Advanced Windows Software Deployment Strategies

Zehadi Alam

Introduction


Occasionally, the built-in features provided by Intune may not fully meet your requirements. For these situations, Intune provides the capability to incorporate custom solutions. In the context of app deployment, Intune allows administrators to provide their own scripts to accomplish specific software installation objectives. This article will explain how to leverage custom scripts in the app requirements and detection rules section. It assumes a foundational understanding of the general app deployment process, as outlined in the following article: Windows Software Deployment with Intune


Custom script as requirement rule


In the application deployment wizard, the app requirements section provides the options to define the necessary conditions for the installation of the app on targeted devices. Suppose you have a specific requirement such as "I prefer not to install this program on shared computers." It is possible that your computer naming scheme does not differentiate between shared and non-shared computers. In order to address this, you can establish a criterion such as "If a computer has 10 or more user profiles, it is likely a shared computer." (a higher number was used in this example to account for user profiles created by members of the help desk). To determine the number of user profiles on a computer, you can create a PowerShell script with the following contents.

# Count only folders under C:\Users (files such as desktop.ini are not profiles)
$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Directory
# Exactly one value on STDOUT: the integer Intune compares against the rule
Write-Output $users.Length

To use this script, select +Add under Configure additional requirement rules in the app requirements section.

Select Script from the drop-down options

Provide a name for the script and upload it. Use the following settings, unless you have identified a specific reason not to:

Run script as 32-bit process on 64-bit clients: No
Run this script using the logged on credentials: No
Enforce script signature check: No

Using our script example, we will select the output data type as Integer, the operator as Less than, and the value as 10. The value being checked must be output by your script with a cmdlet such as Write-Output for these options to work.

Once the application is deployed, any computers that do not meet the requirements specified by the script will not have the software installed. Intune's application status chart will mark these computers as Not applicable.

Further investigation into the device status will show the status detail PowerShell script requirement rule is not met for the devices where the installation was skipped due to not meeting the script conditions.

Tip: Custom requirement scripts can also be used to perform specific actions prior to program installation. For instance, consider a program that requires specific firewall rules in order to function properly. Within the requirement script, you can include the commands that create the necessary firewall rules. The advantage of this method is that the requirement script can be configured to run in system context and perform administrative tasks, even for applications that must be deployed in user context to users who are not administrators.
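The following is an added example that is not part of the original article. It combines the two ideas above into one requirement script: it first makes sure a prerequisite inbound firewall rule exists (created only if missing, because requirement scripts are re-evaluated on every sync), then outputs the number of user profiles as a single integer for an "Integer / Less than / 10" rule. Instead of counting folders under C:\Users (which also counts Public and any leftover folders), it queries Win32_UserProfile and excludes the built-in special accounts. The rule name and program path are placeholders; the script assumes the target devices run Windows with the NetSecurity module, which is standard on Windows 8 and later.

```powershell
# Added example (not from the original article): Intune requirement script that
# (1) ensures a prerequisite inbound firewall rule exists, and (2) outputs the
# number of real user profiles as one integer for an "Integer / Less than" rule.
# The rule name and program path below are placeholders for illustration.

$ErrorActionPreference = 'Stop'

$ruleName    = 'Contoso App Inbound'                  # placeholder rule name
$programPath = 'C:\Program Files\ContosoApp\app.exe'  # placeholder executable

try {
    # Requirement scripts run again on every evaluation, so the pre-install
    # action must be idempotent: create the rule only if it is not present.
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Assign to $null: the object New-NetFirewallRule returns would otherwise
        # land on STDOUT, and Intune could no longer parse the output as an integer.
        $null = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Program $programPath -Action Allow -Profile Domain, Private
    }

    # Count profiles that belong to real users. Win32_UserProfile marks the
    # built-in accounts (SYSTEM, LocalService, NetworkService) as Special, so
    # they are excluded rather than counted as users of the machine.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile -Filter 'Special = FALSE'
    $count = @($profiles).Count

    # Exactly one line on STDOUT: the value Intune compares against the rule.
    Write-Output $count
    exit 0
}
catch {
    # On any failure, report on STDERR and exit nonzero so the requirement is
    # not treated as satisfied by accident.
    Write-Error $_.Exception.Message
    exit 1
}
```

When this is uploaded as a requirement rule, keep the settings from the section above (run as 64-bit, not using the logged-on credentials) so that both the firewall change and the WMI query run in system context. Anything else the script writes to STDOUT (progress messages, cmdlet return objects) would be read by Intune as part of the value, which is why the firewall cmdlet's output is discarded.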


Custom script as detection rule


In the application deployment wizard, the detection rules section allows you to specify the conditions that indicate whether an app is installed. The native options can be used to create detection rules for most of the programs you intend to deploy. However, there are certain applications for which detecting their installation status is more challenging. For example, the Bomgar jump client installs to the C:\ProgramData directory under a folder named bomgar-scc-*, where the asterisk represents a sequence of numbers that vary for each installation. If the folder name differs across computers, you cannot use a fixed file path in the detection rule. This is where a custom detection script can be useful. The following is an example of such a script. It checks if the C:\ProgramData path contains a folder where the name starts with bomgar-scc. If so, then the program is regarded as installed.

Note: The following script is used for illustrative purposes and does not aim to follow any best practices

$bomgar = Get-ChildItem -Path C:\ProgramData -Directory -Filter "bomgar-scc*"
if ($bomgar) {
    Write-Output "Bomgar is detected"
    exit 0
}
exit 1

The inclusion of the Write-Output and exit lines is required for the detection script to function correctly. As Microsoft states, "The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status isn't installed. If the exit code is zero and STDOUT has data, the application detection status is installed." https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add#step-4-detection-rules
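As an added example (not the article's own script), the following detection script builds on the wildcard-folder idea above but reports "installed" only when a specific executable exists inside the matched folder and meets a minimum version, which is closer to what a production detection rule needs. It also follows the STDOUT/exit-code contract quoted above exactly: output plus exit 0 only on success, no output and a nonzero exit otherwise, and a script error never falls through to exit 0. The executable name and minimum version are placeholder assumptions, not values from the article.

```powershell
# Added example (not from the original article): detection script that finds an
# install folder by wildcard, then checks that a named executable is present and
# at least a minimum version before reporting "installed".
# $exeName and $minVersion are placeholders; replace them for the real app.

$folderPattern = 'bomgar-scc*'       # from the article: folder name varies per install
$exeName       = 'bomgar-scc.exe'    # placeholder executable name (assumption)
$minVersion    = [version]'1.0.0.0'  # placeholder minimum version (assumption)

try {
    $folders = Get-ChildItem -Path $env:ProgramData -Directory -Filter $folderPattern -ErrorAction SilentlyContinue

    foreach ($folder in $folders) {
        $exe = Join-Path -Path $folder.FullName -ChildPath $exeName
        if (-not (Test-Path -Path $exe -PathType Leaf)) { continue }

        # FileVersion is a free-form string and may carry trailing text, so fall
        # back to the numeric parts when a direct [version] parse fails.
        $info    = (Get-Item -Path $exe).VersionInfo
        $version = $null
        if (-not [version]::TryParse($info.FileVersion, [ref]$version)) {
            $version = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                      $info.FileBuildPart, $info.FilePrivatePart)
        }

        if ($version -ge $minVersion) {
            # Installed: data on STDOUT and exit code 0 (both are required).
            Write-Output "Detected $exeName $version in $($folder.FullName)"
            exit 0
        }
    }

    # Not installed, or installed but below the minimum version:
    # nothing on STDOUT and a nonzero exit code.
    exit 1
}
catch {
    # A script error must not be mistaken for "installed": report it on STDERR
    # and exit nonzero.
    Write-Error $_.Exception.Message
    exit 1
}
```

The version check matters when the detection rule is reused for an upgrade: without it, an older copy in a bomgar-scc-* folder would satisfy the rule and the new package would never be installed on that device.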
