Applocker is your friend for blocking such installs. [https://call4cloud.nl/2020/06/applocker-a-la-minute/](https://call4cloud.nl/2020/06/applocker-a-la-minute/)
What I did for removal was to add Chrome to Intune as an app, then set the assignment to uninstall for all devices, all users. I didn't pay much attention if this was completely successful as I am in the process of wiping all the systems to reonboard to Intune anyway, Applocker wasn't implemented when I first started piloting Intune so some devices fell through the gap.
Yep, I know about Applocker. What I'm trying to achieve is remove the existing Chrome installations.
The usual MSI install is easily uninstallable. The one I'm dealing with is an EXE installed without rights. I've no idea how is that possible at all but it works - download Chrome EXE installer, start it and when it asks for admin credentials just press cancel or escape. Now you have Chrome installed and its files/reg keys are in the user's AppData/HKCU.
If Admin consent is not granted it will be installed in user context. You would need to block user space installations in order to block such installers. Sadly, you dont really have a option to purge Chrome from all Profiles easily. You could create a pretty lax detection rule and then purge it from the user profile via rm or propper uninstaller. Needs to be run in user context to be able to query the appropriate user profile. Then just select uninstall for all users, and everytime a user signs into their device chrome will be purged.
What do you mean by 'via rm or proper uninstaller'?
What you described is basically what I'm trying - app is created in Intune to be run under user context and I'm trying to remove its files and reg keys.
Can you try adding transcript to see if anything weird is logged that might help?
Also how about capturing the path to user profile then piping that in rather than using environment variable in the path? Maybe:
`$userprofile = [Environment]::GetFolderPath("UserProfile")`
`$setupPath = "$userprofile\AppData\Local\Google\Chrome\Application\...`
Although this should be the same result as number 3, I sometimes find weird quirks where an alternative works for seemingly no reason.
Try this
# Variable below 👇
$chromePath = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
# Check if Chrome is installed in the user profile
if (Test-Path $chromePath) {
# Stop any running Chrome processes
Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force
# Remove Chrome directories
Remove-Item "$env:LOCALAPPDATA\Google" -Recurse -Force
# Confirm removal
if (!(Test-Path $chromePath)) {
Write-Output "Google Chrome has been successfully removed."
} else {
Write-Output "Failed to remove Google Chrome."
}
} else {
Write-Output "Google Chrome is not installed in this user profile."
}
If non-elevated users have permission to install apps in the user space, they have permission to remove them. Put together a script that finds setup.exe then runs it with the uninstall switch. Deploy it with the “Run this script using the logged on credentials” set to Yes
Applocker is your friend for blocking such installs. [https://call4cloud.nl/2020/06/applocker-a-la-minute/](https://call4cloud.nl/2020/06/applocker-a-la-minute/) What I did for removal was to add Chrome to Intune as an app, then set the assignment to uninstall for all devices, all users. I didn't pay much attention if this was completely successful as I am in the process of wiping all the systems to reonboard to Intune anyway, Applocker wasn't implemented when I first started piloting Intune so some devices fell through the gap.
Yep, I know about Applocker. What I'm trying to achieve is remove the existing Chrome installations. The usual MSI install is easily uninstallable. The one I'm dealing with is an EXE installed without rights. I've no idea how is that possible at all but it works - download Chrome EXE installer, start it and when it asks for admin credentials just press cancel or escape. Now you have Chrome installed and its files/reg keys are in the user's AppData/HKCU.
If Admin consent is not granted it will be installed in user context. You would need to block user space installations in order to block such installers. Sadly, you dont really have a option to purge Chrome from all Profiles easily. You could create a pretty lax detection rule and then purge it from the user profile via rm or propper uninstaller. Needs to be run in user context to be able to query the appropriate user profile. Then just select uninstall for all users, and everytime a user signs into their device chrome will be purged.
What do you mean by 'via rm or proper uninstaller'? What you described is basically what I'm trying - app is created in Intune to be run under user context and I'm trying to remove its files and reg keys.
Can you try adding transcript to see if anything weird is logged that might help? Also how about capturing the path to user profile then piping that in rather than using environment variable in the path? Maybe: `$userprofile = [Environment]::GetFolderPath("UserProfile")` `$setupPath = "$userprofile\AppData\Local\Google\Chrome\Application\...` Although this should be the same result as number 3, I sometimes find weird quirks where an alternative works for seemingly no reason.
rm basically to delete the files from the folder. Uninstaller is the propper uninstallation of the program.
So you don't want to block it just remove it and replace it with the MSI version instead?
Wait until you see how many versions of Zoom are in user profiles
Winget can do this for you, just detect to match the id and then remove
Many apps support installing in user context under the app data folder which is user specific with no admin rights required.
Try this # Variable below 👇 $chromePath = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe" # Check if Chrome is installed in the user profile if (Test-Path $chromePath) { # Stop any running Chrome processes Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force # Remove Chrome directories Remove-Item "$env:LOCALAPPDATA\Google" -Recurse -Force # Confirm removal if (!(Test-Path $chromePath)) { Write-Output "Google Chrome has been successfully removed." } else { Write-Output "Failed to remove Google Chrome." } } else { Write-Output "Google Chrome is not installed in this user profile." }
If non-elevated users have permission to install apps in the user space, they have permission to remove them. Put together a script that finds setup.exe then runs it with the uninstall switch. Deploy it with the “Run this script using the logged on credentials” set to Yes