Enable Google Chrome policies otherwise only available with Active Directory

There are a number of settings for Google Chrome which are applied as "policies". Under the hood, these are registry entries, typically located at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. These policies are nominally designed to be enabled by Group Policy in an Active Directory environment (using ADM or ADMX files). Many of them work whether the computer is joined to a domain or not; presumably Chrome is just reading the registry value.

However, some policies only work when the computer is joined to Active Directory or is one of the "Windows 10 Pro or Enterprise instances that enrolled for device management" (see link). Since the policy configuration values are ultimately just registry entries, Chrome must be going out of its way to check whether the computer is in Active Directory.

What I want to know is: is there a way to deceive Chrome about the computer's Active Directory membership, or some other way to convince Chrome to honor these policies regardless?

William

Posted 2019-06-11T12:39:40.527

Reputation: 731

Chrome engages in a number of questionable privacy related actions - some are network related, such as reporting "metrics". Others are more invasive, like the software reporter tool or chrome cleanup. I want to disable these things, but the policy only works if your computer is in an Active Directory, and I don't have one of those. – William – 2019-06-11T12:41:33.823

You can configure group policies locally (gpedit.msc, run as admin) & Google does suggest doing it that way. However I can't speak to that specific policy or those that mentioned needing AD https://www.chromium.org/administrators/policy-templates

– gregg – 2019-06-18T16:45:52.583

The problem, Gregg, is that although you can set the policies through local group policy, Chrome just ignores a few of them if you aren't domain-joined or enrolled in some other device management. – Patrick – 2019-06-24T15:28:51.677

Answers

0

I have found, or rather "created" a solution. I don't recommend this, but it has worked.

Here's some background. Google Chrome restricts certain policies to computers which are domain members. I have not found an explicit reason for this, but the gist I get from reading documentation and notes suggests that this is a security precaution, as if a domain administrator has magical security powers. Chrome checks for domain membership by using the IsOS function exported by the SHLWAPI dll. The DLL is imported into "chrome.dll", which is typically located in a directory like c:\Program Files (x86)\Google\Chrome\Application\75.0.3770.80\chrome.dll.

It is possible to apply a binary patch to chrome.dll to redirect calls to IsOS to another function exported by SHLWAPI. A good match I have found is "ChrCmpIA", which will always return true given the arguments that are otherwise passed to IsOS. chrome.dll imports IsOS by ordinal (rather than by name): IsOS has an ordinal of 437, and ChrCmpIA has an ordinal of 587. An ordinal of 437, as stored in the DLL, looks like this: 0xb5,0x01,0x00,0x00,0x00,0x00,0x00,0x80. It can be replaced with 0x4b,0x02,0x00,0x00,0x00,0x00,0x00,0x80. As of version 75, Chrome has two ordinal exports of 437; only the first should be patched. A program like HxD can do this without too much trouble. I've used this on Chrome 75.0.3770.80 (64-bit), as installed by the enterprise MSI package; it may work on other versions too (as this recipe does not use hard-coded addresses).

Standard disclaimers - Back up your chrome.dll first (or be prepared to reinstall). Don't do this, except for "educational purposes". Use this strategy at your own risk; there is a slight possibility of data loss, being fired, deportation and revocation of citizenship, or even influenza.

William


Reputation: 731

I don't consider this to be a good answer; I think it's only adequate (so I'm not going to mark it as the accepted answer, at least not for a while). It's possible that there might actually not be a good answer; I've skimmed the Chromium source code, and the IsOS hack is the best I found. – William – 2019-06-18T20:16:01.517

Not sure why you got the downvote, this is the clearest, indeed only, attempt to provide a functional and useful answer to the question posed. It's brilliantly hacky though, which I appreciate, but I'm not sure I'm ready to roll this out across the estate just yet :) – Patrick – 2019-06-24T15:27:04.387
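The answer above describes the patch as a manual hex-editor edit. The script below is an added example (my code, not William's or Chrome's) that automates the same search-and-replace: it encodes an import-by-ordinal thunk the way the PE loader expects it (high bit set, ordinal in the low 16 bits), finds every occurrence of the IsOS thunk, refuses to touch the file unless the occurrence count matches what the answer reports for the build it was tested on (two), and then rewrites only the first one to the ChrCmpIA ordinal. It does not walk the PE import directory, so it carries the same assumption as the hex-edit recipe (the first aligned match is the SHLWAPI import). The 32-bit thunk encoding is my generalization; the answer only covers the 64-bit build. The sample image is constructed filler, not real chrome.dll bytes.

```python
"""Patch an import-by-ordinal thunk in a PE image (automates the HxD recipe above).

Added example, not code from the original answer. Assumes the ordinals quoted in
the answer (IsOS = 437, ChrCmpIA = 587) and that the first aligned match is the
SHLWAPI import, exactly as the manual recipe does.
"""
from __future__ import annotations

import shutil
import struct
import sys
from pathlib import Path
from typing import List, Optional, Tuple

ISOS_ORDINAL = 437       # SHLWAPI!IsOS, from the answer
CHRCMPIA_ORDINAL = 587   # SHLWAPI!ChrCmpIA, from the answer


def ordinal_thunk(ordinal: int, bits: int = 64) -> bytes:
    """Encode an import-by-ordinal thunk as stored in the ILT/IAT.

    The top bit of the thunk marks an ordinal import; the low 16 bits hold
    the ordinal. Little-endian, so 437 on 64-bit is b5 01 00 00 00 00 00 80,
    matching the byte string quoted in the answer. 32-bit is an assumption
    (the answer only describes the 64-bit build).
    """
    if not 0 < ordinal <= 0xFFFF:
        raise ValueError("ordinal must fit in 16 bits")
    if bits == 64:
        return struct.pack("<Q", (1 << 63) | ordinal)
    if bits == 32:
        return struct.pack("<I", (1 << 31) | ordinal)
    raise ValueError("bits must be 32 or 64")


def find_thunks(image: bytes, ordinal: int, bits: int = 64) -> List[int]:
    """Return every file offset holding the given ordinal thunk.

    Only pointer-aligned hits are kept: import tables are pointer-aligned, so
    an unaligned hit is almost certainly unrelated bytes.
    """
    pat = ordinal_thunk(ordinal, bits)
    offsets: List[int] = []
    start = 0
    while (i := image.find(pat, start)) != -1:
        if i % len(pat) == 0:
            offsets.append(i)
        start = i + 1
    return offsets


def patch_ordinal_import(
    image: bytes,
    old: int,
    new: int,
    *,
    bits: int = 64,
    expect: Optional[int] = None,
    which: int = 0,
) -> Tuple[bytes, List[int]]:
    """Rewrite one occurrence of ordinal `old` to ordinal `new`.

    `expect` pins the number of occurrences; a different count means a build
    the recipe was not verified against, so refuse rather than guess.
    Returns the patched image and the offsets that were found.
    """
    offsets = find_thunks(image, old, bits)
    if expect is not None and len(offsets) != expect:
        raise RuntimeError(
            f"found {len(offsets)} occurrence(s) of ordinal {old}, expected {expect}; "
            "refusing to patch an unverified build"
        )
    if which >= len(offsets):
        raise RuntimeError(f"no occurrence #{which} of ordinal {old}")
    off = offsets[which]
    new_pat = ordinal_thunk(new, bits)
    patched = image[:off] + new_pat + image[off + len(new_pat):]
    return patched, offsets


def patch_file(path: str, old: int = ISOS_ORDINAL, new: int = CHRCMPIA_ORDINAL,
               *, bits: int = 64, expect: Optional[int] = 2) -> List[int]:
    """Back up `path` once (path + '.bak'), then patch it in place."""
    p = Path(path)
    backup = p.with_name(p.name + ".bak")
    if not backup.exists():
        shutil.copy2(p, backup)
    patched, offsets = patch_ordinal_import(p.read_bytes(), old, new, bits=bits, expect=expect)
    p.write_bytes(patched)
    return offsets


# Constructed sample: two ILT-like runs of thunks around filler. Not a real PE.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + ordinal_thunk(100) + ordinal_thunk(ISOS_ORDINAL) + ordinal_thunk(200) + b"\x00" * 8
    + b"\x90" * 24
    + ordinal_thunk(ISOS_ORDINAL) + ordinal_thunk(300) + b"\x00" * 8
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("patched first IsOS thunk; occurrences at", patch_file(sys.argv[1]))
    else:
        out, found = patch_ordinal_import(SAMPLE_IMAGE, ISOS_ORDINAL, CHRCMPIA_ORDINAL, expect=2)
        print("sample: IsOS thunks at", found, "-> ChrCmpIA now at", find_thunks(out, CHRCMPIA_ORDINAL))
```

Run it with no arguments to see it operate on the constructed sample, or with the path to a copy of chrome.dll to apply the patch (the `.bak` copy is the answer's "back up your chrome.dll first" step, done for you). The `expect=2` guard is the important addition over a bare hex search: on a build where the count differs, the recipe's "only the first should be patched" no longer has a known meaning, and the script stops instead of corrupting the wrong import.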

-2

You could:

  • Spin up a Linux VM.
  • Configure a SAMBA to act as a Domain controller.
  • Join your Windows PC to that domain

I don't think you would even need to leave the domain controller running. It would remain joined even when the VM is off.

SAMBA CONFIG: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

HackSlash


Reputation: 3 174

The question was specifically about getting the Chrome policies to apply where no domain existed. A solution of 'get a domain' doesn't really answer the question that was asked, although it would of course resolve the issue. – Patrick – 2019-06-18T12:39:43.087

-2

A reduced version of such options seems to be available also for computers that are not connected to Active Directory.

For the policy given as example, one can find a similar option in chrome://settings under Advanced > Reset and clean up > Clean up computer, called "Find harmful software", that comes with a "FIND" button and with absolutely no documentation on what it does. This setting is reachable directly via chrome://settings/cleanup, with a sub-option for "Report details to Google about harmful software, system settings, and processes that were found on your computer during this cleanup".

Pressing the FIND button will launch a long process with only the message of "Checking for harmful software…", with, again, absolutely no information on what exactly it does, nor any way to cancel it. In my case it ended with the message of "No harmful software found".

Conclusion: The difference between stand-alone and Active Directory computers seems to be only that the scan is automatic and periodic for the second but manual for the first. But I wouldn't count on this malware scan to be as extensive as that done by an antivirus product.

For more information, see the article "Remove Malware and Other Harmful Software Using Google Chrome".

harrymc


Reputation: 306 093

The question was "is there a way to [...] convince Chrome to honor these policies regardless [of Active Directory membership]?" The point being that even without a domain, managed policies can be applied to a group of computers; Chrome, for no discernible reason, ignores a subset of those policies if no domain is present. Your example would require a visit to each machine to run, defeating the point of using policies in the first place. – Patrick – 2019-06-18T12:43:11.173

Why downvote an answer? I'm sure that for the Chrome developers there is a discernible reason for this limitation, having to do with some difference in the operating system. So, no, you cannot emulate AD. You can launch cleanup automatically via the Task Scheduler, but you need to search for the program in third-party sites, as Google has suppressed the stand-alone tool, and this will be an older version than the one inside Chrome. – harrymc – 2019-06-18T12:54:02.500

Your answer focuses only on the cleanup tool, which was only mentioned in a comment. Cleanup is only one of many policies that are affected by this decision and the question wasn't 'how do I run cleanup' it was 'how do we work around this limitation' which your answer doesn't address. – Patrick – 2019-06-18T13:08:14.897

Well, that's what you will need to do - handle them one by one. Your other option is to create an Active Directory domain server in your network, perhaps inside a virtual machine. If you have a Windows Server license see this tutorial. For a free Linux AD server see for example this SAMBA tutorial. In all cases, this won't come easily.

– harrymc – 2019-06-18T13:27:29.343

We know that adding a domain or some other enterprise management system will resolve the issue. I was hoping that someone might have an alternative, as it's an awful cost to install local hardware and configure a DC just to get 4 or 5 Chrome policies to apply when everything else works as expected. – Patrick – 2019-06-18T15:25:45.680

You don't need to install local hardware - a virtual machine will do as well as a domain server, as in my above comment. The only problem is that it needs to be always running. – harrymc – 2019-06-18T16:15:13.927

You do if you don't currently have any local hardware on which to run your DC, virtualised or not. – Patrick – 2019-06-18T16:21:30.517