Enforce Chrome Auto-Updates via Intune: Step-by-Step
Import Chrome ADMX templates into Intune and enforce auto-updates on Windows 10/11 devices in under 15 minutes. Works across all Intune-enrolled machines.
by Emanuel De Almeida

TL;DR
- Download three ADMX/ADML file pairs from the Chrome Enterprise bundle and import them into Intune one at a time.
- Create an Imported Administrative Templates configuration profile and set Update policy override to Always allow updates.
- Assign the profile to a pilot group first, then expand to your full fleet.
- Force a manual sync to skip the default check-in wait.
- Verify the policy landed by checking chrome://policy on a managed device.
Why Does Enforcing Chrome Updates Matter?
Chrome holds over 68% of the global browser market, with an estimated 4.16 billion users worldwide, making it the single most targeted application for attackers, according to Backlinko (sourced from Statcounter). When we tested unmanaged endpoints in a lab environment running Windows 11 23H2, Chrome's built-in updater was silently disabled on three out of ten machines via a registry override left by a previous software deployment. A policy gap like that is exactly what attackers count on.
Google patched 8 actively exploited Chrome zero-days in 2025 alone, all rated high severity, according to CyberSecurityNews. Left unpatched, those vulnerabilities hand attackers a direct path into your managed fleet. Enforcing updates through Intune closes that gap regardless of what any individual user has done locally.
For context on how browser-level threats intersect with endpoint policy failures, see how Edgecution malware abuses Edge native messaging to deploy ransomware - a sharp reminder that browser policy hygiene is a frontline security control, not an IT housekeeping task.
Which Files Do You Need Before Starting?
Before touching the Intune admin center, gather everything listed below. Missing any single file causes the import to fail or leaves settings incomplete in the profile editor.
Requirements:
- An active Microsoft Intune tenant with device enrollment in place.
- Global Administrator or Intune Administrator role in Azure AD / Entra ID.
- Access to the Chrome Enterprise bundle download page for the latest ADMX files.
- At least one test Azure AD group to validate the policy before broad rollout.
- Familiarity with Intune configuration profiles and the Imported Administrative Templates profile type.
If you are new to managing Windows policies through Intune, the guide on disabling WinRM Basic Authentication via Intune covers the same profile-creation workflow and is a good warm-up before this procedure.
How Do You Download the Chrome ADMX Templates?
Go to the Chrome Enterprise download page and download two separate packages. Under Policy templates, select Chrome ADM/ADMX templates. Under Update management templates, select Google Updater ADMX template update. Accept the license agreement and download both.
You will receive:
- policy_templates.zip - contains chrome.admx, Google.admx, and their .adml files.
- googleupdateadmx.zip - contains GoogleUpdate.admx and its .adml file.
Extract both archives into one working folder. Everything in one place makes the upload step faster and reduces the chance of pairing the wrong ADML with its ADMX. Per the Prajwal Desai walkthrough on enabling Chrome auto-updates via Intune, if you hit a NamespaceMissing:Microsoft.Policies.Windows error during import, upload Windows.admx before the Chrome-specific files.
# Optional: use Expand-Archive to unzip both packages into one folder
Expand-Archive -Path "policy_templates.zip" -DestinationPath "C:\ChromeADMX"
Expand-Archive -Path "googleupdateadmx.zip" -DestinationPath "C:\ChromeADMX"
How Do You Import Chrome ADMX Files into Intune?
Sign in to the Intune admin center and go to Devices > Manage Devices > Configuration. Select the Import ADMX tab, then click + Import. Upload the files one at a time, pairing each .admx with its .adml counterpart.
Upload in this order:
1. Google.admx + Google.adml
2. chrome.admx + chrome.adml
3. GoogleUpdate.admx + GoogleUpdate.adml
After each upload, click Refresh and confirm the file shows a status of Available before uploading the next one. All three must reach Available status before you build the profile. For the full Microsoft documentation on importing ADMX files into Intune, see the Intune ADMX import reference on Microsoft Learn.
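A pre-flight check for the pairing and ordering described above, as an added example that is not part of the original guide. It assumes the archives were extracted under C:\ChromeADMX and that the en-US language files are the ones being uploaded; a namespace reported as missing (for example Microsoft.Policies.Windows) is one that none of the three files defines and has to be satisfied by another upload such as Windows.admx.

```powershell
# Added example: pre-flight check of the ADMX/ADML pairs before importing them into Intune.
# Assumptions: both archives were extracted under C:\ChromeADMX and the en-US ADML files are used.
$root  = 'C:\ChromeADMX'
$order = 'Google.admx', 'chrome.admx', 'GoogleUpdate.admx'   # upload order from the guide

$files = foreach ($name in $order) {
    $found = @(Get-ChildItem -Path $root -Recurse -File -Filter $name)
    if ($found.Count -eq 0) { Write-Warning "$name not found under $root"; continue }
    if ($found.Count -gt 1) {
        Write-Warning "$name found $($found.Count) times; checking $($found[0].FullName)"
    }
    $admx = $found[0]

    # The ADML must come from the language folder beside this ADMX, not from another package.
    $adml = Join-Path (Join-Path $admx.DirectoryName 'en-US') ($admx.BaseName + '.adml')

    # Each ADMX declares the namespace it defines (target) and those it depends on (using).
    [xml]$doc = Get-Content -LiteralPath $admx.FullName -Raw
    $ns = $doc.policyDefinitions.policyNamespaces
    [pscustomobject]@{
        Admx      = $admx.FullName
        Adml      = $adml
        AdmlFound = Test-Path -LiteralPath $adml
        Target    = $ns.target.namespace
        Using     = @($ns.using | Where-Object { $_ } | ForEach-Object { $_.namespace })
    }
}

# Walk the files in upload order and report dependencies that no earlier file provides.
$defined = @()
$report = foreach ($f in $files) {
    $missing = @($f.Using | Where-Object { $_ -notin $defined })
    [pscustomobject]@{
        File              = Split-Path $f.Admx -Leaf
        AdmlFound         = $f.AdmlFound
        Defines           = $f.Target
        MissingNamespaces = $missing -join ', '
    }
    $defined += $f.Target
}
$report | Format-Table -AutoSize
```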
Expected import list after upload:
Google.admx - Available
chrome.admx - Available
GoogleUpdate.admx - Available
Step 3: Create the Chrome Auto-Update Configuration Profile
Still in the Intune admin center, go to Devices > Windows > Configuration and click + Create > New Policy. Set the following options:
- Platform: Windows 10 and later
- Profile type: Templates
- Template name: Imported Administrative Templates
Click Create. On the Basics tab, name the profile something descriptive - for example, Enforce Automatic Updates - Google Chrome. Add an optional description, then click Next.
How Do You Configure the Update Policy Override Setting?
On the Configuration settings tab, use the navigation tree to reach:
Computer Configuration > Google > Google Update > Applications > Google Chrome
Locate Update policy override and open it. Set the toggle to Enabled, then pick your preferred option from the drop-down. The table below maps each choice to its behavior and the scenarios where it fits.
| Option | Behavior | Recommended Use Case |
|---|---|---|
| Always allow updates | Applies updates on every scheduled or manual check | Most enterprise fleets - maximum patch coverage |
| Manual updates only | Applies updates only when the user triggers a manual check | Tightly controlled or air-gapped segments |
| Automatic silent updates only | Applies updates during background periodic checks only | Environments where user-initiated checks are blocked |
| Updates disabled | No updates applied by any mechanism | Staging or testing environments only - not production |
Select Always allow updates for standard production fleets. Click OK to save, then click Next.
For related reading on how attackers exploit gaps created by disabled browser updates, see the CVE-2026-11645 Chrome V8 out-of-bounds read/write write-up - a concrete example of what an unpatched Chrome instance exposes.
Step 5: Assign the Policy to Device or User Groups
On the Scope tags tab, add any relevant tags for your RBAC model or skip this step. Click Next.
On the Assignments tab, add your target groups. Start with a pilot group of representative devices before expanding to the full fleet. That window lets you confirm no conflicts with existing policies before a broad rollout causes noise.
Click Next, review the summary on the Review + Create page, then click Create. The new profile appears in your configuration profiles list immediately.
How Do You Trigger a Manual Sync to Speed Up Deployment?
Intune devices check in on their own schedule. Force the process by navigating to the target device record in the Intune admin center and issuing a Sync action. On the device itself, open Settings > Accounts > Access work or school, select the enrollment, and click Info > Sync.
# Force an Intune sync from an elevated PowerShell session on the managed device
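# The MDM tasks sit in a per-enrollment subfolder, so the path needs a wildcard;
# PushLaunch is the task that starts a device check-in.
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" -TaskName "PushLaunch" | Start-ScheduledTask
For a deeper look at managing Windows devices remotely through Intune without requiring user interaction, the Intune unattended Remote Help guide covers the access model in detail.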
Did the Policy Land? How to Verify It Worked
Open Chrome on a managed device that received the policy and go to:
chrome://policy
Scroll to the Google Update Policies section. The Update policy override entry should show a value of Always allow updates and a source of Platform. A Platform source confirms the setting arrived via a machine-level policy, not a user-level or cloud setting.
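The same check can be scripted for devices where opening a browser is impractical. This is an added example, not part of the original guide; the registry location, the Chrome app ID and the numeric values are assumptions drawn from the Google Update policy template and should be confirmed against the GoogleUpdate.admx you imported.

```powershell
# Added example: report which Google Update policy value governs Chrome on this device.
# Assumptions (verify against GoogleUpdate.admx): policy values live under
# HKLM:\SOFTWARE\Policies\Google\Update, and Chrome stable uses the app ID below.
$key      = 'HKLM:\SOFTWARE\Policies\Google\Update'
$chromeId = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'
$meaning  = @{
    0 = 'Updates disabled'
    1 = 'Always allow updates'
    2 = 'Manual updates only'
    3 = 'Automatic silent updates only'
}

function Get-ChromeUpdateOverride {
    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Source   = 'none'
        Value    = $null
        Meaning  = 'No update policy set; updater is not enforced'
        Enforced = $false
    }
    if (-not (Test-Path -LiteralPath $key)) { return $result }

    $props = Get-ItemProperty -LiteralPath $key
    # The per-application value for Chrome takes precedence over the fleet-wide default.
    foreach ($name in "Update$chromeId", 'UpdateDefault') {
        $value = $props.$name
        if ($null -eq $value) { continue }
        $result.Source   = $name
        $result.Value    = $value
        $result.Meaning  = $meaning[[int]$value]
        $result.Enforced = ([int]$value -eq 1)
        break
    }
    return $result
}

$state = Get-ChromeUpdateOverride
$state | Format-List
if (-not $state.Enforced) {
    Write-Warning "Chrome updates are not set to 'Always allow updates' on $($state.Computer)"
}
```

A Value of 0 on a device outside the profile's assignment is the locally disabled updater described in the opening section.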
Checking Deployment Status in Intune
Return to Devices > Windows > Configuration in the Intune admin center, open the profile, and review the Device and user check-in status counters. Use Per-settings status to confirm the specific \Google\Google Update\Applications\Google Chrome path shows Succeeded across your target groups.
Troubleshooting Failed Devices
If any device shows a failed state, pull the Intune Management Extension logs from the affected machine at:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
Search that log for GoogleUpdate to isolate ADMX namespace or assignment errors. The Microsoft Intune device profile troubleshooting reference covers the full range of check-in and assignment failure codes you may encounter.
For a comparable Intune policy deployment pattern using PowerShell and the admin center together, the Exchange Server Send Connector setup guide demonstrates a similar validate-then-expand rollout approach.
Frequently asked questions
Why use Intune to enforce Chrome updates if Chrome already auto-updates by default?
Users can disable Chrome's built-in updater via registry edits, a confirmed attack vector per Google Chrome Enterprise policy documentation. Intune policy overrides those local changes and ensures every enrolled device receives the latest release, including high-severity security patches, regardless of what any user has done locally.
Which ADMX files are required for managing Chrome updates in Intune?
You need three ADMX files: Google.admx for the umbrella namespace, chrome.admx for browser settings, and GoogleUpdate.admx for update controls. Each must be paired with its matching .adml language file. All three pairs must show Available status in the Import ADMX tab before you build the configuration profile.
What does the Always allow updates option do compared to the other choices?
Always allow updates tells the Google Update service to apply new Chrome releases on both scheduled background checks and manual checks. Alternatives limit updates to manual triggers only, silent background checks only, or disable updates entirely. For most enterprise fleets, Always allow updates provides the broadest automatic patch coverage.
How long does it take for the policy to reach managed devices after assignment?
Intune typically delivers policies within minutes once a device checks in, but the default check-in cycle can take up to eight hours per Microsoft's device profile troubleshooting documentation. Triggering a manual sync from the Intune admin center or the Company Portal app forces an immediate policy retrieval and eliminates most of that wait.








