Starred by 41 users
Status: WontFix
Closed: Jul 2013
Pri: 2
Type: Bug

Group Policies are ignored in enterprise version 28.0.1500.71
Reported by ulrike.h...@gmail.com, Jul 11 2013
Version of Google Chrome (Wrench-> About Google Chrome): 28.0.1500.71
Version of MSI (if applicable): {93736860-390D-43E1-9566-5CA60ABE5BED}
Using group policy settings? Yes

Group policies did work in all former versions of chrome enterprise, I did not change anything. But in the new version 28 they are ignored. I do a new installation on a clean machine, no old chrome profile on it. PC is Windows 7 x64, no domain join.

I checked the new policy template for version 28, but no policy I use has changed or does not exist any more.

Registry entries exist under HKLM/Software/Policies/Google/Chrome

about:policy tells me, that no policies are set, if I try to load policies with the button in about:policy, nothing happens; the browser tells me that no policy is set.

I searched the forum but I did not find any answer.

Is there a bug in chrome which prevents chrome from reading group policies?
 
Have you configured your policy settings via GPO tools (gpedit/gpmc), or did you edit registry entries directly?

Chrome 28 has a change that queries Windows for GPO directly instead of going through the registry, hence registry settings that get created out of band will be ignored.
Thank you for the information.
I do not use GPO Tools. I made a mst-file which is used during installation to set registry keys.
Status: WontFix
Ah, that explains it. I'm sorry, but the MST way is no longer supported (in fact, we never intended it to be supported).
Ok, then I have to find a workaround for myself. There is no AD in our organization so central GPOs via AD are not possible. Thanks a lot for the fast answer.
Note that gpedit.msc allows you to write local group policy, you can play with it and configure user/machine group policy. If you need tools for deploying local GPO to machines, this may come in helpful: http://technet.microsoft.com/en-us/library/ee461027.aspx
 Issue 259470  has been merged into this issue.
It is worth noting that this explanation does not match documentation posted online: http://www.chromium.org/administrators/policy-list-3

Also, this change is not mentioned or hinted at anywhere in the Chrome 28 release notes - this caught us by surprise.
I've followed the directions on the technet link above, and it doesn't seem to work on most Windows installations (RSAT is not common): therefore, we are no longer able to enforce this group policy on a per-machine basis. Is there anything else I can try to make this work?
I tried to use the adm template of chrome on a machine without domain join, and it did not work. Chrome does not read the settings made via gpedit on the local machine.
As far as I know and understand from the links posted above you need an AD Central Store to deploy GPOs on clients. But we do not have an Active Directory.
I tried to find any other solution to customize the enterprise or non-enterprise Chrome Installer regarding the chrome user profile but I was not successful.
I work at an university with thousands of users. So Google Chrome will not be used any more if customization without Active Directory is not possible any more.
The gpedit approach should work. In fact, Microsoft documents that local group policy works without Active Directory: http://technet.microsoft.com/en-us/library/cc775702(v=ws.10).aspx

I've just verified that it works with Chrome 28.0.1500.71 on a machine that's not on an Active Directory domain. Here's what I did:

1. Make sure I have Chrome 28 installed.
2. Download policy templates from http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
3. Fire up gpedit.msc and do "Computer Configuration" -> right-click "Administrative Templates" -> "Add/Remove templates" -> click "Add..." -> select "windows/adm/en-US/chrome.adm" from the policy_templates.zip download
4. In "Computer Configuration" -> "Administrative Templates" -> "Classic Administrative Templates" -> "Google" -> "Google Chrome" configure some policy settings
5. Fire up Chrome and policy works, chrome://policy lists the settings I made.

To troubleshoot your issue, can you:

* Run chrome with logging enabled per the instructions at http://www.chromium.org/for-testers/enable-logging and share the log file contents?
* Check about:histograms and share the Enterprise.PolicyLoadStatus block?
Comment 12 by tlsch...@mtu.edu, Jul 12 2013
Even if it works, a manual process is not very helpful when distributing across thousands of machines: does anyone know a way to automate this on normal Windows machines using a batch script, without special tools installed?
Comment 13 by Deleted ...@, Jul 12 2013
I have a solution for this, but I do not make it public. Find me on skype: xziderk
Does anyone have any publicly available advice for this issue?  Using regedit was easiest way for our non-AD deployment.  Most of these machines are XP so the recommended articles aren't useful (no ADMX options here)

I would like to use the Chrome Management policies via the Google Control Panel but those aren't being applied consistently at the org levels.  
This version seems to "sign out" users once they've signed in to chrome immediately after a successful login on Orgs with a Chrome Policy configured.
Non Chrome Policy orgs are able to stay signed in though there's nothing configured in Chrome Management Settings.
Cc: dconnelly@chromium.org
When you sign into an account that receives enterprise policy, Chrome should show you a dialog that explains what is happening (policy is about to be applied) and gives you the choice to proceed or to abort. Maybe your users chose to abort, thus signing out again?

Adding Daniel who implemented this dialog and knows precisely how it works.
I tried myself and I get the option to accept settings - I don't recall
seeing anything specific to policy settings being applied - but I'm
certainly not denying any dialogues.  The odd thing is the fact that it is
signing me out / stopping sync during this process.

I've opened a case with Google Enterprise support to see if there is
something I could be possibly doing wrong in the policy itself.
We have some chrome books in production and those are mostly receiving
policies -- they are experiencing the same sign out thing too however
Project Member Comment 17 by bugdroid1@chromium.org, Jul 15 2013
------------------------------------------------------------------------
r211645 | joaodasilva@chromium.org | 2013-07-15T15:33:06.855655Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/policy/policy_templates.json?r1=211645&r2=211644&pathrev=211645

Updated the generated policy documentation.

This update removes references to the Windows registry, and adds a note that
since Chrome 28 the registry isn't used anymore.

BUG= 259236 

Review URL: https://chromiumcodereview.appspot.com/19181002
------------------------------------------------------------------------
I found a simple way to use preferences without using an Active Directory or policy templates. There is a file named master_preferences in Chrome's program files folder, which can be edited (see http://www.chromium.org/administrators/configuring-other-preferences). But note: all preferences set here are editable by the user. But for me, it works perfectly.
@Ulrike: master_preferences are not the same as policies though as they are read and applied only once at first run and even if you change them they won't get reapplied, whereas policies are read on each startup and applied with their current values.
Thanks for the tips.  That looks somewhat promising -- the problem here is
that we already have Chrome installed at our remote locations so we'd have
to delete the profiles/preferences before we could take advantage of the
master_preferences option.

We feel that if we are going to have to provide that much intervention for
our field machines we'd rather get the Chrome Sync option working properly
since it's centrally managed AND officially supported by Google.  The
alternatives for GPO for non-domain machines are also very ugly for XP.
 They will be the last resort

As far as Sync goes - What we are seeing currently is that in a number of
locations (they are different machines using different accounts) the Sync
isn't taking over the settings.  It's like they are syncing on a personal
account -- bookmarks, omnibox, etc are being sent to and from the browser
to the Dashboard but our Corporate settings aren't being applied.
In a few instances I've tried manually adding our extensions we Force
Install and we're getting errors that say "could not move extension
directory into profile."

If I delete the three Extensions related folders within the profile, I can
then load them, but only manually.  The Sync settings aren't being applied.

Deleting the whole profile and configuring Sync again results in the same
problem. I have even deleted the profiles, uninstalled Chrome, rebooted,
installed Chrome, rebooted again and then synced with the same problem.
The issue seems to be local as we can load that Sync profile on a clean
machine and get the desired results. I also have a case open with Google
Support and they asked for the information under Chrome:policy and it's
completely blank, as if there is no policy being applied.
It's all a mystery here.

No amount of uninstall, deleting profiles, user data folders, or creating
additional profiles seems to fix the problem at the affected sites.
What I think we need now is a method to "clean" Chrome completely from the
machine, if something like that exists.
We have users who use GMail using Chrome as the browser, is there any way to pass through the GMail email address to the Chrome Sign-In to automatically register the user against the Admin Console and apply the relevant Policy from the Google Admin Console?
Re #21: Do you mean actual GMail e-mail addresses (@gmail.com) or Google accounts at your own domain (e.g. @agbarr.co.uk)?

Users with @gmail.com addresses cannot be managed through the Admin Console because you are not the administrator of gmail.com. But if your users have addresses that belong to your own domain and you have the Admin Console enabled for that domain, yes, you configure policies through the Admin Console and the policies kick in when a user signs into Chrome with their e-mail address.
Yes, via the @agbarr.co.uk domain. 

But we are trying to automate the Chrome Sign-In process, rather than getting our users to manually Sign-In, I thought that as Google already had the authentication details (via the GMail authentication) we might be able to use these to pass to Chrome ? Any ideas ?
 
Re #23: In the current state of things, logging into GMail and logging into Chrome are two different things.
Same issue here. We deploy our GPO's in our 'old' environment via Group Policy Management which seems to work fine.
In our new environment policies are created through AppSense Environment Manager. This tool processes adm-templates and creates the corresponding entries in the registry without using Group Policy Management and this is not working. Keys are created in the registry (HKCU/software/policies/google/chrome) but aren't read anymore in chrome 28.
Typing Chrome://policy in the omnibox results in no policies...
This is a major issue for us. For the moment we cannot deploy a 28+ version of Chrome.
Some management products have ways to actually create proper Group Policy Objects instead of screwing with the registry. I don't know AppSense Environment Manager, and from a quick search on the net, it's unclear whether that product supports such a mode of operation. Does somebody have some good docs on it?

Note that it's highly unlikely that Chrome goes back to unconditional registry reads in the future (we've seen too much abuse). So unless AppSense supports proper GPO, Chrome will be incompatible moving forward.
The change generated in version 28 has many drawbacks as non-business environments conditions group policies are not widely used, according to this, how can Google help us restore this option? There are several applications that work with these options released in previous versions, this change generates much impact and should be reconsidered.
Re comment #27: Can you please describe your use case in more detail?

We've found unconditional registry reads to cause more pain than benefit, so that's not coming back any time soon, but maybe we can help you find a different solution that works for you.
Normally in a controlled environment with limited rights for an enduser this should work fine.
During logon GPO's are processed and as Chrome policies are set through the adm-templates we work with true policies. These are policies written in the protected branch of the registry: HKCU\software\policies
A normal user has only read-access to this registry hive so I really don't see the risk  reading registry information directly from the registry when it concerns a protected registry branch.

Background: The issue here is malware. Unsuspecting users get it onto their machines by software installers, and these typically run with admin privileges. We have evidence that Chrome GPO registry key abuse is very wide-spread.

While this may not apply to controlled environments, Chrome obviously needs to take non-controlled-environment into account as well. Hence, the assumption that users don't have the privilege to write the registry isn't true in general and doesn't help us here. Essentially, we're using the "GPO is present" as a proxy for "are we in a managed environment". If people have more and/or better ideas for indicators to that effect, please let us know and we'll consider them.
Comment 32 Deleted
When I enable logging on a working system (XP SP3 in a windows domain with chrome 28 and  group policy enabled) I see this:
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
[2248:3644:0730/091100:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 0 falling back to registry.
although policies are read fine in chrome (by verifying chrome://policy).
In our other environment where policies are set via a third-party tool I see this in the logging:
[10884:11300:0730/092134:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
So essentially this error message is the same but in the latter case policies are not well applied.
Can anybody tell me what this means?
Re comment #33: Chrome falls back to reading the registry if it can't pull from GPO files directly. In your first log snippet, Chrome does this both for current machine and current user (HKLM and HKCU in the registry, respectively), whereas in your second snippet Chrome did only fall back for local machine, which indicates that GPO was read properly for current user.

Note that while this may work now, relying on the fallback-to-registry behavior is not something we'll be supporting, so this may change and/or break in the future. The recommended solution remains using GPO proper or using a 3rd-party tool that can inject its settings to proper local GPO.
This is interesting. Did first some further testing with chrome 28 on my XP SP3 workstation with domain based policy for Chrome.
Before starting chrome in debug mode I deleted the HKCU\software\policies\google branch. Normally Chrome 28 communicates directly with active directory to obtain the policy settings.
But that doesn't work. So pulling the GPO directly from active directory doesn't seem to work as expected.
Logfile for this case:
[2624:648:0730/104328:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.
[2624:648:0730/104328:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 0 falling back to registry.

First line is normal as we don't have machine based settings for the Chrome GPO.
Second line is not normal as the domain based GPO exists and up to the previous version we had in PRD (26) this worked fine. Apparently chrome cannot find the policy on the domain controller.
As the policy branch was deleted manually by myself the fallback to registry is working neither (which is normal). If the policy branch exists the registry fallback works fine in this situation.

Second test: Chrome running in Citrix with Appsense Environment manager as tool for populating GPO's directly to the registry.
Logfile:
[10884:11300:0730/092134:VERBOSE1:policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry.

No GPO exist for machine and user settings. So I don't understand why I don't receive an error for the user part of the policy. Should be something like this: policy_loader_win.cc(524)] Failed to read GPO files for 0 falling back to registry.
So nothing is read and there is no fallback to the local registry although the settings exist in HKCU/software/policies

So it seems to me that only local policies are processed by Chrome 28 and not domain policies.
How can we troubleshoot this further?
Regarding your first experiment: The logic for falling back to the registry is not as simple as you presume. In fact, we fall back on various read errors, but also for the case when the GPO object indicates the GPO file is on a network drive, i.e. the domain controller. You might be on a laptop without connectivity, so we rather get the policy settings from the registry in that case. So what you're seeing is according to expectations.

Regarding the second experiment: The Win API call that chrome makes (GetAppliedGPOList()) doesn't give a perfect indication whether we have Chrome policy, but only whether there's some GPO object that's going to be dumped into the registry. If Windows tells us there is one or more we're trying to grab them (and fall back if it's on a network drive); this seems to be the case for HKLM where you probably have some other registry-based group policy configured. If Windows tells us there are no GPO objects to be dumped in the registry, we know that no Chrome policy can be present, so we don't read any policy for that case.

Does that answer your questions?


Ok. Generally this means that only local policies are processed through the Win API and that for domain policies (always on a network drive) fallback to local registry will be used. Is that correct and, if yes, will this continue working this way in future Chrome versions as well?
For the second case where user policies are set via the third party tool Chrome sees (via the API) that no user policies are present (local or domain) and thus no fallback will take place.
Indeed, in that setup we use GPO for machine settings and all user settings are processed via the third party tool.
So the only thing we can do is to transform this "GPO", processed by the third party tool, to a local policy. Is that correct.

Can creating an 'empty' user domain Chrome GPO do the trick as well? Chrome will see there are some user policies but no processing will be done because it's a domain (network) policy ==> registry will be processed.
Q: Ok. Generally this means that only local policies are processed through the Win API and that for domain policies (always on a network drive) fallback to local registry will be used. Is that correct and, if yes, will this continue working this way in future Chrome versions as well?

A: Correct, but we can't make any guarantees that Chrome behavior stays this way in future releases. If you want to be on the safe side, you should figure out a way to install GPO.

Q: For the second case where user policies are set via the third party tool Chrome sees (via the API) that no user policies are present (local or domain) and thus no fallback will take place.

A: Correct.

Q: Indeed, in that setup we use GPO for machine settings and all user settings are processed via the third party tool.
So the only thing we can do is to transform this "GPO", processed by the third party tool, to a local policy. Is that correct.

That's the recommended solution, yes.

Q: Can creating an 'empty' user domain Chrome GPO do the trick as well? Chrome will see there are some user policies but no processing will be done because it's a domain (network) policy ==> registry will be processed.

A: Yes, this is what Chrome 28 does. However, as explained above you're on your own when relying on this as we can't make any promises that the fallback behavior will stay the same moving forward.
Comment 39 by Deleted ...@, Aug 20 2013
The entire discussion here is pretty comprehensive and very informative. Thanks all for that.

My question is related to non-controlled environment, a.k.a individual personal computers that are not part of any organization's domain and hence there is no AD in play. You previously have said : 

Comment #30 mnissler@chromium.org

Background: The issue here is malware. Unsuspecting users get it onto their machines by software installers, and these typically run with admin privileges. We have evidence that Chrome GPO registry key abuse is very wide-spread.

How does directly reading GPO with the WinAPI help here. Correct me if I am wrong here, but from my understanding Local Group Policy stores registry based policy settings in a file called Registry.pol and this is a text file for which the Admins have write privileges. So can't the same installer which used to modify registry settings, also modify this Registry.pol file?

Or in a much more straight forward way can't the installer just add policies to the local GPO using the well defined Windows APIs? It is anyway running as an admin.

So is there a real benefit/protection for individual computers not being managed by an AD?

The benefit for enterprise setups is very clear. No doubt about that.
Re comment #39: Your analysis is correct. We're far from making it impossible to abuse GPO, we just made it a bit harder: Dumping a couple registry keys is easy, forging GPO is more involved (although not significantly more).

On the other hand, making registry edits is kind of a grey area when it comes to detecting malware (in particular for installers). However, most people here agree that forging GPO is outright unacceptable behavior, so sanctioning this behavior (for example by A/V products) is a much simpler case.

Finally, there'll never be a bullet-proof solution to this problem - as long as we have to assume Chrome is running in a compromised and thus hostile environment, there's only so much we can do from within the browser.
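
A defender-side check for the point discussed in comments #39 and #40, as an added example that is not part of the thread and not Chrome's code: local group policy keeps its registry-based settings in Registry.pol, a binary file with a `PReg` header, so a Chrome policy value that sits in the registry with no matching Registry.pol entry was written out of band. The function names, the registry snapshot and all sample values are constructed for illustration; domain GPO (stored on the domain controller) is not covered.

```python
import struct

# Registry.pol layout: "PReg" signature, DWORD version 1, then entries of the
# form [key;value;type;size;data] with UTF-16LE brackets and separators.
PREG_HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_DWORD = 1, 4
CHROME_KEY = r"Software\Policies\Google\Chrome"


def u16(text):
    return text.encode("utf-16-le")


def build_pol(entries):
    """Serialize entries to Registry.pol bytes (only used to construct the sample)."""
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:
        out += u16("[") + u16(key + "\0") + u16(";") + u16(value + "\0") + u16(";")
        out += struct.pack("<I", rtype) + u16(";")
        out += struct.pack("<I", len(data)) + u16(";") + data + u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Return [(key, value, type, data)] or raise ValueError on malformed input."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_str():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end + 2 > len(blob):
                raise ValueError("unterminated string")
            end += 2
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def read_u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated entry")
        (num,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return num

    while pos < len(blob):
        expect("["); key = read_str()
        expect(";"); value = read_str()
        expect(";"); rtype = read_u32()
        expect(";"); size = read_u32()
        expect(";")
        # Data is read by its declared size: it may itself contain ';' or ']'.
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data")
        pos += size
        expect("]")
        entries.append((key, value, rtype, data))
    return entries


def decode(rtype, data):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data


def out_of_band(registry_values, pol_entries, root=CHROME_KEY):
    """Registry policy values under root that no Registry.pol entry accounts for."""
    backed = {(k.lower(), v.lower()): decode(t, d)
              for k, v, t, d in pol_entries if not v.startswith("**")}
    findings = []
    for (key, name), value in sorted(registry_values.items()):
        if not key.lower().startswith(root.lower()):
            continue
        if backed.get((key.lower(), name.lower())) != value:
            findings.append((key, name, value))
    return findings


# Constructed sample: what local GPO holds ...
SAMPLE_POL = build_pol([
    (CHROME_KEY, "IncognitoModeAvailability", REG_DWORD, struct.pack("<I", 1)),
    (CHROME_KEY, "DiskCacheDir", REG_SZ, u16("D:\\Cache;Chrome\0")),
])
# ... and a constructed snapshot of what the registry policy key holds.
REGISTRY_SNAPSHOT = {
    (CHROME_KEY, "IncognitoModeAvailability"): 1,
    (CHROME_KEY, "DiskCacheDir"): "D:\\Cache;Chrome",
    (CHROME_KEY, "HomepageLocation"): "http://example.invalid/",
}

if __name__ == "__main__":
    for key, name, value in out_of_band(REGISTRY_SNAPSHOT, parse_registry_pol(SAMPLE_POL)):
        print(f"not backed by Registry.pol: {key}\\{name} = {value!r}")
```
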
I understand security is very important for a browser but by eliminating the use of Domain Group Policies it is much harder to manage the Chrome browser in an enterprise environment in my opinion.
All Microsoft applications are configurable by GPO, including the Internet Explorer browser, so as I understand this all well this browser suffers as well from GPO abuse and Microsoft is just doing nothing about it.

Now (in the future), when we need to change a forced setting for the Chrome browser we need to open the local policy, make the necessary change and then copy the new registry.pol to all servers. Not that easy because all our GPO's are now in one console in Active Directory.
Can't there be a check that if the workstation is domain joined (thus in a 'controlled' environment) the GPO processing takes place? This approach seems to be risk free I think.

Re comment #41: Note that we're not eliminating GPO support. GPO is still honored by Chrome if you configure GPO properly (i.e. via AD or as local GPO).

Relaxing the restriction on the registry check for AD domains is something we can consider. However, I'd like to clarify your use case first: Do I understand correctly that you're running an Active Directory setup, but don't push group policy via it? Instead you're configuring local group policy? AD-configured GPO continues to be supported by Chrome, so I wonder why you're not just using it.
This is our current situation:
==>environment managed by Active Directory
Here we don’t have issues currently. Chrome checks if GPO is present. Is ok but as the GPO is on a network share GPO is not processed and fails back to registry which is ok because registry keys are set through GPO.
One reminder here: if a future version of chrome doesn’t support the fallback to registry anymore we have a problem. Only workaround is then to work with local GPO.

==>environment managed by AppSense Environment Manager
Here the adm-templates for chrome are processed by the third party tool (Appsense) and registry keys are set by this tool in policy branch (HKCU\software\policies) avoiding the use of Active Directory GPO’s.  Prior to Chrome version 28 this worked fine because Chrome always reads the settings located in the policy branch of the registry. Now with version 28 no Chrome GPO is found when the browser starts so no fallback to the registry is possible which results in an ‘open’, not managed Chrome browser.
For the time that Chrome still supports the fallback mechanism I could try to apply an ‘empty’ GPO for Chrome settings to force that fallback to registry takes place. But I need to test this first.
In my opinion the standard behavior, managing an application with Domain based GPO, should remain working, as this setup is widely used in enterprises.

Re comment #43:

Active Directory environment: AD+GPO is supported and will continue to be so. We're not intending to break setups with non-local GPO files at all.

non-GPO setup: The workaround you're proposing (i.e. installing empty GPO) will yield the desired result with Chrome 28 (i.e. triggering the registry fallback). However, we can't promise anything in terms of this workaround remaining functional moving forward.
We also have an issue since Chrome 28 with policies,

We use a 3rd party tool to apply our Policy settings (RES Workspace Manager) as we found Group Policy to be unreliable and still have some XP Desktops (which have known problems applying group policy when waking from sleep / hibernation)

We also have requirements to deploy settings based on more than just user and group membership, some of this we could replicate with WMI, but WMI queries with GPO are expensive and would not give us the login performance we expect, nor cover all situations.

We now have very unreliable policies being applied to Chrome - but 29 has brought changes we were waiting for (URL Blocklist including chrome:// and file:// as well as a bug fix for creating desktop icons when they should have been disabled)

Another way of checking the environment is secure would help us tremendously as assuming that every organisation with Active Directory is applying user Group Policies is just not correct.

Check if a Computer Group Policy is applied would probably hit a higher percentage of organisations, otherwise checking for domain membership would be certain for any computers who are domain joined.
So, to understand your situation better: You're running with all clients joined to an AD domain, but don't use GPO because it's not flexible enough for you?
Yes, we run the 3rd party tool to provide the flexibility and reliability we require
Just set up a GPO containing the adm-template for Google Chrome and further no settings applied. The GPO is linked to an ou where the Citrixserver on which I'm testing is located. To obtain that user settings are applied I have enabled 'loopback processing' in 'merge mode'. With Resultant Set Of Policies I verified if the GPO was enabled and processed which was the case.
Unfortunately, the fallback to the registry is still not working although there is an empty GPO present.
The log shows this:
policy_loader_win.cc(524)] Failed to read GPO files for 1 falling back to registry
Should it be necessary that this GPO isn't empty? So that I need at least one active setting in this GPO?
I will test this anyway but maybe a Chrome developer can already have a short look.
The login line you mention indicates that Chrome is falling back to read policy from the registry for the HKLM hive. Can you double-check that you have Chrome policy settings present in HKLM\Software\Policies\Google\Chrome ?
I have created an empty GPO with loopback processing enabled and linked this GPO to an ou which contains a Google Chrome enabled workstation. Not working. No fallback to registry.

But when I enter a setting in this GPO Chrome sees this domain GPO and fallback to registry occurs. For me this is a solution (well, a workaround :-)).
I configure a GPO with one unimportant setting. For the other settings we will use our third-party tools and as fallback to registry occurs policy values will be read and locked-down Chrome can be used in our company.
Note that the fallback will only occur if you configure a registry GPO, i.e. one that is processed by the registry settings CSE (as described here: http://support.microsoft.com/kb/216357). Loopback processing likely isn't, I haven't checked though.
Comment 53 by Deleted ...@, Oct 11 2013
So if I'm running a Home Windows system without gpedit.msc, I no longer have any way to change my chrome policies?

All I want to do is turn off private browsing. I can't be the only one.
If you are the only user on a single machine, you can use the settings page to tweak Chrome to your liking. Policy is a mechanism to deliver and enforce settings in an enterprise context not needed in a single-user setup.
#53: why do you want to turn off private browsing? There may be better ways to achieve what you're trying to do.
Hi,

I was wondering if there is any update on if Google is considering adding options back in for those of us who use policies outside of Group Policy?

Thanks,
Comment 57 by Deleted ...@, Nov 4 2013
Have the same setup and question as #53 - want to disable the incognito mode option. Found that I could do it using the IncognitoModeAvailability policy in the registry but it does not work since the registry is not being read.  Is there an alternative solution to that?
Comment 58 by smcon...@gmail.com, Nov 11 2013
I'm in the same situation as #53,#56, and #57. I'm using Windows Home Premium, which does not have a group policy editor (gpedit.msc). I'd like to disable incognito mode and set some other policies to lock down my browser. How do I do it now that Chrome ignores registry settings?
Comments #53, #57, #58: The only supported way to lock down Chrome is via GPO, sorry. What's your rationale for running a locked-down browser in an environment where GPO is unavailable?
Comment 60 by smcon...@gmail.com, Nov 18 2013
To protect my kids by enforcing Google safe search, disabling incognito mode, etc. Why is it necessary to configure Chrome to ignore registry settings?
Re #60: Enterprise policies are geared toward corporate uses of Chrome. It sounds like your use case may be best served by Chrome's new beta supervised users:

https://support.google.com/chrome/answer/3463947?p=ui_supervised_users&rd=1
Comment 62 by smcon...@gmail.com, Nov 18 2013
Re #61: I tried creating a supervised account, but it doesn't prevent incognito mode. It doesn't prevent the supervised user from going into settings, disconnecting the account, and browsing freely. Am I missing something, or is this a very inadequate substitute for group policy? Also, you didn't answer my question: Why was it necessary to configure chrome to ignore registry settings?
Re #62: Your question actually was answered in #30 and #40. Malware is the reason.
Comment 64 by smcon...@gmail.com, Nov 18 2013
Re #61: "Enterprise policies are geared toward corporate uses of Chrome." This is not a satisfactory explanation. Why wouldn't you want non-corporate users to be able to take advantage of sophisticated tools to help them manage their environment? Basically, you are forcing us to pay Microsoft additional $$ to purchase Windows Professional edition. I'm surprised Google would want their customers to send more money to their competitor.
Comment 65 by smcon...@gmail.com, Nov 18 2013
Unfortunately, here is the solution for Windows Home Premium users:

1) Upgrade to Windows 7 Professional Edition (http://windows.microsoft.com/en-us/windows7/products/features/windows-anytime-upgrade)

2) Install Chrome Group Policy Templates (http://www.chromium.org/administrators/windows-quick-start)
Cc: pam@chromium.org
+Pam from the supervised-users team.

Pam, can you answer #62?

"I tried creating a supervised account, but it doesn't prevent incognito mode. It doesn't prevent the supervised user from going into settings, disconnecting the account, and browsing freely."

How does supervised mode handle these?
Comment 67 by Deleted ...@, Nov 26 2013
I employ a Samba 3 PDC and use WPKG to deploy software to Windows XP Pro workstations. I'm used to configuring Windows and software apps using Windows' reg command to edit the registry. I know nothing about GPO. Now that I can't use the registry to set DiskCacheDir and DiskCacheSize, how do you suggest deploying this configuration setting please?

I'm finding that setting the profile location with Chrome 30 still works using the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\UserDataDir=REG_SZ:"${roaming_app_data}\Chrome"
Is this not guaranteed to continue to work?

You can use the command line flags --disk-cache-dir and --disk-cache-size instead and simply add them to the shortcut used to start Chrome. The UserDataDir key still works but you can consider this an implementation detail that might not work in the future too.

In general I can suggest that you read a bit about Group Policy Objects and the GPEdit.msc snap-in which allows you to edit it even locally which is the only supported way to set policies in Chrome now.
I have Chrome installed on my company computer and it won't launch, after using Sawbuck I found that these are the errors "Failed to read GPO files for 1 falling back to registry." and "Failed to read GPO files for 0 falling back to registry." I do have an administrator account but I don't have access to AD. Here's the full log: http://pastebin.com/WTZRYHwh

Is there any way to fix this or do I have to live without Chrome at work?
Re comment #69: The diagnostics you're quoting are most certainly red herrings and have nothing to do with Chrome not starting. I suggest you open a separate bug for your issue.
Comment 71 by Deleted ...@, Feb 3 2014
I'm merely interested in customized builds. In fact, I'd like to build a pre-configured Chromium (fork) with custom extensions for Windows PE projects. Regular settings are done by a dynamically generated Preferences file, it's just the extensions that are missing. Although I might use cmd scripts, AutoIt, VBScript etc. to dynamically generate necessary Registry data (that worked until Chrome 28), I'm afraid GPO won't work within a PE. Is there *any alternative* way to get extensions integrated somehow?
 Issue 329130  has been merged into this issue.
Re comment #71: If you're building yourself, why don't you just switch unconditional GPO registry reads on again? Code is in policy_loader_win.cc.
Project Member Comment 74 by bugdroid1@chromium.org, Feb 26 2014
------------------------------------------------------------------------
r253358 | pastarmovj@chromium.org | 2014-02-26T05:14:25.026877Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/components/policy/core/common/policy_loader_win_unittest.cc?r1=253358&r2=253357&pathrev=253358
   M http://src.chromium.org/viewvc/chrome/trunk/src/components/policy/core/common/policy_loader_win.cc?r1=253358&r2=253357&pathrev=253358

On enterprise machines read policy from the registry.

This will allow the usage of third party policy management
software in enterprise deployments of Chrome on Windows.

BUG= 259236 

Review URL: https://codereview.chromium.org/152633003
------------------------------------------------------------------------
Is this fix already integrated in the current stable release?
Not yet. If nothing bad happens with it it should arrive in Chrome 35. However it should already be visible on the dev channel for testing if you want.
Comment 79 Deleted
Comment 80 by jpsw...@gmail.com, May 2 2014
The status of this bug/issue is incorrect and needs to be updated.
Comment 81 by Deleted ...@, May 16 2014
So just to confirm, this bug fix will allow managed computers to respond to application of GPO from central Active Directory (using ADMX template) onto fleet of workstations?
Comment 82 by Deleted ...@, May 16 2014
...for clarification purposes, I have a mix of Windows XP SP3 and Windows 7 Professional, trying to deploy Chrome and GPOs to set home page, turn off Incognito and whitelist a few extensions. Doing these changes using local policies is not going to work, as we are globally distributed but centralized IT and centralized AD.

I have imported the ADMX file already, and can confirm it's reaching the managed computers, but the settings are ignored (as others indicate). These are all AD joined/managed computers.

Will Chrome 35 suddenly make Chrome respect these policies and work as we administrators were expecting?

What is ETA for Chrome 35?
jberisford: AD-administered GPO wasn't affected at all by any of the changes discussed on this bug and should work just fine in any Chrome version from the last 3 years.

If the policies don't take effect in your configuration, you're probably seeing a different issue. Please open a separate bug and supply more information, i.e.:
* which tools you use to push GPO (I assume standard AD)
* what GPO settings you configured and which values you set
* how you verified that the machine actually received the GPO
* Chrome's view of the policy settings (i.e. a screen shot of chrome://policy)
* if chrome://policy lists your settings as expected, how you came to the conclusion that they get ignored (i.e. differences between expected and observed behavior)
Local GPO or AD GPO both work fine to manage chrome settings. This bug is about editing the registry directly to create the same entries that the GPO creates. Editing the registry directly does not work as chrome currently does not look there, but only through the GPO API. This bug is requesting that Chrome also check the registry to honor the settings there directly.

I am using a management solution that would make it very easy to manage chrome settings through the registry. It is possible to work around it and use local GPO, but it is more difficult. This is my solution:  http://bigfix.me/fixlet/details/3747

Comment 85 by Deleted ...@, May 27 2014
I'm not sure if it should be a new bug or is related to this one, but local GPO settings no longer seem to have any effect if an AD level policy is being used. We have a default user data directory set in AD policy, which some users used to override if they wished, either through a local gpo or command line switch, neither of which seem to function in chrome 35. I'm really hoping that this wasn't intentional.
I believe that AD policy is supposed to be the highest priority and should not be overridable by local GPO.

There might be something you can do to change how the AD policy is applied to make it less forceful so that it can be overridden. I'm not certain this would work, but you might try "Action: Create" or "Apply once and do not reapply" in the AD GPO.

Per: #77 pastarmovj@chromium.org
Not yet. If nothing bad happens with it it should arrive in Chrome 35. However it should already be visible on the dev channel for testing if you want.

It looks like v35 is out now, was this fixed?
Comment 88 Deleted
Never mind, it looks like it has been fixed in v35.
This page should now be updated:
http://www.chromium.org/administrators/policy-list-3
Comment 90 Deleted
Comment 91 by Deleted ...@, Jun 11 2014
Hello, I don't understand: how did you solve the problem with force install?

I have Chrome v35 working on Windows 8.
I changed parameters in regedit - it doesn't work (I tried software/policies/chromium/ and also software/policies/Google/Chrome/).
I also tried changing them in gpedit.msc (local GPO, I think) - it doesn't work (chrome://policy/ doesn't change [has status: not set]).
I set "ExtensionInstallForceList" like "extension_id_in_store;https://clients2.google.com/service/update2/crx".

I use an extension which is already in the store (I tried that to start with; then I'll want to try the same method with a non-store extension).

Can you explain this to me?

PS:

I solved this problem. I have 64-bit Windows 8, so it is here: HKEY_LOCAL_MACHINE\SOFTWARE\(Wow6432Node)\Google\Chrome\Extensions.

The next problem is: why, if I install an extension via the registry, is the extension off by default, and when I launch the browser it asks me whether to turn the extension on or delete it?
Comment 92 by Deleted ...@, Jun 11 2014
Is it something like InstantEnabled (deprecated) now?
Comment 93 by Deleted ...@, Jul 20 2014
As #91, even using GPO change in policy settings doesn't reflect in chrome://policy/
version-36.0.1985.125 m
Comment 94 by Deleted ...@, Jul 20 2014
tried reloading, restarting chrome, machine but doesn't work
Cc: pastarmovj@chromium.org
What is the policy that you tried to set? Does it work for some policies but not for others, or it doesn't work at all?
Comment 96 by Deleted ...@, Sep 3 2014
I did the same thing as #91, using gpedit.msc, but for me, looking into chrome://policy/, the policy is there. But the extension doesn't seem to have been installed. I picked some random extension from the store, just for testing.
What am I doing wrong?
@96: What did you put in the policy exactly?
Hi, I have the same issue.
How can I enable ShowModalDialog_EffectiveUntil20150430 on my home machine
(Windows 8 Home)?
I have no gpedit.msc available.
Here's what I've tried:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures]
"1" = "ShowModalDialog_EffectiveUntil20150430"
A quick search on the internet shows that you can get the gpedit.msc tool for home editions too. I would assume this is not supported by MS and neither is it supported by Chrome, but you can try it out. One search result that seems to have it is this one: http://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/ - with the disclaimer that I don't know this site and don't know if this download is legit and legal and whatever; it was simply one of the first hits on my search, so use at your own risk or pick your own trusted page. Also, a word of caution: some policies are explicitly disabled for non-enterprise users due to their high risk of abuse (the one you want to set is not, afaik).
Comment 100 by Deleted ...@, Sep 4 2014
#97: I did the steps described in #11.
Then I configured the policy for ExtensionInstallForceList. 
I tried to configure like "lbfehkoinhhcknnbdgnnmjhiladcgbol;https://clients2.google.com/service/update2/crx", using a random extension as an example.
The extension was not installed, but in chrome://policy it shows like it is applied.
I don't know if it should work like that, or I did something wrong. Any ideas?
And what is shown exactly as a value for the policy in chrome://policy? Do you see the [BLOCKED] prefix in front of the ID? 
Comment 102 by Deleted ...@, Sep 4 2014
#101: No, it shows exactly as I configured. Here is a printscreen of it. It is in portuguese, but I believe you can see it.

policyvalue.png (11.0 KB)
Why do you think the extension is not installed?

Extensions will appear in chrome://extensions, Apps will appear in chrome://apps. "lbfehkoinhhcknnbdgnnmjhiladcgbol" is an app so it does not appear in chrome://extensions.
#99: Still, can an exception be made for the EnableDeprecatedWebPlatformFeatures setting? Yes, there are tools like Apply_LGPO_Delta, but I bet connecting to a VPN to browse internal Intranet sites is not particularly uncommon. http://blogs.technet.com/b/fdcc/archive/2009/09/15/new-and-updated-local-group-policy-utilities.aspx
Chrome Group Policies Not Being Recognized in version 38

Comment 106 by Deleted ...@, Nov 24 2014
For policies that are not applying you may want to try doing a full uninstall and reinstall of Chrome.
Comment 107 by Deleted ...@, Feb 17 2015
Hi there

I am still missing a usable solution to deploy chrome policies to about 200 non-AD WinXP SP3 Machines.

So for my understanding: When Machine is not AD-Joined, you do read the registry, but GPO is available, and when the machine is not AD joined, you don't read the reg?? But how to deploy GPOs to non-AD machines? If the policies cannot be deployed to other machines it's useless, because if I have to access every computer manually, I can do the settings in chrome itself!?

Why did you guys not implement a switch for enabling the Reg read?? I understand the malware problem - but we're not @Apple here - I can decide for myself, I just need the option to choose.

The machines are in a secure environment, and malware is not a problem. All I need is to allow pop-ups on certain sites, as these clients are using chrome app-mode. Therefore I need to allow popups in advance, because clients are not supposed to be able to access the settings.

And there might be some more sites in future where I need to allow popups... 

PLEASE HELP! Many thanks in advance.
 




Comment 108 by Deleted ...@, Mar 3 2015
wwwabd
I configure Local Policy for Machine not AD-Joined. And now I see [BLOCKED] prefix in front of the ID
Chrome version - 49.0.2623.87 m
How fix it?
Force installed extensions that are not coming from the webstore are blocked in non-AD setups. There is no way to reverse this decision for now because a lot of malware uses exactly this route to hijack the browser. There is no way around but to either create Active Directory setup and join your clients to it or manually install the extensions on the client machines.
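Added example (not part of the thread and not Chromium code): a triage helper that reads the text of an exported .reg file and classifies each ExtensionInstallForcelist entry by the rule stated in the comment above, where an entry whose update URL is not the Web Store URL is blocked on a machine that is not AD-joined. The function names, verdict labels and the sample export are assumptions made for illustration; the second and third sample entries are constructed.

```python
import re

# URL quoted in the thread for Chrome Web Store hosted extensions.
WEBSTORE_URL = "https://clients2.google.com/service/update2/crx"
FORCELIST_KEY = r"hkey_local_machine\software\policies\google\chrome\extensioninstallforcelist"
EXT_ID = re.compile(r"^[a-p]{32}$")  # extension IDs are 32 letters in the range a-p
REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')

# Constructed sample export; entries "2" and "3" are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="lbfehkoinhhcknnbdgnnmjhiladcgbol;https://clients2.google.com/service/update2/crx"
"2" = "aaaabbbbccccddddeeeeffffgggghhhh;https://updates.example.invalid/ext.xml"
"3"="not-an-id;https://clients2.google.com/service/update2/crx"
'''


def parse_reg(text):
    """Parse string values from .reg text into {lowercased key path: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key paths are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := REG_SZ.match(line)):
            # Undo .reg escaping (\\ and \") in both the name and the data.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = value
    return keys


def audit_forcelist(reg_text, ad_joined):
    """Return (extension_id, update_url, verdict) for each force-install entry."""
    findings = []
    for _, raw in sorted(parse_reg(reg_text).get(FORCELIST_KEY, {}).items()):
        ext_id, _, url = raw.partition(";")
        if not EXT_ID.match(ext_id) or not url:
            verdict = "malformed"
        elif url == WEBSTORE_URL:
            verdict = "webstore"
        elif ad_joined:
            verdict = "off-store"          # not Web Store hosted: review the source
        else:
            verdict = "off-store-blocked"  # per the thread: blocked without AD
        findings.append((ext_id, url, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_forcelist(SAMPLE_REG, ad_joined=False):
        print(finding)
```

Files written by regedit's export are UTF-16, so decode them before passing the text in.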
Comment 5 by mnissler@chromium.org, Jul 11 2013
Note that gpedit.msc allows you to write local group policy, you can play with it and configure user/machine group policy. If you need tools for deploying local GPO to machines, this may come in helpful: http://technet.microsoft.com/en-us/library/ee461027.aspx


Just a comment on that.  Powershell doesn't work with local group policy.

No other windows app queries the gpo.  They go to the registry directly.

Admins without active directory are probably deploying their group policies through the registry directly (likely in education). 

For admins that are stuck though, I did find a contributed powershell module for editing gpo files directly called 'PolicyFileEditor':  http://brandonpadgett.com/powershell/Local-gpo-powershell/
