Using Proactive Remediations to remove Google Chrome


Proactive remediation is a cool new Intune feature which allows you to use scripts to detect and fix problems on your endpoints.

If you are familiar with configuration items and baselines in SCCM then you will be comfortable already with the approach you need to take when using a proactive remediation. You need a detection script to capture the current state of what you are checking for – does something exist or not, and then remediate the problem with another script.

I’m not going to go through all the pre-requisites you need in place for this to work, I’ll just point you to the official MS docs and you can take a look yourself.

This blog post just shows you how you can use a simple script to do something effectively. In this case I wanted to remove Google Chrome from end users' devices when the user had installed the application.

Let’s start off with the scripts. As mentioned two PowerShell scripts are needed, one to detect and one to remediate.

The first script checks for the existence of Google Chrome on the device. Intune will remediate anything that exits with exit code 1, so we need to make sure that if Google Chrome is detected that we exit with that value.

try {
    # True when Chrome has registered itself under the machine-wide App Paths key
    $chromeInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'

    if ($chromeInstalled) {
        # Exit code 1 tells Intune to run the remediation script
        Write-Host "Google Chrome is installed"
        exit 1
    }
    else {
        # No remediation required
        Write-Host "Google Chrome is not installed"
        exit 0
    }
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}

Next we have our remediation script which will perform the remediation process and uninstall Google Chrome for us. The script captures both x86 and x64 installs. I’m sure there’s a much more elegant way to script this, but it works for me.

# Uninstall arguments passed to Chrome's setup helper
$Arguments = "--uninstall --chrome --system-level --multi-install --force-uninstall"

# Read the installed version first; the installer paths below depend on it
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
$ChromeVersion = $chromeInstalled.ProductVersion

# Check for x64 Chrome
$Chromex64 = "C:\Program Files\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx64 = Test-Path $Chromex64

# Check for x86 Chrome
$Chromex86 = "C:\Program Files (x86)\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx86 = Test-Path $Chromex86

# Remove x64 Chrome (launch the same path that was just tested)
If ($FileExistsx64 -eq $True) {
    Start-Process $Chromex64 $Arguments -Wait
}

# Remove x86 Chrome
If ($FileExistsx86 -eq $True) {
    Start-Process $Chromex86 $Arguments -Wait
}
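
A more defensive take on the remediation step, as an added example rather than the author's script: it derives the uninstaller path from the registered chrome.exe location (so it does not depend on $env:ProgramFiles, which resolves to Program Files (x86) in 32-bit PowerShell), checks the Authenticode signature before launching anything as SYSTEM, and reports success only if chrome.exe is gone afterwards. The $expectedSigner value is an assumption to confirm against your installed build.

```powershell
# Added example, not the author's script. Arguments are the ones from the post.
$appPathKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
$arguments      = '--uninstall --chrome --system-level --multi-install --force-uninstall'
$expectedSigner = 'Google LLC'   # assumption: publisher name on the installed build

try {
    # Nothing registered means nothing to remove: report success to Intune.
    if (-not (Test-Path -Path $appPathKey)) {
        Write-Host 'Google Chrome is not installed'
        exit 0
    }
    # Resolve chrome.exe from the same registry value the detection script tests.
    $chromeExe = ((Get-ItemProperty -Path $appPathKey -ErrorAction Stop).'(default)').Trim('"')
    if (-not (Test-Path -LiteralPath $chromeExe -PathType Leaf)) {
        Write-Host "App Paths entry points at a missing file: $chromeExe"
        exit 1
    }
    # Build the uninstaller path next to chrome.exe (covers x64 and x86 installs).
    $version   = (Get-Item -LiteralPath $chromeExe).VersionInfo.ProductVersion
    $installer = Join-Path (Split-Path -Path $chromeExe -Parent) "$version\Installer\chrmstp.exe"
    if (-not (Test-Path -LiteralPath $installer -PathType Leaf)) {
        Write-Host "Uninstaller not found: $installer"
        exit 1
    }
    # Proactive remediations run as SYSTEM by default, so only launch a binary
    # that carries a valid signature from the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $installer
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch [regex]::Escape("O=$expectedSigner")) {
        Write-Host "Refusing to run $installer (signature: $($sig.Status))"
        exit 1
    }
    $proc = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru
    Write-Host "Uninstaller exit code: $($proc.ExitCode)"
    # Decide success from the end state rather than from the exit code.
    if (Test-Path -LiteralPath $chromeExe) {
        Write-Host 'Google Chrome is still present after uninstall'
        exit 1
    }
    Write-Host "Google Chrome $version removed"
    exit 0
}
catch {
    Write-Error $_.Exception.Message
    exit 1
}
```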

In the MEM Admin Center

In the MEM admin center, select Reports\Endpoint analytics\Proactive Remediation. Click the Create script package link.

Enter a Name and optional Description for the proactive remediation. Click Next.

In the next screen of the wizard, you will see fields for uploading your detection and remediation script files. Click the folder icon next to the Detection script file.

Upload the detection script and you’ll notice the Detection script section fill with the PS code.

Now upload the remediation script and the same will occur.

I’m going to leave defaults for the rest of the options. Click Next.

I’m not going to set any scope tags for this proactive remediation, but I am going to assign it to a test device via a group.

Note that the Schedule reports as Daily. Click the dots.

Select Edit.

Here you can choose how often the rule checks for non-compliance.

For my testing only, I’m going to choose this rule Frequency to run hourly and Repeat every 1 hour – just so I can push through the test and ensure all is OK. I can go back to the rule and set to something less aggressive once I know it’s successful. Click Apply.

Click through to complete the wizard.

Once created, click Refresh and you will see the new rule and it will show as Active.

As the script executes on devices, you’ll get feedback on the devices Without issues, With issues and if any Issues are fixed etc.

Here we can see that one device was a problem – With issues – and that the device was remediated with the remediation script.

If you click into the rule, you get an overview of the status. I’ve changed my rule to now run Daily, so I’ll get a nice graph giving me insights into devices being remediated.

If you click on Device Status, you’ll get some more information on the devices with the issue. You can see here that the device was remediated and on the next run there are no issues as Chrome is no longer installed.

Hope this gives you a nice insight on Proactive Remediation. Let me know if the Google Chrome script needs a tweak or two to work with the product. The testing I have done has worked so far.

7 comments

  1. Thanks for this! Here’s a version that will remove chrome versions that were installed without administrator privileges:

    # Based on https://sccmentor.com/2021/01/11/using-proactive-remediations-to-remove-google-chrome/
    # Thank you.
    try {
        $chromeInstalled = Test-Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
        if ($chromeInstalled -eq 'True') {
            Write-Host "Google Chrome is installed locally"
            exit 1
        }
        else {
            #No remediation required
            Write-Host "Google Chrome is not installed locally"
            exit 0
        }
    }
    catch {
        $errMsg = $_.Exception.Message
        Write-Error $errMsg
        # exit 1
    }


    Detect.ps1


    # $Chrome = Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object {$_.DisplayName -match $($AppName)}
    # $Chrome.UninstallString
    # Resolve the per-user Chrome version from the current user's App Paths entry
    $chromeInstalled = (Get-Item (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
    $ChromeVersion = $chromeInstalled.ProductVersion
    $Installer = "$env:LOCALAPPDATA\Google\Chrome\Application\$ChromeVersion\Installer\setup.exe"
    $Arguements = "--uninstall --force-uninstall"
    Start-Process $Installer $Arguements -Wait


    Remediation.ps1


  2. I’m new to your site and just reading over some of your posts. I’m more of a video guy and maybe you should post videos of you actually doing things within MECM. I’m an SCCM/MECM admin myself and always good to find new sites teaching SCCM/MECM because there is always new stuff I learn myself and to see what other admins are doing. I have to say the screenshots help your posts but the wording is all plagiarized. Where are you getting your content? Are you getting it from those other blogrolls on your sidebar?

      1. Thanks Joe. Can you tell me what the checker marks as the source of that content please? I can’t determine from that screenshot.
