Using Proactive Remediations to remove Google Chrome

Proactive remediation is a cool new Intune feature which allows you to use scripts to detect and fix problems on your endpoints.

If you are familiar with configuration items and baselines in SCCM then you will be comfortable already with the approach you need to take when using a proactive remediation. You need a detection script to capture the current state of what you are checking for – does something exist or not, and then remediate the problem with another script.

I’m not going to go through all the pre-requisites you need in place for this to work, I’ll just point you to the official MS docs and you can take a look yourself.

This blog post just shows you how you can use a simple script to do something effectively; in this case I wanted to remove Google Chrome from end users' devices when the user had installed the application.

Let’s start off with the scripts. As mentioned, two PowerShell scripts are needed: one to detect and one to remediate.

The first script checks for the existence of Google Chrome on the device. Intune will remediate anything that exits with exit code 1, so we need to make sure that if Google Chrome is detected that we exit with that value.


try {
    # Chrome registers chrome.exe under App Paths when it is installed
    $chromeInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'

    if ($chromeInstalled) {
        # Exit code 1 tells Intune to run the remediation script
        Write-Host "Google Chrome is installed"
        exit 1
    }
    else {
        # No remediation required
        Write-Host "Google Chrome is not installed"
        exit 0
    }
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    # exit 1
}

Next we have our remediation script which will perform the remediation process and uninstall Google Chrome for us. The script captures both x86 and x64 installs. I’m sure there’s a much more elegant way to script this, but it works for me.

# Read the Chrome version from the executable registered under App Paths
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
$ChromeVersion = $chromeInstalled.ProductVersion

# Check for x64 Chrome
$Chromex64 = "C:\Program Files\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx64 = Test-Path $Chromex64

# Check for x86 Chrome
$Chromex86 = "C:\Program Files (x86)\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$FileExistsx86 = Test-Path $Chromex86

# Remove x64 Chrome
If ($FileExistsx64 -eq $True) {
    # Run the uninstaller with the call operator rather than building a command string
    & $Chromex64 --uninstall --chrome --system-level --multi-install --force-uninstall
}

# Remove x86 Chrome
If ($FileExistsx86 -eq $True) {
    & $Chromex86 --uninstall --chrome --system-level --multi-install --force-uninstall
}
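The same remediation with a post-check, as an added example that is not the author's script: it derives the uninstaller path from the registered chrome.exe location instead of hardcoding both Program Files paths, and exits non-zero if Chrome is still present afterwards. The function name Get-ChromeExePath, the 60-second polling window and the use of a non-zero remediation exit code to signal failure are assumptions; the registry key, the chrmstp.exe location and the flags are the ones shown in this post.

```powershell
# Added example, not the post's script. Registry key, installer layout and flags come from the post.
$appPathsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
$uninstallArgs = '--uninstall --chrome --system-level --multi-install --force-uninstall'

function Get-ChromeExePath {
    # Hypothetical helper: returns the registered chrome.exe path,
    # or $null when the key is missing or points at a file that no longer exists.
    $entry = Get-ItemProperty -Path $appPathsKey -ErrorAction SilentlyContinue
    if (-not $entry) { return $null }
    $path = $entry.'(default)'
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) { return $path }
    return $null
}

try {
    $chromeExe = Get-ChromeExePath
    if (-not $chromeExe) {
        Write-Host 'Google Chrome not found, nothing to remediate'
        exit 0
    }

    # Build <Application>\<version>\Installer\chrmstp.exe from the registered path,
    # which covers both the x64 and x86 install locations.
    $version   = (Get-Item -LiteralPath $chromeExe).VersionInfo.ProductVersion
    $installer = Join-Path (Split-Path $chromeExe -Parent) "$version\Installer\chrmstp.exe"
    if (-not (Test-Path -LiteralPath $installer -PathType Leaf)) {
        Write-Error "Uninstaller not found at $installer"
        exit 1
    }

    # Start-Process passes the arguments as data; no command string is evaluated.
    $proc = Start-Process -FilePath $installer -ArgumentList $uninstallArgs -Wait -PassThru
    Write-Host "Uninstaller exited with code $($proc.ExitCode)"

    # The uninstaller may finish its cleanup after the process returns,
    # so poll for up to 60 seconds (assumed window) before judging the result.
    foreach ($attempt in 1..12) {
        if (-not (Get-ChromeExePath)) { Write-Host 'Google Chrome removed'; exit 0 }
        Start-Sleep -Seconds 5
    }
    Write-Error 'Google Chrome is still present after uninstall'
    exit 1   # Assumption: non-zero marks the remediation as failed
}
catch {
    Write-Error $_.Exception.Message
    exit 1
}
```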

In the MEM Admin Center

In the MEM admin center, select Reports\Endpoint analytics\Proactive Remediation. Click the Create script package link.

Enter a Name and optional Description for the proactive remediation. Click Next.

In the next screen of the wizard, you will see fields for uploading your detection and remediation script files. Click the folder icon next to the Detection script file.

Upload the detection script and you’ll notice the Detection script section fill with the PS code.

Now upload the remediation script and the same will occur.

I’m going to leave defaults for the rest of the options. Click Next.

I’m not going to set any scope tags for this proactive remediation, but I am going to assign it to a test device via a group.

Note that the Schedule reports as Daily. Click the dots.

Select Edit.

Here you can choose how often the rule checks for non-compliance.

For my testing only, I’m going to choose this rule Frequency to run hourly and Repeat every 1 hour – just so I can push through the test and ensure all is OK. I can go back to the rule and set to something less aggressive once I know it’s successful. Click Apply.

Click through to complete the wizard.

Once created, click Refresh and you will see the new rule and it will show as Active.

As the script executes on devices, you’ll get feedback on the devices Without issues, With issues and if any Issues are fixed etc.

Here we can see that one device was a problem – With issues – and that the device was remediated with the remediation script.

If you click into the rule, you get an overview of the status. I’ve changed my rule to now run Daily, so I’ll get a nice graph giving me insights into devices being remediated.

If you click on Device Status, you’ll get some more information on the devices with the issue. You can see here that the device was remediated and on the next run there are no issues as Chrome is no longer installed.

Hope this gives you a nice insight on Proactive Remediation. Let me know if the Google Chrome script needs a tweak or two to work with the product. The testing I have done has worked so far.
