Managing Chrome and Chromium Edge GPOs on Non-Domain Joined PCs using ZCM 2020 MDM


Microsoft has recently rewritten Edge so that it is built upon Chromium, which Chrome is also built upon.  (Cool Fact:  ZENworks ZAPP is also based upon Chromium!)  This rewrite has brought to Edge a Group Policy limitation that has existed in Chrome for a few years:  if a device is not part of a Windows Domain, many of the local GPO settings for Chrome/Edge will simply be ignored.


As a result, regardless of the Local GPO settings pushed by ZENworks, those settings would not be effective unless the device was part of a domain, which is not the case for many ZCM managed devices.  

ZENworks 2020, however, is able to come to the rescue of non-domain joined devices.  ZCM 2020 has introduced support for MDM Management of Windows 10 devices.  This allows for management of devices without installing any additional software beyond the Windows 10 Pro or Enterprise operating system.  The support in ZCM 2020, however, is only experimental and the management capabilities are limited to MDM registering the device to your ZENworks Zone.  Expanded management capabilities are expected in ZCM 2020 Update 2.  While the current feature set is quite limited, it is sufficient to meet the secondary requirements for the Edge GPO of being "Enrolled for Device Management".  

Simply MDM enroll your Windows 10 Enterprise or Professional device to your ZENworks Zone, and the non-working GPO above will now be honored!

When I say "Simply MDM enroll your Windows" devices, I truly mean "Simply", even if you have never done MDM management before.  Follow the steps below and review a few of the troubleshooting steps and one should be able to enable MDM management of Windows 10 devices in a few short minutes.  We will be using "Windows Configuration Designer" to create a "PPKG" file and then "installing" that file on the target devices.


  • From the ZCC - Create a Registration Key in your ZENworks Zone that will be used as the "Secret" (password) for registering to the ZENworks Zone





Creating the PPKG file with Windows Configuration Designer:

Following those steps will fill in two different sections:  Workplace and Certificates.




  • After all the details are entered, select "Export" from the main menu to export the package.  I would recommend not encrypting or signing the package for your initial foray into ZCM MDM registration.  Both options create some additional hurdles for attempts to silently deploy the PPKG file to devices.  In the future, additional PPKG files can be created that use these features.

Deploying PPKG Files to Devices:

  • Simple Way:  Double-Click on the PPKG file from any device that can hit the DiscoveryServiceURL defined in the file.
  • Use a PowerShell command such as  "Install-ProvisioningPackage -PackagePath C:\temp\ZCM_MDM_ENROLLMENT.ppkg -QuietInstall -LogsDirectoryPath c:\temp"  (Sample Bundle attached to article.  Make sure to add an action to copy the PPKG file to the device.)

Troubleshooting PPKG Installs:

  • Ensure Proper Windows Activation or the device will not properly enroll.
  • Windows Pro or Enterprise may be required.  Other editions may not work.
  • Ensure proper DNS Resolution
  • Examine Logs created by the Bundle
  • View the "Access work or school" page in Windows Settings
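
The deployment command and the troubleshooting checks above can be combined into one script that refuses to install the package when a prerequisite is missing. This is an added example, not part of the original article or the attached bundle; the host name zenworks.example.com is a placeholder for the host in your package's DiscoveryServiceURL, and the paths are the ones from the sample command.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks from the troubleshooting list, then a quiet install.
# Assumption: $MdmHost is a placeholder; set it to the host name used in the
# DiscoveryServiceURL of your own PPKG file.
param(
    [string]$PackagePath = 'C:\temp\ZCM_MDM_ENROLLMENT.ppkg',
    [string]$LogDir      = 'C:\temp',
    [string]$MdmHost     = 'zenworks.example.com'
)
$ErrorActionPreference = 'Stop'
$problems = @()

# The package must already have been copied to the device.
if (-not (Test-Path -LiteralPath $PackagePath)) {
    $problems += "Package not found: $PackagePath"
}

# Edition: Windows Pro or Enterprise may be required.
$caption = (Get-CimInstance Win32_OperatingSystem).Caption
if ($caption -notmatch 'Pro|Enterprise') {
    $problems += "Edition may not support enrollment: $caption"
}

# Activation: LicenseStatus 1 means "Licensed" for the installed Windows product key.
$winAppId  = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows ApplicationID
$filter    = "ApplicationID='$winAppId' AND PartialProductKey IS NOT NULL"
$activated = Get-CimInstance SoftwareLicensingProduct -Filter $filter |
    Where-Object LicenseStatus -eq 1
if (-not $activated) { $problems += 'Windows is not activated' }

# DNS: the enrollment server name must resolve from this device.
try   { Resolve-DnsName -Name $MdmHost -ErrorAction Stop | Out-Null }
catch { $problems += "DNS lookup failed for $MdmHost" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; provisioning package was not installed.'
}

# Same command as in the article; logs are written to $LogDir for later review.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $LogDir

# List the provisioning packages now registered on the device.
Get-ProvisioningPackage -AllInstalledPackages
```

After it completes, the enrollment itself is still confirmed on the "Access work or school" page, as in the last troubleshooting step.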


Download Edge Chromium GPO Files:  (Select Get Policy Files)

Add the Chromium Templates to the Group Policy Editor:


Generate Guttural Evil Admin Laugh:

Start creating your Chrome/Edge policies that once again lock down settings that were previously ignored!



To find other articles by Craig Wilson simply follow the link below:






