Blocking Chrome install via group policy

H

holden j caufield

Gawd
Joined
Mar 27, 2012
Messages
640
Chrome messes with some apps we use and links we use. It's not allowed and we've blocked it via group policy but it completely bypasses admin credentials and still installs. As it now uses different paths and methods.

We've blocked numerous path rules and exe in group policy and we've had to change it a few times. Is there a sure fire way as we keep having to mickey mouse it as chrome installer changes it's method to install.
 
Removes everyone's admin rights when they install shit they aren't supposed to?
 
chrome installer bypasses any need for admin rights. It installs on the users home folder, and even if we use variables %username%


disallow
C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe

It still somehow is able to.
 
Chrome can be installed into the users appdata profile which does not require administrative permissions.

OP, you're going to have to use AppLocker if you want to stop this kind of stuff. That will block anything from running, including portable apps, except applications installed into Program Files which can only be done by administrators. You can even customize the directories that applications are allowed to run from.

As a secondary option, you can also try to create a software restriction policy that blocks "chrome.exe" but if someone renames the .exe then they can get around it. You could also try creating a software restriction directory and block the program files directory and also create a block for %userprofile%\AppData\Local\Google\Chrome\Application\chrome.exe

You could even push out a desktop shortcut to %public%\desktop for the application that forces it to be opened with Internet Explorer (or whatever your using).

But ultimately I think that educating your users on why they need to use browser X is needed for the application.
 
Last edited:
Not too familiar with this per se, but...you should be able to use something like this and set a 'Deny' permission on the default Chrome folder, at least for the Domain Users group. That may work. (Just kinda trying to cobble something together as an idea.)
 
holden j caufield said:
disallow
C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe
Click to expand...

That's Chrome itself. You want to disable the installer application. The installer has a variable name but matches the pattern chrome*.exe and can be anywhere.
 
On our corporate network, they simply disabled access to the Chrome install domains via the firewall. This prevents the Chrome installer from retrieving the files it needs and it simply doesn't install.
 
You must log in or register to reply here.
Back
Top