Use Group Policy to block multiple URLs in Google Chrome and Microsoft Edge

#Powershell #Windows

A company I'm working for is decommissioning a Meraki firewall in the near future. With this piece of hardware gone, there would be no web content filtering for all users in the organization.

As a temporary workaround, I moved all of the existing URL blocks from the Meraki dashboard into a Group Policy Object that targets Chrome and Edge. When creating the policy, the Group Policy Management MMC tool only allows you to put one entry in at a time for the URL Blocking. I would need to copy and paste hundreds of entries to get this updated.

There has to be a faster way. I read through this post [A] and it gave me some information about updating a GPO generally. I tweaked it a bit and targeted both Chrome and Edge in my environment.

Here's how I did it.

ADMX template check

Before you can continue, make sure you have the ADMX files added to the Domain Controller.

I won't cover that in this post (basically download the files and copy over to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and en-US folders), but check the following guides for deployment information:

When these ADMX templates are added, go to the next step.

Create a Group Policy Object

Now, let's create a GPO policy and change one option per app (Chrome or Edge).

Open the Group Policy Management MMC. Right click on the “Group Policy Objects” container/folder and select “New”:

In the popup, give your GPO a name that you'll remember. Keep the “Source Starter GPO” set to (none).

When that's created, move to the next step to define your blocked sites.

Create the URL list file

The Chromium documentation for this Group Policy Object [A] states that putting in a simple domain name of example.com will block all http and https requests to any subdomains and the root.

I created a list of URLs in Notepad with one entry on each line, like this example:

facebook.com
twitter.com
youtube.com

This was an easy copy and paste from the Meraki Group Policies page at Network Wide > Configure > Group Policies:

Run some Powershell commands

For these Powershell commands to run, first make sure you are able to connect to a writable Domain Controller. It might be easier to remote into the server and run the commands locally.

I would also recommend appending -whatif to the end of the Set-GPRegistryValue in the command below if you're not sure you've done everything correctly.

Also make sure to change the -name of your GPO to match the one you created in the first few steps.

For adding the URL blocks in Google Chrome, use this command:

Get-Content .\URLlist.txt | foreach {
     Set-GPRegistryValue -Name 'XXXyourGPOnameXXX' -ValueName $_ -Type String -Value $_ -Key "HKLM\Software\Policies\Google\Chrome\URLBlocklist"    
}

For adding the URL blocks in Microsoft Edge, use this command:

Get-Content .\URLlist.txt | foreach {
     Set-GPRegistryValue -Name 'XXXyourGPOnameXXX' -ValueName $_ -Type String -Value $_ -Key "HKLM\Software\Policies\Microsoft\Edge\URLBlocklist"    
}

Caveats

Running these Powershell commands can take a long time if you have a lot of entries. My final version had over 100 lines and took about 15 minutes to complete.

You can verify that this worked by opening the Group Policy Management Editor again and clicking on your Policy Object. Select the “Settings” tab. Click “Show All” at the right side and scroll down to the section labelled “Block access to a list of URLs”:

If you need to add/update or remove a URL from this list later on, right click on the Policy Object and select “Edit”. Navigate to the following location:

From there, you can click on the “Show” button to make changes to each line.

Discuss...