Proactive remediation is a cool new Intune feature which allows you to use scripts to detect and fix problems on your endpoints.
If you are familiar with configuration items and baselines in SCCM then you will be comfortable already with the approach you need to take when using a proactive remediation. You need a detection script to capture the current state of what you are checking for – does something exist or not, and then remediate the problem with another script.
I’m not going to go through all the pre-requisites you need in place for this to work, I’ll just point you to the official MS docs and you can take a look yourself.
This blog post just shows you how you can use a simple script to do something effectively; in this case I wanted to remove Google Chrome from end users' devices when the user had installed the application.
Let’s start off with the scripts. As mentioned two PowerShell scripts are needed, one to detect and one to remediate.
The first script checks for the existence of Google Chrome on the device. Intune will remediate anything that exits with exit code 1, so we need to make sure that if Google Chrome is detected that we exit with that value.
try
{
    # Chrome registers itself under App Paths when installed
    $chromeInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    if ($chromeInstalled) {
        # Exit code 1 tells Intune that remediation is required
        Write-Host "Google Chrome is installed"
        exit 1
    }
    else {
        #No remediation required
        Write-Host "Google Chrome is not installed"
        exit 0
    }
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}
Next we have our remediation script which will perform the remediation process and uninstall Google Chrome for us. The script captures both x86 and x64 installs. I’m sure there’s a much more elegant way to script this, but it works for me.
# Start-Process Installers and Arguments
$Installer = "$env:ProgramFiles\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$InstallerX86 = "${env:ProgramFiles(x86)}\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$Arguements = "--uninstall --chrome --system-level --multi-install --force-uninstall"
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
$ChromeVersion = $chromeInstalled.ProductVersion
# Check for x64 Chrome
$Chromex64 = "C:\Program Files\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx64 = Test-Path $Chromex64
# Check for x86 Chrome
$Chromex86 = "C:\Program Files (x86)\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx86 = Test-Path $Chromex86
# Remove x64 Chrome
If ($FileExistsx64 -eq $True) {
    Start-Process $Installer $Arguements -Wait
}
# Remove x86 Chrome
If ($FileExistsx86 -eq $True) {
    Start-Process $InstallerX86 $Arguements -Wait
}
In the MEM Admin Center
In the MEM admin center, select Reports\Endpoint analytics\Proactive Remediation. Click the Create script package link.

Enter a Name and optional Description for the proactive remediation. Click Next.

In the next screen of the wizard, you will see fields for uploading your detection and remediation script files. Click the folder icon next to the Detection script file.

Upload the detection script and you’ll notice the Detection script section fill with the PS code.

Now upload the remediation script and the same will occur.

I’m going to leave defaults for the rest of the options. Click Next.

I’m not going to set any scope tags for this proactive remediation, but I am going to assign it to a test device via a group.
Note that the Schedule reports as Daily. Click the dots …

Select Edit.

Here you can choose how often the rule checks for non-compliance.

For my testing only, I’m going to choose this rule Frequency to run hourly and Repeat every 1 hour – just so I can push through the test and ensure all is OK. I can go back to the rule and set to something less aggressive once I know it’s successful. Click Apply.

Click through to complete the wizard.
Once created, click Refresh and you will see the new rule and it will show as Active.

As the script executes on devices, you’ll get feedback on the devices Without issues, With issues and if any Issues are fixed etc.
Here we can see that one device was a problem – With issues – and that the device was remediated with the remediation script.

If you click into the rule, you get an overview of the status. I’ve changed my rule to now run Daily, so I’ll get a nice graph giving me insights into devices being remediated.

If you click on Device Status, you’ll get some more information on the devices with the issue. You can see here that the device was remediated and on the next run there are no issues as Chrome is no longer installed.

Hope this gives you a nice insight on Proactive Remediation. Let me know if the Google Chrome script needs a tweak or two to work with the product. The testing I have done has worked so far.
Thanks for this! Here’s a version that will remove chrome versions that were installed without administrator privileges:
Detect.ps1
Remediation.ps1
Thanks Richard
I’m new to your site and just reading over some of your posts. I’m more of a video guy and maybe you should post videos of you actually doing things within MECM. I’m an SCCM/MECM admin myself and always good to find new sites teaching SCCM/MECM because there is always new stuff I learn myself and to see what other admins are doing. I have to say the screenshots help your posts but the wording is all plagiarized. Where are you getting your content? Are you getting it from those other blogrolls on your sidebar?
Hi Joe could you point me towards the wording which you deem has been plagiarized? Thanks Paul
This post in particular in the first paragraph I did a plagiarism check and it shows 100% plagiarism. You can see that in the link that goes to the screenshot.
https://prnt.sc/1c60shy
Thanks Joe. Can you tell me what the checker marks as the source of that content please? I can’t determine from that screenshot.
I don’t do videos but I do run session and presentations at user groups where I run through some of the technology which I have blogged.
I am trying to get your script to run. However, I keep getting an error once it runs
Error: Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At C:\Windows\IMECache\HealthScripts\913d9077-555c-4cb2-aa68-07204c8fd164_11\remediate.ps1:14 char:5
+ Start-Process $Installer $Arguements
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
Hello, congratulations for the post; in my environment it doesn’t work, maybe chrome has changed something with the latest versions?
Already in the identification phase, the installation of chrome is not detected.
Hi, thank you for this awesome blog.
I have issue with this 😦 I applied this script but it doesn’t work at all. Final result is “Google Chrome is not installed” but he is 😦
Do you have some recommendation (I tried script in command below and same result)
Thank you
Hi Thomas, what is the path of the Chrome install out of interest?
Hi!
I am receiving the same exact error as Robert above. Nothing I do resolves it. It works properly if I run the script locally on my computer.
Hi,
I have the same problem as Robert above. When I run it locally, it runs, but not through Intune. Please advise when you get a chance.
I also have the same error as Robert.
the script gives the following error when it is run the first time:
Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At C:\Downloads\remove-chrome.ps1:19 char:5
+ Start-Process $Installer $Arguements -Wait
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
however the second time I run it it completes successfully
My installation path is “C:\Program Files\Google\Chrome\Application\version”
I had the same issue as others that have posted with the error that the path to the installer could not be found although it worked when run from standard interactive PS rather than through Intune Proactive Remediation.
There were a couple of changes I made to get it working;
– One of the variables referenced other variables that hadn’t been defined yet so I changed the order of that.
– The path not found issue seems to have been something to do with Proactive Remediation not liking the use of variables nested inside variables although this was fine when run interactively in the PS session.
Script below worked for me and I did just enough work for that so is probably a slight hack TBH;
##################
# Start-Process Installers and Arguments
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
$ChromeVersion = $chromeInstalled.ProductVersion
$Arguements = "--uninstall --chrome --system-level --multi-install --force-uninstall"
# Check for x64 Chrome
$Chromex64 = "C:\Program Files\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx64 = Test-Path $Chromex64
# Check for x86 Chrome
$Chromex86 = "C:\Program Files (x86)\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx86 = Test-Path $Chromex86
$Installer = $Chromex64
$InstallerX86 = $Chromex86
# Remove x64 Chrome
If ($FileExistsx64 -eq $True) {
    Start-Process "$Installer" $Arguements -Wait
}
# Remove x86 Chrome
If ($FileExistsx86 -eq $True) {
    Start-Process "$InstallerX86" $Arguements -Wait
}
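
The ordering problem reported in the comments above (the installer paths are built before $ChromeVersion is assigned) can be avoided by resolving chrome.exe from the registry first and deriving the installer path from it. The following is an added example, not code from the post or from any commenter; it reuses the post's registry key, chrmstp.exe layout and arguments, while the exit codes of the remediation step and the final end-state check are assumptions of this example.

```powershell
# Added example (not the blog author's or a commenter's script).
# Registry key, chrmstp.exe layout and arguments are taken from the post.
$ErrorActionPreference = 'Stop'
$appPathKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
$arguments  = '--uninstall --chrome --system-level --multi-install --force-uninstall'

try {
    if (-not (Test-Path -Path $appPathKey)) {
        Write-Host 'Google Chrome is not registered under App Paths; nothing to do'
        exit 0
    }

    # Resolve chrome.exe first; every later path is derived from this value,
    # so nothing depends on $env:ProgramFiles or on variable ordering.
    $chromeExe = [string](Get-ItemProperty -Path $appPathKey).'(Default)'
    $chromeExe = $chromeExe.Trim('"')
    if (-not $chromeExe -or -not (Test-Path -LiteralPath $chromeExe)) {
        Write-Host "App Paths entry does not point to an existing file: '$chromeExe'"
        exit 1
    }

    $version   = (Get-Item -LiteralPath $chromeExe).VersionInfo.ProductVersion
    $appDir    = Split-Path -Path $chromeExe -Parent
    $installer = Join-Path -Path $appDir -ChildPath "$version\Installer\chrmstp.exe"

    # Fail with a readable message instead of letting Start-Process throw
    if (-not (Test-Path -LiteralPath $installer)) {
        Write-Host "Installer not found: $installer"
        exit 1
    }

    $proc = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru
    Write-Host "chrmstp.exe finished with exit code $($proc.ExitCode)"

    # Assumption of this example: judge success by the end state
    if (Test-Path -LiteralPath $chromeExe) {
        Write-Host 'chrome.exe is still present after the uninstall attempt'
        exit 1
    }
    Write-Host 'Google Chrome removed'
    exit 0
}
catch {
    Write-Host "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Because the installer path is built from whichever chrome.exe is registered, the same code covers installs under Program Files and Program Files (x86) without separate branches.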