
(210) Microsoft Intune - Disabling Google Chrome Gemini Nano AI

  • Writer: Mr B SOE way
  • May 13

A customer reached out about this article: https://www.techspot.com/news/112309-google-chrome-has-silently-pushing-4gb-ai-model.html. It reports that Google Chrome silently downloads a 4GB AI model file (weights.bin) to user devices without explicit user consent. The file is stored at: %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel


The customer requested that the following be configured in chrome://flags:

Enables optimization guide on device

Prompt API for Gemini Nano

Prompt API for Gemini Nano with Multimodal Input

Writer API for Gemini Nano

Rewriter API for Gemini Nano

Proofreader API for Gemini Nano

Summarizer API for Gemini Nano

AI Mode Omnibox entrypoint

AI Entrypoint Disabled on User Input

Omnibox Allow AI Mode Matches

AI Mode Omnibox Entrypoint always navigates


Additionally, disable "GenAILocalFoundationalModelSettings", as shown in chrome://policy.

And remove the following folder after the policy has been applied:

C:\Users\username\AppData\Local\Google\Chrome\User Data\OptGuideOnDeviceModel


Configuration:

The chrome://flags changes must be made on a device that has Chrome installed. Any setting changed in chrome://flags is written to the file Local State.


Make the changes manually in the browser, then select Relaunch.


Grab the Local State file from C:\Users\username\AppData\Local\Google\Chrome\User Data. The aim is to create a Win32 app that runs in user context; it deletes the existing Local State file and replaces it with the modified version.


Win32 app:


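rem Install.cmd: remove the current Local State (Chrome must already be closed)
cmd /c del /q "%localappdata%\Google\Chrome\User Data\Local State"
timeout /t 5 > nul
rem Copy the modified Local State from the package folder into the user's profile
cmd /c xcopy "Local State" "%localappdata%\Google\Chrome\User Data" /y
start "" "C:\Program Files\Google\Chrome\Application\chrome.exe"
exit 0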

#region Config
$AppName = "Set Chrome Flags"
$client  = "MR B SOE Way"
$logPath = "$env:ProgramData\$client\logs"
$logFile = "$logPath\$AppName.log"

# Batch file in the package folder that swaps in the modified Local State
$cmdcommands = ".\Install.cmd"
#endregion

#region Logging
if (!(Test-Path -Path $logPath)) {
    New-Item -Path $logPath -ItemType Directory -Force | Out-Null
}

# The transcript is also the file the detection rule checks for
Start-Transcript -Path $logFile -Force
#endregion

# Close Chrome before the file is replaced; do not error if it is not running
Stop-Process -Name "chrome" -Force -ErrorAction SilentlyContinue

Start-Process -FilePath "cmd.exe" -ArgumentList "/c `"$cmdcommands`"" -NoNewWindow -Wait

Write-Host "Script completed successfully.."
Stop-Transcript
Exit 0

if (test-path "C:\ProgramData\MR B SOE Way\logs\Set Chrome Flags.log"){"Installed"} 

Make sure to place the modified Local State file in the folder that will be wrapped. It should look like this:


ADMX Ingestion and Policy:


Intune's Settings Catalog doesn't have the up-to-date version of these policies, so download the Google Chrome Enterprise ADMX templates and import them into Intune. To create the policy, select Create -> New Policy -> Platform: Windows 10 and later, Profile Type: Templates -> Imported Administrative templates, then set the following:


  • Allow Gemini app integrations to directly act on specified sites = Disabled

  • Block Gemini app integrations to directly act on specified sites = Disabled

  • Allows Gemini app integrations to directly act on web pages = Enabled (Disallow the Gemini app to take action on the web pages)

  • Enable content sharing with Google AI Mode and Lens integrations = Enabled (Do not allow content sharing with Google AI Mode integrations).

  • Settings for AI-powered History Search = Enabled (Do not allow AI History Search).

  • Settings for Chrome DevTools Generative AI Features = Enabled (Do not allow Chrome DevTools Generative AI Features)

  • Settings for Create Themes with AI = Enabled (Do not allow Create Themes)

  • Settings for enhanced autofill = Enabled (Do not allow enhanced autofill)

  • Settings for Gemini integration = Enabled (Do not allow Gemini integrations)

  • Settings for GenAI local foundational model = Enabled (Do not download model)

  • Settings for Google's AI Mode integrations in the address bar and New Tab page search box = Enabled (Do not allow AI Mode integrations)

  • Settings for Help Me Write = Enabled (Do not allow Help Me Write)

  • Tab Compare settings = Enabled (Do not allow Tab Compare).



Once the ADMX policy has been deployed, navigate to chrome://policy and confirm that GenAILocalFoundationalModelSettings is set to 1, which corresponds to Enabled with "Do not download model". More info around the policy is here: https://chromeenterprise.google/policies/?policy=GenAILocalFoundationalModelSettings
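
The folder removal requested earlier and the policy check above can be combined in one user-context script. This is an added example, not part of the original post or its package: it deletes OptGuideOnDeviceModel only after confirming the policy value is 1, so the model is not simply downloaded again. The registry keys are the standard Chrome policy locations and are an assumption about where the imported ADMX writes.

```powershell
# Added example: verify the policy, then remove the downloaded model for the signed-in user.
# Assumption: the policy is written to one of the standard Chrome policy keys below.
$policyName = 'GenAILocalFoundationalModelSettings'
$policyKeys = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'
$modelDir   = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\OptGuideOnDeviceModel'

function Get-ChromePolicyValue {
    param([string[]]$Keys, [string]$Name)
    foreach ($key in $Keys) {
        # A missing key or missing value returns nothing instead of throwing
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

$value = Get-ChromePolicyValue -Keys $policyKeys -Name $policyName
if ($value -ne 1) {
    # Deleting the folder without the policy in place would only trigger a fresh download
    Write-Output "Non-compliant: $policyName is '$value', expected 1. Model folder left untouched."
    exit 1
}

if (Test-Path -LiteralPath $modelDir) {
    $sum = (Get-ChildItem -LiteralPath $modelDir -Recurse -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    $sizeMB = [math]::Round([double]$sum / 1MB, 1)
    try {
        Remove-Item -LiteralPath $modelDir -Recurse -Force -ErrorAction Stop
        Write-Output "Removed $modelDir ($sizeMB MB)."
    }
    catch {
        # Typically a file lock because Chrome is still running
        Write-Output "Non-compliant: could not remove $modelDir : $($_.Exception.Message)"
        exit 1
    }
}

Write-Output "Compliant: $policyName = 1 and OptGuideOnDeviceModel is absent."
exit 0
```

The exit codes let the same script serve as a detection check: unlike testing for the transcript log, it reports on the actual policy value and folder state rather than on whether the installer ran.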



 
 
 
