Microsoft Intune CSP for Google Chrome DISA STIG

Hey everyone, Theron (aka T-) here, Senior Consultant with Microsoft Consulting Services (MCS), deeply involved in a project to configure Intune for managing AADJ laptops for a Federal customer’s use.

Been working a lot lately with ‘hardening’ the laptops following DISA STIGs. As a result I’ve developed a few Intune CSPs and security baselines to meet STIG compliance for various technologies like Windows 10, Office, Edge, IE11, Chrome, WDAV, etc. As such, I’ll start posting the JSON files for these CSPs, which you can use to import into Intune as a starting point for your own CSPs.

The CSP related to this post is for Google Chrome meeting DISA STIG compliance for v2r2.

Full disclosure, there are about 4 settings missing at the moment, but I’ll get them in place soon and update this post. Compliance on a device is validated using DISA’s SCAP scanning tool and the Chrome v2r2 benchmark. Interestingly enough, the missing settings from this JSON aren’t in the SCAP scan, so there’s that.

There are 4 findings from the SCAP scan results and they’re related to deprecated settings in Chrome:

| STIG ID   | Rule Title                                                  | Remarks                                                                                          |
|-----------|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| DTBC-0005 | Extensions installation must be blacklisted by default.     | This policy is deprecated, please use the ‘ExtensionInstallBlocklist’ policy instead.            |
| DTBC-0006 | Extensions that are approved for use must be whitelisted.   | This policy is deprecated, please use the ‘ExtensionInstallAllowlist’ policy instead.            |
| DTBC-0021 | The URL protocol schema javascript must be disabled.        | This policy is deprecated, please use the ‘URLBlocklist’ policy instead.                         |
| DTBC-0038 | Safe Browsing must be enabled.                              | This policy is deprecated in Google Chrome 83, please use ‘SafeBrowsingProtectionLevel’ instead. |
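As an added example (not part of the post or the CSP JSON), here is a PowerShell audit you can run on a device to see, for each of the four findings, whether the deprecated policy, its replacement, or neither is actually applied. It assumes the Chrome machine policies land in Chrome’s documented registry location under HKLM:\SOFTWARE\Policies\Google\Chrome; the policy names come from the table above and from Chrome’s policy documentation.

```powershell
# Added example: audit the four deprecated Chrome STIG v2r2 policies against
# their replacements by reading the machine policy registry Chrome consumes.
# Assumption: Intune/ADMX-ingested policies are written to this standard path.
$ChromePolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# STIG ID -> deprecated policy name and its documented replacement.
$Checks = @(
    @{ Stig = 'DTBC-0005'; Deprecated = 'ExtensionInstallBlacklist'; Replacement = 'ExtensionInstallBlocklist';   Kind = 'List'  }
    @{ Stig = 'DTBC-0006'; Deprecated = 'ExtensionInstallWhitelist'; Replacement = 'ExtensionInstallAllowlist';   Kind = 'List'  }
    @{ Stig = 'DTBC-0021'; Deprecated = 'URLBlacklist';              Replacement = 'URLBlocklist';                Kind = 'List'  }
    @{ Stig = 'DTBC-0038'; Deprecated = 'SafeBrowsingEnabled';       Replacement = 'SafeBrowsingProtectionLevel'; Kind = 'Value' }
)

function Get-ChromePolicyValue {
    param([string]$Name, [string]$Kind)
    if ($Kind -eq 'List') {
        # Chrome list policies are subkeys whose entries are named "1", "2", ...
        $key = Join-Path $ChromePolicyRoot $Name
        if (-not (Test-Path $key)) { return $null }
        return (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    # Scalar policies are REG_DWORD values directly under the Chrome key.
    $prop = Get-ItemProperty -Path $ChromePolicyRoot -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$Name
}

foreach ($c in $Checks) {
    $old = Get-ChromePolicyValue -Name $c.Deprecated  -Kind $c.Kind
    $new = Get-ChromePolicyValue -Name $c.Replacement -Kind $c.Kind
    $status = if ($null -ne $new)     { 'OK (replacement set)' }
              elseif ($null -ne $old) { 'DEPRECATED policy only' }
              else                    { 'MISSING' }
    [pscustomobject]@{
        STIG        = $c.Stig
        Replacement = $c.Replacement
        Status      = $status
        Value       = ($new -join ', ')
    }
}
```

A device that still reports ‘DEPRECATED policy only’ will keep tripping the SCAP check even though Chrome may still honor the old name, so the fix is to move the setting to the replacement policy rather than to add both.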

It includes the Google Chrome ADMX for ingestion.

You can get the JSON here.

Have fun, stay safe, and as always, Roll Tide!

T-