Google Chrome is loved by millions of users. There is no doubt that Chrome is a fast and reliable web browser – but is it needed on our corporate devices?
I strongly believe that Microsoft Edge is a good substitute for Chrome, as it allows us to manage and secure it in a better way by using MDM policies, GPOs and app protection policies – and a managed Edge browser allows for a better user experience by utilizing SSO to corporate apps and services… it all works more natively 🙂
…so that being said, we can for sure do some of that stuff with Chrome as well, but why should we, as we already have Edge built into Windows? In my opinion it is always a good practice to not use third-party apps unless necessary, for obvious reasons.
In this post we will have a look at how to utilize proactive remediation to detect and uninstall Google Chrome. Proactive remediation is a better solution than pushing the uninstallation as an app or script as it runs on a schedule and will catch any new installations/re-installations. We will create an allow list to make it possible for some users to keep Chrome if needed.
User experience: If Chrome is being used when the uninstallation hits, the user will be asked to save their work and close Chrome. This allows for a better user experience and minimizes the risk of losing something they are working on.
We will use three different scripts:
- Google Chrome Uninstallation – Detection.ps1 – This script is used to detect Chrome
- Google Chrome Uninstallation – Remediation.ps1 – This script is used by proactive remediation to download content from an Azure storage account
- Deploy-Application.ps1 – This script is used to do the actual uninstallation of Chrome. It will take care of both consumer and enterprise editions of Chrome. This script is part of the package which is downloaded from a storage account in Azure.
❓Question: So why bother downloading the package from a storage account?
⭐Answer: PSAppDeployToolkit (PSADT) is excellent at detecting installed applications and makes gathering the uninstallation string(s) or productCode(s) a breeze. We save a lot of time by using PSADT. As PSADT contains more than just a detection and remediation script, we cannot use it directly – hence the external download.
I tend to use PSADT whenever I can and you can read more about it here: PSAppDeployToolkit/PSAppDeployToolkit: Project Homepage & Forums (github.com)
Let’s rock enroll!
- An Azure Subscription and sufficient permissions
- Intune Administrator role
- You will need a storage account to store the uninstallation package. This post describes how to set that up: https://www.rockenroll.tech/2021/10/24/create-an-azure-storage-account/
Let’s start off by downloading the content needed. You will find both the proactive remediation scripts and the PSADT package on my GitHub: Releases · NicklasAhlberg/Microsoft-Endpoint-Manager (github.com)
Download both files
Upload package to the storage account
We are now ready to upload the package to our storage account. Remember this is the package which will create the popup screens and do the actual uninstallation.
Optional (edit the uninstallation package to brand it with your corporate info):
- Extract: Uninstall-Google-Chrome-Package.zip
- Edit Deploy-Application.ps1 with a PowerShell editor such as PowerShell ISE
- Edit rows 27-37 as needed
- Re-zip the contents with the same name (Uninstall-Google-Chrome-Package.zip)
- Open Azure: https://portal.azure.com
- Click: All services -> Search: Storage account -> Click: Storage accounts
- Click the storage account you want to use
- Click: Containers
- Click: the Container you want to use
- Click: Upload
- Select: Uninstall-Google-Chrome-Package.zip
- Click: Advanced to view advanced settings
- Authentication type: Account key
- Blob type: Block blob
- Access tier: Cool
- Click: Upload
- Now click the three dots to the right and click Generate SAS
- Copy the SAS URL for future reference
OK, now that we have uploaded the package to our storage account we are ready to create the proactive remediation.
- Optional: Create an Azure AD group and add devices/users which are supposed to keep Google Chrome
- Extract: Uninstall-Google-Chrome-Proactive-Remediation.zip
- Open: Google Chrome Uninstallation – Remediation.ps1 with a PowerShell editor such as PowerShell ISE
- Add your SAS URL to row 37 (replace the existing URL with your own SAS URL 😉)
- Open MEM: https://endpoint.microsoft.com/
- Click: Reports -> Endpoint analytics -> Proactive remediations
- Click: +Create script package
- Name: Uninstall Google Chrome (or by your preference)
- Click: Next
- Detection script file: Select Google Chrome Uninstallation – Detection.ps1
- Remediation script file: Select Google Chrome Uninstallation – Remediation.ps1
- Click: Next twice
- Assign to a pilot group to make sure it works as it is supposed to, and then assign it to all your Windows 10/Windows 11 devices. I usually run this on a daily basis until most devices have been remediated. Then I make it run less frequently… but I leave that up to ya all to decide upon 😃
- Optional: Add a group to exclude
- Click: Create and watch the magic happen 😍
Log files are found here: C:\Windows\Logs\Software
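The remediation script pulls a package from a SAS URL and, unless configured otherwise, Intune runs it as SYSTEM, so it is worth pinning the package to a known hash before anything is extracted or executed. A sketch of that download step follows as an added example, not the code in the author's Remediation.ps1; the placeholder URL and hash, the function names and the `ChromeRemoval` folder are assumptions.

```powershell
# Added example: the placeholders are assumptions, not values from the post.
$ErrorActionPreference = 'Stop'
$SasUrl         = '<YOUR-SAS-URL>'
# Obtain with: Get-FileHash .\Uninstall-Google-Chrome-Package.zip -Algorithm SHA256
$ExpectedSha256 = '<SHA256-OF-YOUR-ZIP>'

function Test-PackageHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # String -eq is case-insensitive, so upper- and lower-case hex both match.
    return $actual -eq $ExpectedSha256.Trim()
}

function Get-VerifiedPackage {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [Parameter(Mandatory)][string]$WorkDir
    )
    if ($Uri -notmatch '^https://') { throw 'Package URL must use HTTPS' }
    New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null
    $zip = Join-Path $WorkDir 'package.zip'
    Invoke-WebRequest -Uri $Uri -OutFile $zip -UseBasicParsing
    if (-not (Test-PackageHash -Path $zip -ExpectedSha256 $ExpectedSha256)) {
        Remove-Item -Path $zip -Force
        throw 'Package hash mismatch; nothing was extracted or executed'
    }
    $dest = Join-Path $WorkDir 'package'
    Expand-Archive -Path $zip -DestinationPath $dest -Force
    return $dest
}

try {
    # Hypothetical folder; with default ACLs, standard users cannot write under
    # Program Files, so the verified files cannot be swapped before they run.
    $workDir = Join-Path $env:ProgramFiles 'ChromeRemoval'
    $pkg = Get-VerifiedPackage -Uri $SasUrl -ExpectedSha256 $ExpectedSha256 -WorkDir $workDir
    Write-Output "Verified package extracted to $pkg"
    exit 0
}
catch {
    Write-Output "Remediation aborted: $_"
    exit 1
}
```

With the placeholders left in place the script fails closed and exits 1; after re-zipping a branded package, recompute the hash and update `$ExpectedSha256` along with the SAS URL.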
I believe it doesn't work for the user installation of Chrome, because there is a different registry path (HKCU instead of HKLM), so how to fix it?
Hi, you are right.
This will not uninstall from the user context as of now. I might look into that in an upcoming version.
Will this also uninstall Google Chrome which is installed in the user context?
Also, what exactly is the AppDeployToolkitConfig.xml file doing? Do we need that?
This will not uninstall from the user context as of now. The XML file is part of the PowerShell App Deployment Toolkit.
You will find more info over at their Github: https://github.com/PSAppDeployToolkit/PSAppDeployToolkit
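The comments above point out that per-user installs register under HKCU rather than HKLM. The following detection-only sketch checks both, as an added example that is not the author's Detection.ps1 and does not uninstall anything; the function name and the match on a `DisplayName` of `Google Chrome` are assumptions.

```powershell
# Added example: detection only. Exit 1 = Chrome found, exit 0 = not found.
function Get-ChromeUninstallEntry {
    param([Parameter(Mandatory)][string[]]$RootPath)
    foreach ($root in $RootPath) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Assumption: both editions register with this DisplayName.
            if ($p.DisplayName -eq 'Google Chrome') {
                [pscustomobject]@{ Key = $_.Name; Version = $p.DisplayVersion }
            }
        }
    }
}

$sub   = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'
$roots = @(
    "HKLM:\$sub",
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# When the script runs as SYSTEM, HKCU is SYSTEM's own hive, so walk the user
# hives loaded under HKEY_USERS instead. Only signed-in users have a loaded
# hive. S-1-5-21-* are local/AD accounts, S-1-12-1-* are Azure AD accounts;
# the pattern also skips the *_Classes keys.
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$sub" }

$found = @(Get-ChromeUninstallEntry -RootPath $roots)
if ($found.Count -gt 0) {
    $found | ForEach-Object { Write-Output "Chrome $($_.Version) registered at $($_.Key)" }
    exit 1
}
Write-Output 'Chrome not found'
exit 0
```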