Windows
View all Worklets
WindowsWindows

Install Edge Chromium or Upgrade Old Edge to Chromium

Upgrade legacy EdgeHTML to Chromium-based Microsoft Edge on Windows endpoints using the official enterprise MSI

Worklet Details

What the legacy Edge to Chromium upgrade Worklet does

This Automox Worklet™ replaces the original EdgeHTML-based Microsoft Edge with Chromium-based Microsoft Edge on Windows endpoints. The evaluation script reads HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* and looks for a DisplayName of "Microsoft Edge" that corresponds to the Chromium build. If Chromium Edge is absent and the OS meets the version gate, the Worklet exits 1 and remediation runs.

Remediation pulls the current 64-bit MSI from the Microsoft Edge for Business enterprise feed at https://edgeupdates.microsoft.com/api/products?view=enterprise. The script parses the JSON product index, picks the channel you set (Stable, Beta, Dev, EdgeUpdate, or Policy), and selects either the latest release or a pinned $productVersion such as 91.0.864.71. The MSI lands in %Windir%\Temp and runs through msiexec with /qn /norestart so the install does not interrupt the signed-in user.

After msiexec completes, the Worklet waits 60 seconds, removes the downloaded MSI, and re-queries the uninstall registry to confirm the new Chromium build is registered. The stable channel installer carries the GUID {56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}; once installed, the version it reports lives at HKLM:\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\pv. That registry value is the canonical post-install check for the Chromium build.

Why retire legacy EdgeHTML from your fleet

Legacy Microsoft Edge (the EdgeHTML browser shipped with Windows 10 1507 through 1909) reached end of life on March 9, 2021. Microsoft stopped shipping security updates on that date and removed the browser from Windows entirely in the April 2021 Patch Tuesday. Every endpoint still running EdgeHTML has carried more than four years of unpatched browser surface, including known information-disclosure and remote-code-execution issues that Chromium-based Edge has long since fixed. Auditors flag the EOL browser on CIS Windows 10 Benchmark control 2.3.10 (legacy software) and on NIST 800-53 SI-2 (flaw remediation).

Legacy EdgeHTML reached end-of-support in March 2021 and no longer receives security fixes for the same V8, JavaScript, and HTML rendering CVEs Microsoft patches on a regular cadence in Chromium Edge. This Worklet targets the long tail of endpoints that never picked up the Edge for Business MSI through Windows Update, Configuration Manager, or Intune. That tail includes the kiosk that was offline at the rollout window, the Server 2016 box no admin has touched since 2019, and the contractor laptop that came back from a reimage with the old EdgeHTML shortcut still pinned to the taskbar.

How the Chromium Edge upgrade works

  1. Evaluation phase: The script reads [System.Environment]::OSVersion.Version to capture the Windows major version and build, queries Get-CimInstance Win32_OperatingSystem for ProductType (1 = workstation, 2 or 3 = server), and checks $PSVersionTable for PowerShell 3.0 or later. It runs Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* and filters with Where-Object { $_.DisplayName -eq 'Microsoft Edge' } to detect any existing Chromium build. Workstations on Windows 10 build 18363 (1909) or higher with no Chromium Edge installed exit 1; servers on PowerShell 3.0 or higher with no Chromium Edge installed also exit 1. Endpoints that already have Chromium Edge or that fail the OS gate exit 0 and stay compliant.

  2. Remediation phase: The script forces TLS 1.0, 1.1, and 1.2 on the .NET ServicePointManager so Server 2012 and 2016 hosts can reach Microsoft's CDN. It calls Invoke-WebRequest against https://edgeupdates.microsoft.com/api/products?view=enterprise, parses the returned JSON with ConvertFrom-Json, locates the $channel index (Stable by default), and picks the 64-bit Windows release matching $productVersion (or the highest available version when $productVersion is empty). The artifact (typically MicrosoftEdgeEnterpriseX64.msi) is downloaded to %Windir%\Temp, then installed with msiexec /i "$filePath" /qn /norestart. After a 60-second Start-Sleep the MSI is removed, and a second Get-ItemProperty Uninstall lookup confirms registration. The script exits 0 on a confirmed install and exit 1 if the post-install registry check fails.

Chromium Edge deployment requirements

  • Workstations: Windows 10 version 1909 (build 18363) or later, including Windows 11. The script gate is build >= 18363.

  • Servers: Windows Server 2012, 2012 R2, 2016, 2019, or 2022 with PowerShell 3.0 or higher. Server 2008 R2 is out of scope.

  • Outbound HTTPS connectivity to edgeupdates.microsoft.com (the Edge for Business product index) and msedge.b.tlu.dl.delivery.mp.microsoft.com (the artifact CDN). Add both to any allowlist or web filter that blocks unclassified Microsoft hosts.

  • TLS 1.2 available on the endpoint. The script explicitly enables TLS 1.0/1.1/1.2 on the .NET ServicePointManager so older servers do not fail the API call.

  • At least 200 MB free in %Windir%\Temp for the MSI download, plus standard Edge install footprint (about 600 MB) under %ProgramFiles(x86)%\Microsoft\Edge.

  • SYSTEM or local administrator context. The Automox agent runs as SYSTEM by default and meets this requirement without further changes.

  • Optional: edit $channel in remediation.ps1 to Dev, Beta, Stable, EdgeUpdate, or Policy. Stable is the default and the right answer for production fleets.

  • Optional: edit $productVersion in remediation.ps1 (for example 122.0.2365.92) to pin a specific release. Leave it empty to take the latest available build in the selected channel.

Expected endpoint state after the Chromium Edge upgrade

On a successful run, the uninstall registry contains a Chromium-build "Microsoft Edge" entry and HKLM:\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\pv reports the installed version (for example 122.0.2365.92). The msedge.exe binary lives at %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe. Legacy EdgeHTML, if still present on an unpatched Windows 10 1809 box, is left in place by this Worklet. Microsoft's April 2021 cumulative update is the supported removal path, and a separate companion Worklet can run that cleanup if your fleet still needs it.

Validate the install three ways. Run Get-Package -Name 'Microsoft Edge' in an elevated PowerShell session and confirm the version matches your $productVersion pin or the latest stable build. Run Get-AppxPackage -AllUsers *MicrosoftEdge* on Windows 10 and 11 to confirm the legacy EdgeHTML AppX package is no longer registered for current users on patched builds. Read the pv value directly with Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}' to capture audit evidence. In Automox, re-run the evaluation policy and confirm the endpoint reports compliant with exit code 0; the activity log records the channel, the resolved version, and the MSI path that was installed.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets