✅ Summary
This Intune Configuration Policy applies a medium‑impact Chrome browser hardening baseline aligned with ACSC and Microsoft guidance. It includes controls that:
block intrusive ads
restrict risky downloads
disable pop‑ups
disable developer tools
disable DoH (to keep enterprise DNS visibility)
enforce DNS interception checks
disable Chrome’s password manager
The policy is assigned to all devices, giving it organisation‑wide coverage.
This strongly aligns with Essential Eight – User Application Hardening (M1–M3).
🔍 Detailed Interpretation of All 7 Chrome Hardening Settings
Below is each policy item interpreted exactly from your JSON.
1. Block Intrusive Ads
Setting: googlechrome_adssettingforintrusiveadssites
Value: _2 (Block intrusive ads)
✔ Removes ads known to use malicious/misleading behaviour
✔ Reduces drive‑by downloads & exploit kit vectors
✔ Matching the same setting you enforced in Edge
2. Restrict Unsafe Downloads
Setting: googlechrome_downloadrestrictions
Value: _4 (Block dangerous downloads)
This is one of Chrome’s strictest download control modes.
✔ Blocks downloads flagged as dangerous by Safe Browsing
✔ Reduces malware exposure
✔ Strong alignment with E8 application hardening
3. Block Pop‑Ups
Setting: defaultpopupssetting
Value: _2 (Block all pop‑ups)
✔ Prevents malicious scripts, phishing pop‑ups and redirect chains
✔ Essential baseline control for reducing web threats
4. Disable Developer Tools
Setting: googlechrome_developertoolsavailability
Value: _2 (DevTools disabled)
✔ Prevents manipulation of browser‑side security
✔ Stops users bypassing controlled content settings
✔ Good for medium/high‑assurance environments
5. DNS over HTTPS (DoH) Disabled
Setting: googlechrome_dnsoverhttpsmode
Value: off
✔ Ensures DNS continues to use enterprise infrastructure
✔ Keeps DNS logging visible for IR & SOC
✔ Prevents bypass of web filtering or DNS monitoring
6. DNS Interception Checks Enabled
Setting: googlechrome_dnsinterceptionchecksenabled
Value: _1 (Enabled)
✔ Allows Chrome to detect and adapt to enterprise DNS
✔ Reduces false warnings
✔ Ensures web requests follow corporate policy
7. Disable Chrome Password Manager
Setting: passwordmanagerenabled
Value: _0 (Disabled)
✔ Prevents local and cloud password storage in Chrome
✔ Supports enterprise MFA/SSO credentials instead
✔ Reduces credential theft and sync exposure
✔ Aligns with E8 advice to reduce attack surface from browser credential stores
🎯 Assignment
This configuration is assigned to:
All devices (
#microsoft.graph.allDevicesAssignmentTarget)
✔ Broad enforcement ensures Chrome is hardened wherever it is installed
✔ Ideal for organisation‑wide User Application Hardening