How to restart chrome/Edge without user involved


My company has Chrome and Edge installed on some of our development servers for our dev team to use with their processes. In both cases, patches are automatically pushed to the browsers, however they are not fully implemented until they are opened by a user. This leaves them potentially vulnerable until the patches are implemented. So, I need to automate the refreshing of these browsers without user involvement. Is there a way to do this via Group Policy or SCCM? If not, is there another route?

It's also important to know that, while I have the ability to remove these from the servers, I do not have the authority to prevent the dev team from reinstalling them. So, I need to find an alternative route.

2

There are 2 answers

0
Yu Zhou

There's no such policy. I think it must involve user interaction.

You can only force a reminder for the user to restart the browser by setting the policy RelaunchNotification to Required. But the reminder popup will only show when Edge is open.

0
Syberdoor

I would argue that, if the patch is finalized on starting the executable, then things are not really exploitable, as to exploit it the executable has to be running, which leads to things getting patched even if they were not.

However, if you do not deem this enough, it is of course possible to run executables both ways, via GPO or SCCM. The main thing to keep in mind: if you want this to work without user interaction it will run in the system context, which means you have to a) ensure that your browser can even run (and update) as SYSTEM, and b) hide the execution from the user, because it is a far more severe risk to have any executable running as SYSTEM where a user can interact with it than any unpatched browser will ever be.

If this works for you, you can just have a program in SCCM (set to run as admin, set to not allow interaction with the user) that, instead of going to some exe on a DP, directly launches your exe from your C drive. As it would have to be closed as well, you would probably want to wrap it in a script that starts and quits it. You can then have a repeated assignment set to run every time you patch this.

The same can be done via GPO, where you can use GPP to create a scheduled task that runs the same script in the system context. If you do this (I think a task is preferable for a repeated action) it will at least be non-interactive by default.
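The "start it and quit it" wrapper the answer above describes, written out as an added example (this is not code from the question or from either answer). It is meant to be deployed as the SCCM program or the scheduled-task action and run as SYSTEM. It assumes the default 64-bit install paths for Chrome and Edge, and that a staged-but-not-finalized update is visible as a `new_chrome.exe` / `new_msedge.exe` file next to the main executable (this matches Chrome's installer layout; Edge is assumed to follow the same Chromium convention). Both assumptions are marked in the code and should be checked on your own servers before rollout.

```powershell
<#
  Added example, not code from the question or either answer.
  Finalizes a staged Chrome/Edge update by launching the browser headless
  under SYSTEM, waiting, and stopping it again, then logging whether the
  version actually changed. Assumptions (not confirmed by the page):
  default x64 install paths, and the new_*.exe staged-update marker.
#>
#Requires -RunAsAdministrator

$Browsers = @(
    @{ Name = 'Chrome'; Exe = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe";         Staged = 'new_chrome.exe' }
    @{ Name = 'Edge';   Exe = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"; Staged = 'new_msedge.exe' }
)
$LogFile = Join-Path $env:ProgramData 'BrowserRelaunch.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogFile -Append
}

function Test-StagedUpdate([hashtable]$Browser) {
    # Assumption: the updater drops a renamed new_*.exe beside the real
    # executable, and it only becomes the active binary on the next launch.
    Test-Path (Join-Path (Split-Path $Browser.Exe) $Browser.Staged)
}

function Invoke-BrowserRelaunch([hashtable]$Browser, [int]$SettleSeconds = 20) {
    if (-not (Test-Path $Browser.Exe)) { Write-Log "$($Browser.Name): not installed, skipping"; return }
    $before = (Get-Item $Browser.Exe).VersionInfo.ProductVersion
    if (-not (Test-StagedUpdate $Browser)) { Write-Log "$($Browser.Name): $before is current, nothing staged"; return }

    Write-Log "$($Browser.Name): $before has a staged update, relaunching"
    $started = Get-Date
    # Headless and without first-run UI: even if a console session exists,
    # nothing is shown, which is the answer's point (b) about never exposing
    # an interactive SYSTEM process to a user.
    $launchArgs = '--headless=new', '--disable-gpu', '--no-first-run', '--no-default-browser-check', 'about:blank'
    Start-Process -FilePath $Browser.Exe -ArgumentList $launchArgs -WindowStyle Hidden
    Start-Sleep -Seconds $SettleSeconds

    # Chromium spawns helper processes; stop every process of that image that
    # we started (matched by start time) so the task never leaves a browser behind.
    $name = [IO.Path]::GetFileNameWithoutExtension($Browser.Exe)
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.StartTime -ge $started } |
        Stop-Process -Force -ErrorAction SilentlyContinue

    $after = (Get-Item $Browser.Exe).VersionInfo.ProductVersion
    if ($after -ne $before -and -not (Test-StagedUpdate $Browser)) {
        Write-Log "$($Browser.Name): finalized $before -> $after"
    } else {
        # The answer's caveat (a): if the browser will not start as SYSTEM on
        # this build, the staged file stays put and this line makes it visible.
        Write-Log "$($Browser.Name): still $after, update not finalized (check that it runs as SYSTEM)"
    }
}

function Register-RelaunchTask([string]$ScriptPath) {
    # Scripted equivalent of the GPP scheduled task the answer mentions:
    # SYSTEM principal (session 0, no interactive desktop), hidden, time-limited.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '03:30'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -Hidden -ExecutionTimeLimit (New-TimeSpan -Minutes 10)
    Register-ScheduledTask -TaskName 'Finalize-BrowserUpdates' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

foreach ($b in $Browsers) { Invoke-BrowserRelaunch -Browser $b }
```

Drop the script somewhere only administrators can write (for example under `C:\ProgramData`) and either point the SCCM program at it or run `Register-RelaunchTask -ScriptPath '<path to the script>'` once per server; the daily trigger is a placeholder, and a trigger aligned to your patch schedule is the closer match to the "repeated assignment" the answer describes. The log line that reports "update not finalized" is the check worth watching, because a browser that refuses to start under SYSTEM fails silently otherwise.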