How to deploy DoD Google Chrome STIG Computer Windows 10 policy with Intune – Mobile-First Cloud-First
Microsoft Intune does not have any build in GUI way of deploying Google Chrome policies, but we can leverage of the ADMX-backed policy option in Windows 10 and Intune. I wrote a blogpost on “How does a custom set of ADMX-based policies work with Intune” when you get the hang on how it is working, it just requires a lot of patience and manual work. In this blog post I will not comment on the settings in policy settings – I have created the settings 1:1 from the recommendation and as is says when you download the GPO from IASE – Information Assurance Support Environment do not try this in your production environment it can cause loss of required functionality, for Intune if you do not have a Intune test environment you can import the policy and only assign it to a couple of test devices before deploying it brought.
First we need to find all the settings that are set in the GPO as recommended when download the policy there is a folder for each policy – and in this case we are looking for the DoD Google Chrome v1r14
And in the report folder you find DoD Google Chrome STIG Computer v1r14.htm where you can see all the recommended settings
Then you need Chrome Browser for enterprise the link contains both the Google Chrome Enterprise MSI and the ADMX.
To be familiar with the settings to find the correct OMA-URI you need to look at 3 places:
- chrome.admx
- chrome.adml
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\Machine GUID\Chrome~Policy~googlechrome
All 3 places can be of help figuring out both the OMA-URI, and the String value, some settings is just or and other settings requires more information
In your environment you may need additional setting to get your environment running – one of the cases I see is:
In the default all browser extensions is blocked and that is always a good idea if you want completely control over what is running on your devices – but when we do MDM management of Windows 10 devices we often leverage AzureAD and Conditional Access and are running Windows Defender so there is some browser plugins that is need to have on the device – so if we are force installing them with another policy setting then it is allowed to run. The tree browser plugin I always uses are:
Where you need a extra policy settings
OMA-URI : ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
Data type : String
Value :
![Windows-Hello-For-Business-Active-Directory[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/Windows-Hello-For-Business-Active-Directory1-1024x576-65x65.png "Windows-Hello-For-Business-Active-Directory[1]")
![B-Intune-Graphic[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/B-Intune-Graphic1-1024x603-65x65.png "B-Intune-Graphic[1]")
![wp-1593849019379[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/wp-15938490193791-65x65.jpg "wp-1593849019379[1]")