Proactive Remediation – Uninstall Google Chrome

Google Chrome is loved by millions of users. There is no doubt that Chrome is a fast and reliable web browser – but is it needed on our corporate devices?

I strongly believe that Microsoft Edge is a good substitute for Chrome, as it allows us to manage and secure it in a better way by using MDM policies, GPOs and app protection policies – and a managed Edge browser allows for a better user experience by utilizing SSO to corporate apps and services… it all works more natively 🙂

…that being said, we can for sure do some of that stuff with Chrome as well, but why should we, when we already have Edge built into Windows? In my opinion it is always a good practice to not use third-party apps unless necessary for obvious reasons.

In this post we will have a look at how to utilize proactive remediation to detect and uninstall Google Chrome. Proactive remediation is a better solution than pushing the uninstallation as an app or script as it runs on a schedule and will catch any new installations/re-installations. We will create an allow list to make it possible for some users to keep Chrome if needed.

User experience: If Chrome is being used when the uninstallation hits, the user will be asked to save their work and close Chrome. This allows for a better user experience and minimizes the risk of losing something they are working on.

We will use three different scripts:

  1. Google Chrome Uninstallation – Detection.ps1 – This script is used to detect Chrome
  2. Google Chrome Uninstallation – Remediation.ps1 – This script is used by proactive remediation to download content from an Azure storage account
  3. Deploy-Application.ps1 – This script is used to do the actual uninstallation of Chrome. It will take care of both consumer and enterprise editions of Chrome. This script is part of the package which is downloaded from a storage account in Azure.

โ“Question: So why bother downloading the package from a storage account?
โญAnswer: PSAppDeploymentToolkit (PSADT) is excellent at detecting installed applications and makes gathering the uninstallation string(s) or productCode(s) a breeze. We save a lot of time by using PSADT. As PSADT contain more than just a detection and remediation script we cannot use it directly – hence the external download.

I tend to use PSADT whenever I can and you can read more about it here: PSAppDeployToolkit/PSAppDeployToolkit: Project Homepage & Forums (github.com)

Let’s rock enroll!

Pre-requisites

  1. An Azure Subscription and sufficient permissions
  2. Intune Administrator role
  3. You will need a storage account to store the uninstallation package. This post describes how to set that up: https://www.rockenroll.tech/2021/10/24/create-an-azure-storage-account/

Download

Let’s start off by downloading the content needed. You will find both the proactive remediation scripts and the PSADT-package at my GitHub: Releases · NicklasAhlberg/Microsoft-Endpoint-Manager (github.com)

Download both files

Upload package to the storage account

We are now ready to upload the package to our storage account. Remember this is the package which will create the popup screens and do the actual uninstallation.

Optional (edit the uninstallation package to brand it with your corporate info):

  1. Extract: Uninstall-Google-Chrome-Package.zip
  2. Edit Deploy-Application.ps1 with a PowerShell editor such as PowerShell ISE
  3. Edit rows 27-37 as per your need
  4. Re-zip the contents with the same name (Uninstall-Google-Chrome-Package.zip)

Upload the package:

  1. Open Azure: https://portal.azure.com
  2. Click: All services -> Search: Storage account -> Click: Storage accounts
  3. Click the storage account you want to use
  4. Click: Containers
  5. Click: the Container you want to use
  6. Click: Upload
  7. Select: Uninstall-Google-Chrome-Package.zip
  8. Click: Advanced to view advanced settings
  9. Authentication type: Account key
  10. Blob type: Block blob
  11. Access tier: Cool
  12. Click: Upload
  13. Now click the three dots to the right and click Generate SAS
  14. Copy the SAS URL for future reference
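
The SAS URL is embedded in the remediation script that is distributed to devices, so it should grant read access to this one blob only, over HTTPS, with a bounded expiry. The check below is an added example, not part of the original post or the author's scripts; the function name Test-SasUrl, the sample URL and the 365-day ceiling are assumptions.

```powershell
# Added example: audit a blob SAS URL before pasting it into the remediation script.
function Test-SasUrl {
    param(
        [Parameter(Mandatory)][string]$SasUrl,
        [int]$MaxLifetimeDays = 365    # assumption: set to your own rotation policy
    )
    $uri = [System.Uri]$SasUrl
    $findings = [System.Collections.Generic.List[string]]::new()

    # Split the query string into SAS fields (sp, se, spr, sr, sig, ...).
    $q = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $q[$name] = [System.Uri]::UnescapeDataString([string]$value)
    }

    if ($uri.Scheme -ne 'https') { $findings.Add('URL scheme is not https') }
    # Without spr=https the token is also accepted over plain HTTP.
    if ($q['spr'] -ne 'https') { $findings.Add('spr does not restrict the token to HTTPS') }
    # Devices only download the zip, so read ("r") is the only permission needed.
    if ($q['sp'] -cne 'r') { $findings.Add("sp=$($q['sp']) is not read-only") }
    # sr=b scopes the token to one blob; sr=c would expose the whole container.
    if ($q['sr'] -ne 'b') { $findings.Add("sr=$($q['sr']) is not scoped to a single blob") }

    $expires = $null
    if ($q['se']) {
        $expires = [datetimeoffset]::Parse($q['se'], [cultureinfo]::InvariantCulture)
        $now = [datetimeoffset]::UtcNow
        if ($expires -le $now) { $findings.Add('token has already expired') }
        elseif ($expires -gt $now.AddDays($MaxLifetimeDays)) {
            $findings.Add("token lives longer than $MaxLifetimeDays days")
        }
    } else { $findings.Add('no se (expiry) field; lifetime depends on a stored access policy') }

    [pscustomobject]@{ Permissions = $q['sp']; Expires = $expires; Findings = $findings }
}

# Constructed sample: account, container and signature are placeholders.
$sample = 'https://examplestorage.blob.core.windows.net/packages/' +
          'Uninstall-Google-Chrome-Package.zip?sv=2022-11-02&sp=rwd&sr=c' +
          '&se=2099-01-01T00%3A00%3A00Z&sig=PLACEHOLDER'
(Test-SasUrl -SasUrl $sample).Findings
```

An empty Findings list means the token is read-only, blob-scoped, HTTPS-only and expires within the chosen window.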

Proactive Remediation

OK, now that we have uploaded the package to our storage account we are ready to create the proactive remediation.

  1. Optional: Create an Azure AD group and add devices/users which are supposed to keep Google Chrome
  2. Extract: Uninstall-Google-Chrome-Proactive-Remediation.zip
  3. Open: Google Chrome Uninstallation – Remediation.ps1 with a PowerShell editor such as PowerShell ISE
  4. Add your SAS URL to row 37 (replace the existing URL with your own SAS URL 😉)
  5. Open MEM: https://endpoint.microsoft.com/
  6. Click: Reports -> Endpoint analytics -> Proactive remediations
  7. Click: +Create script package
  8. Name: Uninstall Google Chrome (or by your preference)
  9. Click: Next
  10. Detection script file: Select Google Chrome Uninstallation – Detection.ps1
  11. Remediation script file: Select Google Chrome Uninstallation – Remediation.ps1
  12. Click: Next twice
  13. Assign to a pilot group to make sure it works as intended and then assign it to all your Windows 10/Windows 11 devices. I usually run this on a daily basis until most devices have been remediated. Then I make it run less frequently… but I leave that up to ya all to decide upon 😃
  14. Optional: Add a group to exclude
  15. Click: Create and watch the magic happen
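
The remediation script runs whatever zip the SAS URL returns, so anyone who can overwrite that blob controls what executes on the devices. Pinning the package's SHA-256 in the script closes that gap. This is an added example, not the author's Remediation.ps1; the function name Expand-VerifiedPackage is hypothetical and the demo zip is constructed locally so the block runs offline.

```powershell
# Added example: extract the downloaded package only if it matches a pinned hash.
function Expand-VerifiedPackage {
    param(
        [Parameter(Mandatory)][string]$ZipPath,         # file the remediation script downloaded
        [Parameter(Mandatory)][string]$ExpectedSha256,  # hash recorded when the zip was uploaded
        [Parameter(Mandatory)][string]$Destination
    )
    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        # Never extract or run anything from a package that does not match the pin.
        Remove-Item -LiteralPath $ZipPath -Force
        throw "Package hash mismatch (got $actual)"
    }
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination -Force
    return $Destination
}

# --- Constructed demo: build a small zip, pin its hash, then tamper with it ---
$work = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $work | Out-Null
$stub = Join-Path $work 'Deploy-Application.ps1'
Set-Content -LiteralPath $stub -Value '# constructed stand-in, not the real script'
$zip = Join-Path $work 'Uninstall-Google-Chrome-Package.zip'
Compress-Archive -LiteralPath $stub -DestinationPath $zip
$pinned = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash

# Untouched package: hash matches, contents are extracted.
Expand-VerifiedPackage -ZipPath $zip -ExpectedSha256 $pinned -Destination (Join-Path $work 'ok')

# Simulate a replaced blob: any change to the file breaks the pin.
Add-Content -LiteralPath $zip -Value 'tampered'
try {
    Expand-VerifiedPackage -ZipPath $zip -ExpectedSha256 $pinned -Destination (Join-Path $work 'bad')
}
catch {
    # In a real remediation script, follow this with "exit 1" to report failure to Intune.
    Write-Output "Remediation aborted: $($_.Exception.Message)"
}
Remove-Item -LiteralPath $work -Recurse -Force
```

In the real script the call belongs directly after the download and before anything from the package is launched; re-pin the hash whenever the zip is re-branded and re-uploaded.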

Logs

Log files are found here: C:\Windows\Logs\Software

6 thoughts on “Proactive Remediation – Uninstall Google Chrome”

  1. I believe it doesn't work for the user installation of Chrome, because there is a different registry path (HKCU instead of HKLM), so how to fix it?

    1. Hi you are right,

      This will not uninstall from the user context as of now. I might look into that in an upcoming version.

      //Nicklas

  2. Hi,

    Will this also uninstall Google Chrome which is installed in the user context?

    Also, what exactly is the AppDeployToolkitConfig.xml file doing? Do we need it?

  3. How would you go about just blocking the use of Chrome? For instance within a non-enterprise environment with Microsoft365 Business Premium as a base?

    1. Hi Michael,

      M365 Business Premium will give you access to Windows 10/11 Pro which is eligible for Windows Defender Application Control. I recommend that you implement WDAC as it will help you get control of all apps, not only Chrome. Chrome is hard to block as it allows the end user to install it in its user profile without the need of admin privs.

      More info on WDAC and licensing is found here: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac#windows-edition-and-licensing-requirements

      //Nicklas
