Ultimate guide to managing Chrome on Windows for school IT admins

Ultimate Guide overview

This guide covers everything you need to know about how to manage Chrome on Windows within your school district, starting with a basic overview of all of the different management options and moving into key recommendations and important policies you need to configure. Beginners will learn a lot and experts will still learn something here, because there are a lot of ways you can set this up.

• Part 1: All the different ways you can manage Chrome on Windows
• Part 2: Why Chrome Browser Cloud Management + Workspace in combination work best for more schools
• Part 3: Troubleshooting complicated deployments with multiple management methods coming into conflict

All the different ways you can manage Chrome on Windows

GPO

If you're a long-time Windows and Active Directory admin you're probably familiar with GPO, or Group Policy Objects. These are collections of policies and can be applied to either the entire computer or to a user when they sign into the operating system.

The full collection of Chrome policies is available to set via GPO, and if you're already managing everything via Active Directory, this could be a good option. However, it has some downsides. You will not be able to configure your policies from the cloud via Google Admin Console (or its APIs), and you will not get key reporting information that is available exclusively with Chrome Browser Cloud Management. You also won't be able to align your Chrome policies across Windows and Chrome OS, if that is a consideration.

Chrome Browser Cloud Management

Chrome Browser Cloud Management (CBCM) allows you to manage Chrome on Windows from the Google Admin Console (and its associated cloud-based APIs). In order to set up CBCM, you set up a Google Admin Console, generate a CBCM token, and deploy that token via GPO, registry, or your Windows device MDM.

Once the token is deployed, the Chrome browsers on that machine will register with the Google Admin Console. Note that even though each Windows device might have multiple different users on it, CBCM manages at the device level.

Using CBCM is advantageous for a few reasons:

• All policies can be managed from the Cloud, so it is easy to audit and change policies remotely
• CBCM includes numerous reporting features so you will get better insights on your Windows devices. E.g. you will be able to see all extensions installed by users, all versions of Chrome deployed across your devices, etc.
• Because CBCM is deployed at the machine level (i.e. regardless of who signs in), you can enforce policies that control who is able to sign in to Chrome. For example, in a school setting you will want to block students from signing in with @gmail.com accounts and require that they sign in with @school.edu accounts

Full setup instructions for CBCM

Google Workspace User Policies

If your organization uses Google Workspace, you have likely seen already that the Chrome policies you apply in Google Admin Console will apply to Chrome on Windows when your users sign in with their accounts. For example, if you deploy a content filtering extension for students to monitor their Chromebook usage, that filtering extension will also show up when they sign into Chrome on Windows with their school accounts.

Managing Chrome policies based on the signed-in Google Workspace user is extremely convenient for schools that also uses Chromebooks. You can have a single set of policies that works wherever your users sign in, whether that's Chrome OS, Windows, Mac, Android, iOS, or even Linux.

Google Credential Provider for Windows (GCPW)

Google Credential Provider for Windows (GCPW) is somewhat independent of Chrome management, but it's important to mention because it can help you simplify your student and staff experience if you are already using Google Workspace.

GCPW allows your users to sign into Windows devices using their Google accounts. Rather than using Active Directory or a different username and password, users will see the regular Google sign-in screen and log in with their Workspace credentials. Once they do, they will be automatically signed into Chrome as well (and receive their Google Workspace User Policies). User passwords are managed via Google Admin Console, including if you sync in changes from another source.

What if you have policies set in all of the above ways?

An interesting (and confusing) aspect of managing Chrome on Windows is that you can use multiple of the above methods, and in fact most organizations will have some policies configured via GPO, some via CBCM, and still some via Workspace.

However, this introduces the possibility for conflicts to arise. If you block incognito mode in Workspace User Policy but enable it using CBCM, will it be available or not?

The answer is determined by the built-in precedence order that Chrome uses. Chrome will prioritize policies in the following order (top-most takes precdences over the ones below):

1. GPO policies set at the device level
2. CBCM policies
3. GPO policies set at the user level
4. Workspace User Policies

Even more confusingly, you can actually change this order of precedence using the CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy policies, but we really don't recommend this unless you have a strong reason to.

Chrome vs. Chrome Profiles

Chrome supports multiple "profiles," which can be useful for keeping personal and work browsing separate on the same computer. It's important to note that a Chrome Profile that isn't signed in will not receive any Google Workspace User Policies. On school computers, this means you should (1) force sign-in, and (2) limit sign-in to only your school accounts.

The best way to do it: Chrome Browser Cloud Management + Workspace

Here's the combination we recommend:

• Configure CBCM on your Windows devices in order to get the reporting & analytics from it.
• Keep your CBCM devices in a separate organizational unit subtree away from your Workspace users and Chrome OS devices. This will help you decide exactly which policies are set for CBCM vs. your users, and avoid confusion about some policies being shared across CBCM and users.
• Set up a handful of policies via CBCM to control sign-in to the browser (more details below). If you don't use Google Workspace, set the rest of your policies for your browsers here as well.
• If you do have Workspace, configure the vast majority of policies on your Workspace users (instead of in CBCM) so that they will work across Chrome OS, Windows, Mac, etc.

Recommended settings for CBCM

Troubleshooting complicated deployments with multiple management methods coming into conflict

If you've set up your devices but policy isn't working as you expect, it's time for some troubleshooting. Go through these steps in order:

1. Confirm that your CBCM devices are in a different part of the organizational unit tree as your Workspace users.
2. Confirm the policies set for your CBCM devices within the Google Admin Console
3. Confirm that you haven't configured the CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy policies, or that you understand the implications to policy precedence of configuring these.
4. From an affected device, type "chrome:policy" into the Chrome URL bar and press enter. This will take you to a debugging page where you can see all policies that are applied on your device, and where they come from.

Feedback on this tip?

Found a better way to manage Chrome on Windows? Want to share with other admins? As always, you can share your feedback on our public feedback tracker or privately via the contact page.