Introduction
Recently a support technician had some issues with the Google Chrome application. As a support specialist the ability to modify or uninstall an application is useful. In the same way that just restarting a device can resolve many issues, so can uninstalling and reinstalling an application resolve a great many problems. In this case however, and even with administrator permissions, the technician was unable to modify or uninstall the Google Chrome application. If he right clicked on Google Chrome in the Start Menu, and selected Uninstall - this would bring up the Control Panel\Uninstall or change a program window. The Google Chrome application was not there to uninstall and so the Uninstall selection item was useless.
In this company Google Chrome was a managed application. This can clearly be seen by clicking on the ellipses icon to the right of the browser's ribbon. The lower entry reading Managed by your organisation.
And so the reality here is that the technician is very limited in what he or she can do while troubleshooting an issue relating to the Google Chrome application. Any setting that has been configured, such as the homepage, cannot be modified. And neither can the application, at least in this instance, be uninstalled. And worse - although this is by design for this organization - if Google Chrome is showing as managed on your own personal device; you may indeed have a malware or virus.
The Task
The task given to myself was simply to provide a means for the support technician to uninstall Google Chrome by clicking on an application within MECM's Software Center. A bit of research and some testing and I did find a way to uninstall Google Chrome in this scenario.
Manually, the administrator could open a command prompt as administrator and navigate to c:\program files (x86)\Google\Chrome\Application\<version>\Installer and run the following command
setup.exe --uninstall --multi-install -chrome --msi --system-level --force-uninstall
But what if the technician only wanted to change some settings? How could we flip this installation of Google Chrome from Managed to Unmanaged?
Solution: Force Google Chrome into Unmanaged mode
Again a bit of research and some testing and I arrived at a way to remove the Managed by your organization lockdown setting. This did entail running a few lines of PowerShell code. If you were to open a command prompt as administrator and then run:
powershell.exe -executionpolicy unrestricted
Within the PowerShell console, running the following commands will switch your instance of Google Chrome over to unmanaged.
remove-item -path "HKCU:\Software\Google\Chrome\*" -recurse -force
Remove-item -path "HKCU:\Software\Policies\Google\Chrome" -recurse -force
Remove-item -path "HKLM:\Software\Google\Chrome\*" -recurse -force
Remove-item -path "HKLM:\Software\Policies\Google\Chrome\*" -recurse -force
Remove-item -path "HKLM:\Software\Policies\Google\Update\*" -recurse -force
Remove-itemProperty -path "HKLM:\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}" -name "CloudManagementEnrollmentToken"
Remove-File -Path '%ProgramFiles(x86)%\Google\Policies' -recurse
Remove Google Managed Mode, Uninstall and Clean up
Let us say you do suspect your device has been infected and you want to be confident that:
1) Registry settings that place Google Chrome under managed mode are removed
2) Google Chrome is removed
3) Remnants such as Google Chrome taskbar and desktop icons are removed
You could run the following PowerShell code:
remove-item -path "HKCU:\Software\Google\Chrome\*" -recurse -force
Remove-item -path "HKCU:\Software\Policies\Google\Chrome" -recurse -force
Remove-item -path "HKLM:\Software\Google\Chrome\*" -recurse -force
Remove-item -path "HKLM:\Software\Policies\Google\Chrome\*" -recurse -force
Remove-item -path "HKLM:\Software\Policies\Google\Update\*" -recurse -force
Remove-itemProperty -path "HKLM:\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}" -name "CloudManagementEnrollmentToken"
Remove-File -Path '%ProgramFiles(x86)%\Google\Policies' -recurse
execute-process -path 'setup.exe' -parameters '--uninstall --multi-install -chrome --msi --system-level --force-uninstall'
remove-item "C:\users\*\Desktop\Google Chrome.lnk" -force
remove-item "C:\users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk" -force
remove-item "C:\users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Google Chrome.lnk" -force
Conclusion
I did include the above script in a PSApp deployment toolkit wrapper, and registered it in MECM so that support staff could easily unmanage and remove Google Chrome for troubleshooting purposes. Of course you can use any other package deployment solution, such as Intune, to achieve the same thing. I hope you enjoyed reading this article and I hope my solution works for yourself, if ever you face a similar request.
Colin
No comments:
Post a Comment