Today I had to create a Win32 app in Intune that sets a registry key in the current user context to toggle a setting in the OS. Somehow I thought I’d have it done in a jiffy, but I stumbled on a couple of unexpected issues along the way…
First, the app simply runs a PowerShell script that sets the registry key, but the install command I was using created the key under WOW6432Node instead. The Intune Management Extension (IME) is a 32-bit process, so the PowerShell.exe it launches from %windir%\System32 is silently redirected by WOW64 to the 32-bit copy in SysWOW64, and that 32-bit process's registry writes are redirected in turn. The fix is to launch PowerShell through the SysNative alias, which a 32-bit process can use to reach the real 64-bit System32:
%windir%\SysNative\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File MyInstallScript.ps1
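An added example (not code from the original post) of a guard at the top of an install script that detects the WOW64 case described above and re-runs itself under the 64-bit host, so the registry write lands in the native view even if the install command was left pointing at System32. The key path and value are hypothetical placeholders for whatever setting your app toggles.

```powershell
# Added example, not from the original post.
# If this PowerShell is a 32-bit process on a 64-bit OS, WOW64 is redirecting both
# our file system and registry access. Relaunch the same script with the 64-bit host.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    # SysNative is only visible to 32-bit processes and maps to the real 64-bit System32
    $NativePS = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    $ScriptPath = $MyInvocation.MyCommand.Path
    $Proc = Start-Process -FilePath $NativePS `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$ScriptPath`"") `
        -Wait -PassThru -NoNewWindow
    # Propagate the 64-bit run's exit code so Intune sees the real result
    Exit $Proc.ExitCode
}

# From here on we are a 64-bit process: HKCU:\Software\... is the native view, not WOW6432Node.
# Hypothetical key and value; replace with the setting your app actually toggles.
$KeyPath = 'HKCU:\Software\Contoso\ExampleSetting'
if (-not (Test-Path -Path $KeyPath)) {
    $null = New-Item -Path $KeyPath -Force   # -Force creates any missing parent keys
}
# '(Default)' addresses the key's default (unnamed) value
Set-ItemProperty -Path $KeyPath -Name '(Default)' -Value ''

Write-Output "Running as $([IntPtr]::Size * 8)-bit PowerShell, wrote $KeyPath"
Exit 0
```

The guard uses the .NET bitness properties rather than the PROCESSOR_ARCHITEW6432 environment variable, so it behaves the same on x64 and ARM64 hosts. Keep the relaunch at the very top of the script, before any registry access, or the first write will still be redirected.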
Second, the app is only applicable to Windows 11, yet in the Minimum operating system requirement Windows 11 is not available, nor even Windows 10 21H2. I guess that’ll get updated at some point…
So I had to choose a Windows 10 OS and add an additional scripted requirement rule for Windows 11, which checks the OS build number (Windows 11 starts at build 22000):
# Windows 11 builds start at 22000; anything lower is Windows 10 or older
[int]$BuildNumber = Get-CimInstance -ClassName Win32_OperatingSystem -Property BuildNumber | Select-Object -ExpandProperty BuildNumber
If ($BuildNumber -ge 22000)
{
    # Intune compares this string output against the value configured in the requirement rule
    Write-Output "Pass"
}
else
{
    Write-Output "Fail"
}
Next came a more tricky problem: the detection rule. This had to be done using a custom detection script, but the script runs in SYSTEM context, so HKEY_CURRENT_USER resolves to the SYSTEM account's own hive and by default the script can’t see changes in the logged-on user's registry hive.
I recalled some code I had used elsewhere to find the currently logged-on user from SYSTEM context, and simply modified the detection script to check the HKEY_USERS hive instead of HKEY_CURRENT_USER, using the SID of the logged-on user. This works as long as only a single user is logged on (the script takes the first active session it finds):
Function Get-LoggedOnUserSID {
    # ref https://www.reddit.com/r/PowerShell/comments/7coamf/query_no_user_exists_for/
    # Parses the fixed-width output of 'query session' into objects, then maps the
    # first active session ID to the SID that LogonUI recorded for it.
    $header = @('SESSIONNAME', 'USERNAME', 'ID', 'STATE', 'TYPE', 'DEVICE')
    $Sessions = query session
    [array]$ActiveSessions = $Sessions | Select-Object -Skip 1 | Where-Object { $_ -match "Active" }
    If ($ActiveSessions.Count -ge 1)
    {
        $LoggedOnUsers = @()
        # Column start offsets, taken from where each header word sits in the header line
        $indexes = $header | ForEach-Object { ($Sessions[0]).IndexOf(" $_") }
        for ($row = 0; $row -lt $ActiveSessions.Count; $row++)
        {
            $obj = New-Object psobject
            for ($i = 0; $i -lt $header.Count; $i++)
            {
                $begin = $indexes[$i]
                $end = if ($i -lt $header.Count - 1) { $indexes[$i + 1] } else { $ActiveSessions[$row].Length }
                $obj | Add-Member NoteProperty $header[$i] ($ActiveSessions[$row].Substring($begin, $end - $begin)).Trim()
            }
            $LoggedOnUsers += $obj
        }
        # Only the first active session is considered, hence the single-user limitation
        $LoggedOnUser = $LoggedOnUsers[0]
        $LoggedOnUserSID = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\$($LoggedOnUser.ID)" -Name LoggedOnUserSID -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty LoggedOnUserSID
        Return $LoggedOnUserSID
    }
    # No active session: nothing is returned, so the caller sees $null
}
$LoggedOnUserSID = Get-LoggedOnUserSID
If ($null -ne $LoggedOnUserSID)
{
    # PowerShell has no HKU: drive by default; map HKEY_USERS so the user's hive can be addressed by SID
    If ($null -eq (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue))
    {
        $null = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
    }
    $i = Get-Item "HKU:\$LoggedOnUserSID\Software\<regkey>" -ErrorAction SilentlyContinue
    if ($null -eq $i)
    {
        # key doesn't exist, need to set
        "nada"
        Exit 1
    }
    else
    {
        $r = Get-ItemProperty "HKU:\$LoggedOnUserSID\Software\<regkey>" -Name '(Default)' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty '(default)'
        If ($r.Length -gt 0)
        {
            # default value is non-empty, which is not the state this app sets; need to update
            "not right value"
            Exit 1
        }
        else
        {
            # all good: Intune treats exit code 0 plus something on STDOUT as "detected"
            "all good"
            Exit 0
        }
    }
}
Else
{
    # no logged on user detected, so the user hive isn't loaded and there is nothing to check
    "no logged on user detected"
    Exit 1
}
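As an added example (not the post's own code), here is an alternative way to get the interactive user's SID from SYSTEM context without parsing `query session`: ask WMI for the console user and translate the account name to a SID through .NET. It also checks the user's hive is actually loaded under HKEY_USERS before looking for the key, and distinguishes "key missing", "default value never set" and "wrong value". The key path and expected value are hypothetical placeholders. Note that Win32_ComputerSystem.UserName only reports the console session, so a user signed in purely over RDP is reported as no console user.

```powershell
# Added example, not from the original post. Hypothetical key path and expected value:
$KeyRelativePath = 'Software\Contoso\ExampleSetting'
$ExpectedValue   = ''   # the app sets an empty default value

function Get-ConsoleUserSID {
    # Win32_ComputerSystem.UserName is 'DOMAIN\user' for the console session, or $null when nobody is at the console.
    # This works from SYSTEM context because it does not depend on HKCU.
    $UserName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($UserName)) { return $null }
    try {
        $Account = New-Object System.Security.Principal.NTAccount($UserName)
        return $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Translation fails for accounts the machine cannot resolve (e.g. offline with a stale cache)
        return $null
    }
}

function Test-UserKeyState {
    param(
        [Parameter(Mandatory)][string]$SID,
        [Parameter(Mandatory)][string]$RelativePath,
        [string]$Expected = ''
    )
    if ($null -eq (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
    }
    # A user's hive is only mounted under HKEY_USERS while that user is logged on
    if (-not (Test-Path -Path "HKU:\$SID")) { return 'hive not loaded' }

    $KeyPath = "HKU:\$SID\$RelativePath"
    if (-not (Test-Path -Path $KeyPath)) { return 'key missing' }

    # RegistryKey.GetValue('') reads the default value; $null means it was never set,
    # which is different from an empty string
    $Default = (Get-Item -Path $KeyPath).GetValue('')
    if ($null -eq $Default) { return 'default not set' }
    if ([string]$Default -ne $Expected) { return 'wrong value' }
    return 'ok'
}

$SID = Get-ConsoleUserSID
if ($null -eq $SID) {
    Write-Output 'no console user'
    Exit 1
}
$State = Test-UserKeyState -SID $SID -RelativePath $KeyRelativePath -Expected $ExpectedValue
# Intune reads exit code 0 with non-empty STDOUT as "detected"; any other exit code as "not detected"
Write-Output "$SID : $State"
if ($State -eq 'ok') { Exit 0 } else { Exit 1 }
```

Because the detection script is launched by the 32-bit IME, the same SysNative consideration applies here as for the install command: if the key you check lives under a WOW64-redirected path such as Software\Classes, run the detection through the 64-bit host as well, or the detection will look in the 32-bit view while the install wrote the 64-bit one.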
After that, finally the app installed and detected correctly!
Great stuff
Thanks for sharing
Thank you for this.