ChromeOS Flex and my findings for the security

What is ChromeOS Flex?

It’s always nice to discover new things in this multi-cloud and multi-OS world of yours.

Google bough Neverware back in 2020 and now there has been some working versions of ChromeOS Flex which is based on CloudReady software.

Requirements and media

For those that haven’t heard about Google’s ChromeOS Flex or maybe you have but haven’t tried it. Either way here’s some tips for you.

When you download the installer and start the install, you need:

  • USB with 8GB free space
  • Chrome extension that will create the USB media
  • Device that has the 4GB of ram, 16GB of HDD, x86 processor

If you don’t have a certified model, you can choose the options seen in this picture.

And if you have a device that is one of the following.

ChromeOS and Flex

Chromebooks have been here for a long time and mostly used in education for the price range they are in. So what is the difference between the old ChromeOS and Flex?

You can install Linux to it

Just like on Windows you can install WSL and your own distros to it, you can install Linux to ChromeOS Flex

And you can share files between OS and Linux, just like in Windows.

Limitations and my own experience

Here’s some of the limitations:

  • Google Play and Android apps: ChromeOS Flex does not support Android apps or Google Play.
  • Parallels Desktop: ChromeOS Flex does not support running Windows virtual machines (VMs) using Parallels Desktop.
  • Firmware updates: Unlike ChromeOS devices, ChromeOS Flex devices do not manage and automatically update their BIOS or UEFI firmware.

My own experiences:

  • In the installation phase, you can choose a default language and keyboard layout that it has, the no way to change it inside the installer. Once install is done, you can have different display language and your own localized keyboard layout.
  • There isn’t any OVA or ISO files anymore available for download as Flex went out of Beta phase. So no install to Virtual machines.


But there is also stuff to consider security wise, read here about a recent CVE from Microsoft 365 Defender Research Team.

And more on ZDNet

Google states that

“ChromeOS Flex provides much needed protection from growing threats, including ransomware, malware, and employee errors.”

But I haven’t found any real articles on what this means, so keep this in mind once doing a refresh to your old hardware with Flex.

Digging a little deeper

Google has a Chronium based security article in their Docs. And for one it states they have security boundaries from built-in Chrome and that it cannot interact with system services directly.

And here the picture of the layered security model as described by Google.

How about Endpoint management?


As the limitation in Flex is that it doesn’t support Android apps or Google Play. there an the first issue.

You cannot install Company portal or Defender for Android from Google Play because of it.

How about adding it with Conditional Access policies?

A fellow MVP Thjis Lecomte wrote a blog about MEM and ChromeOS not Flex but it gives some action points.

Let’s see if it works. First from Learn documentation.

Once you create the Conditional access policy, we will select Require app protection.

And we should assign it to to Any device as ChromeOS Flex isn’t an Android.

But we can’t because it can be enabled for Android or iOS only.

Once we select Anroid and iOS and sign-in from ChromeOS Flex we will see it as follows in the Azure logs.

And it’s not working as ChromeOS Flex isn’t seen as an supported Android version.

How enable MFA for ChromeOS?

And exclude mobile devices

And once enforced, we will be asked for MFA on all the unsupported devices. And you will see it inside Azure sign-in logs as follows.

And from details we can see the whole process.


It think Flex is an excellent release to refresh your old laptop and use it for using Google based apps. The current state of security doesn’t really convince me.

And I also cannot onboard any Defender for the OS nor install any external software from Google Play store. Maybe this will change in the future, I don’t know when.

Maybe you just should go with Windows 11 for now as you can attach more security measures to it. There is more requirements from the hardware and that’s really the only thing that could switch you to see Flex when releases.

Just to summarize, here is the minimum requirements:

  • RAM: 4 GB
  • Storage: 64 GB or larger storage device
  • System Firmware: UEFI (for Unified Extensible Firmware Interface, a modern version of the PC BIOS) and Secure Boot capable
  • TPM: Trusted Platform Module (TPM) version 2.0
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *