Disable browser notifications in Chrome

• Author
• Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

• Run Exchange Online commands using Azure Automation - Tue, Jul 25 2023
• Connect to Exchange Online with PowerShell and certificate-based authentication - Wed, Jul 19 2023
• Office Deployment Tool (ODT): Deploy Office using custom XML files - Thu, Mar 30 2023

Malware exploiting Chrome notifications

These sites switch to full screen mode, often playing beeping alert sounds and trying to scare the victim into following the instructions on screen.

The problem with these sites is that they are spun up so fast that before you have a chance to report the URL, it's been taken down and replaced with a different one.

To proactively stop this on the systems we manage, we have taken advantage of a Chrome policy to block all site notifications by default, allowing only exceptions to show notifications.

For environments with Group Policy, you can manage these settings through the Chrome ADMX templates, which you can download from Google. You will need to copy the ADMX and ADML files to your PolicyDefinitions (usually c:\windows\policydefinitions) folder. You need only copy the two ADMX files and the folder for your language.

ADMX files with language folder

Once you have copied the files, open your Group Policy editor, and browse to:

Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings

Default notification settings can be set as follows:

Disable Chrome browser notifications with Group Policy

Then, under Allow notifications on these sites, we can configure our exceptions.

Configuring the site exceptions

For environments without Group Policy, we can achieve the same results using direct registry edits or PowerShell.

Disable Chrome notifications in the Registry

As the above table shows, setting the value of DefaultNotificationsSetting to 2 blocks all sites from sending notifications.

Once the policy is applied, you will see under notification settings for a site that they are now blocked and cannot be changed.

Notifications are blocked

Setting up exceptions requires additional policy settings. Exceptions can be for a specific domain or a wildcard subdomain.

Once the policy is applied, you will see notifications for that site are allowed and cannot be disabled.

Allow notifications for site

To do this, you need to add a new Registry key called NotificationsAllowedForUrls and then set string properties for each URL you want to allow. Like our earlier work with extensions, these must be named as integers, with the value being the relevant URL.

In the example below, we are adding 3cx.co.uk with all subdomains whitelisted.

Whitelisted subdomain 3cx

The [*.] part of the string is what allows us to whitelist subdomains. Otherwise, the notifications would only apply to 3cx.co.uk.

We need to make some scripts that you have to deploy to your desktop computers.

First, a script to disable notifications.

# Chrome
New-ItemProperty HKLM:\Software\Policies\Google\Chrome -Name DefaultNotificationsSetting -value 2 -propertyType dword -force

Disable Chrome notifications with PowerShell

Second, and a little more involved, a script to add on site exceptions. We can do this with the script below.

Similar to our previous example with Extensions, if you want to deploy this with Microsoft Intune, scripts do not accept parameters. Therefore, you would need to remove the parameter section and replace it with a static URL.

param(
    [string]$url
)
$url = "[*.]",$url -join ""
if(!($url)){
    # Empty Extension
    $result = "No Extension ID"
}
else{
    Write-Information "Allow Notifications for $url"
    $regKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls"
    if(!(Test-Path $regKey)){
        New-Item $regKey -Force
        Write-Information "Created Reg Key $regKey"
    }
    # Add Extension to Chrome
    $urlList = New-Object System.Collections.ArrayList
    $number = 0
    $noMore = 0
    do{
        $number++
        Write-Information "Pass : $number"
        try{
            $install = Get-ItemProperty $regKey -name $number -ErrorAction Stop
            $urlObj = [PSCustomObject]@{
                Name = $number
                Value = $install.$number
            }
            $urlList.add($urlObj) | Out-Null
            Write-Information "URL List Item : $($urlObj.name) / $($urlObj.value)"
        }
        catch{
            $noMore = 1
        }
    }
    until($noMore -eq 1)
    $urlCheck = $urlList | Where-Object {$_.Value -eq $url}
    if($urlCheck){
        $result = "URL Already Exists"
        Write-Information "URL Already Exists"
    }else{
        $newURL = $urlList[-1].name + 1
        New-ItemProperty HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls -PropertyType String -Name $newUrl -Value $url
        $result = "Installed"
    }
}
$result

Allow notifications for 4sysops.com_

Site has been added to Allow list

If you do not want to allow an entire URL, you can remove line 4 of the script, which currently adds the whitelisting string automatically to the URL you specify.

Remove whitelisting string

I am curious to learn if you disable Browser notification for Chrome and Edge in your organization.