Deploy CleanBrowsing via Microsoft Intune

Push the CleanBrowsing Windows app to any number of managed devices silently — no user interaction required. Pre-configure the DNS filter, PIN lock, browser hardening, and more from your Intune deployment policy.

Download v1.7.12 View MSP Pricing

How Silent Install Works

The CleanBrowsing Windows installer is built with Inno Setup and supports fully silent deployment via command-line parameters. When you push the installer through Intune (or any RMM tool), you pass parameters alongside the standard /VERYSILENT flag.

On the first launch after installation, the app reads a provisioning file written by the installer and automatically applies your configuration — the correct DNS filter, PIN lock, browser hardening, and any management restrictions. The provisioning file is deleted immediately after it is applied, leaving no sensitive data on disk.

What Gets Applied

  • DNS Filter — Activates the custom filter tied to your CleanBrowsing account. The correct DNS stamp is retrieved automatically using your profile code.
  • PIN Lock — Prevents end users from changing filter settings or accessing the Settings page without the PIN you specify.
  • Uninstall Protection — Removes the app from Programs & Features and hides the Control Panel uninstall shortcut so users cannot remove it.
  • Network Settings Block — Hides Network & Sharing Center, Internet Options, and the Windows 11 network settings pages so users cannot change DNS manually.
  • Browser Hardening — Forces Chrome, Edge, Brave, and Firefox to use system DNS, disabling built-in DoH overrides that would bypass filtering.
  • Update Suppression — Disables the in-app updater so you control when new versions are pushed via Intune.
  • Corporate Network Detection — Pauses filtering automatically when the device connects to your corporate network, letting internal DNS take over. Resumes CleanBrowsing filtering when the device leaves the corporate network (roaming, home, public Wi-Fi). Requires v1.7.8 or later.
Requirements: Windows 10 (64-bit) or Windows 11. A paid CleanBrowsing account with a profile code. Microsoft Intune or any MDM/RMM that supports Win32 app deployment.

Minimum version required: v1.7.5. All silent install parameters documented on this page require v1.7.5 or later. Do not use an older installer — earlier versions do not support these parameters and will ignore them silently. Always download the latest installer from the link above.

Installation Parameters

All parameters are passed after the standard Inno Setup silent flags. Parameters are optional — only include what you want applied. Omitting a parameter leaves that setting at its default (unchanged).

Standard Flags (always include)

FlagDescription
/VERYSILENTSuppresses all installer dialogs and progress windows. Required for unattended deployment.
/SUPPRESSMSGBOXESSuppresses any message boxes that would otherwise require user interaction.
/NORESTARTPrevents the installer from rebooting the machine after install.

Provisioning Parameters

ParameterValuesDescription
/account= Your profile code Activates the custom DNS filter for your CleanBrowsing account. The installer calls the CleanBrowsing API to retrieve the correct DNS stamp for the device using this profile code.
/pin= Numeric PIN Sets the PIN code that end users must enter to change settings. Use this to prevent users from disabling filtering or modifying the filter level.
/protect=1 0 or 1 Enables uninstall protection. Removes the app from Programs & Features so users cannot uninstall it through standard Windows interfaces.
/blocknet=1 0 or 1 Hides network settings pages (Network & Sharing Center, Internet Options, Windows 11 network settings) so users cannot change DNS manually.
/harden=1 0 or 1 Enables browser hardening for Chrome, Edge, Brave, and Firefox. Forces browsers to use system DNS instead of built-in DoH, which would otherwise bypass CleanBrowsing.
/noupdate=1 0 or 1 Suppresses the in-app update checker. Use this when you manage updates through Intune so users are not prompted to install new versions independently.
/corpnet=1 0 or 1 Enables corporate network detection. When the device is on the corporate network (detected via /corpnetmethod), CleanBrowsing DNS is paused and the network's own DNS takes over. Filtering resumes automatically when the device leaves. Requires v1.7.8+.
/corpnetmethod= dns_suffix
subnet
gateway		 Detection method. Defaults to dns_suffix (recommended for Active Directory environments).

dns_suffix — matches the DHCP connection-specific DNS suffix (e.g. corp.contoso.com). Find it with ipconfig /all → "Connection-specific DNS Suffix".
subnet — checks if the device IP is within a CIDR range (e.g. 10.10.0.0/22). Find your range with ipconfig → "IPv4 Address".
gateway — matches the default gateway IP (e.g. 10.10.0.1). Find it with ipconfig → "Default Gateway".
/corpnetval= Suffix, CIDR, or IP The value to match against the chosen detection method. Examples: corp.contoso.com for dns_suffix, 10.10.0.0/22 for subnet, 10.10.0.1 for gateway.
/reset=1 0 or 1 Emergency undo. Reverses all provisioning flags (restores uninstall access, re-enables network settings, clears browser policy). Cannot be used together with provisioning parameters — see Emergency Reset below.

Deploying via Microsoft Intune

The CleanBrowsing installer is a standard .exe file. Intune deploys it as a Win32 app using the Intune Win32 Content Prep Tool to wrap it into a .intunewin package.

Step 1 — Prepare the Package

  1. Download the latest installer: CleanBrowsingClient_1.7.12_x64.exe
  2. Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe).
  3. Run the prep tool to wrap the installer: 
    IntuneWinAppUtil.exe -c C:\deploy\ -s CleanBrowsingClient_1.7.12_x64.exe -o C:\deploy\output\
  4. This produces CleanBrowsingClient_1.7.12_x64.intunewin in your output folder.

Step 2 — Create the Win32 App in Intune

  1. In the Microsoft Intune admin center, go to Apps → All apps → Add.
  2. Select App type: Windows app (Win32) and click Select.
  3. Upload the .intunewin file you created in Step 1.
  4. Fill in app information:
    • Name: CleanBrowsing DNS Filter
    • Publisher: CleanBrowsing
    • Version: 1.7.12

Step 3 — Set the Install Command

Enter your install command with the parameters you need. Example for a full MSP deployment:

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=1234 /protect=1 /blocknet=1 /harden=1 /noupdate=1

Replace YOUR_PROFILE_CODE with your CleanBrowsing profile code (found in your account dashboard) and 1234 with your chosen PIN.

Step 4 — Set the Uninstall Command

If you did not use /protect=1, Intune can uninstall using the standard Inno Setup uninstall string. Use the Emergency Reset procedure instead for protected deployments. 

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /reset=1

Step 5 — Detection Rules

Set a detection rule so Intune knows when the app is installed:

  • Rule type: File
  • Path: %ProgramFiles%\CleanBrowsingClient
  • File or folder: CleanBrowsingClient.exe
  • Detection method: File or folder exists

Step 6 — Assign to Groups

Assign the app to your target device groups under Assignments. Set the assignment type to Required to force installation without user interaction.

Common Deployment Examples

Minimal — Filter Only

Sets the custom DNS filter for your account. No lockdown, no PIN. Suitable for trusted staff devices where you want filtering without restrictions.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE

Standard MSP — Filter + PIN

Activates filtering and sets a PIN so users cannot change settings. No uninstall protection — users can still remove the app if they want.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=5678

Full Lockdown — All Restrictions

Maximum enforcement. Activates filtering, locks settings with a PIN, prevents uninstall, blocks DNS bypass via browser or network settings, and disables independent updates.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=5678 /protect=1 /blocknet=1 /harden=1 /noupdate=1

School or Library — CIPA Compliant

Designed for school environments where students should have no ability to disable filtering. Combine with the Family filter (set via account) for full CIPA coverage.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=ADMIN_PIN /protect=1 /blocknet=1 /harden=1 /noupdate=1

Corporate Fleet — Filter Off on Internal Network

For managed laptops that travel between the office and remote locations. CleanBrowsing filters when the device is off the corporate network (home, hotel, public Wi-Fi) and pauses automatically when it detects the office. Replace corp.contoso.com with your actual connection-specific DNS suffix (find it with ipconfig /all). Requires v1.7.8+.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_PROFILE_CODE /pin=5678 /protect=1 /harden=1 /noupdate=1 /corpnet=1 /corpnetmethod=dns_suffix /corpnetval=corp.contoso.com

Corporate Network Detection

Corporate network detection lets the CleanBrowsing app pause DNS filtering automatically when a managed device connects to your internal network — so your corporate DNS (Active Directory, internal resolvers) takes over — and resume filtering as soon as the device leaves (roaming, home, public Wi-Fi). No user action required.

Requires v1.7.8 or later. This feature is not available in earlier versions. Always deploy with the latest installer.

How Detection Works

Detection runs on a 5-second timer alongside the existing network monitor. It reads network adapter metadata — DNS suffix, IP address, or default gateway — directly from the Windows network stack. No DNS queries are made during detection, so there is no conflict with dnscrypt-proxy and no dependency on filtering being active.

When the device enters the corporate network, CleanBrowsing pauses DNS filtering and shows a notification. When it leaves, filtering resumes automatically.

Detection Methods

Choose the method that best fits your network environment:

MethodHow to Find the ValueBest For
dns_suffix
(recommended)		 Run ipconfig /all on a domain-joined machine. Look for Connection-specific DNS Suffix under your active adapter (e.g. corp.contoso.com). Active Directory environments. The DHCP-assigned DNS suffix is unique to your domain and changes when the device leaves the network.
subnet Run ipconfig. Note the IPv4 Address of your corporate adapters. Express the range as CIDR notation (e.g. 10.10.0.0/22 covers 10.10.0.1–10.10.3.254). Networks with a fixed IP range that does not appear on home or public networks. Avoid overly broad ranges like 192.168.0.0/16.
gateway Run ipconfig. Look for Default Gateway under your active adapter (e.g. 10.10.0.1). Networks with a fixed, unique gateway IP that does not match home routers (avoid common defaults like 192.168.1.1).

Finding Your Value (Quick Reference)

Run these commands on a domain-joined device while connected to your corporate network:

# DNS suffix (recommended)
ipconfig /all
# → Look for "Connection-specific DNS Suffix" under the active adapter

# Subnet (CIDR range)
ipconfig
# → Look for "IPv4 Address", determine your network range and prefix length

# Gateway
ipconfig
# → Look for "Default Gateway" under the active adapter

Active Directory Environments

For most AD environments, dns_suffix is the right choice. When a device is joined to the domain and connected to the corporate network (physically or via VPN), DHCP assigns the domain's DNS suffix to the active adapter. When the device disconnects or moves to a public network, the suffix is removed — detection automatically clears and CleanBrowsing resumes.

If your devices use split-tunnel VPN, the DNS suffix will still be assigned on the VPN adapter when connected remotely — corp network detection will also trigger during VPN sessions. This is the expected behavior: when on VPN, your corporate DNS should be resolving, not CleanBrowsing. If you want filtering to apply on VPN but pause only for on-site connections, use subnet or gateway instead.

Enabling via Silent Installer

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART ^
  /account=YOUR_PROFILE_CODE /pin=5678 /protect=1 /harden=1 /noupdate=1 ^
  /corpnet=1 /corpnetmethod=dns_suffix /corpnetval=corp.contoso.com

Enabling via the App Settings Page

Admins can also configure corporate network detection directly in the app: open Settings → Corporate Network Detection, check the enable box, choose a detection method, enter the value, and click Test Now to verify detection works before saving.

Emergency Reset

If you need to undo all provisioning — for example, if you need to reconfigure a fleet, transfer devices, or respond to a misconfiguration — you can push a reset through Intune using the /reset=1 parameter.

Important: If /protect=1 was applied, the standard Windows uninstall path no longer works for those devices. Use the reset procedure below first, then uninstall if needed.

Reset Command

Re-push the installer to the affected devices with /reset=1. The /reset=1 parameter is mutually exclusive with all provisioning parameters — do not combine them.

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /reset=1

What Reset Does

  • Restores uninstall access (removes NoRemove / NoModify registry flags)
  • Re-enables network settings pages (removes SettingsPageVisibility policy)
  • Re-enables Programs & Features / Control Panel uninstall links
  • Restores DNS to system defaults
  • Removes browser hardening (Chrome, Edge, Brave, Firefox policies cleared)

DNS restore and browser hardening removal are handled automatically by the installer's cleanup step before the reset file is processed — no additional action is needed on your end.

After Reset

After a reset, the app remains installed but in an unlocked state with no active filter. You can then re-provision with new parameters or uninstall through the standard Intune uninstall flow.

Uninstalling the App

Devices without Protection (/protect=1 not used)

Intune can uninstall using the standard Inno Setup uninstall string. The uninstall command is automatically registered in the Windows registry when the app is installed. You can also push an uninstall via Intune using the Uninstall assignment type in your Win32 app configuration.

Protected Devices (/protect=1 was used)

  1. Push an Emergency Reset to restore uninstall access.
  2. Wait for the device to check in and process the reset (the app must be launched once after the reset installer runs).
  3. Push the uninstall from Intune using the standard Inno Setup uninstall command, or re-assign the Win32 app with Uninstall intent.
Tip: When planning a fleet rollout with /protect=1, document your emergency reset procedure before deploying. Test the full install → reset → uninstall cycle on a test device before rolling out to production.

Ready to deploy CleanBrowsing across your fleet?

MSP and enterprise pricing available. Manage all client accounts from a single dashboard.

View MSP Pricing