As a Microsoft Windows administrator, you can use Google Update to manage how your users' Chrome browser and Chrome apps are updated. You can manage Google Update settings using the Group Policy Management Editor.
You can see the values of Google Update policies set for a computer in the Chrome policy list at chrome://policy.
Note: Only domain-joined or MDM-managed computers honor policies set for the computer by Group Policy. Therefore, you must ensure that all your devices are joined to a Windows domain controller or Microsoft Entra ID domain, or are MDM-managed.
Step 1: Install Google Update
Use an administrative template to install and define policies for Google Update. Microsoft Windows 7 and later supports both ADM and ADMX templates. Download the appropriate Google Update policy template for your Windows network:
Microsoft Windows Vista and later
- Download and unzip the administrative template XML-based (ADMX).
- Open the GoogleUpdateAdmx folder.
- Copy google.admx and GoogleUpdate.admx and put them in your Policy Definitions folder. (Example: C:\Windows\PolicyDefinitions)
- In the GoogleUpdateAdmx/en-US folder, copy the google.adml and GoogleUpdate.adml files and put them in the en-US folder in Policy Definitions. (Example: C:\Windows\PolicyDefinitions\en-US)
- Open Group Policy and go to Computer ConfigurationPoliciesAdministrative TemplateGoogleGoogle Update to verify that the template loaded correctly.
Microsoft XP
- Download the administrative template (ADM).
- Copy the GoogleUpdate.adm file into the Policy Definitions folder. (Example: C:\Windows\PolicyDefinitions)
- Open Group Policy and go to Computer ConfigurationPoliciesAdministrative TemplateGoogleGoogle Update to verify that the template loaded correctly.
Step 2: Configure auto-updates
Applies to Chrome browser and all apps managed by Google Update.
Using Group Policy
We recommend that you keep auto-updates turned on so that your users receive critical security fixes and new features as they become available.
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle UpdateApplications.
- Enable the Update policy override default policy.
- Under Options, choose Allow updates (recommended).
- Go to GoogleGoogle UpdateApplicationsGoogle Chrome and repeat steps 2 and 3 to make sure auto-updates are also always allowed for Chrome browser.
You can optionally override this setting for an individual app by using the Update policy override policy in the specific app folder.
If you need to stop Chrome browser updates, you can turn off automatic updates and prevent users from manually updating the browser themselves. Even if you turn off updates, Google Update continues to check for new updates.
Important: We do not recommend turning off browser updates. Doing so prevents software fixes and security patches from being applied to Chrome browser. You are also at risk of crashes and security vulnerabilities. If you must turn off updates, make sure you have a process to ensure timely updates throughout your network. Better yet, include a plan to re-enable updates as soon as possible.
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle UpdateApplicationsGoogle Chrome.
- Turn on Update policy override.
- Under Options, choose Disable updates.
If you turned off Chrome browser updates, check to make sure they’re also turned off on users’ computers:
- On each user computer, open Chrome browser and at the top, click More Settings.
- On the left, click MenuAbout Chrome.
You should see a note that updates are disabled by an administrator.
Important: Turning off all app updates prevents software fixes and security patches from being automatically applied to all Google software.
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle UpdateApplications.
- Turn on Update policy override default.
- Under Options, select Disable updates.
Even when app updates are turned off, Google Update continues to update itself.
Applies only to Chrome browser components
Even if you turn off updates for Chrome browser, browser components, such as Widevine DRM, won’t automatically stop updating.
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle Chrome.
- Disable Enable component updates in Google Chrome.
- Click Apply.
Note: This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.
Step 3: Customize updates
Applies to Chrome browser and all apps managed by Google Update.
You can prevent auto-updates from occurring during certain time periods, such as during your organization’s peak working hours.
Using Group Policy
In Group Policy (Computer or User Configuration folder):
- Go to GoogleGoogle UpdatePreferences.
- Enable Time period in each day to suppress auto-update check.
- Under Options, set values for Hour, Min, and Duration to prevent Google Update from checking for updates during the time you specify.
Note: Duration is the only required field, and you must enter at least 1.
Applies only to Chrome browser updates.
You can specify the Chrome browser version (major milestone or specific full version) that you want Windows computers to update to. Google gradually updates computers on the Stable channel to new versions of Chrome browser over a few weeks. Sometimes, updates might take longer.
- Specify the major milestone using the xx. syntax—Computers continue to receive security updates for as long as the milestone that you specified is the major version on the Stable channel. Chrome browser updates to the latest minor release after rollout reaches 100%. This can take a few weeks.
- Specify the full version using the xx.xx.xx.xx syntax—Computers update to the exact version that you specify as soon as it's available.
In general, we recommend that you use the major milestone syntax, xx., to make sure that devices remain on the latest version for that milestone. However, sometimes you might need to specify a certain version using the full version syntax, xx.xx.xx.xx. For example, you might need to deploy a critical security fix and the Google Update ramp rate does not meet business needs. Or, a specific version has been certified based on your organization's internal testing.
Sometimes, minor versions don't reach 100% rollout due to a bug or security fix that requires a new minor version. If you use full version syntax, xx.xx.xx.xx, you're at risk of deploying a version that is not the most recent or has known bugs.
Caution: Pinning updates to a specific version of Chrome browser should be done only temporarily, such as while testing a new version of Chrome browser. Don't forget to unpin users' computers or they can fall behind on critical security updates and miss new features.
Using Group Policy
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle UpdateApplicationsGoogle Chrome.
- Enable Target version prefix override.
- Under Options, enter the Chrome browser version that you want users to receive.
If you want to pin updates to the highest available major version, include a period (.) after the version number. For example, enter 90. to allow browsers to update to the highest available version of Chrome 90.
Note: You can use version numbers with up to 4 parts, such as 90.0.3945.117.
Applies only to Chrome browser updates. Use this policy at your own risk.
To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome browser. Use the Rollback to Target version policy with Target version prefix override to temporarily roll back to a specific version of Chrome browser on Windows computers. By running earlier versions of Chrome browser, you will expose your users to known security issues.
Chrome browser stores a snapshot of user information locally on devices after each major version update. By default, the three most recent snapshots are retained. You can use Group Policy to specify how many snapshots you want to keep on users’ devices. For details, read Keep data during version downgrade.
If you don’t keep snapshots on users devices (Limits the number of user data snapshots retained for use in case of emergency rollback policy is set to 0), each user’s browsing data is automatically deleted unless you do one of the following options:
- Turn on Chrome sync—You can use group policy to turn on Chrome sync for all users or advise them to turn it on themselves. For details, see Force users to sign in to Chrome browser. After you roll back, users need to sign in again to Chrome browser to see their synced information.
- Turn on roaming user profiles—If you turn on the roaming profile policy in Chrome browser, users who sign in to a Windows computer in your organization will automatically see their synced information when they open Chrome browser. For details, see Use Chrome browser with Roaming User Profiles.
Note: You can only use this policy to roll back to the 3 latest major releases of Chrome browser. For information about how to downgrade to earlier Chrome browser versions, see Downgrade your Chrome version.
Using Group Policy
In Group Policy (Computer Configuration folder):
- (Recommended) Turn on Chrome sync for all users in your organization.
- Go to GoogleGoogle UpdateApplicationsGoogle Chrome.
- Enable Rollback to Target version.
- Click OK.
- Enable Target version prefix override.
- Under Options, in the Target version prefix box, enter the release number of the major version of Chrome browser that you want users to roll back to. For example, enter 89. to roll back to the latest release of version 89.
- Click OK.
Applies only to Chrome browser updates.
Starting in Chrome version 90, Google Update lets you choose the Stable, Extended stable, Beta, or Dev Chrome browser channel. By default, Chrome follows updates on the Stable channel.
For information to help you decide which channel to have your users on, go to Chrome browser release channels.
Things to consider
- Moving to a more stable channel— When you move a browser to a more stable channel, such as from Beta to Stable, the more stable channel is likely to have a lower version number.
For example, Stable is on version 90 when Beta is on version 91. By default, Chrome will wait to switch channels until a higher version of Chrome is available. It will not downgrade to a lower version. - Moving to an extended stable channel— When you move to an extended stable channel, we recommend you use the Rollback to Target version policy to let Chrome browser roll back to a previous version. Otherwise, Chrome browser might not get the latest security fixes.
For example, if you’re on Chrome version 95 and you switch from Stable channel to Extended stable channel, the browser no longer gets security fixes for Chrome version 95. Chrome only gets security fixes when you roll back to Chrome version 94—the previous extended stable version. -
To switch Chrome to a channel with a lower version, set TargetChannel to your desired channel and instruct Chrome to rollback to your desired version. For details, see Roll back Chrome browser to a previous version above.
Set Chrome browser to the Stable or Extended stable channel
- (Recommended) Turn on Chrome sync for all users in your organization.
- In Group Policy (Computer Configuration folder), go to GoogleGoogle UpdateApplicationsGoogle Chrome.
- Enable Target Channel override.
- Under Options, set Target Channel. Enter the value stable or extended.
- Click OK.
- To get Chrome to switch to a more stable channel immediately, enable Rollback to Target version.
- Click OK.
Applies to Chrome browser and all apps managed by Google Update.
You can increase the time between update checks to help reduce peak bandwidth use within a network. However, to minimize the total bandwidth used for updates, we recommend that you don’t delay updates.
Using Group Policy
In Group Policy (Computer or User Configuration folder):
- Go to Google Google Update Preferences.
- Enable Auto-update check period override.
- Under Options, in the Minutes between update checks box, enter a value between 1 and 43,200 to specify the number of minutes between updates.
If your organization has an intermediate proxy cache set up on its network, you can use it to cache Chrome browser updates. The updates downloaded from Google can be cached on most web-caching proxy servers. Proxy caches reduce bandwidth and improve response times by caching and reusing frequently requested webpages.
However, many proxy cache default settings aren’t optimal for Chrome browser updates. To make sure that your proxy cache software can cache Chrome browser updates, experienced IT administrators can configure the following settings:
- Maximum file object size— Updates are downloaded as one file, so make sure that the maximum file object size is 100mb.
To cache updates, enable the Google Update policy and set the Download URL class override option to cacheable.
- URL settings—If the server allows you to add settings for particular domains, give preference to dl.google.com/* and google.com/dl/*. This is where devices get Chrome browser updates.
- Cache space—The total amount of space that the server can use to cache objects. If you have more than 30 GB of cache storage, you can increase the value to cache more objects.
See all Google Update policies
Use Preferences policies to control the default behavior of Google Update.
Using Group Policy
In Group Policy (Computer Configuration folder):
- Go to GoogleGoogle UpdatePreferences.
- Enable the policy and set the Options that will govern all the apps listed in Group Policy. (Examples below)
Note: These policies can be overridden if conflicting policies are set at the app level.
Policy | Description |
---|---|
Auto-update check period override | Available in Google Update version 1.2.145.5 Minimum number of minutes between automatic update checks. When enabled, the policy overrides the default period. Allowed values are between 1 and 43,200 minutes. We recommend that you don’t disable all auto-update checks. Disabling sets the value of UpdatedDefault to zero (0) in the Windows registry. If you do disable all checks, apps that use Google Update no longer automatically update. And, you can’t update apps that don’t have the manual update feature. To prevent updates for a specific app, you should instead use the Update policy override policy for that app (details below). |
Download URL class override | Available in Google Update version 1.3.26.1 Provides a hint for the update servers about the update payload URLs returned in the update response. Currently, you can only choose cacheable. When enabled, this policy might result in the server responding with a payload that could be cached by downstream proxies or similar types of content-caching solutions. The server can ignore it, depending on load and several other reasons. By default, the update payloads can’t be cached in most cases. Usually, it isn't an issue for consumer instances of Chrome, but it might be a problem for some enterprise environments. |
Time period in each day to suppress auto-update check | Available in Google Update version 1.3.33.6 If this setting is enabled, update checks will be suppressed during each day starting from Hour:Minute for a period of Duration (in minutes). Duration does not account for daylight savings time. For example, if the start time is 22:00 and the duration is 480 minutes, the updates will be suppressed for 8 hours regardless of whether daylight savings time changes happen in between. |
Cloud policy takes precedence over group policy |
Available in Google Update version 1.3.35.441 Enables cloud policies from the Admin console to override group policies. |
Applies to Google apps only.
Use app policies to control how Google Update interacts with some Google apps. Per-application policies override default policies.
Change default app policies
- In Group Policy, go to GoogleGoogle UpdateApplications.
- Open, turn on, and set the policy options for all apps (details below).
Policy | Description |
---|---|
Allow installation default |
Available in Google Update version 1.2.145.5 Note: The Allow installation policy for individual apps can override this policy.
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain. |
Update policy override default | Available in Google Update version 1.2.145.5 Specifies the default policy for software updates from Google.
This setting does not affect updates to Google Update. Google Update will continue to update itself. |
Change specific app policies
The Applications folder in Group Policy contains all the Google apps that use Google Update. You can set policies for specific apps.
- In Group Policy, go to GoogleGoogle UpdateApplicationsapp name.
- Turn on the policy that you want to change (details below).
Policy | Description |
---|---|
Allow installation |
Available in Google Update version 1.2.145.5
This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain. |
Rollback to Target version |
Specifies that Google Update should roll back installations of the Google app to the version dictated by Target version prefix override or Target channel override. When this policy is turned on, installs with a version higher than that specified by the target overrides are rolled back to the highest available version that matches the target version. If no target override is set, this policy has no effect. This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain. |
Target Channel override | Specifies the name of the release channel that the Google app should follow when receiving updates. Google Chrome supports Stable, Beta, and Dev. |
Target version prefix override | Available in Google Update version 1.3.33.5 Specifies which version the Google app should be updated to. When this policy is turned on, the app will be updated to the version prefixed with this policy value. For example, entering 90, 55.24, or 90.24.34 are all valid values for Google Chrome. As with the other values, entering 90 will allow Google Update to continue getting released updates until the first version of 91 is released. |
Update policy override | Available in Google Update version 1.2.145.5 Specifies how Google Update handles available updates for a specific app.
|
Troubleshoot
If you have trouble with Google automatic updates, gather logs to troubleshoot the problem.
Create the log file
Windows: System-wide installations
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Windows: Per user installations
%LOCALAPPDATA%\Google\GoogleUpdater\updater.log
[Ignoring group policy][machine is not part of a domain]—Google Update does not believe your computer is joined to a Windows domain controller. Only domain-joined computers will honor policies set for the computer by Group Policy or the registry, such as disabling auto-updates.
[Send][url=https://tools.google.com/service/update2][request=>?xml...—Google Update sent a request to Google's servers to see if any updates are available. The request contains details, such as current app version and platform. Google's servers use the details to respond with the correct update.
[Send response received][result 0x0][status code 200][<?xml... ...status="noupdate"...—The update check was successful, but Google's servers have no updates that match the client's request.
[Send response received][result 0x0][status code 200][<?xml... ...<url codebase="...—The update check was successful and Google's servers recommended an updated version of the app. The response includes the updated version number as well as a number of URLs that the client can use to download the update binary.
After you apply any Google Update policies, users need to restart Chrome browser for the settings to take effect. Check users’ devices to make sure the Google Update policies that you set were applied correctly.
- On a managed device, go to chrome://policy.
- Click Reload policies.
- Check the Show policies with no value set box.
- Scroll to Google Update Policies.
- For the policies that you set, make sure that Status is set to OK.
- For the policies that you set, make sure that the policy values match what you set in the policy.
Questions
Depending on the type of installation(s) by the administrator, Google Update will be in one or both of these locations:
- Per machine: %ProgramFiles(x86)%\Google\Update
- Per user: %LOCALAPPDATA%\Google\Update
Google Update runs each hour to see what tasks need to be performed. It evaluates each individual policy setting to determine if a task should be performed in that hour.
For example, if you set the Auto-update check period override policy to change the minimum time period between update checks to 480 minutes, then each hour Google Update checks to see if the last update check was more than 480 minutes ago. If not, Google Update waits for the next hourly run and checks again.
Similarly, you can set an update suppression period (Time period in each day to suppress auto-update check) and each hour Google Update checks if the current time is within the suppression period, if it is then no update is performed and Google Update waits for the next hourly run and checks again.
Chrome browser sends requests to multiple URLs when it’s checking for and downloading updates. The order of requests is determined dynamically at runtime. Both HTTP and HTTPS protocols might be tried. The following URL list of hostnames and paths might change in the future:
- google.com/dl/*
- dl.google.com/*
- google.com/dl/*
- *.gvt1.com
- tools.google.com/service/update2
- clients2.google.com
- update.googleapis.com/service/update2
- clients4.google.com
- https://m.google.com/devicemanagement/data/api
- mobile.l.google.com
Note: Although caching Chrome browser to download on computers across your organization isn’t officially supported, you can use the first 2 HTTP URLs in the list to cache the update files for your organization.
Due to the changing nature of the extensions platform and Chrome Web Store, this URL list is subject to change in the future:
- clients2.googleusercontent.com/crx/blobs/*
The initial Chrome browser installation is approximately 50 MB. Subsequent updates from one version to the next are approximately 10-15 MB. Patch updates are typically 3–5 MB. Updates from a major version to a later nonconsecutive major version usually require a new complete installation.
Google Update checks for the latest update approximately every 5 hours. In a large organization with many Windows computers, updates are staggered throughout the 5-hour period.
Chrome’s Enterprise installer (MSI) installs Chrome for all users of a computer. This installer will update the Chrome browser for all users, provided that the version you’re installing is the same or newer than the version previously installed on the computer.
If the computer already has the Chrome browser installed for an individual user (in that user’s profile directory), that installation will not be modified by the Chrome Enterprise installer. Instead, the next time the user launches the installation of Chrome in their profile directory, Chrome will detect another installation of Chrome present for all users, uninstall itself, and launch the updated version of the Chrome browser for all users.
Known Issues
Chrome browser could fail to install due to anti-virus rules. During installation, the installer copies files to temporary directories and then moves those files to the appropriate installation folder. In rare cases, the move operation can fail when anti-virus is running.
Related topics
- More about Chrome auto-updates
- Managing Group Policy ADMX Files Step-by-Step Guide
- Recommendations for managing Group Policy administrative template (.adm) files
- Chrome browser release channels
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.