URLs/domains automatically permitted direct Security Key attestation
Specifies URLs and domains for which no prompt will be shown when attestation certificates from Security Keys are requested. Additionally, a signal will be sent to the Security Key indicating that individual attestation may be used. Without this, users will be prompted in Chrome 65+ when sites request attestation of Security Keys.
URLs (like https://example.com/some/path) will only match as U2F appIDs. Domains (like example.com) only match as webauthn RP IDs. Thus, to cover both U2F and webauthn APIs for a given site, both the appID URL and domain would need to be listed.
Example value:
https://example.com
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
URLs/domains automatically permitted direct Security Key attestation
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Google\ChromeOS\SecurityKeyPermitAttestation |
| Value Name | {number} |
| Value Type | REG_SZ |
| Default Value |
chromeos.admx
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set the screen magnifier type on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set default state of the large cursor on the login screen
- Set default state of the on-screen keyboard on the login screen
- Set the default screen magnifier type enabled on the login screen
- Set the default state of high contrast mode on the login screen
- Set the default state of spoken feedback on the login screen
- Set the screen magnifier type on the login screen
- Android settings
- Deprecated policies
- Device update settings
- Display
- Linux container
- Microsoft® Active Directory® management settings
- Network settings
- Other
- PluginVm
- Power management
- Battery charge mode
- Enable advanced battery charge mode
- Enable boot on AC (alternating current)
- Enable peak shift power management
- Set advanced battery charge mode day config
- Set battery charge custom start charging in percent
- Set battery charge custom stop charging in percent
- Set power peak shift battery threshold in percent
- Set power peak shift day config
- Remote attestation
- Sign-in settings
- Wilco DTC
- Allow autoupdate downloads via HTTP
- Allow bluetooth on device
- Allow creation of new user accounts
- Allow the device to request powerwash
- Allow users to redeem offers through Chrome OS Registration
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
- Automatically reboot after update
- Automatic reboot on device shutdown
- Auto update p2p enabled
- Auto update scatter factor
- Block developer mode
- Configure the automatic timezone detection method
- Configure the list of installed apps on the login screen
- Connection types allowed for updates
- Device-level network configuration
- Device printers configuration access policy.
- Device sign-in screen keyboard layouts
- Device sign-in screen locale
- Device wallpaper image
- Disable Auto Update
- Disabled enterprise device printers
- Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode
- Duration of the idle log-out warning message
- Enable data roaming
- Enabled enterprise device printers
- Enable guest mode
- Enable metrics reporting
- Enable queries to Quirks Server for hardware profiles
- Enterprise printer configuration file for devices
- Force device reboot when user sign out
- List of AppPack extensions
- Load specified urls on demo login
- Login user white list
- Off hours intervals when the specified device policies are released
- Power management on the login screen
- Refresh rate for Device Policy
- Release channel
- Screen saver to be used on the sign-in screen in retail mode
- Set default display rotation, reapplied on every reboot
- Show usernames on login screen
- System wide flags to be applied on Google Chrome start-up
- Target Auto Update Version
- Timeout until idle user log-out is executed
- Timezone
- Use 24 hour clock by default
- Users may configure the Chrome OS release channel
- Whitelist of USB detachable devices
- Wipe user data on sign-out
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Content settings
- Deprecated policies
- Home page
- New Tab Page
- Password manager
- Printing
- Startup pages
- Allow download restrictions
- Block third party cookies
- Control shelf auto-hiding
- Control the shelf position
- Enable alternate error pages
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable or disable spell checking web service
- Enable Safe Browsing
- Enable search suggestions
- Enable Translate
- List of pinned apps to show in the launcher
- Printer configuration access policy.
- Select task scheduler configuration
- Set default download directory
- Set download directory
- Set the recommended locales for a managed session
- Show Home button on toolbar
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Android settings
- Content settings
- Allow cookies on these sites
- Allow images on these sites
- Allow insecure content on these sites
- Allow JavaScript on these sites
- Allow key generation on these sites
- Allow notifications on these sites
- Allow popups on these sites
- Allow the Flash plugin on these sites
- Allow WebUSB on these sites
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
- Automatically select client certificates for these sites
- Block cookies on these sites
- Block images on these sites
- Block insecure content on these sites
- Block JavaScript on these sites
- Block key generation on these sites
- Block notifications on these sites
- Block popups on these sites
- Block the Flash plugin on these sites
- Block WebUSB on these sites
- Control use of insecure content exceptions
- Control use of the Web Bluetooth API
- Control use of the WebUSB API
- Default cookies setting
- Default Flash setting
- Default geolocation setting
- Default images setting
- Default JavaScript setting
- Default key generation setting
- Default legacy SameSite cookie behavior setting
- Default notification setting
- Default popups setting
- Limit cookies from matching URLs to the current session
- Revert to legacy SameSite behavior for cookies on these sites
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider instant URL
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter controlling search term placement for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for instant URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Action to take when the idle delay is reached
- Action to take when the idle delay is reached while running on AC power
- Action to take when the idle delay is reached while running on battery power
- Allow insecure algorithms in integrity checks on extension updates and installs
- Allow sites to simultaneously navigate and open pop-ups
- Allow users to show passwords in Password Manager (deprecated)
- Choose how to specify proxy server settings
- Clear site data on browser shutdown (deprecated)
- Configure the required domain name for remote access clients
- Configure the required domain name for remote access hosts
- Default mediastream setting
- Disable SPDY protocol
- Disable URL protocol schemes
- Enable DHE cipher suites in TLS
- Enable firewall traversal from remote access client
- Enable Incognito mode
- Enable Instant
- Enable JavaScript
- Enable network prediction
- Enable RC4 cipher suites in TLS
- Enterprise web store name (deprecated)
- Enterprise web store URL (deprecated)
- Force SafeSearch
- Force YouTube Safety Mode
- Idle delay when running on AC power
- Idle delay when running on battery power
- Idle warning delay when running on AC power
- Idle warning delay when running on battery power
- Minimum TLS version to fallback to
- Percentage by which to scale the idle delay in presentation mode (deprecated)
- Prevent app promotions from appearing on the new tab page
- Screen dim delay when running on AC power
- Screen dim delay when running on battery power
- Screen lock delay when running on AC power
- Screen lock delay when running on battery power
- Screen off delay when running on AC power
- Screen off delay when running on battery power
- Specify a list of disabled plugins
- Specify a list of enabled plugins
- Specify a list of plugins that the user can enable or disable
- Use a default referrer policy of no-referrer-when-downgrade.
- Extensions
- Google Assistant
- Google Cast
- Google Drive
- Home page
- HTTP authentication
- Authentication server whitelist
- Cross-origin HTTP Basic Auth prompts
- Disable CNAME lookup when negotiating Kerberos authentication
- Enable NTLMv2 authentication.
- Include non-standard port in Kerberos SPN
- Kerberos delegation server whitelist
- Supported authentication schemes
- Use KDC policy to delegate credentials.
- Linux container
- New Tab Page
- Parental supervision settings
- Password manager
- PluginVm
- Power management
- Action to take when the user closes the lid
- Allow screen wake locks
- Allow wake locks
- Enable smart dim model to extend the time until the screen is dimmed
- Percentage by which to scale the screen dim delay if the user becomes active after dimming
- Percentage by which to scale the screen dim delay in presentation mode
- Power management settings when the user becomes idle
- Screen brightness percent
- Screen lock delays
- Specify whether audio activity affects power management
- Specify whether video activity affects power management
- Wait for initial user activity
- Printing
- Default background graphics printing mode
- Default printing color mode
- Default printing duplex mode
- Disable printer types on the deny list
- Enabled external print servers
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- External print servers
- Restrict background graphics printing mode
- Restrict printing color mode
- Restrict printing duplex mode
- Send username and filename to native printers
- Set the time period in days for storing print jobs metadata
- Proxy server
- Quick unlock
- Remote access
- Allow gnubby authentication for remote access hosts
- Client certificate for connecting to RemoteAccessHostTokenValidationUrl
- Configure the required domain names for remote access clients
- Configure the required domain names for remote access hosts
- Configure the TalkGadget prefix for remote access hosts
- Enable curtaining of remote access hosts
- Enable firewall traversal from remote access host
- Enable or disable PIN-less authentication for remote access hosts
- Enable the use of relay servers by the remote access host
- Policy overrides for Debug builds of the remote access host
- Require that the name of the local user and the remote access host owner match
- Restrict the UDP port range used by the remote access host
- URL for validating remote access client authentication token
- URL where remote access clients should obtain their authentication token
- Remote attestation
- Safe Browsing settings
- Configure the change password URL.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
- Enable Safe Browsing Extended Reporting
- Password protection warning trigger
- Startup pages
- Abusive Experience Intervention Enforce
- Add a logout button to the system tray
- Ads setting for sites with intrusive ads
- Allow access to a list of URLs
- Allow background tabs freeze
- Allow certificates issued by local trust anchors without subjectAlternativeName extension
- Allow collection of WebRTC event logs from Google services
- Allow Dinosaur Easter Egg Game
- Allow download restrictions
- Allow fullscreen mode
- Allow Google Cast to connect to Cast devices on all IP addresses.
- Allow Instant Tethering to be used.
- Allow managed session on device
- Allow media autoplay
- Allow media autoplay on a whitelist of URL patterns
- Allow merging dictionary policies from different sources
- Allow merging list policies from different sources
- Allow or deny audio capture
- Allow or deny screen capture
- Allow or deny video capture
- Allow playing audio
- Allow proceeding from the SSL warning page
- Allow QUIC protocol
- Allow running plugins that are outdated
- Allows a page to perform synchronous XHR requests during page dismissal.
- Allows a page to show popups during its unloading
- Allow Sign-in To Additional Google Accounts
- Allow Smart Lock Signin to be used.
- Allow Smart Lock to be used
- Allow SMS Messages to be synced from phone to Chromebook.
- Allows users to play media when the device is locked
- Allow the user to manage VPN connections
- Allow user feedback
- Allow users to customize the background on the New Tab page
- Allow users to manage installed CA certificates.
- Allow users to manage installed client certificates.
- Allow users to opt in to Safe Browsing extended reporting
- Allow websites to query for available payment methods.
- Always runs plugins that require authorization (deprecated)
- Ask where to save each file before downloading
- Block access to a list of URLs
- Block third party cookies
- Captive portal authentication ignores proxy
- Configure ARC
- Configure list of force-installed Web Apps
- Configure the allowed input methods in a user session
- Configure the allowed languages in a user session
- Control SafeSites adult content filtering.
- Control shelf auto-hiding
- Control the shelf position
- Control the user behavior in a multiprofile session
- Control where Developer Tools can be used
- Default printer selection rules
- Define domains allowed to access G Suite
- Determines whether the built-in certificate verifier will be used to verify server certificates
- Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
- Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
- Disable Certificate Transparency enforcement for a list of URLs
- Disabled enterprise printers
- Disable Developer Tools
- Disable mounting of external storage
- Disable proceeding from the Safe Browsing warning page
- Disable saving browser history
- Disable support for 3D graphics APIs
- Disable synchronization of data with Google
- Disable taking screenshots
- Disable TLS False Start
- DNS interception checks enabled
- Enable alternate error pages
- Enable Ambient Authentication for profile types.
- Enable Android Backup Service
- Enable Android Google Location Service
- Enable ARC
- Enable a TLS 1.3 security feature for local trust anchors.
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable chrome://devices
- Enable component updates in Google Chrome
- Enable CORS check mitigations in the new CORS implementation
- Enable deleting browser and download history
- Enabled enterprise printers
- Enable deprecated web platform features for a limited time
- Enable displaying Sync Consent during sign-in
- Enable ending processes in Task Manager
- Enable globally scoped HTTP auth cache
- Enable HTTP/0.9 support on non-default ports
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable online OCSP/CRL checks
- Enable or disable bookmark editing
- Enable or disable spell checking web service
- Enable PAC URL stripping (for https://)
- Enable printing
- Enable Safe Browsing
- Enable search suggestions
- Enable Signed HTTP Exchange (SXG) support
- Enable Site Isolation for every site
- Enable Site Isolation for specified origins
- Enables managed extensions to use the Enterprise Hardware Platform API
- Enable spellcheck
- Enables the concept of policy atomic groups
- Enable stricter treatment for mixed content
- Enable the Click to Call Feature
- Enable Translate
- Enable URL-keyed anonymized data collection
- Enable virtual keyboard
- Enable WPAD optimization
- Enterprise printer configuration file
- Extend Flash content setting to all content
- Force disable spellcheck languages
- Force enable spellcheck languages
- Force Google SafeSearch
- Force minimum YouTube Restricted Mode
- Hide the web store from the New Tab Page and app launcher
- Incognito mode availability
- Key Permissions
- Limit the length of a user session
- Limit the time for which a user authenticated via SAML can log in offline
- List of names that will bypass the HSTS policy check
- List of pinned apps to show in the launcher
- List of types that should be excluded from synchronization
- Make Unified Desktop available and turn on by default
- Managed Bookmarks
- Maximize the first browser window on first run
- Maximum fetch delay after a policy invalidation
- Maximum SSL version enabled
- Migration strategy for ecryptfs
- Minimum SSL version enabled
- Native Printing
- Notify a user that a browser relaunch or device restart is recommended or required
- Origins or hostname patterns for which restrictions on insecure origins should not apply
- Permit locking the screen
- Printer configuration access policy.
- Proxy settings
- Re-enable Web Components v0 API until M84.
- Refresh rate for user policy
- Require online OCSP/CRL checks for local trust anchors
- Restrict the range of local UDP ports used by WebRTC
- Select task scheduler configuration
- Set certificate availability for ARC-apps
- Set download directory
- Set the display name for device-local accounts
- Set the recommended locales for a managed session
- Set the Terms of Service for a device-local account
- Set the time of the first user relaunch notification
- Set the time period for update notifications
- Show Home button on toolbar
- Specify whether the plugin finder should be disabled (deprecated)
- Suppress launching of browser window
- Suppress the unsupported OS warning
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Treat external storage devices as read-only
- URLs/domains automatically permitted direct Security Key attestation
- URLs for which local IPs are exposed in WebRTC ICE candidates
- URLs that will be granted access to audio capture devices without prompt
- URLs that will be granted access to video capture devices without prompt
- User-level network configuration
- User avatar image
- Use the legacy CORS implementation rather than new CORS
- Wallpaper image
- Whether SHA-1 signed certificates issued by local trust anchors are allowed
- Whitelist note-taking apps allowed on the Google Chrome OS lock screen
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)