These sites switch to full screen mode, often playing beeping alert sounds and trying to scare the victim into following the instructions on screen.
The problem with these sites is that they are spun up so fast that before you have a chance to report the URL, it's been taken down and replaced with a different one.
To proactively stop this on the systems we manage, we have taken advantage of a Chrome policy to block all site notifications by default, allowing only exceptions to show notifications.
For environments with Group Policy, you can manage these settings through the Chrome ADMX templates, which you can download from Google. You will need to copy the ADMX and ADML files to your PolicyDefinitions (usually c:\windows\policydefinitions) folder. You need only copy the two ADMX files and the folder for your language.
Once you have copied the files, open your Group Policy editor, and browse to:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
Default notification settings can be set as follows:
| Setting | Dword Value |
| --- | --- |
| Allow sites to show desktop notifications | 1 |
| Do not allow any site to show desktop notifications | 2 |
| Ask every time a site wants to show desktop notifications | 3 |
Then, under Allow notifications on these sites, we can configure our exceptions.
For environments without Group Policy, we can achieve the same results using direct registry edits or PowerShell.
As the above table shows, setting the value of DefaultNotificationsSetting to 2 blocks all sites from sending notifications.
Once the policy is applied, you will see under notification settings for a site that they are now blocked and cannot be changed.
Setting up exceptions requires additional policy settings. Exceptions can be for a specific domain or a wildcard subdomain.
Once the policy is applied, you will see notifications for that site are allowed and cannot be disabled.
To do this, you need to add a new Registry key called NotificationsAllowedForUrls and then set string properties for each URL you want to allow. Like our earlier work with extensions, these must be named as integers, with the value being the relevant URL.
In the example below, we are adding 3cx.co.uk with all subdomains whitelisted.
The [*.] part of the string is what allows us to whitelist subdomains. Otherwise, the notifications would only apply to 3cx.co.uk.
To apply these settings with PowerShell, we need two scripts that you deploy to your desktop computers.
First, a script to disable notifications.
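```powershell
# Chrome: block notifications from all sites by default (2 = do not allow)
$regKey = "HKLM:\Software\Policies\Google\Chrome"
if(!(Test-Path $regKey)){ New-Item $regKey -Force | Out-Null }  # New-ItemProperty fails if the key is missing
New-ItemProperty $regKey -Name DefaultNotificationsSetting -Value 2 -PropertyType DWord -Force
```
Second, and a little more involved, a script to add site exceptions. We can do this with the script below.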
Similar to our previous example with Extensions, if you want to deploy this with Microsoft Intune, scripts do not accept parameters. Therefore, you would need to remove the parameter section and replace it with a static URL.
```powershell
param(
    [string]$url
)
$url = "[*.]",$url -join ""
if($url -in "", "[*.]"){
    # No URL supplied: the value is empty or only the wildcard prefix
    $result = "No URL"
}
else{
    Write-Information "Allow Notifications for $url"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force | Out-Null
        Write-Information "Created Reg Key $regKey"
    }
    # Read the existing allowed URLs (string values named 1, 2, 3, ...)
    $urlList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $urlObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $urlList.add($urlObj) | Out-Null
            Write-Information "URL List Item : $($urlObj.name) / $($urlObj.value)"
        }
        catch{
            # No value with this number exists, so the list ends here
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $urlCheck = $urlList | Where-Object {$_.Value -eq $url}
    if($urlCheck){
        $result = "URL Already Exists"
        Write-Information "URL Already Exists"
    }else{
        # Next free name; entries are numbered sequentially from 1
        $newURL = $urlList.Count + 1
        New-ItemProperty $regKey -PropertyType String -Name $newURL -Value $url | Out-Null
        $result = "Installed"
    }
}
$result
```
If you do not want to allow all subdomains of a URL, you can remove line 4 of the script, which currently prepends the [*.] whitelisting string to the URL you specify.
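Going beyond the single-URL script, the following added example (not the author's code) applies the whole policy as a desired state with a static list, which also suits Intune since it takes no parameters. It sets the default to block, appends any missing exceptions and warns about entries that are not on the approved list. The `[*.]example.com` pattern and all variable names are assumptions for illustration.

```powershell
# Added example: desired-state script for the Chrome notification policy.
# The patterns in $allowed are constructed placeholders; replace them with your own.
$allowed   = @('[*.]3cx.co.uk', '[*.]example.com')
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$allowKey  = Join-Path $chromeKey 'NotificationsAllowedForUrls'

# Make sure both policy keys exist before writing values.
foreach ($key in $chromeKey, $allowKey) {
    if (!(Test-Path $key)) { New-Item $key -Force | Out-Null }
}

# 2 = do not allow any site to show desktop notifications.
New-ItemProperty $chromeKey -Name DefaultNotificationsSetting -Value 2 `
    -PropertyType DWord -Force | Out-Null

# Read the existing integer-named string values into a table (name -> pattern).
$existing = @{}
$item = Get-Item $allowKey
foreach ($name in $item.GetValueNames()) {
    if ($name -match '^\d+$') { $existing[[int]$name] = [string]$item.GetValue($name) }
}

# Append each missing pattern under the next free integer name.
$next = 1
if ($existing.Count -gt 0) {
    $next = [int]($existing.Keys | Measure-Object -Maximum).Maximum + 1
}
foreach ($pattern in $allowed) {
    if ($existing.Values -contains $pattern) { continue }
    New-ItemProperty $allowKey -Name $next -Value $pattern -PropertyType String | Out-Null
    $existing[$next] = $pattern
    $next++
}

# Flag exceptions that are present but not on the approved list, for review.
$unexpected = @($existing.GetEnumerator() | Where-Object { $allowed -notcontains $_.Value })
foreach ($entry in $unexpected) {
    Write-Warning "Unapproved notification exception: $($entry.Key) = $($entry.Value)"
}
"Default=2; allowed entries: $($existing.Count); unapproved: $($unexpected.Count)"
```

Run it elevated, since it writes under HKLM. Re-running it is safe because patterns that already exist are skipped.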
I am curious to learn if you disable Browser notification for Chrome and Edge in your organization.
Excellent writeup. Already using this GPO setting in my domain to get rid of notifications.
Thank you. This is useful.
I’m struggling with the syntax in PowerShell to add multiple URLs into the same script, e.g. [*.]3cx.co.uk and [*.]3ccx.uk.
Are you able to give an example of how I’d achieve this?
The script is written for a single URL per run, but each run should add an additional URL.