CIS Google Chrome 3.0.0

Overview

The Devicie CIS Google Chrome 3.0.0 - Level 1 provides configuration as per the Centre for Internet Securities (CIS) guidance for Google Chrome.

Intune Description:

Centre for Internet Security (CIS) Google Chrome Benchmark v3.0.0 Level 1 https://workbench.cisecurity.org/benchmarks/8691.

Scope:

This baseline should be applied to Windows devices.

Policy Impact Areas:

When deployed, this policy will impact:

Extensive security controls, specifically for Google Chrome.
Enable Safe Browsing Protection

Deployment Notes

Pre-Deployment Considerations:
- Review if Chrome is being utilized within the environment.
Post-Deployment Validation:
- Attempt to install an external extension.

Configuration Settings:

Name	Value
Google
Google Chrome
Allow download restrictions	Enabled
Download restrictions (Device)	Block malicious downloads. Recommended.
Allow Google Cast to connect to Cast devices on all IP addresses.	Disabled
Allow queries to a Google time service	Enabled
Allow remote debugging	Disabled
Allow the audio sandbox to run	Enabled
Allow user feedback	Disabled
Allow websites to query for available payment methods.	Disabled
Ask where to save each file before downloading	Enabled
Block third party cookies	Enabled
Continue running background apps when Google Chrome is closed	Disabled
Control how Chrome Cleanup reports data to Google	Disabled
Determine the availability of variations	Enabled
Determine the availability of variations (Device)	Enable all variations
Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities	Disabled
Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes	Disabled
Disable Certificate Transparency enforcement for a list of URLs	Disabled
Disable proceeding from the Safe Browsing warning page	Enabled
Disable saving browser history	Disabled
Disable synchronization of data with Google	Enabled
DNS interception checks enabled	Enabled
Enable alternate error pages	Disabled
Enable AutoFill for credit cards	Disabled
Enable component updates in Google Chrome	Enabled
Enable deleting browser and download history	Disabled
Enable globally scoped HTTP auth cache	Disabled
Enable network prediction	Enabled
Enable network prediction (Device)	Do not predict network actions on any network connection
Enable online OCSP/CRL checks	Disabled
Enable or disable spell checking web service	Disabled
Enable reporting of usage and crash-related data	Disabled
Enable Safe Browsing for trusted sources	Disabled
Enable security warnings for command-line flags	Enabled
Enable third party software injection blocking	Disabled
Enable URL-keyed anonymized data collection	Disabled
Enables managed extensions to use the Enterprise Hardware Platform API	Disabled
Ephemeral profile	Disabled
Import autofill form data from default browser on first run	Disabled
Import of homepage from default browser on first run	Disabled
Import saved passwords from default browser on first run	Disabled
Import search engines from default browser on first run	Disabled
List of names that will bypass the HSTS policy check	Disabled
List of types that should be excluded from synchronization	Enabled
List of types that should be excluded from synchronization (Device)	passwords
Origins or hostname patterns for which restrictions on insecure origins should not apply	Disabled
Proxy settings	Enabled
Proxy settings (Device)	ProxyMode
Require Site Isolation for every site	Enabled
Set disk cache size in bytes	Enabled
Set disk cache size: (Device)	250609664
Set the time period for update notifications	Enabled
Time period (milliseconds): (Device)	86400000
Suppress lookalike domain warnings on domains	Disabled
Suppress the unsupported OS warning	Disabled
URLs for which local IPs are exposed in WebRTC ICE candidates	Disabled
Content settings
Control use of insecure content exceptions	Enabled
Control use of insecure content exceptions (Device)	Do not allow any site to load mixed content
Default geolocation setting	Enabled
Default geolocation setting (Device)	Do not allow any site to track the users' physical location
Extensions
Blocks external extensions from being installed	Enabled
Configure allowed app/extension types	Enabled
Types of extensions/apps that are allowed to be installed (Device)	extension;hosted_app;platform_app;theme
Configure extension installation blocklist	Enabled
*Extension IDs the user should be prevented from installing (or for all) (Device)**	*
Google Cast
Enable Google Cast	Disabled
HTTP authentication
Cross-origin HTTP Authentication prompts	Disabled
Password manager
Enable saving passwords to the password manager	Disabled
Printing
Enable Google Cloud Print proxy	Disabled
Remote access
Allow remote access connections to this machine	Disabled
Allow remote users to interact with elevated windows in remote assistance sessions	Disabled
Configure the required domain names for remote access clients	Enabled
Configure the required domain names for remote access clients (Device)	deviciedemo.com
Enable curtaining of remote access hosts	Disabled
Enable firewall traversal from remote access host	Disabled
Enable or disable PIN-less authentication for remote access hosts	Disabled
Enable the use of relay servers by the remote access host	Disabled
Safe Browsing settings
Configure the list of domains on which Safe Browsing will not trigger warnings.	Disabled
Safe Browsing Protection Level	Enabled
Safe Browsing Protection Level (Device)	Safe Browsing is active in the standard mode.

Devicie Template Name	CIS Google Chrome 3.0.0 - L1
Default Intune Deployed Name	DEVICIE-PROD-CIS Google Chrome 3.0.0 - L1
Version	1.0
Template Last Updated	Nov 18, 2024
Document Status:	DRAFT
Document Last Updated:	Apr 10, 2025