Disable Updates in Google Chrome Enterprise

Written by Alex Marin · September 12th, 2019

One fundamental rule in almost any enterprise regarding applications is to disable the auto-updates feature. From an enterprise point of view, it makes sense.

Unlike general users, an enterprise needs to test each update of an application to make sure it is still compatible with the current Windows build, to check whether any features were added or removed, and to confirm that it can still be used as before.

However, every application has its own type of auto-update setting. Some keep this setting in the registry, others in different types of files stored on the machine. Let’s have a look at how Google approaches the auto-updates topic.

How to disable the auto-update

As we already covered in our article on how to convert Chrome enterprise to MSIX, when we download the MSI from Google and open it, we see that no files, shortcuts, registry entries, or other data are present in it.

The MSI is actually a wrapper for the EXE installer stored as a binary and executed silently with the Custom Action DoInstall.

In this case, we have two options to customize the MSI:

  • Make a capture with Advanced Repackager and customize the resulting MSI
  • Use additional Custom Actions to disable the updates on the vendor MSI

Let's have a look at both options.

For the first option, after the repackaging process completes, navigate to the Services page. We can see that Chrome places a service called "GoogleChromeElevationService", which is described as follows:

"Currently, the elevation service is only installed for Google Chrome builds. The primary use case at the moment for the service has to do with the Chrome recovery component. The recovery component is registered only for Google Chrome builds. It repairs the Chrome updater (Google Update) when the algorithm detects that Chrome is not being updated. Since Chrome could be installed per-system or per-user, an elevation service is needed to repair the code in the per-system install case."


This means that if Chrome is installed for a user who needs elevated permissions to update the application, the elevation service comes into play.

Since we are disabling the auto-updates, it is safe to remove this service and the control operations related to it. Once it is removed, if we navigate to Help > About Google Chrome, we can see that we receive a warning of the service not being active.

Another page we need to navigate to is Scheduled Tasks. Here we can see that Chrome places two Scheduled Tasks, called GoogleUpdateTaskMachineUA and GoogleUpdateTaskMachineCore.


The stated purpose of the tasks is: “Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed, and features may not work. This task uninstalls itself when there is no Google software using it.”

The GoogleUpdateTaskMachineCore task runs once per day, while GoogleUpdateTaskMachineUA runs every hour of the day. If we delete the tasks, the automatic check for updates is disabled for the application.

For the second option, when you don’t want to repackage the vendor MSI, the only way to disable this feature is to use Custom Actions to delete the service and the scheduled tasks.

To delete the service, use the following VBScript in a Custom Action:

' Stop and delete the Chrome elevation service through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'GoogleChromeElevationService'")
For Each objService in colListOfServices
    objService.StopService()
    objService.Delete()
Next


Next, to delete the scheduled tasks, use the following VBScript in a Custom Action:

CreateObject("Wscript.Shell").Run "schtasks.exe" & " /delete /tn " & "GoogleUpdateTaskMachineUA" & " /f "
CreateObject("Wscript.Shell").Run "schtasks.exe" & " /delete /tn " & "GoogleUpdateTaskMachineCore" & " /f "


Warning: Set the Custom Actions to run as deferred (When the system is being modified) and check “Run under the LocalSystem account with full privileges (no impersonation)”.

Other Settings

For any other settings, Chrome is highly configurable with GPOs. A list of all configurable settings can be found here.

For example, if you want to disable the sign-in and sync options for the user, you can configure these settings via GPO using SigninAllowed = 0 and SyncDisabled = 1. It is recommended that you use GPOs for all other non-packaging settings, but if you still want to place these settings inside your MSI, you can create the corresponding registry values:

HKLM\Software\Policies\Google\Chrome\SigninAllowed as DWORD with value 0 and HKLM\Software\Policies\Google\Chrome\SyncDisabled as DWORD with value 1.
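To confirm on a test machine that the package left the system in the state described above (service and scheduled tasks removed, policy values set), the following PowerShell audit can be run after installation. It is an added example, not part of the original article or of Google's tooling; the service, task and registry names are the ones given in the article, while the function names and report layout are assumptions.

```powershell
# Added example: audit the state the article's changes should leave behind.
# Function names and the report layout are illustrative assumptions.
function New-AuditRow($Item, $Expected, $Actual) {
    [pscustomobject]@{
        Item     = $Item
        Expected = $Expected
        Actual   = $Actual
        Match    = ("$Actual" -eq "$Expected")
    }
}

function Get-ChromeUpdateAudit {
    # Elevation service that the first Custom Action deletes.
    $svc = Get-Service -Name 'GoogleChromeElevationService' -ErrorAction SilentlyContinue
    $state = if ($svc) { "Present ($($svc.Status))" } else { 'Absent' }
    New-AuditRow 'Service GoogleChromeElevationService' 'Absent' $state

    # Scheduled tasks that the second Custom Action deletes.
    foreach ($name in 'GoogleUpdateTaskMachineUA', 'GoogleUpdateTaskMachineCore') {
        # Trailing wildcard is an assumption, in case the installed task name carries a suffix.
        $task = Get-ScheduledTask -TaskName "$name*" -ErrorAction SilentlyContinue
        $state = if ($task) { "Present ($(@($task).State -join ','))" } else { 'Absent' }
        New-AuditRow "Task $name" 'Absent' $state
    }

    # Policy values from the "Other Settings" section.
    $key = 'HKLM:\Software\Policies\Google\Chrome'
    $expected = [ordered]@{ SigninAllowed = 0; SyncDisabled = 1 }
    foreach ($name in $expected.Keys) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.$name } else { 'NotSet' }
        New-AuditRow "Policy $name" $expected[$name] $actual
    }
}

Get-ChromeUpdateAudit | Format-Table -AutoSize
```

Any row with Match = False shows a component that is still present or a policy value that was not written. The same report run across a fleet also shows which machines have Chrome's update tasks removed and therefore depend on the packaging team to deliver new versions.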

Conclusion

Unlike other applications, Google takes a different approach to auto-updates. Most applications check for updates once you start them, and the setting for the auto-update feature is stored in the registry or in a file on the machine.
With Chrome, however, you can get the updates without opening the application. Chances are you don’t even notice when and if the application is updated. Because the MSI is a wrapper, it is also harder to customize if you don’t repackage it.
