Microsoft Intune PowerShell Detection scripts

When I deploy Win32 packages in Intune, I use PowerShell detection scripts to determine whether the software is installed on a system. In this blog post, I will explain how these scripts work and why they are more flexible than file and registry checks.

What are detection scripts in Intune?

A detection script is a PowerShell script that checks whether an app is present on the client. The app will be detected when the script returns an exit code of 0 and writes a string to STDOUT.

How do detection scripts work?

In the detection script, you check a specific thing on the machine. This could be a Windows service, a printer, multiple files or folders, etc. Because it’s PowerShell, you can check for various system conditions and return the installation status (installed or not installed) to Intune.

The most important thing is the exit code. The script must exit with an exit code of 0 (success) to report the app as installed, or any other exit code to report it as not installed (I always use 1 to keep things binary 😉). Intune also needs to see a message on STDOUT, so I always use Write-Output with a value that tells you what happened during detection. You will see that text in the IntuneManagementExtension.log file, located in the Logs folder at C:\ProgramData\Microsoft\IntuneManagementExtension.
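
A local pre-flight check for the rule described above, as an added example that is not part of the original post and not the Intune agent's own code: it runs a detection script in a child powershell.exe, captures STDOUT, STDERR and the exit code, and applies the "exit code 0 and a string on STDOUT" rule. The function name Test-DetectionScript and the sample file name are hypothetical.

```powershell
# Added example: evaluate a detection script locally before uploading it.
# Test-DetectionScript is a hypothetical helper name, not an Intune cmdlet.
function Test-DetectionScript {
    param(
        [Parameter(Mandatory)]
        [string]$ScriptPath
    )

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName  = 'powershell.exe'
    # No -ExecutionPolicy override: the machine's own policy applies to the test
    $psi.Arguments = "-NoProfile -NonInteractive -File `"$ScriptPath`""
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.CreateNoWindow         = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read STDERR asynchronously so a full pipe cannot block the child process
    $stderrTask = $proc.StandardError.ReadToEndAsync()
    $stdout     = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()

    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        StdOut   = $stdout.Trim()
        StdErr   = $stderrTask.Result.Trim()
        # Rule from the post: detected only with exit code 0 AND data on STDOUT
        Detected = ($proc.ExitCode -eq 0) -and
                   (-not [string]::IsNullOrWhiteSpace($stdout))
    }
}

# Constructed sample: a script that exits with 0 but writes nothing to STDOUT
$sample = Join-Path $env:TEMP 'detect-silent.ps1'
Set-Content -Path $sample -Value 'exit 0'
Test-DetectionScript -ScriptPath $sample
Remove-Item -Path $sample
```

The result reflects the account and process bitness you run it under, which may differ from how the Intune agent launches the script.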

Example detection scripts

Desktop shortcuts

The detection script below checks for shortcuts on the public desktop. If a shortcut is not found, it will +1 the badcount. If the badcount is not equal to 0, the script exits with exit code 1 and Intune will install the icons (again).

$files = @(
    "C:\users\Public\Desktop\Helpdesk.url"
    "C:\users\Public\Desktop\SAP.url"
    "C:\users\Public\Desktop\YouForce SSO.url"
)

$badcount = 0
foreach ($file in $files) {
    if (Test-Path $file) {
        Write-Output ("{0} was found" -f $file)
    }
    else {
        Write-Output ("{0} was not found" -f $file)
        $badcount++
    }
}

If ($badcount -gt 0) {
    Write-Output ("Not all Desktop Shortcut files were found...")
    exit 1
}
else {
    Write-Output ("All Desktop Shortcut files were found...")
    exit 0
}

Font installation

The script below checks for 10 Open Sans fonts on the client. If there are fewer than 10 OpenSans font files or fewer than 10 registered fonts, the script exits with exit code 1 and Intune will install the fonts (again).

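# Count the Open Sans font files and the matching registry entries
$fontFiles = @(Get-ChildItem -Path C:\Windows\Fonts -File -Filter 'opensans*.ttf').Count
$fontRegistryItems = @(Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts' | Select-Object -ExpandProperty Property | Select-String 'OpenSans-').Count

# Both counts must reach 10 before the fonts are reported as installed
if ($fontFiles -ge 10 -and $fontRegistryItems -ge 10) {
    Write-Output "10 OpenSans font files and registry items found"
    exit 0
}
else {
    Write-Output "Not all OpenSans font files and registry items were found"
    exit 1
}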

Printer installation

The detection script below checks for the presence of three printers. If not all three printers are found, the script exits with exit code 1 and Intune will install them (again).

$printers = @(
    'Contoso-General'
    'Contoso-HP'
    'Contoso-MFP'
)

#Check every printer if it's installed
$numberofprintersfound = 0
foreach ($printer in $printers) {
    try {
        Get-Printer -Name $printer -ErrorAction Stop
        $numberofprintersfound++
    }
    catch {
        "Printer $($printer) not found"
    }
}

#If all printers are installed, exit 0
if ($numberofprintersfound -eq $printers.count) {
    Write-Output "$($numberofprintersfound) printers were found"
    exit 0
}
else {
    Write-Output "Not all $($printers.count) printers were found"
    exit 1
}

Wi-Fi Profile

The detection script below checks for the presence of a custom Wi-Fi profile. When the profile is not found, the script exits with exit code 1 and Intune will install it (again). In the example below, I changed the customers’ network name to Corporate:

# -match against the netsh output lines returns every line containing 'Corporate'
if ((netsh.exe wlan show profiles) -match 'Corporate') {
    Write-Output "Managed Wi-Fi Corporate network found"
    exit 0
}
else {
    Write-Output "Managed Wi-Fi Corporate network not found"
    exit 1
}
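
The -match test above is a substring match, so a profile with a similar name such as Corporate-Guest also satisfies it and the managed profile would be reported as installed. The following added example (not part of the original post) compares whole profile names instead; the helper names Get-WlanProfileName and Test-WlanProfile are hypothetical, and the parsing assumes the indented "label : name" layout of the netsh output.

```powershell
# Added example; Get-WlanProfileName and Test-WlanProfile are hypothetical helper names.
function Get-WlanProfileName {
    param(
        # Defaults to the live netsh output; pass sample lines to test offline
        [string[]]$NetshOutput = (netsh.exe wlan show profiles)
    )
    foreach ($line in $NetshOutput) {
        # Assumed layout: indented "<label> : <name>". Only the text after the
        # first colon is used, so the wording of the label is not relied on.
        if ($line -match '^\s+[^:]+:\s(?<name>.+)$') {
            $Matches['name'].Trim()
        }
    }
}

function Test-WlanProfile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$NetshOutput = (netsh.exe wlan show profiles)
    )
    # -contains compares whole names (case-insensitively), not substrings
    @(Get-WlanProfileName -NetshOutput $NetshOutput) -contains $Name
}

# Constructed sample output: only a similarly named profile is present
$sample = @(
    'Profiles on interface Wi-Fi:'
    ''
    'User profiles'
    '-------------'
    '    All User Profile     : Corporate-Guest'
)

$substringHit = [bool]($sample -match 'Corporate')    # test used in the post
$exactHit     = Test-WlanProfile -Name 'Corporate' -NetshOutput $sample
"Substring match: $substringHit / exact match: $exactHit"
```

In a detection script, call Test-WlanProfile -Name 'Corporate' without -NetshOutput, write the result message with Write-Output, and exit with 0 or 1 accordingly.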

Where do I specify a detection script?

When you add a Windows app (Win32) to Intune, you can select the detection script on the Detection Rules tab. In my example, I chose the detection.ps1 from the OpenSans installation I mentioned above.

Wrapping up

That’s how you use Detection scripts in Intune, and it’s more flexible than the regular File and Registry rules. (And better because PowerShell 😉 )

8 thoughts on “Microsoft Intune PowerShell Detection scripts”

  1. Thanks Harm. One thing I’ve noticed though. You’re using “write-host” in your detection script yet Intune explicitly requires an exit code of 0 AND a string value written to STDOUT. “write-host” does not pass on values to STDOUT as far as I know and you instead should be using write-output.

    https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add
    “Script file: Select a PowerShell script that will detect the presence of the app on the client. The app will be detected when the script both returns a 0 value exit code and writes a string value to STDOUT.”
    “The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status isn’t installed. If the exit code is zero and STDOUT has data, the application detection status is installed.”

    This means for a script with “write-host” to work, it relies on a previous command having added something to STDOUT.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_output_streams?view=powershell-7.4

    1. That’s something I didn’t know, used Write-Host since I started using detection scripts in Intune. I also use it in Remediation scripts.

      It does work, using Write-Host, and I see a lot of people using that (including Rudy Ooms). But also a lot that use Write-Output…

      And the fact that it relies on having added something to STDOUT from the previous command… I usually have a If something is not that, Write-Host error message and exit with error code 1 or Write-Host ok message and exit with error code 0. Does that fill STDOUT?

    2. Thanks a ton for pointing this out. My detection randomly failed in the CompanyPortal despite all logging and tests showing that it was working exactly as intended. I just didn’t realize that Write-Output instead of Write-Host has to be used to make it work reliably.

      1. Just updated this blog post, had no issues with Write-Host in the past, but if Write-Output works more reliably… Then that’s the way to go, thanks for replying in this blog post!

  2. Where is the part of the script that actually installs the shortcuts? I guess those scripts are just meant to detect the presence of the app or whatever but not the part of the script that actually installs what is missing.
