Microsoft Intune PowerShell Detection scripts

When I deploy Win32 packages in Intune, I use PowerShell detection scripts to detect if the software is installed on a system. In this blog post, I will show you how they work and why they are more flexible than file and registry checks.

What are detection scripts in Intune?

A detection script is a PowerShell script that will detect the app’s presence on the client. The app will be detected when the script returns a 0-value exit code and writes a string value to STDOUT.

How do detection scripts work?

In the detection script, you check a specific thing on the machine. This could be a Windows service, a printer, multiple files or folders, etc. Because it’s PowerShell, you can check for various conditions on a system and return the installation status to Intune. (Installed or not installed)

The most important thing is the exit code. The script must exit with either a 0 exit code (Success) or any other exit code (I always use 1 to keep things binary 😉 ). Intune also needs to see an STDOUT message, and I always use Write-Host with a value that tells you what happened during detection. You will see that text in your IntuneManagementExtension.log file, available in the Logs folder in C:\ProgramData\Microsoft\IntuneManagementExtension.
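
To see what a detection script looks like from the outside, the added example below (not part of the original post) runs a script in a child powershell.exe, captures STDOUT, STDERR and the exit code, and applies the rule described above: detected means exit code 0 with data on STDOUT. Test-DetectionScript and the four sample scripts are constructed for illustration; the harness approximates the rule and is not the Intune agent, and it assumes the local execution policy allows running scripts.

```powershell
# Added example, not from the original post. Approximates the documented rule
# (detected = exit code 0 AND data on STDOUT); it is not the Intune agent itself.
function Test-DetectionScript {
    param([Parameter(Mandatory)][string]$Path)

    $outFile = [System.IO.Path]::GetTempFileName()
    $errFile = [System.IO.Path]::GetTempFileName()
    try {
        # Child process, so 'exit' codes and stream redirection behave as they
        # would for any caller that launches powershell.exe.
        $proc = Start-Process -FilePath 'powershell.exe' -NoNewWindow -Wait -PassThru `
            -ArgumentList '-NoProfile', '-NonInteractive', '-File', "`"$Path`"" `
            -RedirectStandardOutput $outFile -RedirectStandardError $errFile
        $stdout = "$(Get-Content -Path $outFile -Raw)".Trim()
        $stderr = "$(Get-Content -Path $errFile -Raw)".Trim()
        [pscustomobject]@{
            Script   = Split-Path -Path $Path -Leaf
            ExitCode = $proc.ExitCode
            StdOut   = $stdout
            StdErr   = $stderr
            Detected = ($proc.ExitCode -eq 0) -and ($stdout.Length -gt 0)
        }
    }
    finally {
        Remove-Item -Path $outFile, $errFile -ErrorAction SilentlyContinue
    }
}

# Constructed sample scripts covering the cases discussed on this page.
$samples = [ordered]@{
    'host-exit0.ps1'   = "Write-Host 'found'; exit 0"
    'output-exit0.ps1' = "Write-Output 'found'; exit 0"
    'silent-exit0.ps1' = 'exit 0'
    'host-exit1.ps1'   = "Write-Host 'not found'; exit 1"
}

$dir = Join-Path $env:TEMP ("detect-test-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    foreach ($name in $samples.Keys) {
        $file = Join-Path $dir $name
        Set-Content -Path $file -Value $samples[$name]
        Test-DetectionScript -Path $file
    }
}
finally {
    Remove-Item -Path $dir -Recurse -Force
}
```

Point Test-DetectionScript at your own detection.ps1 on a test machine to check both outcomes before uploading it to Intune.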

Example detection scripts

Desktop shortcuts

The detection script below checks for shortcuts on the public desktop. For every shortcut that is not found, it adds 1 to the badcount. If the badcount is not equal to 0, it exits with exit code 1 and Intune installs the icons (again).

$files = @(
    "C:\users\Public\Desktop\Helpdesk.url"
    "C:\users\Public\Desktop\SAP.url"
    "C:\users\Public\Desktop\YouForce SSO.url"
)

$badcount = 0
foreach ($file in $files) {
    if (Test-Path $file) {
        Write-Host ("{0} was found" -f $file)
    }
    else {
        Write-Host ("{0} was not found" -f $file)
        $badcount++
    }
}

If ($badcount -gt 0) {
    Write-Host ("Not all Desktop Shortcut files were found...")
    exit 1
}
else {
    Write-Host ("All Desktop Shortcut files were found...")
    exit 0
}

Font installation

The detection script below checks for 10 OpenSans fonts on the client. If there are fewer than 10 OpenSans font files or fewer than 10 registered in the registry, it exits with exit code 1 and the fonts are installed (again).

if ((Get-ChildItem -Path C:\Windows\Fonts -File -Filter 'opensans*.ttf').Count -ge 10 -and ((Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts' | Select-Object -ExpandProperty Property | Select-String 'OpenSans-').Count -ge 10)) {
    Write-Host "10 OpenSans fonts files and registry items found"
    exit 0
}
else {
    Write-Host "Not all OpenSans font files and registry items were found"
    exit 1
}

Printer installation

The detection script below will check for the presence of three printers. If these are not all found, it will install them (again).

$printers = @(
    'Contoso-General'
    'Contoso-HP'
    'Contoso-MFP'
)

#Check every printer if it's installed
$numberofprintersfound = 0
foreach ($printer in $printers) {
    try {
        Get-Printer -Name $printer -ErrorAction Stop
        $numberofprintersfound++
    }
    catch {
        "Printer $($printer) not found"
    }
}

#If all printers are installed, exit 0
if ($numberofprintersfound -eq $printers.count) {
    write-host "$($numberofprintersfound) printers were found"
    exit 0
}
else {
    write-host "Not all $($printers.count) printers were found"
    exit 1
}

Wifi Profile

The detection script below will check for the presence of a custom Wi-Fi profile and install it (again) when it is not found. In the example below, I changed the customers’ network name to Corporate:

if ((netsh.exe wlan show profiles) -match 'Corporate') {
    Write-Host "Managed Wi-Fi Corporate network found"
    exit 0
}
else {
    Write-Host "Managed Wi-Fi Corporate network not found"
    exit 1
}

Where do I specify a detection script?

When you add a Windows app (Win32) to Intune, you can select it on the Detection Rules tab. In the example below, I chose the detection.ps1 from the OpenSans installation I mentioned above.

Wrapping up

That’s how you use Detection scripts in Intune, and it’s more flexible than the regular File and Registry rules. (And better because PowerShell 😉 )

3 thoughts on “Microsoft Intune PowerShell Detection scripts”

  2. Thanks Harm. One thing I’ve noticed though. You’re using “write-host” in your detection script yet Intune explicitly requires an exit code of 0 AND a string value written to STDOUT. “write-host” does not pass on values to STDOUT as far as I know and you instead should be using write-output.

    https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add
    “Script file: Select a PowerShell script that will detect the presence of the app on the client. The app will be detected when the script both returns a 0 value exit code and writes a string value to STDOUT.”
    “The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status isn’t installed. If the exit code is zero and STDOUT has data, the application detection status is installed.”

    This means for a script with “write-host” to work, it relies on a previous command having added something to STDOUT.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_output_streams?view=powershell-7.4

    • That’s something I didn’t know, used Write-Host since I started using detection scripts in Intune. I also use it in Remediation scripts.

      It does work, using Write-Host, and I see a lot of people using that (including Rudy Ooms). But also a lot that use Write-Output…

      And the fact that it relies on having added something to STDOUT from the previous command… I usually have an If something is not that, Write-Host error message and exit with error code 1 or Write-Host ok message and exit with error code 0. Does that fill STDOUT?
