Demystifying Intune Custom App Detection Scripts

I’m sure everyone reading this has deployed many applications within Intune using the win32 format and most likely used an MSI code or a file/registry detection method to monitor for a completed install (and why wouldn’t you, they work perfectly)

Sometimes however, you might come across an application which is more tricky to detect, or you want to look for two things before you’re confident it’s installed ok. This is where a custom detection script comes into play.

As with my previous post on Proactive Remediations, Intune is looking for specific outputs for the script to return a success code.

In this case, it is looking for BOTH an exit with a 0 code and output on STDOUT. For those of you rapidly opening a new tab to google STDOUT, basically, it needs output of some sort, a simple:

write-output "hello world"
exit 0

Will work fine, so that is what we need the script to return at the end in order for it to be marked as successful.

Passing an exit code 1 or even an exit 0 without any output will flag as an install failure.

Important Note: Detection scripts ONLY work in the System context so if detecting at the user level, you need to enumerate the logged in user. Check the final example to see how.

Now for some examples:

A basic file check (in case you’re feeling scripty)

$File = "C:\windows\system32\notepad.exe"
if (Test-Path $File) {
    write-output "Notepad detected, exiting"
    exit 0
else {
    exit 1

A registry key (checking both it exists and the value is correct, good for versioning)

$Path = "HKLM:\SOFTWARE\7-Zip"
$Name = "Path"
$Type = "STRING"
$Value = "C:\Program Files\7-Zip\"

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Detected"
       Exit 0
    Exit 1
Catch {
    Exit 1

Now for the ones it can’t do out of the box!

Check if a service exists

$service = get-service -name "MozillaMaintenance"
if ($service) {
    write-output "MozillaMaintenance detected, exiting"
    exit 0
else {
    exit 1

Service exists and is running:

$service = get-service -name "MozillaMaintenance"
if ($service.Status -eq "Running") {
    write-output "MozillaMaintenance detected and running, exiting"
    exit 0
else {
   exit 1

Both file and service exist

$File = "C:\windows\system32\notepad.exe"
$service = get-service -name "MozillaMaintenance"
if (($service) -and (Test-Path $File)) {
    write-output "MozillaMaintenance and Notepad detected, exiting"
    exit 0
else {
    exit 1

File is of a certain version

$fileversion = (Get-Command C:\Windows\System32\notepad.exe).Version
$build = 19041
$detectedbuild = $fileversion.Build
if ($detectedbuild -eq $build) {
    write-output "Detected"
    exit 0
else {
    exit 1

Or even the file was last modified today

$filedate = (Get-Item C:\Windows\System32\notepad.exe).LastWriteTime
if ($filedate -gt (Get-Date).AddDays(-1)) {
    write-output "Detected"
    exit 0
else {
    exit 1

When looking at logged in user, we need to find their details so for this I have a new function:

function getloggedindetails() {
    ##Find logged in username
    $user = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
      ForEach-Object { $_.GetOwner() } |
      Select-Object -Unique -Expand User
    ##Find logged in user's SID
    ##Loop through registry profilelist until ProfileImagePath matches and return the path
        $path= "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*"
        $sid = (Get-ItemProperty -Path $path | Where-Object { $_.ProfileImagePath -like "*$user" }).PSChildName

    $return = $sid, $user
    return $return

Running this will give you the username and SID. For our 7-zip registry example:

$loggedinuser = getloggedindetails
##Set key

$sid = $loggedinuser[0]
$Path = "Registry::HKU\$sid\SOFTWARE\7-Zip"
$Name = "Path"
$Type = "STRING"
$Value = "C:\Program Files\7-Zip\"

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Detected"
       Exit 0
    Exit 1
Catch {
    Exit 1
        write-host "not detected"
    write-host $path

Or for a file at the user level:

$username = $loggedinuser[1]
$File = "C:\users\$username\AppData\Local\Microsoft\Teams\update.exe"
if (Test-Path $File) {
    write-output "Teams Update detected, exiting"
    exit 0
else {
    exit 1

I hope that makes them easier to understand! Happy scripting…

