Purpose
This document is intended to provide information about support for Google Chrome within Shavlik Patch for Microsoft System Center.
Symptoms
A typical sign of this issue is that only a small number of machines are being patched for Google Chrome when you know from another method that Chrome is installed on many more machines.
Cause
In short, the Shavlik Patch content does not detect per-user installations of Chrome, meaning Chrome that was installed using the EXE installer (per-user). Currently the Shavlik products only support patching of Chrome installed with the MSI installer (system level).
- Shavlik Patch only detects Chrome installed via MSI.
- Shavlik Patch only offers the MSI installer for Chrome.
Additional Information behind this:
Per User vs System-Level:
Google Chrome can be installed in two ways. The first way to install Chrome (and probably the most popular) is to install it on a per-user basis. If Chrome is installed in this manner, the browser will be available only to the user that has installed it on the machine. Other users on the machine will not have Chrome installed. Patching Chrome then requires the user who installed it to update it. To do this, Google has written an auto-updater that will automatically patch Chrome for the user.
The second way to install Chrome is to install it on a system-level (aka per-machine in Windows terms) basis. This is also known as the enterprise version of Chrome. This means that Chrome will be installed for all users, and can be updated for all users at once. In these system-level installs, there is no auto-update mechanism.
.exe vs .msi:
Google Chrome has multiple installers that will install on a system-level basis: a .exe and a .msi. Installing from the .exe will install Chrome on a system-level basis (given the proper switches), unless there is a per-user install already on the machine. In this instance, the .exe will fail to install Chrome. Installing the .msi on a system will install Chrome on a system-level basis, even if a per-user install already exists. The problem with the .msi install is that if you want to upgrade (patch) Chrome, you need to uninstall the previous version first. You cannot install a newer .msi install on top of an older .msi install.
Registry detection process
Shavlik Patch content only uses registry key detection. When Google Chrome is installed, one of the following registry keys is placed on the system:
- If installed per-user (EXE) - Not Supported
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
    - Check under Wow6432Node on x64 systems
  - This is NOT SUPPORTED by Shavlik Patch content. Systems with the above registry key will not have Chrome detected by Shavlik Patch.
- If installed as system-level (MSI) - Supported
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
    - The GUID may differ, but an example value = {C3FF5ACB-174A-3E07-AE2A-62063FBCC9B1}
  - Detection of this type of registry entry for Chrome install indicates system-level installation, which is supported by Shavlik Patch.
  - Shavlik Patch will detect these installations of Chrome and provide the proper update information to be deployed.
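To see which of the two registry entries a machine carries, the following added example (not Shavlik's detection logic and not part of the original article) enumerates both Uninstall locations and classifies each Chrome entry by its key name. It assumes the Chrome entry's DisplayName value is "Google Chrome"; the function name and output columns are hypothetical.

```powershell
# Added example, not Shavlik's own detection logic.
# Assumption: Chrome's uninstall entry has DisplayName "Google Chrome".
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # x64 systems
)
# MSI installs register under a product-code GUID in braces, as in the article's example.
$GuidKeyName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-ChromeUninstallEntry {
    param([string[]]$Roots = $UninstallRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }   # Wow6432Node is absent on x86
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $props.DisplayName -ne 'Google Chrome') { continue }

            # Classify by key name, following the two cases the article lists.
            if ($key.PSChildName -match $GuidKeyName) {
                $type = 'MSI (system-level)'; $supported = $true
            } elseif ($key.PSChildName -eq 'Google Chrome') {
                $type = 'EXE installer'; $supported = $false
            } else {
                $type = 'Unrecognized key name'; $supported = $false
            }

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                KeyName       = $key.PSChildName
                Version       = $props.DisplayVersion
                InstallType   = $type
                ShavlikDetect = $supported
                RegistryPath  = $key.Name
            }
        }
    }
}

# A machine with only an 'EXE installer' row will not show up as patchable.
Get-ChromeUninstallEntry | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session on x64 systems so that the first path reads the native registry view and the Wow6432Node path reads the 32-bit view.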
Resolution
If you have not yet installed Chrome in your environment, please consider the above information if you plan to patch using Shavlik Patch for Microsoft System Center. It will be beneficial to deploy the MSI version from the very beginning if you intend to have more control and reporting of Chrome installations via Software Updates in SCCM.
For users addressing the symptoms noted above:
The first thing to consider is that just because the Shavlik products are not detecting these installations does not mean there is necessarily a security vulnerability. The per-user installation will use Google's auto-update feature. However, you will have less control and reporting of the versions existing in your environment.
If you want to switch to the system-level install of Chrome so you can patch using Shavlik Patch/SCCM, remove the existing per-user Chrome installation (that was installed with EXE) and re-install using the latest MSI installer for system-level installation. From that point on, the Shavlik products will be able to properly detect and update Chrome across all your systems. Unfortunately, there is currently no software distribution content offered via Shavlik Patch, so you will need to find a method for deploying the MSI version of Chrome to your environment.
Additional Information
Other Considerations when switching to Chrome via MSI (system level install)
The first consideration is what happens to bookmarks and user data when we install the .msi on top of a per-user install. During our testing, all user data was retained, so the system-level install will use all of the user data that existed in the per-user installation. The second possible problem is that the .msi installation requires that a previous .msi Chrome installation be uninstalled before installing the newer version. During our tests, all user data was retained on the machine and was used by the new version of Chrome.
Additionally, it is important to note that there will be no auto-updating of Chrome once you switch to a system-level install. You will, however, have an honest assessment of the use of Chrome on your network, as well as an accurate assessment of the patch level of Chrome on your network.
Feature Requests/Changes:
If you would like to see changes to how Shavlik supports Chrome, please feel free to submit a feature/change request.
Affected Product(s)
Shavlik Patch for Microsoft System Center, All Versions