{"id":1588,"date":"2022-05-13T07:00:00","date_gmt":"2022-05-13T05:00:00","guid":{"rendered":"https:\/\/scloud.work\/?p=1588"},"modified":"2023-08-17T12:54:45","modified_gmt":"2023-08-17T10:54:45","slug":"custom-detection-script-intune-win32","status":"publish","type":"post","link":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/","title":{"rendered":"Custom Detection Script f\u00fcr Intune (win32 Apps)"},"content":{"rendered":"\n<p>There are still many applications that cannot be installed via MSI or a simple installation routine. This is where the win32 app comes into play in Intune (Microsoft Endpoint Manager). In Intune, this allows us to deal with routines and processes in a script and then check the installation with another script (custom detection script) or predefined detection rules (MSI, EXE, file or registry key).<\/p>\n\n\n\n<p>In the past few years, I have accumulated a few different variations of detection scripts, which I am trying to collect here.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/github.com\/FlorianSLZ\/scloud\/blob\/main\/win32-template\/check.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">Script Collection @GitHub<\/a><\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Use the button above to find my current collection of custom detection scripts for Intune win32 apps. It is important that you only use one of the blocks for your detection rule. If you want to know how a win32 app is structured in general and how I handle it, you can find it here (<a href=\"https:\/\/scloud.work\/en\/my-take-on-win32-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">my take on win32 apps - Intune<\/a>) one of my past blog posts.<\/p>\n\n\n\n<p>You can currently find the following detection rules in my GitHub repository:<\/p>\n\n\n\n<ul>\n<li>Detection of an EXE or a file<\/li>\n\n\n\n<li>Validation file with specific content (e.g. versioning)<\/li>\n\n\n\n<li>Existing EXE with exact target version\n<ul>\n<li>or higher version<\/li>\n\n\n\n<li>and additional registry key<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Registry key comparison<\/li>\n\n\n\n<li>Detection of a scheduled task<\/li>\n\n\n\n<li>Detection of a scheduled task including version<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"erklarung-beispiel-exe-mit-exakter-version\">Explanation \/ example EXE with exact version<\/h2>\n\n\n<p>The recognition rules are all structured in such a way that the criteria are defined first:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PowerShell\" data-shcb-language-slug=\"powershell\"><span><code class=\"hljs language-powershell\"><span class=\"hljs-variable\">$ProgramPath<\/span> = <span class=\"hljs-string\">\"C:\\Program Files\\XXXXX\\XXXXXX.exe\"<\/span>\n<span class=\"hljs-variable\">$ProgramVersion_target<\/span> = <span class=\"hljs-string\">'1.0.2'<\/span> \n<span class=\"hljs-variable\">$ProgramVersion_current<\/span> = &#91;<span class=\"hljs-type\">System.Diagnostics.FileVersionInfo<\/span>]::GetVersionInfo(<span class=\"hljs-variable\">$ProgramPath<\/span>).FileVersion<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PowerShell<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">powershell<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p><br><\/p>\n\n\n\n<p>The definitions are then compared or checked and if they apply, \"Found it!\" issued. This signals Intune that the package is installed successfully. Alternatively, you can end the script with '<strong>exit 0<\/strong>'. <\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PowerShell\" data-shcb-language-slug=\"powershell\"><span><code class=\"hljs language-powershell\"><span class=\"hljs-keyword\">if<\/span>(<span class=\"hljs-variable\">$ProgramVersion_current<\/span> <span class=\"hljs-operator\">-eq<\/span> <span class=\"hljs-variable\">$ProgramVersion_target<\/span>){\n    <span class=\"hljs-built_in\">Write-Host<\/span> <span class=\"hljs-string\">\"Found it!\"<\/span>\n}<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PowerShell<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">powershell<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p> <\/p>\n\n\n\n<p><strong>Do you have any other custom detection scripts in Intune that help you in your everyday life or which you are up against?<br><\/strong>Let me know in the comments. I would like to add them to my collection. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are still many applications that cannot be installed via MSI or a simple installation routine. This is where the win32 app comes into play in Intune (Microsoft Endpoint Manager). In Intune, this allows us to deal with routines and&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":1598,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"footnotes":""},"categories":[239,852,5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud<\/title>\n<meta name=\"description\" content=\"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud\" \/>\n<meta property=\"og:description\" content=\"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\" \/>\n<meta property=\"og:site_name\" content=\"scloud\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-13T05:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-17T10:54:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Florian\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@FlorianSLZ\" \/>\n<meta name=\"twitter:site\" content=\"@FlorianSLZ\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Florian\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\"},\"author\":{\"name\":\"Florian\",\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5\"},\"headline\":\"Custom Detection Script f\u00fcr Intune (win32 Apps)\",\"datePublished\":\"2022-05-13T05:00:00+00:00\",\"dateModified\":\"2023-08-17T10:54:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\"},\"wordCount\":312,\"commentCount\":9,\"publisher\":{\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5\"},\"image\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg\",\"articleSection\":[\"Microsoft Intune\",\"PowerShell\",\"Win32 Applikationen\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\",\"url\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\",\"name\":\"Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud\",\"isPartOf\":{\"@id\":\"https:\/\/scloud.work\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg\",\"datePublished\":\"2022-05-13T05:00:00+00:00\",\"dateModified\":\"2023-08-17T10:54:45+00:00\",\"description\":\"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.\",\"breadcrumb\":{\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage\",\"url\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg\",\"contentUrl\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg\",\"width\":1200,\"height\":630,\"caption\":\"Custom detection Script Intune\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/scloud.work\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Custom Detection Script f\u00fcr Intune (win32 Apps)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/scloud.work\/#website\",\"url\":\"https:\/\/scloud.work\/\",\"name\":\"scloud by Florian Salzmann\",\"description\":\"Mastering the Modern Workplace with Intune\",\"publisher\":{\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/scloud.work\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5\",\"name\":\"Florian\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/10\/Salzmann_Florian_2022_500x500px.jpg\",\"contentUrl\":\"https:\/\/scloud.work\/wp-content\/uploads\/2022\/10\/Salzmann_Florian_2022_500x500px.jpg\",\"width\":500,\"height\":500,\"caption\":\"Florian\"},\"logo\":{\"@id\":\"https:\/\/scloud.work\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/scloud.work\/about\/\",\"https:\/\/www.instagram.com\/florianslz_\/\",\"https:\/\/www.linkedin.com\/in\/fsalzmann\/\",\"https:\/\/x.com\/FlorianSLZ\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud","description":"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/","og_locale":"en_US","og_type":"article","og_title":"Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud","og_description":"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.","og_url":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/","og_site_name":"scloud","article_published_time":"2022-05-13T05:00:00+00:00","article_modified_time":"2023-08-17T10:54:45+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg","type":"image\/jpeg"}],"author":"Florian","twitter_card":"summary_large_image","twitter_creator":"@FlorianSLZ","twitter_site":"@FlorianSLZ","twitter_misc":{"Written by":"Florian","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#article","isPartOf":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/"},"author":{"name":"Florian","@id":"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5"},"headline":"Custom Detection Script f\u00fcr Intune (win32 Apps)","datePublished":"2022-05-13T05:00:00+00:00","dateModified":"2023-08-17T10:54:45+00:00","mainEntityOfPage":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/"},"wordCount":312,"commentCount":9,"publisher":{"@id":"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5"},"image":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage"},"thumbnailUrl":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg","articleSection":["Microsoft Intune","PowerShell","Win32 Applikationen"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/scloud.work\/custom-detection-script-intune-win32\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/","url":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/","name":"Custom Detection Script f\u00fcr Intune (win32 Apps) | scloud","isPartOf":{"@id":"https:\/\/scloud.work\/#website"},"primaryImageOfPage":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage"},"image":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage"},"thumbnailUrl":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg","datePublished":"2022-05-13T05:00:00+00:00","dateModified":"2023-08-17T10:54:45+00:00","description":"Intune Win32 App installations with a Custom Detection Script, enabling more complex\/granular queries and scenarios.","breadcrumb":{"@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/scloud.work\/custom-detection-script-intune-win32\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#primaryimage","url":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg","contentUrl":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/05\/custom-detection-script-intune.jpg","width":1200,"height":630,"caption":"Custom detection Script Intune"},{"@type":"BreadcrumbList","@id":"https:\/\/scloud.work\/custom-detection-script-intune-win32\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/scloud.work\/"},{"@type":"ListItem","position":2,"name":"Custom Detection Script f\u00fcr Intune (win32 Apps)"}]},{"@type":"WebSite","@id":"https:\/\/scloud.work\/#website","url":"https:\/\/scloud.work\/","name":"scloud by Florian Salzmann","description":"Mastering the Modern Workplace with Intune","publisher":{"@id":"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/scloud.work\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/scloud.work\/#\/schema\/person\/351129a6ee6924cb8637f395e4b010d5","name":"Florian","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/scloud.work\/#\/schema\/person\/image\/","url":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/10\/Salzmann_Florian_2022_500x500px.jpg","contentUrl":"https:\/\/scloud.work\/wp-content\/uploads\/2022\/10\/Salzmann_Florian_2022_500x500px.jpg","width":500,"height":500,"caption":"Florian"},"logo":{"@id":"https:\/\/scloud.work\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/scloud.work\/about\/","https:\/\/www.instagram.com\/florianslz_\/","https:\/\/www.linkedin.com\/in\/fsalzmann\/","https:\/\/x.com\/FlorianSLZ"]}]}},"_links":{"self":[{"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/posts\/1588"}],"collection":[{"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/comments?post=1588"}],"version-history":[{"count":21,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/posts\/1588\/revisions"}],"predecessor-version":[{"id":4264,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/posts\/1588\/revisions\/4264"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/media\/1598"}],"wp:attachment":[{"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/media?parent=1588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/categories?post=1588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scloud.work\/wp-json\/wp\/v2\/tags?post=1588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}