Registry
This detection rule verifies the application's existence based on a Windows registry key or value existence, or on a string, integer or version comparison.
- Key path: The full path of the registry key that contains the value to detect.
- Value name: The name of the registry value to detect. If this value is empty, the detection will happen on the key. The (default) value of a key will be used as detection value if the detection method is other than file or folder existence.
- Detection method: Select the type of detection method that’s used to validate the presence of the app. The following detection methods are available in registry based detection rules.
  - Key exists
  - Key does not exist
  - String comparison
  - Version comparison
  - Integer comparison
Example of Registry based detection:
Check for registry value existence:
Let’s take app installation for example:
Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++
Value name: DisplayName
Detection method: Value Exists
Check for string comparison:
Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++
Value name: DisplayName
Detection method: String comparison
Operator: Equals
Value: Notepad++ (64-bit x64)
Check for version
Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++
Value name: DisplayVersion
Detection method: String comparison
Operator: Equals
Value: 8.5.4
Version comparison can be used with file check to confirm the app installation.
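To try a registry rule on a test machine before assigning the app, the three Notepad++ checks above can be evaluated locally. This is an added example, not Intune's implementation: the function `Test-RegistryDetection` and its parameters are hypothetical, only the Equals operator is covered, and the case-insensitive string match is an assumption about how the agent compares.

```powershell
# Added example, not Intune's implementation. Function and parameter names are hypothetical.
function Test-RegistryDetection {
    param(
        [Parameter(Mandatory)][string]$SubKey,   # path below HKEY_LOCAL_MACHINE
        [string]$ValueName,                      # empty: evaluate the key itself
        [ValidateSet('Exists', 'NotExists', 'String', 'Version', 'Integer')]
        [string]$Method = 'Exists',
        [string]$Expected,                       # compared with "Equals" only
        [switch]$Use32BitView                    # 32-bit registry view on 64-bit Windows
    )
    $view = [Microsoft.Win32.RegistryView]::Registry64
    if ($Use32BitView) { $view = [Microsoft.Win32.RegistryView]::Registry32 }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $key  = $hklm.OpenSubKey($SubKey)            # read-only handle, $null when the key is absent
    try {
        $actual = $null
        if ($key) { $actual = $key.GetValue($ValueName) }   # '' reads the (default) value
        $found = if ($ValueName) { $null -ne $actual } else { $null -ne $key }
        switch ($Method) {
            'Exists'    { return $found }
            'NotExists' { return -not $found }
            # -eq ignores case in PowerShell; the agent's own comparison may differ (assumption)
            'String'    { return $found -and ([string]$actual -eq $Expected) }
            'Version'   { return $found -and ([version]$actual -eq [version]$Expected) }
            'Integer'   { return $found -and ([int64]$actual -eq [int64]$Expected) }
        }
    }
    finally {
        if ($key) { $key.Dispose() }
        $hklm.Dispose()
    }
}

# Rules from the Notepad++ examples above; the result depends on the machine it runs on.
$np = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++'
Test-RegistryDetection -SubKey $np -ValueName DisplayName
Test-RegistryDetection -SubKey $np -ValueName DisplayName -Method String -Expected 'Notepad++ (64-bit x64)'
Test-RegistryDetection -SubKey $np -ValueName DisplayVersion -Method Version -Expected '8.5.4'
```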
Client side activities:
Similar to the MSI and file based detection rules, you will find the details of the registry based detection rule in the policy downloaded at the client. DetectionType 0 represents a registry based detection rule.
Get policies = [{"Id":"c9b949c9-6e56-4e3a-a9d5-7f174fd5681c","Name":"visioviewer_4339-1001_x64_en-us.exe","Version":1,"Intent":3,"TargetType":2,"AppApplicabilityStateDueToAssginmentFilters":0,"AssignmentFilterIds":["40a00a67-5909-47bd-8948-54dc237881e6"],"DetectionRule":"[{\"DetectionType\":0,\"DetectionText\":\"{\\\"Check32BitOn64System\\\":0,\\\"Path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Uninstall\\\\\\\\{95160000-0052-0409-1000-0000000FF1CE}\\\",\\\"KeyName\\\":\\\"DisplayName\\\",\\\"DetectionType\\\":3,\\\"Operator\\\":1,\\\"DetectionValue\\\":\\\"Microsoft Visio Viewer 2016\\\"}\"}]","InstallCommandLine":"visioviewer_4339-1001_x64_en-us.exe /quiet","UninstallCommandLine":"visioviewer_4339-1001_x64_en-us /uninstall /quiet","RequirementRules":"
The client starts processing the deployment once it receives the policy. You can see all activities related to app detection in the log snippet below from the Intune extension manager log.
<![LOG[[Win32App] Start detectionManager SideCarRegistryDetectionManager]LOG]!><time="19:36:29.8759872" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[RegistryKeyOrValueExistsFullPath NOT Check32BitOn64, baseReg HKEY_LOCAL_MACHINE]LOG]!><time="19:36:30.0071701" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[RegistryKeyExistsFullPath opening full path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95160000-0052-0409-1000-0000000FF1CE}...]LOG]!><time="19:36:30.0121586" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[RegistryKeyExistsFullPath NOT Check32BitOn64, baseReg HKEY_LOCAL_MACHINE]LOG]!><time="19:36:30.0121586" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[RegistryKeyExistsFullPath opening subPath SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95160000-0052-0409-1000-0000000FF1CE}]LOG]!><time="19:36:30.0121586" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Got reg value path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95160000-0052-0409-1000-0000000FF1CE}, name: DisplayName, value: Microsoft Visio Viewer 2016]LOG]!><time="19:36:30.0121586" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Equal: actualValue: Microsoft Visio Viewer 2016, DetectionValue: Microsoft Visio Viewer 2016, applicationDetected: True]LOG]!><time="19:36:30.0121586" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Checked reg path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95160000-0052-0409-1000-0000000FF1CE}, name: DisplayName, operator: 1, type: 3, value: Microsoft Visio Viewer 2016 , 
result of applicationDetected: True]LOG]!><time="19:36:30.0131559" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] detectionManager SideCarRegistryDetectionManager got applicationDetectedByCurrentRule: True as system]LOG]!><time="19:36:30.0131559" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Completed detectionManager SideCarRegistryDetectionManager, applicationDetectedByCurrentRule: True]LOG]!><time="19:36:30.0131559" date="2-22-2022" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
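When many apps are deployed, the "Checked reg path" entries are the ones worth extracting, because each carries the evaluated path, value name, operator and result. The following added example (not part of the original post or of Intune) parses log text in the format shown above, including an entry whose message is split across two lines. The function name `Get-ImeDetectionResult` is hypothetical and the sample entries, with the key name ExampleApp, are constructed.

```powershell
# Added example. $sample is constructed in the log format shown above; ExampleApp is a placeholder.
$sample = @'
<![LOG[[Win32App] Start detectionManager SideCarRegistryDetectionManager]LOG]!><time="10:00:00.0000000" date="1-1-2024" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Checked reg path: HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp, name: DisplayName, operator: 1, type: 3, value: Example App , 
result of applicationDetected: True]LOG]!><time="10:00:00.1000000" date="1-1-2024" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
<![LOG[[Win32App] Completed detectionManager SideCarRegistryDetectionManager, applicationDetectedByCurrentRule: True]LOG]!><time="10:00:00.2000000" date="1-1-2024" component="IntuneManagementExtension" context="" type="1" thread="21" file="">
'@

function Get-ImeDetectionResult {
    param([Parameter(Mandatory)][string]$LogText)
    # Singleline lets '.' cross the line break that can occur inside one log message
    $opts  = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $check = 'Checked reg path: (?<path>.+?), name: (?<name>.*?), operator: (?<op>\d+), ' +
             'type: (?<type>\d+), value: (?<value>.*?)\s*,\s*result of applicationDetected: (?<hit>True|False)'
    foreach ($m in [regex]::Matches($LogText, $entry, $opts)) {
        $c = [regex]::Match($m.Groups['msg'].Value, $check, $opts)
        if (-not $c.Success) { continue }      # skip entries that are not a registry check result
        [pscustomobject]@{
            Date     = $m.Groups['date'].Value
            Time     = $m.Groups['time'].Value
            Path     = $c.Groups['path'].Value
            Name     = $c.Groups['name'].Value
            Operator = [int]$c.Groups['op'].Value
            Type     = [int]$c.Groups['type'].Value
            Expected = $c.Groups['value'].Value
            Detected = $c.Groups['hit'].Value -eq 'True'
        }
    }
}

Get-ImeDetectionResult -LogText $sample | Format-List
```

To run it against a client, pass the log file's content read with `Get-Content -Raw` as `-LogText`.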
Use custom detection script
The custom detection script method uses a PowerShell script to detect the app's presence. The following details are required for this detection method.
- Script file: Select a PowerShell script that will detect the presence of the app on the client. The app will be detected when the script both returns a 0 value exit code and writes a string value to STDOUT.
- Run script as 32-bit process on 64-bit clients: Select Yes to run the script in a 32-bit process on 64-bit clients. Select No (default) to run the script in a 64-bit process on 64-bit clients. 32-bit clients run the script in a 32-bit process.
- Enforce script signature check: Select Yes to verify that a trusted publisher has signed the script, which will allow the script to run with no warnings or prompts displayed. The script will run unblocked. Select No (default) to run the script with user confirmation without signature verification.
The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status is not installed. If the exit code is zero and STDOUT has data, the application detection status is installed.
Exit Code and STDOUT stream
Exit Code | STDOUT Stream | Detection State |
0 | Not Empty | Detected, Application installed |
0 | Empty | Not detected, Application not installed |
Non zero | Empty | Not detected, Application not installed |
Non zero | Not Empty | Not detected, Application not installed |
Source: https://www.petervanderwoude.nl/post/working-with-custom-detection-rules-for-win32-apps/
Sample detection script:
Here is a sample script to use with the custom detection script rule for a Win32 app. The script checks for the file's existence and its version. It returns exit code 0 and writes a string value to STDOUT if the condition matched. Else, it will return exit code 0. The Intune extension manager captures the output written to STDOUT (using Write-Host) and shows it in the log file.
$AppName = "Winzip ver 26.0"
$File = "D:\Program Files\WinZip26\winzip64.exe"
$FileVersion = "50.260.14610 (64-bit)"    # FileVersion string the file is expected to carry
Write-Host "Custom script based detection : $AppName"
if (Test-Path $File) {
    $ActualVersion = (Get-ItemProperty -Path $File).VersionInfo.FileVersion
    if ($ActualVersion -eq $FileVersion) {
        Write-Host "Actual version: $ActualVersion, Compared version: $FileVersion"
        Write-Host "Same version of application installed"
        exit 0
    }
    else {
        # Exit code 0 with STDOUT output: per the table above, this branch is also reported as detected
        Write-Host "Actual version: $ActualVersion, Compared version: $FileVersion"
        Write-Host "Different Version of application installed"
        exit 0
    }
}
else {
    Write-Host "File $File not found. Application not installed"
    exit 1
}
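A variant in which only a matching version produces exit code 0 together with STDOUT output, so that per the table above a different version, a missing file or a script error is reported as not detected. This is an added example, not the author's script; the path, the version string and the function name `Get-DetectionState` are placeholders.

```powershell
# Added example, not the author's script. Path and version are placeholders.
$ErrorActionPreference = 'Stop'          # turn non-terminating errors into catchable ones
$File            = 'C:\Program Files\ExampleApp\example.exe'
$ExpectedVersion = '1.2.3.4'

function Get-DetectionState {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileMissing' }
    $actual = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($actual -eq $Expected) { return 'Detected' }
    return "VersionMismatch:$actual"
}

try {
    $state = Get-DetectionState -Path $File -Expected $ExpectedVersion
}
catch {
    # An unreadable file or any other failure must never look like a successful detection
    $state = "Error:$($_.Exception.Message)"
}

if ($state -eq 'Detected') {
    # Exit code 0 plus STDOUT output is the only combination reported as installed
    Write-Output "Detected $File version $ExpectedVersion"
    exit 0
}

# Every other outcome: keep STDOUT empty, put the reason on STDERR, exit non-zero
[Console]::Error.WriteLine("Not detected ($state)")
exit 1
```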