How to Enable Auto-Updates for Google Chrome Using Microsoft Intune

Start by downloading the latest Chrome ADMX templates from Google's official Chrome Enterprise site. These templates contain the policy definitions needed to manage Chrome through Intune.

Navigate to https://chromeenterprise.google/browser/download/ and locate the Policy templates section. Download the latest Policy templates ZIP file.

Extract the ZIP file to a local folder. You'll need these specific files:

• chrome.admx - Chrome browser policies
• Google.admx - Google application policies
• GoogleUpdate.admx - Google Update service policies
• Corresponding .adml files for your language (e.g., en-US folder)

Now you'll import the Chrome ADMX templates into Intune to make Chrome policies available for configuration.

Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com using your administrator credentials.

Navigate to Devices > Manage devices > Configuration. Click on the Import ADMX tab, then select + Import.

Upload the following files in this order:

1. First, upload Google.admx and its corresponding Google.adml file
2. Next, upload chrome.admx and its chrome.adml file
3. Finally, upload GoogleUpdate.admx and its GoogleUpdate.adml file

For each upload, select both the .admx file and the corresponding .adml file from the language folder (e.g., en-US/Google.adml).

Create a new configuration profile to enforce automatic Chrome updates across your managed devices.

In the Intune admin center, navigate to Devices > Windows > Configuration. Click Create > New policy.

Configure the profile settings:

• Platform: Windows 10 and later
• Profile type: Templates > Imported Administrative Templates
• Click Create

In the Basics tab:

• Name: Enforce automatic updates for Google Chrome
• Description: Configures Chrome to automatically download and install updates including security patches
• Click Next

In the Configuration settings tab, navigate through the policy tree:

Computer Configuration > Google Update > Applications > Google Chrome > Update policy override

Configure the update policy:

• Set the policy to Enabled
• From the dropdown menu, select Always allow updates (recommended)
• Click OK, then Next

Assign the Chrome update policy to your target device groups and configure any necessary scope tags.

In the Scope tags tab, add any relevant scope tags for your organization's compliance requirements, or leave empty if not using scope tags. Click Next.

In the Assignments tab, configure your target groups:

• Click + Add group under Included groups
• Select your target device groups (start with a test group for initial deployment)
• Choose Assignment type: Available or Required based on your deployment strategy

For production deployment, consider these assignment strategies:

• Pilot group: 10-20 test devices for initial validation
• Staged rollout: Deploy to departments or regions incrementally
• Full deployment: All managed Windows devices

Click Next to proceed to the review screen.

Review your configuration and deploy the Chrome auto-update policy to your managed devices.

In the Review + create tab, verify all settings:

• Profile name and description are correct
• Update policy is set to "Always allow updates"
• Target groups are properly assigned

Click Create to deploy the policy.

Monitor the deployment status:

1. Navigate to Devices > Configuration
2. Find your "Enforce automatic updates for Google Chrome" profile
3. Click on the profile to view deployment status
4. Check the Device status and User status tabs for success/failure rates

Force policy sync on test devices:

• On the target device, open Settings > Accounts > Access work or school
• Click on your work account > Info > Sync
• Or use PowerShell: Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

Confirm that the Chrome auto-update policy is properly applied and functioning on your managed devices.

On a target device, open Google Chrome and navigate to chrome://policy/ to view applied policies.

Look for the Chrome update policies:

• Search for UpdatePolicy or scroll to the Google Update section
• Verify UpdatePolicy shows:
• Value: 1 (which means "Always allow updates")
• Source: Platform
• Status: OK

Test the update mechanism:

1. Navigate to chrome://settings/help in Chrome
2. Chrome should automatically check for updates
3. If updates are available, they should download and prompt for restart
4. If Chrome is current, you'll see "Chrome is up to date"

Verify update service status using Command Prompt:

sc query gupdate
sc query gupdatem

Both Google Update services should show STATE: RUNNING or STATE: STOPPED (normal when not actively updating).

Address common problems that may prevent Chrome auto-updates from working correctly on managed devices.

Policy Not Applying:

• Check Intune policy assignment: Ensure the profile is assigned to devices, not users
• Verify ADMX import: Confirm all three ADMX files (Google, Chrome, GoogleUpdate) imported successfully
• Force device sync: Use Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

Updates Still Blocked:

• Check for conflicting Group Policies on domain-joined devices
• Verify no local registry keys are overriding the policy
• Test on a clean, non-domain device to isolate the issue

Chrome Not Updating Despite Policy:

Manually trigger an update check:

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler

Check Windows Event Logs for Google Update errors:

Get-EventLog -LogName Application -Source "Google Update" -Newest 10

Registry Fallback Method:

If policy-based updates fail, configure registry keys directly:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
"UpdateDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\Applications\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Update"=dword:00000001