Disable browser default password managers - Windows GPO
This topic detail the steps to disable the default password manager in the Edge, Firefox and Chrome browsers, as well as steps to confirm the password manager is disabled.
Disabling the browser default password manager
Edge
- Open Group Policy Management Editor on your managing Windows server.
- Download the most suitable Edge Policy Template from Microsoft.
- In the Group Policy Editor, create a new GPO for Edge and provide an appropriate name.
- Select the required scope.
- Right-click your new Group Policy Object and select Edit.
- in the Group Policy Management Editor, navigate to User Configuration > Policies > Administrative Templates > Microsoft Edge.
- Configure the following:
- Open Password manager and protection, disable Enable saving passwords to the password manager.
- Disable Enable AutoFill for addresses.
- Disable Enable AutoFill for payment instruments.
- (Optional) Enable Disable synchronization of data using Microsoft sync services.
- Ensure the GPO link is enabled.
Chrome
- Open Group Policy Management Editor on your managing Windows server.
- Download the Chrome Administrative Templates from Google.
- From the policy_templates\windows\admx\ directory, copy the following files to
C:\Windows\PolicyDefinitions\
. - chrome.admx
- google.admx
- From the policy_templates\windows\admx\<your language> directory, copy the following files to
C:\Windows \PolicyDefinitions\<your-language>\
. - chrome.adml
- google.adml
- In the Group Policy Editor, create a new GPO for Chrome and provide an appropriate name.
- Choose your desired scope.
- Right-click the Group Policy Object and select Edit.
- Go to User Configuration > Policies > Administrative Templates > Google > Google Chrome.
- Edit the following settings:
- Under Password Manager, disable the policy Enable saving passwords to the password manager.
- Disable the policy Enable AutoFill for Addresses.
- Disable the policy Enable AutoFill for credit cards.
- Ensure the GPO link is enabled.
Once complete, the GPO settings should show the following:
Firefox
- Open the Group Policy Editor on your managing Windows server.
- Download the latest Firefox Policy Templates .zip file from Mozilla.
- From
policy_templates_v1.##\windows\
copy the ADMX filesfirefox.admx
andmozilla.admx
toC:\Windows\PolicyDefinitions\
- From
policy_templates\windows\en-us\
copy the ADML files fromfirefox.adml
&mozilla.adml
toC:\Windows \PolicyDefinitions\en-us
. - In Group Policy Editor, create a new GPO for Firefox and provide an appropriate name.
- Choose your desired scope.
- Right-click your new group policy > Edit.
- Open User Configuration > Policies > Administrative Templates > Mozilla > Firefox.
- Locate and edit the following policies:
- Disable the policy Disable Firefox Accounts.
- Disable the policy Offer to save logins.
- Disable the policy Offer to save logins (default).
- Disable the policy Password Manager.
- Ensure the GPO link is enabled.
Once complete, the GPO settings should show the following:
To confirm the default password manager is disabled
Edge
Any logins previously saved in Edge will not be removed and will continue to be displayed to the user, despite autofill being disabled. Users should import or otherwise record any saved logins into Passportal before deleting them from Edge.
- On a user's computer, open the command line, and run:
- Open Edge, navigate to Settings > Passwords.
- Ensure Offer to save passwords is turned off and shows as managed by the organization.
gpupdate /force
Sign-in automatically is still checked because there is no policy setting to turn this off.
Chrome
- On a user's computer, Open the command line, and run:
- Open Chrome and click the profile icon on the top right. Confirm that the user is not signed in.
- Open the Chrome menu (the three dots button) > Settings > Passwords. Confirm that Offer to save passwords is unchecked and managed by the organization.
gpupdate /force
Firefox
- On a user's computer, Open the command line, and run:
- Open Firefox and select Logins and Passwords from the menu bar.
- Ensure that the Blocked Page advisory is displayed.
gpupdate /force