Chrome Enterprise and Education Help Show
As a Microsoft Windows administrator, you can use Google Update to manage how your users' Chrome browser and Chrome apps are updated. You can manage Google Update settings using the Group Policy Management Editor. You can see the values of Google Update policies set for a computer in the Chrome policy list at chrome://policy. Note: Only domain-joined or MDM-managed computers honor policies set for the computer by Group Policy. Therefore, you must ensure that all your devices are joined to a Windows domain controller or Azure Active Directory domain, or are MDM-managed. Open all |F Close all Get the Google Update policy template Use an administrative template to install and define policies for Google Update. Microsoft Windows 7 and later supports both ADM and ADMX templates. Download the appropriate Google Update policy template for your Windows network: Step 2: Configure auto-updatesTurn on auto-updates (recommended)
Applies to Chrome browser and all apps managed by Google Update. Using Group PolicyWe recommend that you keep auto-updates turned on so that your users receive critical security fixes and new features as they become available. In Group Policy (Computer Configuration folder):
You can optionally override this setting for an individual app by using the Update policy override policy in the specific app folder. Turn off Chrome browser updates
If you need to stop Chrome Browser updates, you can turn off automatic updates and prevent users from manually updating the browser themselves. Even if you turn off updates, Google Update continues to check for new updates. Important: We do not recommend turning off browser updates. Doing so prevents software fixes and security patches from being applied to Chrome browser. You are also at risk of crashes and security vulnerabilities. If you must turn off updates, make sure you have a process to ensure timely updates throughout your network. Better yet, include a plan to re-enable updates as soon as possible. In Group Policy (Computer Configuration folder):
If you turned off Chrome browser updates, check to make sure they’re also turned off on users’ computers:
You should see a note that updates are disabled by an administrator. Turn off all app updates
Important: Turning off all app updates prevents software fixes and security patches from being automatically applied to all Google software. In Group Policy (Computer Configuration folder):
Even when app updates are turned off, Google Update continues to update itself. Turn off Chrome browser component updates (Optional)
Applies only to Chrome browser components Even if you turn off updates for Chrome browser, browser components, such as Widevine DRM, won’t automatically stop updating. In Group Policy (Computer Configuration folder):
Note: This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled. Step 3: Customize updatesSchedule auto-updates outside of work hours
Applies to Chrome browser and all apps managed by Google Update. You can prevent auto-updates from occurring during certain time periods, such as during your organization’s peak working hours. Using Group PolicyIn Group Policy (Computer or User Configuration folder):
Pin Chrome browser updates to a specific version
Applies only to Chrome browser updates. You can specify the Chrome browser version (major milestone or specific full version) that you want Windows computers to update to. Google gradually updates computers on the Stable channel to new versions of Chrome browser over a few weeks. Sometimes, updates might take longer.
In general, we recommend that you use the major milestone syntax, xx., to make sure that devices remain on the latest version for that milestone. However, sometimes you might need to specify a certain version using the full version syntax, xx.xx.xx.xx. For example, you might need to deploy a critical security fix and the Google Update ramp rate does not meet business needs. Or, a specific version has been certified based on your organization's internal testing. Sometimes, minor versions don't reach 100% rollout due to a bug or security fix that requires a new minor version. If you use full version syntax, xx.xx.xx.xx, you're at risk of deploying a version that is not the most recent or has known bugs. Caution: Pinning updates to a specific version of Chrome browser should be done only temporarily, such as while testing a new version of Chrome browser. Don't forget to unpin users' computers or they can fall behind on critical security updates and miss new features. Using Group PolicyIn Group Policy (Computer Configuration folder):
Roll back Chrome browser to a previous version
Applies only to Chrome browser updates. Use this policy at your own risk. To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome browser. Use the Rollback to Target version policy with Target version prefix override to temporarily roll back to a specific version of Chrome browser on Windows computers. By running earlier versions of Chrome browser, you will expose your users to known security issues. Chrome browser stores a snapshot of user information locally on devices after each major version update. By default, the three most recent snapshots are retained. You can use Group Policy to specify how many snapshots you want to keep on users’ devices. For details, read Keep data during version downgrade. If you don’t keep snapshots on users devices (Limits the number of user data snapshots retained for use in case of emergency rollback policy is set to 0), each user’s browsing data is automatically deleted unless you do one of the following options:
Note: You can only use this policy to roll back to the 3 latest major releases of Chrome browser. For information about how to downgrade to earlier Chrome browser versions, see Downgrade your Chrome version. Using Group PolicyIn Group Policy (Computer Configuration folder):
Set Chrome browser to a specific release channel
Applies only to Chrome browser updates. Starting in Chrome version 90, Google Update lets you choose the Stable, Extended stable, Beta, or Dev Chrome browser channel. By default, Chrome follows updates on the Stable channel. For information to help you decide which channel to have your users on, go to Chrome browser release channels. Things to consider
Set Chrome browser to the Stable or Extended stable channel
Stagger updates to reduce bandwidth
Applies to Chrome browser and all apps managed by Google Update.
You can increase the time between update checks to help reduce peak bandwidth use within a network. However, to minimize the total bandwidth used for updates, we recommend that you don’t delay updates. Using Group PolicyIn Group Policy (Computer or User Configuration folder):
Cache Chrome browser updates to reduce bandwidth If your organization has an intermediate proxy cache set up on its network, you can use it to cache Chrome browser updates. The updates downloaded from Google can be cached on most web-caching proxy servers. Proxy caches reduce bandwidth and improve response times by caching and reusing frequently requested webpages. However, many proxy cache default settings aren’t optimal for Chrome browser updates. To make sure that your proxy cache software can cache Chrome browser updates, experienced IT administrators can configure the following settings:
See all Google Update policiesDefault policies (Preferences)
Use Preferences policies to control the default behavior of Google Update. Using Group PolicyIn Group Policy (Computer Configuration folder):
App policies
Applies to Google apps only. Use app policies to control how Google Update interacts with some Google apps. Per-application policies override default policies. Change default app policies
Note: The Allow installation policy for individual apps can override this policy.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain. Update policy override default Available in Google Update version 1.2.145.5Specifies the default policy for software updates from Google.
This setting does not affect updates to Google Update. Google Update will continue to update itself. Change specific app policiesThe Applications folder in Group Policy contains all the Google apps that use Google Update. You can set policies for specific apps.
TroubleshootCreate a log file
If you have trouble with Google automatic updates, gather logs to troubleshoot the problem. To generate Google Update logs:
In C:\ProgramData\Google\Update\Log\GoogleUpdate.log, you should see a log file with details about attempted updates. See below for information about common log entries. View common log entries
[Ignoring group policy][machine is not part of a domain]—Google Update does not believe your computer is joined to a Windows domain controller. Only domain-joined computers will honor policies set for the computer by Group Policy or the registry, such as disabling auto-updates. [Send][url=https://tools.google.com/service/update2][request=>?xml...—Google Update sent a request to Google's servers to see if any updates are available. The request contains details, such as current app version and platform. Google's servers use the details to respond with the correct update. [Send response received][result 0x0][status code 200][<?xml... ...status="noupdate"...—The update check was successful, but Google's servers have no updates that match the client's request. [Send response received][result 0x0][status code 200][<?xml... ...<url codebase="...—The update check was successful and Google's servers recommended an updated version of the app. The response includes the updated version number as well as a number of URLs that the client can use to download the update binary. Verify policies are applied on devices
After you apply any Google Update policies, users need to restart Chrome browser for the settings to take effect. Check users’ devices to make sure the Google Update policies that you set were applied correctly.
QuestionsWhere is Google Update installed?
Depending on the type of installation(s) by the administrator, Google Update will be in one or both of these locations:
How often are Google Update tasks performed?
Google Update runs each hour to see what tasks need to be performed. It evaluates each individual policy setting to determine if a task should be performed in that hour. For example, if you set the Auto-update check period override policy to change the minimum time period between update checks to 480 minutes, then each hour Google Update checks to see if the last update check was more than 480 minutes ago. If not, Google Update waits for the next hourly run and checks again. Similarly, you can set an update suppression period (Time period in each day to suppress auto-update check) and each hour Google Update checks if the current time is within the suppression period, if it is then no update is performed and Google Update waits for the next hourly run and checks again. What URLs are used for Chrome browser updates?
Chrome browser sends requests to multiple URLs when it’s checking for and downloading updates. The order of requests is determined dynamically at runtime. Both HTTP and HTTPS protocols might be tried. The following URL list of hostnames and paths might change in the future:
Note: Although caching Chrome browser to download on computers across your organization isn’t officially supported, you can use the first 2 HTTP URLs in the list to cache the update files for your organization. What URLs are used for extension updates?
Due to the changing nature of the extensions platform and Chrome Web Store, this URL list is subject to change in the future:
What size are Chrome browser updates?
The initial Chrome browser installation is approximately 50 MB. Subsequent updates from one version to the next are approximately 10-15 MB. Patch updates are typically 3–5 MB. Updates from a major version to a later nonconsecutive major version usually require a new complete installation. What if users’ computers already have Chrome?
Chrome’s Enterprise installer (MSI) installs Chrome for all users of a computer. This installer will update the Chrome browser for all users, provided that the version you’re installing is the same or newer than the version previously installed on the computer. If the computer already has the Chrome browser installed for an individual user (in that user’s profile directory), that installation will not be modified by the Chrome Enterprise installer. Instead, the next time the user launches the installation of Chrome in their profile directory, Chrome will detect another installation of Chrome present for all users, uninstall itself, and launch the updated version of the Chrome browser for all users. Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
|