Let’s discuss how to Block Malicious Downloads and Dangerous File Types in Google Chrome with Intune Policy. The Allow download restrictions setting helps you to control how Chrome handles file downloads and protects users from unsafe files.
When this policy is turned on, users cannot bypass Chrome’s security decisions for downloads. Chrome uses Safe Browsing technology to check files and warn about possible risks like viruses, malware, or unsafe content.
There are different types of risky downloads that Chrome can block. These include malicious files (detected by Safe Browsing servers), uncommon or unwanted files that could harm devices or change settings, and dangerous file types such as .exe or .swf that are often abused by attackers. Depending on how strict the policy is set, Chrome will block different combinations of these categories.
In this post, you will learn how to block malicious downloads and dangerous file types in Google Chrome using an Intune policy. This setting helps protect users by making sure they cannot bypass Chrome’s security checks when downloading files.
Table of Contents
How to Block Malicious Downloads and Dangerous File Types in Google Chrome with Intune Policy
With this policy, admins can decide whether to block only harmful files, uncommon files, or even all downloads, depending on the level of protection needed. It’s a useful way to keep devices safe from viruses, unwanted software, and risky file types while still giving flexibility to organisations.
- Sign in to the Microsoft Intune Admin Center.
- Navigate to Devices.
- Under Manage devices, select Configuration.
- Go to Policies > Create > New policy.
- In the Create a profile window:
- Select Platform: Windows.
- Select Profile type: Settings Catalog.
- Click the Create button to proceed.
- Block Password Manager on Google Chrome Browser using Microsoft Intune Policy Settings Catalog
- Enhanced Application Security with Copilot and Endpoint Privilege Management
- Importance of Potentially Unwanted App Protection in Microsoft Edge
Basic Settings
In the Basics tab, provide the policy details clearly so it is easy to identify later. For the Name, you can enter something like Allow Download Restrictions – Block Malicious Downloads and Dangerous File Types, which directly explains the purpose of the policy. In the Description, you can mention that this policy is used to block unsafe downloads in Google Chrome and is deployed through Intune.
Intune Settings Catalog
With the help of Intune settings catalog you can choose which settings you want to configure. Click on Add settings to browse or search the catalog for the settings you want to configure. The below screenshot helps you to show more details.
Google Chrome to View the Available Configuration Options
In the Settings picker window, search for Google Chrome to view the available configuration options. You will see different categories of Chrome settings, such as Default Settings users can override Content settings, Default Settings users can override Default search provider, Default Settings users can override Deprecated policies, and more.
These options allow you to control how Chrome behaves on managed devices. By selecting the right category, you can configure specific policies like download restrictions, ensuring that users cannot change or bypass the rules set by the administrator.
- Here i select the Google Chrome – Default Settings users can override
- There are 58 results under Google Chrome – Default Settings users can override Content settings. Now I select the Allow Download restrictions policy
Allow Download Restrictions
After selecting Allow download restrictions, you will notice that the policy is set to Disabled by default. This means no special download restrictions are applied unless you change the setting. To enforce security, you need to configure this policy to block malicious files, dangerous file types, or other categories based on your organisation’s needs.
Enable Download Restrictions Policy
Once you enable the Allow download restrictions policy, you will see an additional option called Download restrictions. By default, this setting is set to No special restrictions, which means Chrome will not block any downloads unless you choose a stricter level. You can then change this value to block malicious files, dangerous file types, uncommon files, or even all downloads, depending on the security needs of your organization.
Download Restrictions Device Settings
Under the Download restrictions device settings, you will find multiple options to choose from. In this case, we select the option Block malicious downloads and dangerous file types. This ensures that Chrome will automatically block files flagged as harmful by Safe Browsing, as well as risky file types like executable files that could damage the device. It provides strong protection for users while still allowing safe and trusted downloads.
| Download Restrictions (Device) |
|---|
| No special restrictions. Default. |
| Block malicious downloads and dangerous file types. |
| Block malicious downloads, uncommon or unwanted downloads and dangerous file types. |
| Block all downloads. |
| Block malicious downloads. Recommended. |
Control Who can See and Manage Specific Policies
In Intune, a scope tag is a way to control who can see and manage specific policies or profiles. It’s mainly used when different administrators are responsible for different groups of devices or users. The below window helps you to show more details.
User or Device Groups to Receive the Policy
The Assignments step is the fourth stage, where you choose which user or device groups should receive the policy. This allows you to target the right set of people in your organization. Here i select the HTMD CPC – Test group.
Review + Create Step
In the Review + Create step, you can go through all the details you have configured for the policy. This gives you a final chance to confirm everything is correct before applying the policy. Once you are satisfied, click on Create.
Device and User Check in Status
After deploying the Allow Download Restrictions device configuration profile, you can check the device and user check-in status to confirm if the policy is applied successfully. In this case, the report shows Succeeded: 1, which means the policy has been applied correctly to one device or user.
There are no errors, conflicts, or pending actions, as the values for Error, Conflict, Not applicable, and In Progress are all 0. This confirms that the policy is working as expected without any issues.
Client Side Verification
The log entry from MDM PolicyManager shows that the Download Restrictions (recommended) policy has been set for Google Chrome through Intune. It confirms that the policy is enabled and the value is set to 1, which means it will block malicious downloads and dangerous file types.
MDM PolicyManager: Set policy string, Policy: (DownloadRestrictions_recommended), Area:
(chromelntuneV1~Policy~gooqlechrome_recommended), EnrollmentlD requestinq merge:
(EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), Strinq: (), Enrollment Type: (0x6), Scope: (0x0).
- Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
- Search for Event ID 813 or 814 for configuration profile status updates.
How to Remove the Assigned Group from the Download Restrictions Policy
If you no longer want a specific group to be targeted by the Download Restrictions policy, you can remove it from the assignments. Read more – How to Remove Assigned Group from Energy Saver Battery Threshold Policy in Intune Settings Catalog.
How to Delete the Download Restrictions Policy
To completely remove the Download Restrictions policy, you can delete it from the Intune portal. This is useful when the policy is no longer needed or if you want to replace it with an updated configuration.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.