In this post, I’ll show you how to enable auto updates in Google Chrome using Intune. Chrome updates itself by default, but you can enforce this setting with Intune, so users cannot turn it off and the browser stays current. We’ll import Google Update and Chrome ADMX templates into Intune and create a policy to enforce automatic updates.
Contents
1. Download Chrome ADMX Files
For managing Google Chrome settings using Intune, the first step is to import chrome ADMX files. Importing ADMX file into Intune will allow us to configure auto update setting in chrome.
- Visit the link: Enterprise Browser Download for Windows & Mac – Chrome Enterprise.
- Use the drop-down to select Chrome ADM/ADMX templates and Google Updater ADMX template update. Click Accept and download.
- windows.admx and windows.adml templates are prerequisites for chrome admx template files. Visit the link: Download Windows 11 24H2 ADMX and install it on your device. It will place windows.admx and windows.adml files in C:\windows\Policydefinitions folder. We need these two files along with Google ADMX files.
- Now, you should have three files in your downloads file: googleupdateadmx.zip, policy_templates.zip and Administrative Templates (.admx) for Windows 11 Sep 2024 Update.msi. Extract the zip files into a folder and install the msi file on your device.
2. Import ADMX templates into Intune
Upload the ADMX files in Intune in the order listed below. You can find Google policy template files in the policy_templates.zip and googleupdateadmx.zip folders. After installing the Administrative Templates for Windows 11 (MSI file), windows.admx file will be available in the C:\Windows\PolicyDefinitions folder. You will also need the corresponding .adml file as well, which you can find in the same folder. For more information about uploading ADMX files in Intune, refer to the link: Import ADMX Templates Into Intune.
- windows.admx
- google.admx
- chrome.admx
- GoogleUpdate.admx
Please note if you get ADMX file referenced not found NamespaceMissing:Microsoft.Policies.Windows. Please upload it first. error while uploading ADMX files, ensure that you upload windows.admx first. For more details on fixing this error, refer to the post: NamespaceMissing: Microsoft.Policies.Windows. Please Upload It First ADMX Import Intune.
3. Create a Device Configuration Policy
After uploading the required ADMX files in intune, we will create a device configuration policy to configure Google update setting.
- Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
- Platform: Windows 10 and later
- Profile type: Templates
- Template Name: Imported Administrative templates (Preview)
- On the Basics tab, provide a Name and Description of the policy and click Next.
- Under Configuration settings tab, Navigate to Computer Configuration > Google > Google Update > Applications > Google Chrome and select Update policy override policy setting. Enable this policy and set it to Always allow updates (recommended).
Specifies how Google Update handles available Google Chrome updates from Google. If this policy is not configured, Google Update handles available updates as specified by Update policy override default.
Always allow updates: Updates are always applied when found, either by periodic update check or by a manual update check.
Manual updates only: Updates are only applied when the user does a manual update check. (Not all apps provide an interface for this.)
Automatic silent updates only: Updates are only applied when they are found via the periodic update check.
Updates disabled: Never apply updates. If you select manual updates, you should periodically check for updates using the application’s manual update mechanism, if available. If you disable updates, you should periodically check for updates and distribute them to users. Check https://www.google.com/chrome/.
About Update policy override policy
- Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
- Assignments: Assign the policy to Entra security groups that contain the target users or devices. As a best practice, pilot with a small set first; once validated, roll it out more broadly. For guidance on assignment strategy, see Intune assignments: User groups vs. Device groups.
- Review + create: Review the deployment summary and click Create.
Monitoring Intune Policy Deployment
- Sign in to the Intune admin center > Devices > Configuration.
- Select the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Conclusion
In this post, we learned how to enable automatic updates in Google Chrome using the Intune Update policy override policy. You could also use the Update policy override default policy, but it can be superseded by Update policy override, so it’s best to use the latter.
