Jörgen Nilsson 14 Jan 2020

Deploy Edge Chromium using MEMCM and PowerShell executionpolicy

I have been testing Edge Chromium deployment a lot over the last couple of days, as we are getting really close to release as I write this.
Configuration Manager 1910 has a built-in feature to deploy and update Edge Chromium, which looks great. The update part is hard to test, as the Stable release and updates are not released yet.

When creating the deployment of Edge Chromium using the built-in feature, we select the channel and version to deploy. This is great, as we will most likely have developers and testers who need the Beta/Dev version as well for testing.

It will download the content and create an Application with two deployment types, one for x64 and one for x86, both deployed using a PowerShell script. The PowerShell script also turns off automatic updates so that they can be handled by MEMCM instead of using EdgeUpdater.

The detection method for the deployment types is configured automatically to allow for updating Edge Chromium using MEMCM: it checks a registry value and is configured with the operator “Greater than or equal to”, as shown below.

To be able to use the script, the PowerShell execution policy needs to be set to RemoteSigned or Unrestricted.
AllSigned will time out after 30 minutes.
Restricted will result in immediate failure.

Restricted is the default in Windows 10. If you are using that, modifying the install command solves the problem: simply add -ExecutionPolicy Bypass to the command line. Sample below.
Sample original installation string:

powershell -File ".\Install-Edge.ps1" -MSIName "MicrosoftEdgeBetaEnterpriseX64.msi" -ChannelID "{2cd8a007-e189-409d-a2c8-9af4ef3c72aa}"

After adding -ExecutionPolicy Bypass:
powershell -ExecutionPolicy Bypass -File ".\Install-Edge.ps1" -MSIName "MicrosoftEdgeBetaEnterpriseX64.msi" -ChannelID "{2cd8a007-e189-409d-a2c8-9af4ef3c72aa}"
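
A pre-flight check for the policy outcomes listed above, as an added example that is not part of the original post or of Microsoft's Install-Edge.ps1. It resolves the effective execution policy from the scope list and shows that -ExecutionPolicy Bypass only sets the Process scope, so a policy enforced through Group Policy still wins. The function name Get-EdgeInstallPolicyOutcome and the sample client data are assumptions made for illustration.

```powershell
# Added example: predict how the Edge install script fares under a client's
# execution policy. Function name and sample data are hypothetical.
function Get-EdgeInstallPolicyOutcome {
    param(
        # Objects with Scope and ExecutionPolicy, as returned by Get-ExecutionPolicy -List
        [Parameter(Mandatory)] [object[]] $PolicyList,
        # Set when the install command line carries -ExecutionPolicy Bypass
        [switch] $CommandLineBypass
    )
    # Scope precedence used by PowerShell, highest first
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    $byScope = @{}
    foreach ($p in $PolicyList) { $byScope["$($p.Scope)"] = "$($p.ExecutionPolicy)" }

    # The command-line parameter affects the Process scope only
    if ($CommandLineBypass) { $byScope['Process'] = 'Bypass' }

    # Windows client default when every scope is Undefined
    $effective = 'Restricted'
    $source    = 'Default'
    foreach ($scope in $order) {
        if ($byScope[$scope] -and $byScope[$scope] -ne 'Undefined') {
            $effective = $byScope[$scope]
            $source    = $scope
            break
        }
    }

    # Outcomes as stated in the post
    $outcome = switch ($effective) {
        'Restricted' { 'Immediate failure' }
        'AllSigned'  { 'Times out after 30 minutes' }
        default      { 'Script runs' }
    }
    [pscustomobject]@{ Effective = $effective; Source = $source; Outcome = $outcome }
}

# Constructed sample: a client where Group Policy enforces AllSigned.
# The MachinePolicy scope outranks the Process scope set by the command line.
$gpoClient = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Get-EdgeInstallPolicyOutcome -PolicyList $gpoClient -CommandLineBypass

# Live client, with the modified install command line
Get-EdgeInstallPolicyOutcome -PolicyList (Get-ExecutionPolicy -List) -CommandLineBypass
```

Where the Source column reports MachinePolicy or UserPolicy, changing the install command line has no effect and the policy itself has to allow the script.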

Let’s look at the PowerShell script as well to prove that it sets the AutoUpdate policy to “0”; it is set during deployment.

If you choose to deploy Edge Chromium in another way, make sure you configure AutoUpdate using GPO/Intune according to your update plan, and that your detection method can handle the way you choose to update it!

Stay tuned for more Edge Chromium posts in the coming days as it goes live!