Kerberos delegation server allowlist
Setting the policy assigns servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards, *, are allowed.
Leaving the policy unset means Google Chrome won't delegate user credentials, even if a server is detected as intranet.
Example value: foobar.example.com
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
Kerberos delegation server allowlist
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Google\ChromeOS |
| Value Name | AuthNegotiateDelegateAllowlist |
| Value Type | REG_SZ |
| Default Value |
chromeos.admx
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set the screen magnifier type on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set default state of the large cursor on the login screen
- Set default state of the on-screen keyboard on the login screen
- Set the default screen magnifier type enabled on the login screen
- Set the default state of high contrast mode on the login screen
- Set the default state of spoken feedback on the login screen
- Set the screen magnifier type on the login screen
- Android settings
- Borealis
- Certificate management settings
- Deprecated policies
- Device update settings
- Configure auto update expiration message for DeviceMinimumVersion policy
- Configure minimum allowed Chrome OS version for the device.
- Configure minimum allowed Chrome version for the device.
- Number of milestones rollback is allowed
- Provide users with Quick Fix Build
- Rollback to target version
- The staging schedule for applying a new update
- Update Time Restrictions
- Display
- Linux container
- Microsoft® Active Directory® management settings
- Network settings
- Other
- PluginVm
- Power management
- Battery charge mode
- Enable advanced battery charge mode
- Enable boot on AC (alternating current)
- Enable peak shift power management
- Set advanced battery charge mode day config
- Set battery charge custom start charging in percent
- Set battery charge custom stop charging in percent
- Set power peak shift battery threshold in percent
- Set power peak shift day config
- Printing
- Privacy screen settings
- Remote attestation
- Removed policies
- Sign-in settings
- Allow addition of Family Link accounts to the device
- Automatically select client certificates for these sites on the sign-in screen
- Configure the list of installed apps and extensions on the login screen
- Enable domain name autocomplete during user sign in
- Enable Site Isolation for specified origins
- Login user allow list
- SAML login authentication type
- Show numeric keyboard for password
- Wilco DTC
- Allow autoupdate downloads via HTTP
- Allow bluetooth on device
- Allow collection of system-wide performance trace
- Allow creation of new user accounts
- Allow debug network packet captures
- Allow device to receive LTS updates
- Allow Managed guest session to persist display properties
- Allow the device to request powerwash
- Allow users to redeem offers through Chrome OS Registration
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
- Automatically reboot after update
- Automatic reboot on device shutdown
- Auto update P2P enabled
- Auto update scatter factor
- Block developer mode
- Configures System-proxy service for Google Chrome OS.
- Configure the automatic timezone detection method
- Configure the list of installed apps on the login screen
- Connection types allowed for updates
- Determine the availability of variations on Google Chrome OS
- Device-level network configuration
- Device printers configuration access policy.
- Device sign-in screen keyboard layouts
- Device sign-in screen locale
- Device wallpaper image
- Disable Auto Update
- Disabled enterprise device printers
- Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode
- Duration of the idle log-out warning message
- Enable data roaming
- Enabled enterprise device printers
- Enable guest mode
- Enable metrics reporting
- Enable queries to Quirks Server for hardware profiles
- Enable Thunderbolt/USB4 peripheral data access
- Enterprise printer configuration file for devices
- Force device reboot when user sign out
- List of AppPack extensions
- Load specified urls on demo login
- Login user white list
- Off hours intervals when the specified device policies are released
- Only allow connection to the Bluetooth services in the list
- Power management on the login screen
- Reduce Managed-guest session auto-launch notifications
- Refresh rate for Device Policy
- Release channel
- Screen saver to be used on the sign-in screen in retail mode
- Set default display rotation, reapplied on every reboot
- Show usernames on login screen
- System wide flags to be applied on Google Chrome start-up
- Target Auto Update Version
- Timeout until idle user log-out is executed
- Timezone
- Use 24 hour clock by default
- Users may configure the Chrome OS release channel
- Whitelist of USB detachable devices
- Wipe user data on sign-out
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Content settings
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Home page
- New Tab Page
- Other
- Password manager
- Printing
- Quick unlock
- Removed policies
- Safe Browsing settings
- Startup pages
- Allow default search provider context menu search access
- Allow download restrictions
- Block third party cookies
- Control shelf auto-hiding
- Control the shelf position
- Enable alternate error pages
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable or disable spell checking web service
- Enable Safe Browsing
- Enable search suggestions
- Enable Translate
- List of pinned apps to show in the launcher
- Printer configuration access policy.
- Select task scheduler configuration
- Set default download directory
- Set download directory
- Set the recommended locales for a managed session
- Show Full URLs
- Show Home button on toolbar
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable or disable various features on the on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enables the floating accessibility menu
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Android settings
- Borealis
- Certificate management settings
- Content settings
- Allow access to sensors on these sites
- Allow cookies on these sites
- Allow images on these sites
- Allow insecure content on these sites
- Allow JavaScript on these sites
- Allow JavaScript to use JIT on these sites
- Allow key generation on these sites
- Allow notifications on these sites
- Allow popups on these sites
- Allow read access via the File System API on these sites
- Allow the File Handling API on these web apps
- Allow the Flash plugin on these sites
- Allow the Serial API on these sites
- Allow WebUSB on these sites
- Allow write access to files and directories on these sites
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
- Automatically select client certificates for these sites
- Block access to sensors on these sites
- Block cookies on these sites
- Block images on these sites
- Block insecure content on these sites
- Block JavaScript from using JIT on these sites
- Block JavaScript on these sites
- Block key generation on these sites
- Block notifications on these sites
- Block popups on these sites
- Block read access via the File System API on these sites
- Block the File Handling API on these web apps
- Block the Flash plugin on these sites
- Block the Serial API on these sites
- Block WebUSB on these sites
- Block write access to files and directories on these sites
- Control use of insecure content exceptions
- Control use of JavaScript JIT
- Control use of the File Handling API
- Control use of the File System API for reading
- Control use of the File System API for writing
- Control use of the Serial API
- Control use of the Web Bluetooth API
- Control use of the WebUSB API
- Default cookies setting
- Default Flash setting
- Default geolocation setting
- Default images setting
- Default JavaScript setting
- Default key generation setting
- Default legacy SameSite cookie behavior setting
- Default notification setting
- Default popups setting
- Default sensors setting
- Limit cookies from matching URLs to the current session
- Revert to legacy SameSite behavior for cookies on these sites
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider instant URL
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter controlling search term placement for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for instant URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Action to take when the idle delay is reached
- Action to take when the idle delay is reached while running on AC power
- Action to take when the idle delay is reached while running on battery power
- Allow access to native CUPS printers
- Allow insecure algorithms in integrity checks on extension updates and installs
- Allow sites to simultaneously navigate and open pop-ups
- Allow users to show passwords in Password Manager (deprecated)
- Choose how to specify proxy server settings
- Clear site data on browser shutdown (deprecated)
- Configure the required domain name for remote access clients
- Configure the required domain name for remote access hosts
- Control the User-Agent Client Hints feature.
- Default mediastream setting
- Disable SPDY protocol
- Disable URL protocol schemes
- Enable DHE cipher suites in TLS
- Enable firewall traversal from remote access client
- Enable Incognito mode
- Enable Instant
- Enable JavaScript
- Enable network prediction
- Enable RC4 cipher suites in TLS
- Enterprise web store name (deprecated)
- Enterprise web store URL (deprecated)
- Force SafeSearch
- Force YouTube Safety Mode
- Idle delay when running on AC power
- Idle delay when running on battery power
- Idle warning delay when running on AC power
- Idle warning delay when running on battery power
- Minimum TLS version to fallback to
- Percentage by which to scale the idle delay in presentation mode (deprecated)
- Prevent app promotions from appearing on the new tab page
- Screen dim delay when running on AC power
- Screen dim delay when running on battery power
- Screen lock delay when running on AC power
- Screen lock delay when running on battery power
- Screen off delay when running on AC power
- Screen off delay when running on battery power
- Specify a list of disabled plugins
- Specify a list of enabled plugins
- Specify a list of plugins that the user can enable or disable
- Use a default referrer policy of no-referrer-when-downgrade.
- Extensions
- Configure allowed app/extension types
- Configure extension, app, and user script install sources
- Configure extension installation allow list
- Configure extension installation blacklist
- Configure extension installation blocklist
- Configure extension installation whitelist
- Configure the list of force-installed apps and extensions
- Extension management settings
- Gaia user identity management settings
- Google Assistant
- Google Cast
- Google Drive
- Home page
- HTTP authentication
- Allow Basic authentication for HTTP
- Allow reusing the Google Chrome OS login credentials for network authentication
- Authentication server allowlist
- Authentication server whitelist
- Cross-origin HTTP Authentication prompts
- Disable CNAME lookup when negotiating Kerberos authentication
- Enable NTLMv2 authentication.
- Include non-standard port in Kerberos SPN
- Kerberos delegation server allowlist
- Kerberos delegation server whitelist
- Supported authentication schemes
- Use KDC policy to delegate credentials.
- Linux container
- New Tab Page
- Other
- Parental supervision settings
- Password manager
- PluginVm
- Power management
- Action to take when the user closes the lid
- Allow screen wake locks
- Allow wake locks
- Enable smart dim model to extend the time until the screen is dimmed
- Percentage by which to scale the screen dim delay if the user becomes active after dimming
- Percentage by which to scale the screen dim delay in presentation mode
- Power management settings when the user becomes idle
- Screen brightness percent
- Screen lock delays
- Specify whether audio activity affects power management
- Specify whether video activity affects power management
- Wait for initial user activity
- Printing
- Allow access to CUPS printers
- Allow print job history to be deleted
- Configures a list of printers
- Default background graphics printing mode
- Default PIN printing mode
- Default printing color mode
- Default printing duplex mode
- Default printing page size
- Disabled enterprise printers
- Disable printer types on the deny list
- Enabled enterprise printers
- Enabled external print servers
- Enabled external print servers
- Enterprise printer configuration file
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- External print servers
- Maximal number of sheets allowed to use for a single print job
- Printer configuration access policy.
- Restrict background graphics printing mode
- Restrict PIN printing mode
- Restrict printing color mode
- Restrict printing duplex mode
- Send username and filename to native printers
- Set the time period in days for storing print jobs metadata
- Privacy screen settings
- Proxy server
- Quick unlock
- Configure allowed quick unlock modes
- Configure allowed quick unlock modes
- Enable PIN auto-submit feature on the lock and login screen.
- Enable users to set weak PINs for the lock screen PIN
- Set how often user has to enter password to use quick unlock
- Set the maximum length of the lock screen PIN
- Set the minimum length of the lock screen PIN
- Remote access
- Allow gnubby authentication for remote access hosts
- Client certificate for connecting to RemoteAccessHostTokenValidationUrl
- Configure the required domain names for remote access clients
- Configure the required domain names for remote access hosts
- Configure the TalkGadget prefix for remote access hosts
- Enable curtaining of remote access hosts
- Enable firewall traversal from remote access host
- Enable or disable PIN-less authentication for remote access hosts
- Enable the use of relay servers by the remote access host
- Policy overrides for Debug builds of the remote access host
- Require that the name of the local user and the remote access host owner match
- Restrict the UDP port range used by the remote access host
- URL for validating remote access client authentication token
- URL where remote access clients should obtain their authentication token
- Remote attestation
- Removed policies
- Safe Browsing settings
- Configure the change password URL.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords.
- Enable Safe Browsing Extended Reporting
- Password protection warning trigger
- Safe Browsing Protection Level
- Startup pages
- Abusive Experience Intervention Enforce
- Action on security token removal (e.g., smart card) for Google Chrome OS.
- Add a logout button to the system tray
- Ads setting for sites with intrusive ads
- Allow access to a list of URLs
- Allow access to a list of URLs
- Allow background tabs freeze
- Allow certificates issued by local trust anchors without subjectAlternativeName extension
- Allow collection of WebRTC event logs from Google services
- Allow default search provider context menu search access
- Allow Dinosaur Easter Egg Game
- Allow DNS queries for additional DNS record types
- Allow download restrictions
- Allow fullscreen mode
- Allow Google Cast to connect to Cast devices on all IP addresses.
- Allow Instant Tethering to be used.
- Allow legacy TLS/DTLS downgrade in WebRTC
- Allow managed session on device
- Allow media autoplay
- Allow media autoplay on a allowlist of URL patterns
- Allow media autoplay on a whitelist of URL patterns
- Allow merging dictionary policies from different sources
- Allow merging list policies from different sources
- Allow or deny audio capture
- Allow or deny screen capture
- Allow or deny video capture
- Allow origins to query for device attributes
- Allow Phone Hub notifications to be enabled.
- Allow Phone Hub task continuation to be enabled.
- Allow Phone Hub to be enabled.
- Allow playing audio
- Allow proceeding from the SSL warning page
- Allow proceeding from the SSL warning page on specific origins
- Allow QUIC protocol
- Allow remote debugging
- Allow running plugins that are outdated
- Allows a page to perform synchronous XHR requests during page dismissal.
- Allows a page to show popups during its unloading
- Allow SHA-1 signed certificates issued by local trust anchors
- Allow Sign-in To Additional Google Accounts
- Allow Smart Lock Signin to be used.
- Allow Smart Lock to be used
- Allow SMS Messages to be synced from phone to Chromebook.
- Allows the AppCache feature to be re-enabled even if it is off by default.
- Allows users to play media when the device is locked
- Allow the listed sites to make requests to more-private network endpoints from insecure contexts.
- Allow the user to manage VPN connections
- Allow usage of Lacros
- Allow user feedback
- Allow users to create and use secondary profiles, and use guest mode in the Lacros browser
- Allow users to customize the background on the New Tab page
- Allow users to manage installed CA certificates.
- Allow users to manage installed client certificates.
- Allow users to opt in to Safe Browsing extended reporting
- Allow websites to query for available payment methods.
- Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone.
- Always runs plugins that require authorization (deprecated)
- Ask where to save each file before downloading
- Block access to a list of URLs
- Block access to a list of URLs
- Block third party cookies
- Browser experiments icon in toolbar
- Browsing Data Lifetime Settings
- Captive portal authentication ignores proxy
- CECPQ2 post-quantum key-agreement enabled for TLS
- Clear Browsing Data on Exit
- Configure ARC
- Configure list of force-installed Web Apps
- Configure the allowed input methods in a user session
- Configure the allowed languages in a user session
- Configure the camera, browser settings, os settings, scanning, web store, canvas, Google news and explore features to be disabled
- Control SafeSites adult content filtering.
- Control shelf auto-hiding
- Controls the mode of DNS-over-HTTPS
- Control the IntensiveWakeUpThrottling feature.
- Control the shelf position
- Control the user behavior in a multiprofile session
- Control use of the Headless Mode
- Control where Developer Tools can be used
- Default printer selection rules
- Define domains allowed to access Google Workspace
- Determines whether the built-in certificate verifier will be used to verify server certificates
- Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
- Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
- Disable Certificate Transparency enforcement for a list of URLs
- Disabled enterprise printers
- Disable Developer Tools
- Disable mounting of external storage
- Disable proceeding from the Safe Browsing warning page
- Disable saving browser history
- Disable support for 3D graphics APIs
- Disable synchronization of data with Google
- Disable taking screenshots
- Disable TLS False Start
- Display the logout confirmation dialog
- DNS interception checks enabled
- Do not set window.opener for links targeting _blank
- Duration of the notification on smart card removal for Google Chrome OS.
- Enable 3DES cipher suites in TLS
- Enable additional protections for users enrolled in the Advanced Protection program
- Enable alternate error pages
- Enable Ambient Authentication for profile types.
- Enable Android Backup Service
- Enable Android Google Location Service
- Enable ARC
- Enable a TLS 1.3 security feature for local trust anchors.
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable chrome://devices
- Enable component updates in Google Chrome
- Enable CORS check mitigations in the new CORS implementation
- Enable data leak prevention reporting
- Enable deleting browser and download history
- Enabled enterprise printers
- Enable deprecated privet printing
- Enable deprecated web platform features for a limited time
- Enable displaying Sync Consent during sign-in
- Enable Emoji Suggestion
- Enable ending processes in Task Manager
- Enable fullscreen alert
- Enable Get Image Descriptions from Google.
- Enable globally scoped HTTP auth cache
- Enable HTTP/0.9 support on non-default ports
- Enable lock icon in the omnibox for secure connections
- Enable lock when the device become idle or suspended
- Enable Media Recommendations
- Enable network prediction
- Enable online OCSP/CRL checks
- Enable or disable bookmark editing
- Enable or disable spell checking web service
- Enable PAC URL stripping (for https://)
- Enable PDF Annotations
- Enable printing
- Enable Safe Browsing
- Enable scrolling to text specified in URL fragments
- Enable search suggestions
- Enables experimental policies
- Enable Signed HTTP Exchange (SXG) support
- Enable Site Isolation for every site
- Enable Site Isolation for specified origins
- Enables managed extensions to use the Enterprise Hardware Platform API
- Enable spellcheck
- Enables the concept of policy atomic groups
- Enable stricter treatment for mixed content
- Enable the Click to Call Feature
- Enable Translate
- Enable URL-keyed anonymized data collection
- Enable virtual keyboard
- Enable warnings for insecure forms
- Enable WPAD optimization
- Enterprise printer configuration file
- Explicitly allowed network ports
- Extend Flash content setting to all content (deprecated)
- Force disable spellcheck languages
- Force disable spellcheck languages
- Force enable spellcheck languages
- Force Google SafeSearch
- Force minimum YouTube Restricted Mode
- Hide the web store from the New Tab Page and app launcher
- Incognito mode availability
- Intranet Redirection Behavior
- Key Permissions
- Limit the length of a user session
- Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen
- Limit the time for which a user authenticated via SAML can log in offline at the lock screen
- Limit the time for which a user authenticated via SAML can log in offline
- List of file types that should be automatically opened on download
- List of names that will bypass the HSTS policy check
- List of pinned apps to show in the launcher
- List of types that should be excluded from synchronization
- Make the Lacros browser available
- Make Unified Desktop available and turn on by default
- Managed Bookmarks
- Maximize the first browser window on first run
- Maximum fetch delay after a policy invalidation
- Maximum SSL version enabled
- Migration strategy for ecryptfs
- Minimum SSL version enabled
- Native Printing
- Notify a user that a browser relaunch or device restart is recommended or required
- Origins or hostname patterns for which restrictions on insecure origins should not apply
- Permit locking the screen
- Printer configuration access policy.
- Proxy settings
- Re-enable Web Components v0 API until M84.
- Refresh rate for user policy
- Require online OCSP/CRL checks for local trust anchors
- Restrict the range of local UDP ports used by WebRTC
- Select task scheduler configuration
- Set certificate availability for ARC-apps
- Set download directory
- Set minimal size limit for data leak prevention clipboard restriction
- Sets a list of data leak prevention rules.
- Sets managed configuration values to websites to specific origins
- Set the display name for device-local accounts
- Set the recommended locales for a managed session
- Set the Terms of Service for a device-local account
- Set the time interval for relaunch
- Set the time of the first user relaunch notification
- Set the time period for update notifications
- Set the user experience of disabled features
- Show cards on the New Tab Page
- Show Full URLs
- Show Home button on toolbar
- Show the display password button on the login and lock screen
- Specifies whether to allow insecure websites to make requests to more-private network endpoints
- Specify URI template of desired DNS-over-HTTPS resolver
- Specify VM CLI permission
- Specify whether the plugin finder should be disabled (deprecated)
- Suppress JavaScript Dialogs triggered from different origin subframes
- Suppress launching of browser window
- Suppress lookalike domain warnings on domains
- Suppress the unsupported OS warning
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- The IP handling policy of WebRTC
- The list of note-taking apps allowed on the Google Chrome OS lock screen
- Treat external storage devices as read-only
- URLs/domains automatically permitted direct Security Key attestation
- URLs for which local IPs are exposed in WebRTC ICE candidates
- URLs that will be granted access to audio capture devices without prompt
- URLs that will be granted access to video capture devices without prompt
- URLs where AutoOpenFileTypes can apply
- Use built-in DNS client
- User-level network configuration
- User avatar image
- Use the legacy CORS implementation rather than new CORS
- Wallpaper image
- Whitelist note-taking apps allowed on the Google Chrome OS lock screen
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)