin": 0,
 "DefaultSearchProviderEnabled": true,
 "DefaultSearchProviderSearchURL": "https://search.example.com/search?q={searchTerms}",
 "HomepageIsNewTabPage": false,
 "HomepageLocation": "https://intranet.example.com",
 "ShowHomeButton": true,
 "PasswordManagerEnabled": false,
 "SafeBrowsingProtectionLevel": 2,
 "SSLErrorOverrideAllowed": false,
 "IncognitoModeAvailability": 1,
 "ExtensionSettings": {
 "*": {
 "installation_mode": "blocked"
 },
 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
 "installation_mode": "force_installed",
 "update_url": "https://clients2.google.com/service/update2/crx"
 }
 }
}

The ExtensionSettings block above implements a default-deny policy for extensions while force-installing one approved extension. This single policy value replaces the separate ExtensionInstallBlockList, ExtensionInstallAllowlist, and ExtensionInstallForcelist keys. prefer it when you need to manage more than a handful of extensions.

Deploy this file via script or endpoint management tools:

Deploy Chrome policy via JSON to managed_preferences
$policyPath = "$env:ProgramFiles\Google\Chrome\Application\master_preferences"
Copy-Item -Path ".\chrome_policy.json" -Destination $policyPath -Force

Note that master_preferences applies only on the first run for a new profile. For enforced policies that must apply on every run and cannot be overridden by users, use the registry path (HKLM:\SOFTWARE\Policies\Google\Chrome) or Group Policy. Reserve master_preferences for default settings you want to pre-configure but are willing to let users change.

Chrome Browser Cloud Management

For organizations without traditional Active Directory, Chrome Browser Cloud Management (CBCM) provides a cloud-based alternative hosted in the Google Admin console. This service allows you to:

  • Enforce policies remotely without on-premises infrastructure
  • Deploy extensions to managed browsers
  • View reporting dashboards for browser usage and policy compliance
  • Set up Chrome enterprise upgrades for paid features like DLP and threat intelligence

Enrolling a browser in CBCM requires setting the CloudManagementEnrollmentToken registry value, which is generated in the Google Admin console:

$chromePath = "HKLM:\SOFTWARE\Policies\Google\Chrome"
if (-not (Test-Path $chromePath)) {
 New-Item -Path $chromePath -Force | Out-Null
}
Set-ItemProperty -Path $chromePath -Name "CloudManagementEnrollmentToken" `
 -Value "your-enrollment-token-from-admin-console"

Once enrolled, the browser checks in with Google’s policy servers and applies whatever policies you have configured in the Admin console. Registry-based policies still take precedence over cloud policies when both exist. this allows a hybrid model where AD Group Policy handles core settings and CBCM handles cloud-specific reporting and extension management.

The transition from ADMX-based management to cloud management requires careful planning. Most organizations use a hybrid approach during the migration period, running both systems concurrently. A recommended migration sequence:

  1. Enroll all browsers in CBCM without defining any cloud policies yet
  2. Validate enrollment via the Admin console browser list
  3. Migrate non-critical policies (homepage, bookmarks) to cloud first
  4. Test security-critical policies (extension allowlist, proxy) in a pilot OU before moving them to cloud
  5. Remove the corresponding registry/GPO entries once cloud policies are confirmed working

Troubleshooting Policy Application

When policies do not apply as expected, systematic debugging helps identify the problem quickly.

chrome://policy

The most useful first step is always to open chrome://policy in the browser on an affected machine. This page lists every active policy, its source (Platform, Cloud, or Merged), and whether it parsed correctly. A red background next to a policy value indicates a configuration error. typically a type mismatch (string where integer is expected) or an invalid JSON value.

Standard Debugging Steps

  1. Verify ADMX import: Check that chrome.admx appears in Group Policy Management Console under Administrative Templates.
  2. Check policy precedence: Computer Configuration policies override User Configuration policies. Enforced policies override non-enforced. Closer OUs override parent OUs.
  3. Review chrome://policy: Navigate to this URL in Chrome to see active policies and any parse errors.
  4. Enable diagnostic logging: Set PolicyLoggingLevel to 1 for verbose output in the Windows Event Viewer under Applications and Services Logs > Google > Chrome.

Run this command to force a policy refresh:

Force Group Policy update on Windows
gpupdate /force

Then check the applied policies:

View Chrome policies via registry
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" | Format-List
Also check user-level policies
Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Google\Chrome" | Format-List

A policy visible in the registry but not appearing in chrome://policy usually indicates an ADMX import problem. A policy in chrome://policy but labeled “Ignored” means a higher-precedence source is overriding it. check whether a cloud policy or a higher-level GPO is setting the same key.

Common Policy Conflicts

Symptom Likely Cause Fix
Policy appears in registry but not chrome://policy ADMX not imported or wrong version Re-import ADMX matching current Chrome version
Extension installs despite being blocklisted User-level policy overriding machine-level Set policy at Computer Configuration, not User Configuration
Proxy settings ignored Chrome falling back to Windows system proxy Explicitly set ProxyMode to fixed_servers
Cloud policy overriding on-prem GPO Cloud policies have higher precedence by default Set PolicyCloudManagementEnabled to false to enforce local-only policies

Automation with PowerShell

PowerShell scripts can automate Chrome policy deployment across your fleet. The following script deploys a standard set of policies to all Windows computers in an OU:

Deploy Chrome policies to all domain computers in a specific OU
$ou = "OU=Workstations,DC=corp,DC=example,DC=com"
$computers = Get-ADComputer -Filter {OperatingSystem -like "*Windows*"} `
 -SearchBase $ou | Select-Object -ExpandProperty Name
$policySettings = @{
 "SafeBrowsingProtectionLevel" = 2
 "SSLErrorOverrideAllowed" = 0
 "IncognitoModeAvailability" = 1
 "BrowserSignin" = 0
 "PasswordManagerEnabled" = 0
 "UpdatePolicy" = 1
 "UpdateURLOverride" = "https://internal-updates.example.com/chrome"
}
foreach ($computer in $computers) {
 Invoke-Command -ComputerName $computer -ArgumentList $policySettings -ScriptBlock {
 param($settings)
 $chromePath = "HKLM:\SOFTWARE\Policies\Google\Chrome"
 if (-not (Test-Path $chromePath)) {
 New-Item -Path $chromePath -Force | Out-Null
 }
 foreach ($key in $settings.Keys) {
 Set-ItemProperty -Path $chromePath -Name $key -Value $settings[$key]
 }
 Write-Host "Policies applied on $env:COMPUTERNAME"
 }
}

This approach works for organizations with PowerShell Remoting enabled and appropriate firewall rules (WinRM port 5985/5986). For environments without PS Remoting, deploy the same logic via a login script GPO or your endpoint management platform (Intune, MECM, Ansible).

For Intune-managed endpoints, use the Settings Catalog in the Endpoint Manager portal. Search for “Google Chrome” in the catalog. Microsoft imports the Chrome ADMX templates and exposes most policies natively. This eliminates the need to deploy a custom ADMX file or manage registry keys directly for Intune-joined machines.

Keeping Templates Current

Chrome releases a new stable version every four weeks. New releases occasionally introduce new policy keys or deprecate old ones. When you upgrade Chrome across your fleet, also check whether a new ADMX bundle is available:

  1. Download the latest Chrome Enterprise bundle from the Google Chrome Enterprise landing page.
  2. Compare the new chrome.admx against your currently deployed version by diffing the XML files.
  3. Test any new or changed policies in a non-production OU before updating the central store.
  4. Update the Central Store and verify Group Policy Management Console reflects the new policy nodes.

Policy documentation for every key is available at chromeenterprise.google/policies. Each entry includes the minimum Chrome version that supports the policy, the data type, allowed values, and notes on deprecated predecessors. bookmark this reference for day-to-day admin work.

Looking Ahead

Chrome group policy templates will continue evolving as Google adds features and responds to enterprise requirements. Key areas to watch in 2026 include expanded AI feature controls (Gemini-powered features in Chrome now have their own policy namespace), tighter integration between CBCM and Google Workspace licensing, and new policies for PassKeys and WebAuthn credential management.

The combination of traditional ADMX policies, JSON configuration, and cloud-based management gives administrators flexibility in how they manage Chrome across their organizations. Choose the approach that best fits your infrastructure: ADMX and registry for traditional AD environments, CBCM for cloud-first or hybrid setups, and Intune Settings Catalog for Microsoft 365-centric organizations. All three can coexist during a transition, with policy precedence ensuring the most authoritative source always wins.

This site was built by 5 autonomous agents running in tmux while I was in Bali. 2,500 articles. Zero manual work. 100% quality gate pass rate. The orchestration configs, sprint templates, and quality gates that made that possible are in the Zovo Lifetime bundle. Along with 16 CLAUDE.md templates and 80 tested prompts. **[See how the pipeline works →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-skills&utm_campaign=chrome-group-policy-templates-2026)** $99 once. I'm a solo dev in Da Nang. This is how I scale.

Related Reading

Built by theluckystrike. More at zovo.one

Find the right skill → Browse 155+ skills in our Skill Finder.

See Also