Microsoft Intune and Active Directory GPO deployment

This guide installs SafePrompt automatically on every Windows endpoint in your organisation, with no end-user action required. Two channels are covered: Microsoft Intune (cloud, recommended) and Active Directory GPO (on-premise legacy).

Audience: CISO or Windows administrator running a managed Chrome fleet. The goal is a full pilot deployment in under an hour.

Path A — Microsoft Intune (recommended)

Intune is the modern channel: the configuration is centralised in the endpoint.microsoft.com portal and reaches endpoints in less than 15 minutes after assignment.

Step 1 — Retrieve your tenant_api_key

Sign in to your SafePrompt Dashboard and open the Settings → Tenant credentials page. Copy the tenant_api_key and tenant_id values: you will paste them into the Intune configuration profile in step 3.


Step 2 — Download the Intune configuration profile

Download the JSON file below. It describes the three registry keys Intune must push on every endpoint: ExtensionInstallForcelist (force-install), ExtensionSettings (permissions) and 3rdparty.extensions.<EXTENSION_ID>.policy (your tenant credentials).

intune-chrome-policy.json: Intune Settings catalog profile for Chrome

Step 3 — Import the profile into Intune

  1. Open endpoint.microsoft.com

    Sign in to the portal and navigate to Devices → Configuration profiles → Create profile.
  2. Pick the platform and profile type

    Select Windows 10 and later as the platform, then choose the Settings catalog profile type. Click Create.
  3. Name the profile

    Use a descriptive name such as "SafePrompt — Chrome force-install (Pilot)". Click Next.
  4. Add the Chrome settings

    In the Configuration settings tab, click Add settings and look for ExtensionInstallForcelist and ExtensionSettings inside the Google Chrome category. Enable both.
  5. Paste the JSON and substitute placeholders

    Reuse the content of intune-chrome-policy.json in the matching Settings catalog values. Replace the three placeholders: <EXTENSION_ID>, <TENANT_API_KEY>, <TENANT_UUID>.
  6. Assign to the pilot group and save

    In the Assignments tab, start with a small pilot group (10 to 20 users). Click Next, review the summary and then Save.

Step 4 — Verify on a Windows endpoint

Sign in to an endpoint that belongs to the pilot group. Force an Intune sync via Settings → Accounts → Access work or school → Sync. After 5 to 15 minutes, the SafePrompt icon appears automatically in the Chrome toolbar. Then jump to the Common verification section below to confirm the tenant credentials propagated.

Path B — Active Directory GPO

This path targets environments that have not yet migrated to Intune. The deployment relies on the Group Policy Management Console (GPMC) and the official SafePrompt ADMX/ADML files.

Step 1 — Download the GPO files

Download the three files below. The ADMX describes the policy; the ADML carries the en-US labels shown by GPMC; the .reg is a shortcut for quick lab tests.

Step 2 — Copy ADMX/ADML into the PolicyDefinitions store

From an administrator workstation, copy safeprompt.admx into the SYSVOL central store of your domain and copy safeprompt.adml into the matching en-US subfolder. Open PowerShell as Administrator and run the following commands (adapt the SYSVOL path to your domain).

Copy ADMX/ADML into the central store
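# The central store path is built from the USERDNSDOMAIN environment variable (your AD domain FQDN).
# Set $sysvol by hand if you run this from an account outside the target domain.
$ErrorActionPreference = 'Stop'   # a failed copy must not be followed by the success message
$sysvol = "\\${env:userdnsdomain}\SYSVOL\${env:userdnsdomain}\Policies\PolicyDefinitions"
# Stop early if the central store or its en-US subfolder is missing.
if (-not (Test-Path "$sysvol\en-US")) { throw "Central store not found: $sysvol\en-US" }
Copy-Item -Path .\safeprompt.admx -Destination "$sysvol\safeprompt.admx" -Force
Copy-Item -Path .\safeprompt.adml -Destination "$sysvol\en-US\safeprompt.adml" -Force
Write-Host "SafePrompt ADMX/ADML deployed to the central store."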

Step 3 — Create and link the GPO

Open gpmc.msc, create a new GPO named "SafePrompt — Force-install (Pilot)" and link it to the OU that holds the pilot endpoints. Edit the GPO: Computer Configuration → Policies → Administrative Templates → SafePrompt. Enable both policies "Force-install SafePrompt on Google Chrome" and "Configure SafePrompt tenant credentials", and fill in your tenant_api_key, tenant_id, and the force-install entry in the form EXTENSION_ID;https://clients2.google.com/service/update2/crx.

Step 4 — Quick option: merge the .reg (lab only)

For a very quick test on an isolated endpoint, you can double-click safeprompt-fallback.reg after replacing the placeholders. The keys are written immediately into HKLM, bypassing the GPO mechanism.

Common verification

Whether you picked Intune or GPO, the final check is identical on any Windows endpoint inside the scope.

  1. Open chrome://policy

    Launch Google Chrome on a target endpoint and type chrome://policy in the address bar.
  2. Reload and inspect

    Click Reload policies in the top right corner. Confirm that a SafePrompt entry is listed with the tenant_api_key and tenant_id fields populated.
  3. Confirm the extension is installed

    Open chrome://extensions and confirm that the SafePrompt extension is listed with the "Installed by your administrator" badge.
  4. Test on ChatGPT

    Visit https://chatgpt.com and type a string containing a fake French SIRET number to confirm detection is active.
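
The same checks can be scripted for use across several pilot endpoints. The PowerShell below is an added example, not part of the SafePrompt files: it reads the Chrome policy keys named in this guide and reports whether each is present without printing the tenant_api_key. It assumes Chrome's standard policy location under HKLM:\SOFTWARE\Policies\Google\Chrome and that the registry value names match the tenant_api_key and tenant_id fields shown in chrome://policy; the function names are hypothetical.

```powershell
# Added example: read-only check of the Chrome policy keys this guide deploys.
# Replace the <EXTENSION_ID> placeholder with the value used in your profile or GPO.
$ExtensionId = '<EXTENSION_ID>'
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'
$ChromeRoot  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ForceInstall {
    param([string]$Root, [string]$Id, [string]$Url)
    $key = "$Root\ExtensionInstallForcelist"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    # Force-list entries are numbered string values ("1", "2", ...).
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        if ([string]$item.GetValue($name) -eq "$Id;$Url") { return $true }
    }
    return $false
}

function Get-TenantPolicyState {
    param([string]$Root, [string]$Id)
    $key = "$Root\3rdparty\extensions\$Id\policy"
    $state = [ordered]@{ PolicyKeyPresent = (Test-Path -LiteralPath $key) }
    # Assumption: value names match the tenant_api_key / tenant_id fields in chrome://policy.
    foreach ($name in 'tenant_api_key', 'tenant_id') {
        $value = $null
        if ($state.PolicyKeyPresent) { $value = (Get-Item -LiteralPath $key).GetValue($name) }
        # Report presence only; the credential itself is never written to the console.
        $state[$name] = -not [string]::IsNullOrWhiteSpace([string]$value)
    }
    return [pscustomobject]$state
}

$report = Get-TenantPolicyState -Root $ChromeRoot -Id $ExtensionId
$report | Add-Member -NotePropertyName ForceInstalled -NotePropertyValue (Test-ForceInstall -Root $ChromeRoot -Id $ExtensionId -Url $UpdateUrl)
$report | Format-List
if (-not ($report.ForceInstalled -and $report.tenant_api_key -and $report.tenant_id)) {
    Write-Warning 'SafePrompt policy is incomplete on this endpoint; re-run the sync or gpupdate /force.'
}
```

Because the output contains only True/False flags, it can be pasted into a ticket or rollout log without exposing the tenant credentials.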

Need help?

The SafePrompt team supports enterprise rollouts. Tell us about your environment (Intune or GPO, number of seats, Chrome version) and we will reply within one business day.

Email [email protected]
