Recently, it appears that Chrome and Edge notifications are being hijacked into pushing people onto fake antivirus websites, such as the one in the example image below. As part of my work on the helpdesk, I often see firsthand how users are tricked into opening PDFs or clicking on links. Thus, we decided to disable Chrome notifications. The procedure described here also works for Microsoft Edge.
Latest posts by Robert Pearman (see all)
Malware exploiting Chrome notifications

These sites switch to full screen mode, often playing beeping alert sounds and trying to scare the victim into following the instructions on screen.

The problem with these sites is that they are spun up so fast that before you have a chance to report the URL, it's been taken down and replaced with a different one.

To proactively stop this on the systems we manage, we have taken advantage of a Chrome policy to block all site notifications by default, allowing only exceptions to show notifications.

For environments with Group Policy, you can manage these settings through the Chrome ADMX templates, which you can download from Google. You will need to copy the ADMX and ADML files to your PolicyDefinitions (usually c:\windows\policydefinitions) folder. You need only copy the two ADMX files and the folder for your language.

ADMX files with language folder

Once you have copied the files, open your Group Policy editor, and browse to:

Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings

Default notification settings can be set as follows:

| Setting | Dword Value |
| --- | --- |
| Allow sites to show desktop notifications | 1 |
| Do not allow any site to show desktop notifications | 2 |
| Ask every time a site wants to show desktop notifications | 3 |

Disable Chrome browser notifications with Group Policy

Then, under Allow notifications on these sites, we can configure our exceptions.

Configuring the site exceptions

For environments without Group Policy, we can achieve the same results using direct registry edits or PowerShell.

Disable Chrome notifications in the Registry

As the above table shows, setting the value of DefaultNotificationsSetting to 2 blocks all sites from sending notifications.

Once the policy is applied, you will see under notification settings for a site that they are now blocked and cannot be changed.

Notifications are blocked

Setting up exceptions requires additional policy settings. Exceptions can be for a specific domain or a wildcard subdomain.

Once the policy is applied, you will see notifications for that site are allowed and cannot be disabled.

Allow notifications for site

To do this, you need to add a new Registry key called NotificationsAllowedForUrls and then set string properties for each URL you want to allow. Like our earlier work with extensions, these must be named as integers, with the value being the relevant URL.

In the example below, we are adding 3cx.co.uk with all subdomains whitelisted.

Whitelisted subdomain 3cx

The [*.] part of the string is what allows us to whitelist subdomains. Otherwise, the notifications would only apply to 3cx.co.uk.

To apply these settings with PowerShell, we need some scripts that you can deploy to your desktop computers.

First, a script to disable notifications.

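# Chrome: create the policy key if it does not exist yet, then block notifications
$chromeKey = "HKLM:\Software\Policies\Google\Chrome"
if(!(Test-Path $chromeKey)){ New-Item $chromeKey -Force | Out-Null }
New-ItemProperty $chromeKey -Name DefaultNotificationsSetting -Value 2 -PropertyType DWord -Force

Disable Chrome notifications with PowerShell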

Second, and a little more involved, a script to add site exceptions. We can do this with the script below.

Similar to our previous example with Extensions, if you want to deploy this with Microsoft Intune, scripts do not accept parameters. Therefore, you would need to remove the parameter section and replace it with a static URL.

param(
    [string]$url
)
$url = "[*.]",$url -join ""
# Check for an empty URL, ignoring the wildcard prefix added above
if(!($url.Replace("[*.]",""))){
    # Empty URL
    $result = "No URL"
}
else{
    Write-Information "Allow Notifications for $url"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }
    # Read the existing allow list; its values are named 1, 2, 3, ...
    $urlList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $urlObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $urlList.add($urlObj) | Out-Null
            Write-Information "URL List Item : $($urlObj.name) / $($urlObj.value)"
        }
        catch{
            # No value with this number, so the end of the list has been reached
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $urlCheck = $urlList | Where-Object {$_.Value -eq $url}
    if($urlCheck){
        $result = "URL Already Exists"
        Write-Information "URL Already Exists"
    }else{
        # Entries are numbered 1..n, so the next free name is n + 1 (also works for an empty list)
        $newURL = $urlList.Count + 1
        New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls -PropertyType String -Name $newUrl -Value $url
        $result = "Installed"
    }
}
$result

Allow notifications for 4sysops.com

Site has been added to Allow list

If you want to allow only the exact site rather than all of its subdomains, you can remove line 4 of the script, which currently prepends the [*.] whitelisting string to the URL you specify.

Remove whitelisting string
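
To confirm that the policy landed as intended, the following added example (not part of the original article) reads both settings back and flags common problems, including numbering gaps that the add script's 1..n scan would stop at. The Edge key path, the function name Get-NotificationPolicy, and the broad-pattern heuristic are assumptions of this example.

```powershell
# Added example: read-only audit of the notification policy described above.
$browsers = [ordered]@{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # assumption: not given in the article
}

function Get-NotificationPolicy {   # hypothetical helper name
    param([string]$Browser, [string]$PolicyKey)
    $findings = @()

    # 2 = do not allow any site to show notifications (see the table above)
    $default = (Get-ItemProperty -Path $PolicyKey -Name DefaultNotificationsSetting -ErrorAction SilentlyContinue).DefaultNotificationsSetting
    if ($null -eq $default) { $findings += 'DefaultNotificationsSetting is not set' }
    elseif ($default -ne 2) { $findings += "DefaultNotificationsSetting is $default, not 2" }

    # Read every value under the allow list, not only the contiguous run 1..n
    $allowKey = Join-Path $PolicyKey 'NotificationsAllowedForUrls'
    $entries = @()
    if (Test-Path $allowKey) {
        $key = Get-Item $allowKey
        $entries = @(foreach ($name in $key.GetValueNames()) {
            [PSCustomObject]@{ Name = $name; Url = [string]$key.GetValue($name) }
        })
    }

    # Value names must be integers; a gap hides later entries from a 1..n scan
    foreach ($e in ($entries | Where-Object { $_.Name -notmatch '^\d+$' })) { $findings += "Value name '$($e.Name)' is not an integer" }
    $numbers = @($entries | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [int]$_.Name } | Sort-Object)
    for ($i = 0; $i -lt $numbers.Count; $i++) {
        if ($numbers[$i] -ne ($i + 1)) { $findings += "Numbering gap before entry $($numbers[$i])"; break }
    }

    # Heuristic (assumption): duplicates are clutter; '*' or '[*.]tld' undoes block-by-default
    foreach ($g in ($entries | Group-Object Url | Where-Object { $_.Count -gt 1 })) { $findings += "Duplicate entry $($g.Name)" }
    foreach ($e in ($entries | Where-Object { $_.Url -match '^(\*|\[\*\.\][^.]+)$' })) { $findings += "Overly broad pattern $($e.Url)" }

    [PSCustomObject]@{
        Browser  = $Browser
        Default  = $default
        Allowed  = $entries.Url
        Findings = $findings
    }
}

$browsers.GetEnumerator() | ForEach-Object { Get-NotificationPolicy -Browser $_.Key -PolicyKey $_.Value } | Format-List
```

An empty Findings list for a browser means the default is set to block and the allow list is well-formed.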

I am curious to learn if you disable browser notifications for Chrome and Edge in your organization.

2 Comments
  1. Surender Kumar 4 weeks ago

    Excellent writeup. Already using this GPO setting in my domain to get rid of notifications.

  2. Vignesh Mudliar 3 weeks ago

    Thank you. This is useful.

© 4sysops 2006 - 2022
