Deploy CleanBrowsing via Microsoft Intune

Push the CleanBrowsing Windows app to any number of managed devices silently — no user interaction required. Pre-configure the DNS filter, PIN lock, browser hardening, and more from your Intune deployment policy.

Download v1.7.6 View MSP Pricing

How Silent Install Works

The CleanBrowsing Windows installer is built with Inno Setup and supports fully silent deployment via command-line parameters. When you push the installer through Intune (or any RMM tool), you pass parameters alongside the standard /VERYSILENT flag.

On the first launch after installation, the app reads a provisioning file written by the installer and automatically applies your configuration — the correct DNS filter, PIN lock, browser hardening, and any management restrictions. The provisioning file is deleted immediately after it is applied, leaving no sensitive data on disk.

What Gets Applied

  • DNS Filter — Activates the custom filter tied to your CleanBrowsing account. The correct DNS stamp is retrieved automatically using your profile code.
  • PIN Lock — Prevents end users from changing filter settings or accessing the Settings page without the PIN you specify.
  • Uninstall Protection — Removes the app from Programs & Features and hides the Control Panel uninstall shortcut so users cannot remove it.
  • Network Settings Block — Hides Network & Sharing Center, Internet Options, and the Windows 11 network settings pages so users cannot change DNS manually.
  • Browser Hardening — Forces Chrome, Edge, Brave, and Firefox to use system DNS, disabling built-in DoH overrides that would bypass filtering.
  • Update Suppression — Disables the in-app updater so you control when new versions are pushed via Intune.
Requirements: Windows 10 (64-bit) or Windows 11. A paid CleanBrowsing account with a profile code. Microsoft Intune or any MDM/RMM that supports Win32 app deployment.

Minimum version required: v1.7.5. All silent install parameters documented on this page require v1.7.5 or later. Do not use an older installer — earlier versions do not support these parameters and will ignore them silently. Always download the latest installer from the link above.

Installation Parameters

All parameters are passed after the standard Inno Setup silent flags. Parameters are optional — only include what you want applied. Omitting a parameter leaves that setting at its default (unchanged).

Standard Flags (always include)

FlagDescription
/VERYSILENTSuppresses all installer dialogs and progress windows. Required for unattended deployment.
/SUPPRESSMSGBOXESSuppresses any message boxes that would otherwise require user interaction.
/NORESTARTPrevents the installer from rebooting the machine after install.

Provisioning Parameters

ParameterValuesDescription
/account= Your profile code Activates the custom DNS filter for your CleanBrowsing account. The installer calls the CleanBrowsing API to retrieve the correct DNS stamp for the device using this profile code.
/pin= Numeric PIN Sets the PIN code that end users must enter to change settings. Use this to prevent users from disabling filtering or modifying the filter level.
/protect=1 0 or 1 Enables uninstall protection. Removes the app from Programs & Features so users cannot uninstall it through standard Windows interfaces.
/blocknet=1 0 or 1 Hides network settings pages (Network & Sharing Center, Internet Options, Windows 11 network settings) so users cannot change DNS manually.
/harden=1 0 or 1 Enables browser hardening for Chrome, Edge, Brave, and Firefox. Forces browsers to use system DNS instead of built-in DoH, which would otherwise bypass CleanBrowsing.
/noupdate=1 0 or 1 Suppresses the in-app update checker. Use this when you manage updates through Intune so users are not prompted to install new versions independently.
/reset=1 0 or 1 Emergency undo. Reverses all provisioning flags (restores uninstall access, re-enables network settings, clears browser policy). Cannot be used together with provisioning parameters — see Emergency Reset below.

Deploying via Microsoft Intune

The CleanBrowsing installer is a standard .exe file. Intune deploys it as a Win32 app using the Intune Win32 Content Prep Tool to wrap it into a .intunewin package.

Step 1 — Prepare the Package

  1. Download the latest installer: CleanBrowsingClient_1.7.6_x64.exe
  2. Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe).
  3. Run the prep tool to wrap the installer: 
    IntuneWinAppUtil.exe -c C:\deploy\ -s CleanBrowsingClient_1.7.6_x64.exe -o C:\deploy\output\
  4. This produces CleanBrowsingClient_1.7.6_x64.intunewin in your output folder.

Step 2 — Create the Win32 App in Intune

  1. In the Microsoft Intune admin center, go to Apps → All apps → Add.
  2. Select App type: Windows app (Win32) and click Select.
  3. Upload the .intunewin file you created in Step 1.
  4. Fill in app information:
    • Name: CleanBrowsing DNS Filter
    • Publisher: CleanBrowsing
    • Version: 1.7.6

Step 3 — Set the Install Command

Enter your install command with the parameters you need. Example for a full MSP deployment:

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=1234 /protect=1 /blocknet=1 /harden=1 /noupdate=1

Replace YOUR_PROFILE_CODE with your CleanBrowsing profile code (found in your account dashboard) and 1234 with your chosen PIN.

Step 4 — Set the Uninstall Command

If you did not use /protect=1, Intune can uninstall using the standard Inno Setup uninstall string. Use the Emergency Reset procedure instead for protected deployments. 

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /reset=1

Step 5 — Detection Rules

Set a detection rule so Intune knows when the app is installed:

  • Rule type: File
  • Path: %ProgramFiles%\CleanBrowsingClient
  • File or folder: CleanBrowsingClient.exe
  • Detection method: File or folder exists

Step 6 — Assign to Groups

Assign the app to your target device groups under Assignments. Set the assignment type to Required to force installation without user interaction.

Common Deployment Examples

Minimal — Filter Only

Sets the custom DNS filter for your account. No lockdown, no PIN. Suitable for trusted staff devices where you want filtering without restrictions.

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE

Standard MSP — Filter + PIN

Activates filtering and sets a PIN so users cannot change settings. No uninstall protection — users can still remove the app if they want.

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=5678

Full Lockdown — All Restrictions

Maximum enforcement. Activates filtering, locks settings with a PIN, prevents uninstall, blocks DNS bypass via browser or network settings, and disables independent updates.

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=5678 /protect=1 /blocknet=1 /harden=1 /noupdate=1

School or Library — CIPA Compliant

Designed for school environments where students should have no ability to disable filtering. Combine with the Family filter (set via account) for full CIPA coverage.

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=ADMIN_PIN /protect=1 /blocknet=1 /harden=1 /noupdate=1

Emergency Reset

If you need to undo all provisioning — for example, if you need to reconfigure a fleet, transfer devices, or respond to a misconfiguration — you can push a reset through Intune using the /reset=1 parameter.

Important: If /protect=1 was applied, the standard Windows uninstall path no longer works for those devices. Use the reset procedure below first, then uninstall if needed.

Reset Command

Re-push the installer to the affected devices with /reset=1. The /reset=1 parameter is mutually exclusive with all provisioning parameters — do not combine them.

CleanBrowsingClient_1.7.6_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /reset=1

What Reset Does

  • Restores uninstall access (removes NoRemove / NoModify registry flags)
  • Re-enables network settings pages (removes SettingsPageVisibility policy)
  • Re-enables Programs & Features / Control Panel uninstall links
  • Restores DNS to system defaults
  • Removes browser hardening (Chrome, Edge, Brave, Firefox policies cleared)

DNS restore and browser hardening removal are handled automatically by the installer's cleanup step before the reset file is processed — no additional action is needed on your end.

After Reset

After a reset, the app remains installed but in an unlocked state with no active filter. You can then re-provision with new parameters or uninstall through the standard Intune uninstall flow.

Uninstalling the App

Devices without Protection (/protect=1 not used)

Intune can uninstall using the standard Inno Setup uninstall string. The uninstall command is automatically registered in the Windows registry when the app is installed. You can also push an uninstall via Intune using the Uninstall assignment type in your Win32 app configuration.

Protected Devices (/protect=1 was used)

  1. Push an Emergency Reset to restore uninstall access.
  2. Wait for the device to check in and process the reset (the app must be launched once after the reset installer runs).
  3. Push the uninstall from Intune using the standard Inno Setup uninstall command, or re-assign the Win32 app with Uninstall intent.
Tip: When planning a fleet rollout with /protect=1, document your emergency reset procedure before deploying. Test the full install → reset → uninstall cycle on a test device before rolling out to production.

Ready to deploy CleanBrowsing across your fleet?

MSP and enterprise pricing available. Manage all client accounts from a single dashboard.

View MSP Pricing