Before we standardized our browsers, users were free to install whatever they liked, which left Firefox scattered across hundreds of endpoints. I don’t waste time with manual cleanup; I’ve automated the entire process.

Scoping at Scale with KQL

I start by getting a clear picture of the “infestation.” I use KQL (Kusto Query Language) in Defender Advanced Hunting to see exactly which versions are out there and how many devices are affected:

// My Firefox Discovery Query
DeviceTvmSoftwareInventory
| where SoftwareName contains "Firefox"
| summarize DeviceCount = dcount(DeviceName), Versions = make_set(SoftwareVersion) by SoftwareName
| order by DeviceCount desc

This query gives me an immediate count and version list, which I use to target my Intune remediations effectively.

The Strategy: Automating the Cleanup

I use Intune Proactive Remediation with a two-script system:

• Detection: Finds Firefox in the registry, Program Files, and user profiles.
• Remediation: Wipes everything—processes, files, shortcuts, services, and scheduled tasks.

Detection Logic

My script scans three main areas where Firefox likes to hide:

1. Registry - 64-bit/32-bit uninstall keys and per-user installs.
2. Program Files - Standard install locations.
3. User Profiles - AppData folders.

$findings = @()
$uninstallPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
)

foreach ($path in $uninstallPaths) {
    if (Test-Path $path) {
        $apps = Get-ItemProperty "$path\*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "*Firefox*" }
        foreach ($app in $apps) {
            $findings += "Registry: $($app.DisplayName)"
        }
    }
}

if ($findings.Count -gt 0) { exit 1 } else { exit 0 }

Full script: firefox-removal-detection.ps1

The Kill: Remediation

My remediation script is designed to be thorough. It stops all active processes before attempting the uninstall to ensure nothing is locked.

1. Stop Processes - Firefox, plugin-container, and updaters.
2. Uninstall - Uses the registry uninstall string (handles helper.exe and msiexec).
3. Cleanup - Deletes directories in Program Files, ProgramData, and AppData.
4. Final Polish - Removes shortcuts, the MozillaMaintenance service, and update tasks.

# My Process Kill List
$firefoxProcesses = @("firefox", "firefox-esr", "plugin-container", "crashreporter", "updater")
foreach ($proc in $firefoxProcesses) {
    Get-Process -Name $proc -ErrorAction SilentlyContinue | Stop-Process -Force
}

Full script: firefox-removal-remediation.ps1

Outcome and Verification

I monitor the progress directly in the Intune portal under Devices > Scripts and remediations.

Success looks like a “fixed” status on my devices. I also check my custom logs at C:\ProgramData\Eriteach\Logs\ if I see any stubborn installs that require a manual look.

Lessons Learned

• User Profiles - The script cleans all profiles on the machine. I always warn users that bookmarks and saved passwords will be gone.
• Force Close - Since I force-close the process, I run this remediation during off-hours or maintenance windows to minimize disruption.

Related Links

• Auto-Update Firefox with Intune - My workflow for when I need to keep Firefox but stay updated.
• Intune Remediations overview
• Microsoft Defender software inventory

I don’t manually check every device. Instead, I’ve built a workflow that finds these apps across the fleet and removes them automatically.

The Discovery: Fleet-wide Hunting with KQL

Before I can remove anything, I need to know exactly where the problems are. I use Microsoft Defender for Endpoint (MDE) to find these apps in seconds. Instead of browsing the portal, I run a KQL query in Advanced Hunting to identify high-risk software:

// My Discovery Query (Sample)
DeviceTvmSoftwareInventory
| where SoftwareName has_any ("utorrent", "anydesk", "ccleaner")
| project DeviceName, SoftwareName, SoftwareVersion

This gives me my target list. For a more aggressive approach that handles EOL and EOS software, I use my Zombie Software Hunting workflow.

The Automation: Intune Proactive Remediation

Once I have my targets, I use Intune Proactive Remediation. My setup uses two scripts:

1. Detection - Checks if the app exists (exit 1 = found, triggering the kill)
2. Remediation - Silent removal

My Configuration

I target apps by registry, WMI, or the programs list. I typically configure my detection by setting these variables:

$AppDisplayName = "Zoom"
$AppPublisher = ""
$AppProductCode = "{86B70A45-00A6-4CBD-97A8-464A1254D179}"
$UsePartialMatch = $true

Full script: Detect-UnwantedApp.ps1

The Kill (Remediation)

Once detected, my remediation script pulls the uninstall string from the registry or uses the MSI product code to wipe the app silently.

Full script: Remove-UnwantedApp.ps1

Deployment Details

This is how I set it up in my tenant:

1. Intune → Devices → Remediations
2. Create script package: “Remove [AppName]”
3. Settings:
   • Run script in 64-bit PowerShell: Yes
   • Run with logged-on credentials: No (runs as SYSTEM)
4. Schedule: Daily (I want these gone fast)

Trade-offs and Lessons Learned

• Pilot first - I always run detection on a pilot group before enabling the remediation.
• Product codes change - I’ve learned that different versions often have different codes; KQL helps me find all the variants first.
• Partial match risk - I use $UsePartialMatch = $true carefully to avoid catching plugins I might actually want to keep.

Related Links

• Microsoft: Proactive Remediations
• Intune script requirements