Make Brave-specific options configurable through Windows Group Policy templates #26502

Closed
mherrmann opened this issue Nov 3, 2022 · 23 comments · Fixed by brave/brave-core#25710
Labels: enterprise, OS/Desktop, OS/Windows, priority/P3, QA/In-Progress, QA/Test-Plan-Specified, QA/Yes, release-notes/include

@mherrmann

mherrmann commented Nov 3, 2022

Test plan (added by @bsclifton)

  1. Be on Windows
  2. Windows + R, type in gpedit.msc, hit enter
  3. Under Computer Configuration, right click Administrative Templates
  4. In the context menu, pick Add/Remove Templates...
  5. Download the templates from https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy (link should be https://brave-browser-downloads.s3.brave.com/latest/policy_templates.zip). We'll want to make sure these are the latest (check with @bsclifton or @mihaiplesa)
  6. Unzip this policy_templates.zip and back in gpedit.msc, click Add...
  7. Browse to the directory you just unzipped and find the windows\adm\en-US\brave.adm file
  8. Select this file and pick Open
  9. You should now see Brave under Classic Administrative Templates. In the Brave Software folder, you'll see the actual policies.
  10. Go ahead and set this policy - change Tor disabled, etc.
  11. Launch into Brave and verify that policies changed show in brave://policy/. You should also see Managed by your organization in the hamburger menu.
  12. Policy description should have a link to take you to https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy
  13. Verify the policy actually works

Original issue description

This is a follow-up to #26501. There, we provide templates for changing general browser settings. The goal of this present issue is to build on that work and make it possible to configure Brave-specific browser options via Group Policy settings. Per the current documentation, the minimal settings that should be supported are:

  • TorDisabled
  • IPFSEnabled
  • BraveRewardsDisabled
  • BraveWalletDisabled

Related:

@ghost

ghost commented Jan 13, 2023

It is nice Brave implemented a policy for Up/Down Shields #25394

@bsclifton @mherrmann @spylogsster

I think it would be good if Brave expanded even more Shields/Adblock policies to make Brave a really good browser for admins to control what they want the organizations to see within Brave and even for Parental Control.

I see many people requesting a block site feature, and people talk about DNS and all that way of 'blocking' websites, but technically Brave can already do that, it only needs ways to stop anyone from bypassing them easily when they are not meant to.

First, one important policy/feature would be to have a way for 'organization' to be able to set custom lists and rules that no user can delete or disable, just like how Windows Firewalls features and rules can be set through GPO.

Second, and somehow a more important feature/flag/policy, it's to stop users from clicking the proceed button if/when a domain is blocked by the adblocker or change the warning screen to reflect it was blocked by an organization or something. You know, the little screen which is done by using ||example^ or $document with the first party domain blocking feature #14134
Example:

Just adding these two policies will add a way for organizations, admins, parents, schools to easily restrict/block websites without having to deal with another feature and/or Brave Team having to implement a feature that is already done with the adblocker, because the feature is already there, it only needs ways to prevent users to proceed or disable the rules.

Something important to note and why I say Brave already can block sites, it's that when Brave shows the warning screen, Brave hasn't connected to the Domain/IP, it shows the warning based just on what the URL says before anything gets resolved. The website will only resolve and appear in DNS server logs or firewalls or anything when the user clicks the Proceed button, making it a great way (and already built) to block websites completely.
Otherwise if the user clicks proceed, everything gets blocked: scripts, fonts, images, spreadsheets, etc, (when ||example^ is used, not when just $document is used) but the main html document will load, which means Brave will be forced to make 1 connection, and since it will be plain html, then users can still read text which might not be good. That's why not allowing users to proceed is important, to make Brave adblocker a better tool for everything security and privacy.

If adblocker is used for this kind of stuff, not only it will be 'one feature less to build' by Brave Team, but also, no DNS server or VPN or anything else (but using another web browser) can bypass it for the way these document block works which is done only for what it is seen in the URL.

Which means, (another good point about using Adblocker for 'website blocker' feature) is that it can be done in flexible ways.

Example:

You want to block example.com but you want to allow people accessing example.com/category/download/software it can be done by using $document

||example.com^$document
and
@@||example.com/category/download/software

So it doesn't have the same limitations as DNS based blocking website features/programs/servers

And if we count the fact that the adblocker has scriptlet injections like window-close-if or CSP features like sandbox that can prevent popups and stops downloads in whatever website, using CSP is not perfect since people can middle click and download the file that way, but it can prevent automatic downloads, to truly stop downloads, again, $document for the way it works by searching in the URL, would be able to stop the download, so a rule like /(.zip|.exe|.rar)/$document will stop all downloads from happening anywhere if an organization or parent desires, making it superior to any available tool if done right, out of the box and without doing anything but using what it is already available.

I tried to find other issues with this type of request, so hope it is not duplicate, but hope this helps to understand how good these two policies can be.
Of course, many flags or policies can be done to control every aspect of the Adblocker but I think these two policies can be the most important to make available for any organization or parent to control websites they want their employees or children or students to have access.

Thank you and have a good day!

@DesertBear

The below setting also needs to be added, so that the VPN feature can be disabled across managed devices.

  • BraveVPNDisabled

@bsclifton
Member

@DesertBear thanks for requesting that - I logged that one with #29397 and we can look at this soon 😄

@rowansc1

rowansc1 commented Apr 4, 2023

Hiya,
Is there any further progress with the TorDisabled function being able to be edited via GPO? More specifically the progress of 16351.

Cheers!

@DesertBear

> @DesertBear thanks for requesting that - I logged that one with #29397 and we can look at this soon 😄

While BraveVPNDisabled has been added to Brave Group Policy settings, the documentation at the below link is still missing this information.

Link:
https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy

Example:

DWord | Accepted Values | Effect
-- | -- | --
BraveVPNDisabled | 0 (default), 1 | 0 = Enabled, 1 = Disabled

@AlanBreck

The support site is actually managed by @Brave-Matt, so I'm looping him in.

@bsclifton
Member

BraveVPNDisabled is now added to https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy - thanks @Brave-Matt! 😄👍

@bsclifton
Member

bsclifton commented Apr 25, 2024

@mherrmann - I'm not sure how much trouble it is to append to the example/brave.reg in the policy templates (see https://brave-browser-downloads.s3.brave.com/latest/policy_templates.zip)

But we could hardcode (at least for the moment) the following Brave specific values:

Windows Registry Editor Version 5.00
; brave version: 124.1.67.42

[HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave]
"TorDisabled"=dword:00000001
"IPFSEnabled"=dword:00000000
"BraveRewardsDisabled"=dword:00000001
"BraveWalletDisabled"=dword:00000001
"BraveVPNDisabled"=dword:00000001
"BraveAIChatEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsEnabledForUrls]
"1"="[*.]twitter.com"
"2"="https://www.example.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsDisabledForUrls]
"1"="https://www.example.com"
"2"="[*.]brave.com"

This should cover all the ones listed at https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy#h_01HE8CWCDW9FWDWB74VCGZZEMR

Maybe you can point me in the right direction?

@mherrmann
Author

@bsclifton sure. My previous work on the topic was brave/brave-core#16351, but it became obsolete before it was merged due to upstream changes. The policy templates are a GN target, brave/components/policy:pack_policy_templates. Maybe you could extend [pack_policy_templates.py](https://github.com/brave/brave-core/blob/3311f572f08cd007bf570e8b21dde09d949548ef/components/policy/pack_policy_templates.py#L31) to append the values you mentioned to brave.reg?

rebron added this to General May 28, 2024
rebron moved this to P3 Backlog in General May 28, 2024

@Marko-98

Marko-98 commented Jun 14, 2024

@bsclifton I'm using these policies to disable Brave Wallet and Brave Rewards from the browser; I have two questions:

  1. Is it possible to keep using these policies, but to hide messages "managed by your organization" throughout the browser?
  2. When policies are enabled, secure DNS option is disabled automatically. Is there a way to keep secure DNS enabled while still managing browser through Group Policy or Registry?

Thank you!

@DesertBear

DesertBear commented Jun 28, 2024

@Marko-98

> 2. When policies are enabled, secure DNS option is disabled automatically. Is there a way to keep secure DNS enabled while still managing browser through Group Policy or Registry?

This is an issue with all Chromium-based browsers. You will need to set the below policies to keep DNS-over-HTTPS enabled.

Controls the mode of DNS-over-HTTPS:
https://chromeenterprise.google/policies/#DnsOverHttpsMode

  • Enabled
  • Enable DNS-over-HTTPS without insecure fallback

Specify URI template of desired DNS-over-HTTPS resolver:
https://chromeenterprise.google/policies/#DnsOverHttpsTemplates

  • Enabled
  • https://security.cloudflare-dns.com/dns-query or https://dns.quad9.net/dns-query
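
The two policies named in the comment above, written directly to the registry. This is an added example, not code from the thread participants or from Brave. It assumes Brave reads the Chromium policies DnsOverHttpsMode and DnsOverHttpsTemplates from the same policy key the thread uses for Brave-specific values; the function name Set-BraveDohPolicy is hypothetical.

```powershell
# Added example: keep DNS-over-HTTPS on in a policy-managed Brave install.
# Assumption: Chromium policies are read from the Brave policy key shown in this thread.
# Writing under HKLM requires an elevated PowerShell session.
function Set-BraveDohPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'secure' is the registry value behind "Enable DNS-over-HTTPS without insecure fallback".
        [ValidateSet('off', 'automatic', 'secure')]
        [string]$Mode = 'secure',

        [Parameter(Mandatory)]
        [string[]]$Template,

        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave'
    )

    # Refuse anything that is not an absolute https:// URI, so a typo cannot
    # silently leave the browser without a usable resolver in 'secure' mode.
    foreach ($t in $Template) {
        $uri = $null
        $ok = [Uri]::TryCreate($t, [UriKind]::Absolute, [ref]$uri)
        if ((-not $ok) -or ($uri.Scheme -ne 'https')) {
            throw "Not an absolute https:// resolver template: $t"
        }
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set DnsOverHttpsMode=$Mode")) {
        if (-not (Test-Path -Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        # Both policies are strings (REG_SZ); multiple templates are space-separated.
        Set-ItemProperty -Path $PolicyKey -Name 'DnsOverHttpsMode' -Value $Mode -Type String
        Set-ItemProperty -Path $PolicyKey -Name 'DnsOverHttpsTemplates' -Value ($Template -join ' ') -Type String
    }

    # Read back what is actually stored so the result can be compared with brave://policy.
    Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue |
        Select-Object DnsOverHttpsMode, DnsOverHttpsTemplates
}

# Resolver URL taken from the comment above; run with -WhatIf first to preview.
Set-BraveDohPolicy -Template 'https://dns.quad9.net/dns-query'
```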

@Marko-98

@DesertBear Thanks! :)

bsclifton self-assigned this Sep 24, 2024

@bsclifton
Member

bsclifton commented Sep 24, 2024

Making some good progress here 😄
Stay tuned!

bsclifton added a commit to brave/brave-core that referenced this issue Oct 2, 2024
…uses.

The assets generated now include all of the Brave group policies in a group
called "BraveSoftware".

Fixes brave/brave-browser#26502
bsclifton added a commit to brave/brave-core that referenced this issue Oct 3, 2024
…uses.

The assets generated now include all of the Brave group policies in a group
called "BraveSoftware".

Fixes brave/brave-browser#26502
@bsclifton
Member

bsclifton commented Oct 4, 2024

OK great - I have a working solution and we should be able to accept it soon 😄 Working with reviewers on the last few items

For folks interested, you can check out brave/brave-core#25710

bsclifton added a commit to brave/brave-core that referenced this issue Oct 11, 2024
…uses.

The assets generated now include all of the Brave group policies in a group
called "BraveSoftware".

Fixes brave/brave-browser#26502
bsclifton moved this from P3 Backlog to In progress in General Oct 11, 2024
bsclifton moved this from In progress to Pending review/uplift or retest in General Oct 11, 2024
github-project-automation bot moved this from Pending review/uplift or retest to Completed in General Oct 11, 2024
brave-builds added this to the 1.73.x - Nightly milestone Oct 11, 2024

@MadhaviSeelam

MadhaviSeelam commented Nov 13, 2024

Verification PASSED using

Brave | 1.74.4 Chromium: 131.0.6778.39 (Official Build) beta (64-bit)
-- | --
Revision | 15328654b03f358466ab746b5d12a68e7fdb5017
OS | Windows 11 Version 23H2 (Build 22631.4460)
  1. Installed .174.4
  2. launched Brave
  3. press Windows + R
  4. type in gpedit.msc hit enter
  5. Under Computer Configuration, right click Administrative Templates
  6. In the context menu, pick Add/Remove Templates... in the Local Group Policy Editor
  7. navigated to https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy in a new tab and clicked policy_templates.zip
  8. saved the file to Downloads folder
  9. unzip this policy_templates.zip in the Downloads
  10. opened gpedit.msc again and clicked Add/Remove Templates in the context menu of Local Group Policy Editor
  11. clicked Add in the Add/Remove Templates and clicked open
  12. browsed to the directory and selected en-US >> brave.adm >> Open >> Close
  13. navigate to Classic Administrative Templates >> Brave >> Brave Software settings folder
  14. confirmed the actual policies are listed
  15. navigated to Disable Tor Connectivity setting and edit the settings via context menu
  16. selected Disabled >> Apply
  17. opened New Private window with Tor in the hamburger menu
  18. confirmed successful Tor connection
  19. returned Local Group Policy Editor and enabled Disable Tor Connectivity
  20. confirmed New Private window with Tor option is shown in the hamburger menu and Tor connection is successful

@LaurenWags
Member

Removed QA Pass-Win64 so we can get a Win 10 check on this one as well 👍🏻

@GeetaSarvadnya

Verification INPROGRESS on

Brave | 1.74.25 Chromium: 132.0.6834.33 (Official Build) beta (64-bit)
-- | --
Revision | 041ffab11e000929213dcdae825dba438ff8a620
OS | Windows 10 Version 22H2 (Build 19045.5247)

GeetaSarvadnya added the QA/In-Progress label Dec 12, 2024

@GeetaSarvadnya

GeetaSarvadnya commented Dec 12, 2024

@mherrmann: I am verifying the issue on Windows 10 x64 and Windows 11 x64. I have followed the test plan mentioned via #26502 (comment). On both win10 and win11, the issue is not working as expected. When the Tor/VPN is enabled via gpedit.msc and the browser (Brave Beta 1.74.26) is launched, it is still showing the VPN via toolbar and NTP etc., and New private window with Tor via hamburger menu. Also, if I open brave://policy, no policies are set.

I have a few questions regarding the Group Policy template:

  1. Does the policy template support only the countries provided in the template below, or all countries?
  2. My OS locale was set to default region India and language was English -US - when it was not working with these combinations, I have changed my system OS region to US and then tried the steps mentioned in the issue description but no luck with this change.

Unable to disable the Brave-specific browser options via Group Policy settings from India region. The same thing is working fine for @MadhaviSeelam on Windows 11 x64

Please see the recorded file below:

https://drive.google.com/file/d/1mA7c-IUN0eBGukDMow8otXNbwC6d6dbO/view?usp=sharing

@mherrmann
Author

@GeetaSarvadnya the feature was implemented by @bsclifton. I think he will know more about this than me.

@bsclifton
Member

bsclifton commented Dec 16, 2024

@GeetaSarvadnya the templates are localized for those countries/locales - but usable in any. Unfortunately, none of the Brave strings are being localized. Only the standard Chromium templates are actually localized. For testing, you can always pick the en-US one.

I watched the video - thanks for capturing @GeetaSarvadnya. The file you opened looks correct and you set it properly.

We could look at the registry perhaps as a next step. Specifically, open regedit and at the top of the regedit tool, you should be able to paste in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave.

I'm curious if any values are being shown here. The best way to check policies being set (besides registry) is via brave://policy which you already did check

What version of Windows do you have? I'm curious if this is something like Pro edition lets someone do group policy but Home edition doesn't let you do group policy? 🤔 The actual UI worked fine for gpedit.msc so I don't think this is the problem.
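
The registry check suggested above, scripted so the stored values can be compared with what brave://policy shows. This is an added example, not Brave's own tooling; the baseline values and key path are copied from the .reg sample earlier in this thread, and the function name Test-BravePolicyBaseline is hypothetical.

```powershell
# Added example: audit the Brave policy key against an expected baseline.
# Baseline values mirror the .reg sample posted in this thread; adjust to your own policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave'
$Expected = [ordered]@{
    TorDisabled          = 1
    IPFSEnabled          = 0
    BraveRewardsDisabled = 1
    BraveWalletDisabled  = 1
    BraveVPNDisabled     = 1
    BraveAIChatEnabled   = 0
}

function Test-BravePolicyBaseline {
    param([string]$Key = $PolicyKey, [System.Collections.IDictionary]$Baseline = $Expected)

    if (-not (Test-Path -Path $Key)) {
        # The policy editor may accept a setting without anything landing here.
        Write-Warning "Policy key not present: $Key"
        return
    }
    $item = Get-Item -Path $Key
    foreach ($name in $Baseline.Keys) {
        $actual = $item.GetValue($name, $null)
        $kind = if ($null -ne $actual) { $item.GetValueKind($name) } else { $null }
        if ($null -eq $actual) { $status = 'Missing' }
        elseif ($kind -ne 'DWord') { $status = 'WrongType' }   # boolean policies are REG_DWORD
        elseif ($actual -ne $Baseline[$name]) { $status = 'Mismatch' }
        else { $status = 'OK' }
        [pscustomobject]@{ Policy = $name; Expected = $Baseline[$name]; Actual = $actual; Kind = $kind; Status = $status }
    }
    # List policies (Shields URL patterns) are stored as numbered values in subkeys.
    foreach ($list in 'BraveShieldsEnabledForUrls', 'BraveShieldsDisabledForUrls') {
        $sub = Join-Path $Key $list
        if (-not (Test-Path -Path $sub)) { continue }
        $k = Get-Item -Path $sub
        foreach ($n in $k.GetValueNames()) {
            [pscustomobject]@{ Policy = "$list\$n"; Expected = $null; Actual = $k.GetValue($n); Kind = $k.GetValueKind($n); Status = 'Listed' }
        }
    }
}

Test-BravePolicyBaseline | Format-Table -AutoSize
```

A warning about the missing key, or rows marked Missing, after applying a setting in gpedit.msc means the template did not write to the key Brave reads.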

@GeetaSarvadnya

@bsclifton: When I enable/disable Brave-specific browser options (e.g. VPN/Tor) via the gpedit.msc local policy editor, there is no registry entry shown via REGEDIT (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave); also, when I open brave://policy via browser, no policies are set.

But if I set policies via the REGEDIT (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave) path, the policies are working as expected. When I open the browser, the browser options are disabled and also the policies are shown as true via brave://policy
