Skip to main content

Windows Google Chrome Browser Policy

Updated over a week ago

The Windows Google Chrome Browser Policy lets you centrally manage key Chrome browser behaviors on Windows devices using Swif.ai. You can use this policy for both:

  • Company-owned devices, and

  • BYOD (Bring Your Own Device), where you want to harden browser behavior without fully locking down the device.

This policy is implemented via the Swif's Windows agent by writing settings to the Windows Registry under Chrome’s enterprise policy keys (for example, HKLM\Software\Policies\Google\Chrome). It does not depend on Windows CSP.

Overview

Policy name: Windows Google Chrome Browser Policy
Supported platforms: Windows 10 and newer
Use cases:

  • Enforce privacy controls by blocking third-party cookies

  • Restrict or force Incognito mode to meet compliance requirements

  • Control whether Chrome keeps running in the background after users close the last window

Once applied and the device syncs with Swif.ai, the agent updates the registry and Chrome begins enforcing the new settings. You can confirm the applied policies in Chrome by navigating to:

chrome://policy

Fields and Configuration

1. Enable Background Mode (backgroundModeEnabled)

Display name: Enable Background Mode
Type: Boolean (On/Off)
Default: true (background mode enabled if you don’t change it)
Supported OS: Windows 10+

What it does

Controls whether Chrome can continue running background apps after the last browser window is closed.

  • When enabled (true):
    Chrome is allowed to keep running background apps and extensions even after all windows are closed. This can improve responsiveness for background services (e.g., messaging extensions, mail checkers), but keeps Chrome processes running and may increase CPU and memory usage.

  • When disabled (false):
    Chrome fully exits when the last window is closed. Background apps and extensions will stop running. This can help reduce resource usage and align with stricter security and privacy postures.

Recommended configurations

  • Security/privacy-focused environments (most corporate setups):
    Set Enable Background Mode = Off (false) so that browser processes terminate when users close Chrome.

  • Use cases requiring persistent background apps:
    Leave Enable Background Mode = On (true) when you rely on extensions or apps that must run continuously.

2. Block Third-Party Cookies (blockThirdPartyCookies)

Display name: Block Third-Party Cookies
Type: Boolean (On/Off)
Default: false (do not block third-party cookies if you don’t change it)
Supported OS: Windows 10+

What it does

Controls whether Chrome blocks third‑party cookies on the browser.

  • When enabled (true):
    Chrome blocks cookies that originate from domains other than the site the user is actively visiting. This significantly reduces cross‑site tracking and can mitigate privacy‑related findings, including some items surfaced in security portals like Microsoft Defender for Endpoint.

  • When disabled (false):
    Third‑party cookies are allowed. This may be necessary for certain legacy web apps, SSO flows, or embedded content that relies on cross‑site cookies.

Recommended configurations

  • Privacy- and compliance‑oriented deployments (most organizations):
    Set Block Third-Party Cookies = On (true) to minimize cross‑site tracking and help address common browser privacy CVEs and security recommendations.

  • Compatibility mode (when specific apps break):
    Temporarily set Block Third-Party Cookies = Off (false) while you test or migrate affected applications.

3. Incognito Mode Availability (incognitoModeAvailability)

Display name: Incognito Mode Availability
Type: Integer (0, 1, or 2)
Default: 0
Range: 0–2
Supported OS: Windows 10+

What it does

Controls how Incognito mode is available in Chrome:

  • 0 – Available (Default)
    Users can choose whether or not to use Incognito mode. This is Chrome’s standard behavior: they can open an Incognito window from the menu.

  • 1 – Disabled
    Incognito mode is completely disabled. Users cannot open private windows. This is useful in highly regulated environments where all browsing activity must be logged or controlled, and where private browsing conflicts with monitoring/compliance requirements.

  • 2 – Forced
    Chrome runs in Incognito mode only. Normal browsing windows are not available. This is sometimes referred to as “Incognito mode only” and is helpful when you want Chrome to avoid persisting browsing history, cookies, or site data between sessions on shared or kiosk-like endpoints.

Recommended configurations

  • Standard corporate user with monitoring (moderate control):

    • Set Incognito Mode Availability = 0 if you allow users to decide on private browsing while other monitoring controls are in place.

  • Strict compliance environments:

    • Set Incognito Mode Availability = 1 to fully disable Incognito and ensure all browsing occurs in standard windows that follow your logging and protection controls.

  • Shared, kiosk, or high-privacy endpoints:

    • Set Incognito Mode Availability = 2 to force Incognito only, so that Chrome does not retain history or site data between sessions.

4. Cloud Management Enrollment Token (cloudManagementEnrollmentToken)

Display name: Cloud Management Enrollment Token
Type: String
Required: Optional
Default: (blank / not set)
Supported OS: Windows 10+

What it does

This field lets you automatically enroll Chrome into Google Chrome Browser Cloud Management on Windows devices.

  • Leave it blank if you do not want Chrome to auto-enroll into Google Cloud Management.

  • When you paste an enrollment token (issued by Google Chrome Enterprise for cloud management), Swif’s Windows agent writes the corresponding Chrome enterprise policy so that Chrome auto-enrolls into Google Cloud Management the next time it reads policy on the device.

Internally, when this field is set:

  • The Windows agent writes a registry value under:

HKLM\SOFTWARE\Policies\Google\Chrome CloudManagementEnrollmentToken REG_SZ <your-token>

  • If you later clear this field in the policy, Swif removes the CloudManagementEnrollmentToken registry value so Chrome is no longer instructed to enroll.

How to obtain the token

Use the Google Admin / Chrome Enterprise console to generate a Chrome Browser Cloud Management enrollment token, then paste that value into this field in the Swif Windows Google Chrome Browser Policy.

Verification (advanced)

After you apply the policy to a Windows device and allow it to sync:

  1. On the device, open an elevated PowerShell or Command Prompt and run:

    reg query "HKLM\SOFTWARE\Policies\Google\Chrome" /v CloudManagementEnrollmentToken

  2. Expected results:

    • If the token is set in the Swif policy:
      CloudManagementEnrollmentToken REG_SZ <your-token>

    • If the field is blank or has been cleared:
      The value does not exist, and reg query reports it cannot find CloudManagementEnrollmentToken.

You can also confirm that Chrome is seeing the policy by navigating to:

chrome://policy

in the browser and checking that CloudManagementEnrollmentToken is listed and marked as applied.

How the Policy Is Applied (Technical Notes)

This section is for admins who want to understand how Swif.ai enforces the settings on Windows.

When you configure this policy in Swif.ai, and a Windows device checks in:

  1. The Swif's Windows agent receives the Windows Google Chrome Browser Policy configuration.

  2. The agent writes the corresponding values into the Windows Registry under Chrome’s policy keys, such as:

    • HKLM\Software\Policies\Google\Chrome

    • On 64-bit systems, also under HKLM\Software\Wow6432Node\Policies\Google\Chrome if relevant.

  3. Chrome reads these policy values on startup and enforces them.

Internally, the registry behaves as follows (for reference):

  • Enable Background Mode (BackgroundModeEnabled)

    • 1 = Enabled

    • 0 = Disabled

  • Block Third-Party Cookies (BlockThirdPartyCookies)

    • 1 = Blocked

    • 0 = Allowed

  • Incognito Mode Availability (IncognitoModeAvailability)

    • 0 = Incognito available

    • 1 = Incognito disabled

    • 2 = Incognito forced only

You can verify the effective values either by:

  • Opening PowerShell and querying the registry, or

  • Opening Chrome and navigating to chrome://policy and confirming the policy values are listed and marked as “OK”.

Best Practices

  • Test on a small device group first.
    Especially when changing Incognito behavior or cookies, validate that key internal and SaaS apps continue to work as expected.

  • Align with your identity and security stack.
    For environments using Microsoft’s security recommendations (e.g., from the Microsoft 365 Defender portal), enabling Block Third-Party Cookies and controlling Incognito Mode can help close common findings related to browser tracking and data retention.

  • Communicate changes to end-users.
    Users may notice:

    • Chrome closing more “completely” when background mode is disabled,

    • Some sites behaving differently when third-party cookies are blocked, or

    • Incognito mode being missing or forced.

    Consider adding a brief user-facing note or FAQ when rolling out these controls widely.

Related Articles
Windows USB policy
Windows-specific MDM policies available in Swif
Managing Google Chrome Browser on macOS Devices with Swif.ai
Linux Google Chrome Browser Policy
Windows Registry Policy
Did this answer your question?