Disable browsers built-in passwords manager using Microsoft Intune

-

🔒 How to Disable Browser Password Managers via Microsoft Intune (Edge, Chrome, Firefox)

For IT Admins & Security Teams Why? Built-in password managers in browsers (Edge, Chrome, Firefox) pose security risks—they store credentials in plaintext, lack enterprise-grade encryption, and are vulnerable to malware like RedLine Stealer. Here’s how to disable them centrally using Microsoft Intune (with GPO/MDM fallback for Firefox).

1️⃣ Microsoft Edge (Chromium)

Method: Intune Administrative Templates

  • Policy Path: Computer Configuration > Administrative Templates > Microsoft Edge > Password Manager
  • Settings:
    • Enable "Disable saving passwords to the password manager"
    • Enable "Disable the display of password reveal button"
  • Intune UI:
    1. Navigate to Devices > Configuration profiles > Create profile.
    2. Select Windows 10 and later > Templates > Administrative Templates.
    3. Search for "Password Manager" and configure the policies above.
    4. Assign to user groups/devices.

Verification:

  • Open Edge → edge://settings/passwords"Offer to save passwords" should be grayed out.

 2️⃣ Google Chrome

Method: Intune OMA-URI (Custom Settings) Chrome doesn’t natively support Intune Administrative Templates, so we use OMA-URI to push registry keys.

  • Policy Path: Software\Policies\Google\Chrome
  • OMA-URI:
    ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
  • Registry Keys to Deploy:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"PasswordManagerEnabled"=dword:00000000
"PasswordManagerAllowShowPasswords"=dword:00000000
  • Intune UI:
    1. Go to Devices > Configuration profiles > Create profile.
    2. Select Windows 10 and later > Templates > Custom.
    3. Add the OMA-URI above with Data type: String and paste the registry content.
    4. Assign to user groups/devices.

Verification:

  • Open Chrome → chrome://settings/passwords"Offer to save passwords" should be disabled.

 3️⃣ Mozilla Firefox

Method: Intune + GPO (Firefox ADMX) or MDM Firefox lacks native Intune support, so we use Group Policy or MDM (via Firefox ADMX templates).

  • Option A: Group Policy (For Hybrid AD Joined Devices)

    1. Download the Firefox ADMX templates from Mozilla’s GitHub.
    2. Import into Group Policy (gpedit.msc or Central Store).
    3. Navigate to: Computer Configuration > Administrative Templates > Mozilla > Firefox > Password Manager
    4. Enable "Disable saving passwords".

  • Option B: MDM (For Azure AD Joined Devices) Use Intune’s OMA-URI to push Firefox policies:

    • OMA-URI:
      ./Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~PasswordManager/DisablePasswordManager
    • Value:
      <enabled/><data id="DisablePasswordManager" value="true"/>

Verification:

  • Open Firefox → about:config → Search for signon.rememberSignons → Should be false.

 

🔐 Security Bonus: Enforce Enterprise Password Managers

While disabling built-in managers, mandate an enterprise solution like:

  • Keepass or Bitwarden Teams (with Intune app deployment).
  • Windows Hello for Business (for passwordless authentication).

 

Popular posts from this blog

How to reset computer in OOBE mode

-
Image
When you receive a new computer, it may contain various applications that are useless in a business context. To solve this problem and start with a clean PC, it may be interesting to reset it.  Here is two procedures that can be performed in OOBE mode Manual process Click CTRL + Shift + F3 , your computer restart. The Windows session is automatically opened Go to Start Menu \ Parameters \ Update & Security \ Recovery and click on Get Started Select Remove everything Select Local reinstall Click Next Click Reset Your computer restarts and proceeds to a complete reinstallation. With Command Line Click  Shift + F10 , your computer restart. Used this command line : systemreset -factoryreset Select Remove everything Select Remove files and clean the drive Click Reset Your computer restarts and proceeds to a complete reinstallation.
Read more »

How to implement Applocker with Microsoft Intune

-
Image
Applocker is tool included in Windows 10 and 11. It permit to set up policies or rules for allow or deny apps from running on your device.  We can create Applocker rules for below file types:  EXE files : .exe and .com Windows Installer files : .msi, mst, and .msp Scripts : .ps1, .bat, .cmd, .vbs, and .js DLLs : .dll and .ocx Packaged apps and packaged app installers : .appx and .msix. Sources :  https://learn.microsoft.com/fr-fr/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections The Applocker solution purpose a multiple possibilities for secure your device. We have possibilities to block or allow apps. By default, it is recommended to allow all applications and add a custom rules for a scpecific application. Prérequisites for used Applocker Device with Windows 10 or 11 for prepare the Applocker rules Application Identity service enabled Enable Applocker For create an Applocker policy, you need t...
Read more »

Windows Autopilot and Pre-Provisioned deployment

-
Image
Windows Autopilot offers several deployment scenarios, including pre-provisioning. This allows to respond to some use cases such as:  Provide a workstation prepared via Windows Autopilot and then send it to low bandwidth sites for example.   But also to provide the end user, a ready-to-use experience by relieving them of sometimes tedious provisioning tasks. In the following, I will detail all the prerequisites as well as the steps to pre-provision a workstation with Microsoft Intune and Windows Autopilot. 1. Prerequisites Device : Microsoft Intune tenant  with MDM authority  "Set to Intune" Windows Autopilot User Driven AAD or HAAD join devices Windows 10 1903 and above  (Enterprise, Pro and Education) Physical devices with TPM 2.0 with device attestation  (check your hardware compatibility) Virtual machines are not supported Network : Wired ethernet connection   TPM attestation validation process  requires access to the URLs below : *.microsofta...
Read more »