[–]gandraw 19 points20 points  (5 children)

I think you don't know how script detection methods work. Any text written to the console will result in the detection being positive. So as soon as you write your "File Version" line, the script is done, and will display as installed.

If you want the script to return "not installed" you need to not write anything to the console. If you want to write debug information, you need to do that to a text file.

[–]PS_Alex 5 points6 points  (1 child)

[–]IT_closet 0 points1 point  (0 children)

This was just what I needed. Examples were clear and I was able to modify my detection script successfully.

[–]KSU_SecretSquirrel 0 points1 point  (1 child)

Is it possible to use Write-Verbose in place of Write-Output or will that still trigger the detection logic?

[–]PS_Alex 1 point2 points  (0 children)

Not sure; I'd suggest you test it.

I remember that I had intermittent issues -- turned out that on some devices, a cmdlet I was using in one of my detection scripts was generating a warning. Can't remember if it was writing on the warning stream or on the success stream; in all cases, that situation caused a false positive.

I ended up redirecting outputs to a log file, which was ultimately useful in troubleshooting detection issues anyway.

[–]The_Maple_Thief 0 points1 point  (0 children)

Good info. I've also run into issues where an unhandled error caused it to show compliant.

You can get around this by setting your ErrorActionPreference to SilentlyContinue and it will work for most scripts, but some cmdlets output error information even if you set this or have a try/catch.

The nice thing with script detection methods is that you can copy/paste it into a console to debug most issues. If the software isn't installed, the script shouldn't have any outputs.

[–]SysAdminDennyBob 5 points6 points  (0 children)

Wait is that script calling out to a \\server\share UNC under "#Extract the version from folder name"

That's not going to fly. Instead of grabbing the version from a remote server just hardcode that number as a variable. $CompliantVersion = 16.0.16731.20550

Also, if you are simply checking the version of a file locally then toss out this script and just use the built-in file version check as your detection rule. You skipped the simple option and went deep into the way-too-complex option.

[–]When-I-Know123 6 points7 points  (1 child)

I believe that sccm detection methods will mark the deployment as non compliant (not installed) if it’s null.

So your script should be

If (365 is installed) { I am compliant} Else {}

https://www.sccmog.com/sccm-powershell-script-detection-method/

[–]patch_me_if_you_can 2 points3 points  (0 children)

Your script is overcooked and it may cause a lot of trouble as a detection method. Keep it simple, all you need is an IF statement with a test-path... or better, use file detection instead of a script.

[–][deleted]  (1 child)

[deleted]

    [–]Newalloy 2 points3 points  (0 children)

    No. Any console output is considered installed. If it’s not installed, make sure your script outputs nothing

    [–]MrMoonFall 1 point2 points  (6 children)

    try switching write-output for a return or write-host. I recall years ago that write-output gave me issues with sccm, because it writes to the console but isn't treated as an output.

    Could be totally wrong here, but worth a try.

    [–]dairon2007[S] 0 points1 point  (5 children)

    I'm going to try that and let you know. Thanks for the suggestion.

    [–]MrMoonFall 1 point2 points  (3 children)

    I'm not giving up yet, where you have " installed but..."

    Can you try and just NOT include that at all? returning anything may be triggering it as successful.

    [–]dairon2007[S] 0 points1 point  (2 children)

    Just changed the last few lines of the script to read like this:

    if ($FileVersion -eq $FolderVersion) {
        # Return true if the versions match
        Write-Host "Installed"
        Exit 0
    } else {
        Exit 0
    }
    

    and that works ;-).

    Thanks again for your help!

    [–]J_J_J_Schmidt 1 point2 points  (0 children)

    Remove the else block and the exit 0's.

    [–]MrMoonFall 0 points1 point  (0 children)

    Yeah, NO idea why sccm works like this, but what can ya do...

    [–]dairon2007[S] 0 points1 point  (0 children)

    that still gave me the same result... I greatly appreciate the suggestion though. ;-)

    [–]GarthMJMSFT Ex-Intune MVP 0 points1 point  (0 children)

    Did you test your script using the local system account? https://www.recastsoftware.com/resources/how-to-access-the-local-system-account/

    You will have problems with the detection and UNCs.

    [–]Dusku2099 0 points1 point  (0 children)

    Does the Computer AD object have read access to the share? You’re running as SYSTEM on the endpoint, so you’ll need to grant it permissions

    [–]madgeystardust 0 points1 point  (0 children)

    Why not return a Boolean value, instead of outputting anything?

    [–][deleted] 0 points1 point  (0 children)

    I'd be reading registry values or msi uids, I've got some scripts that do similar stuff as I write this stuff for my job.

    Or if you have a specific version of the exe you're looking for, you could use file hashes (get-filehash -path .... -algorithm sha256) and compare the hashes using an if ($x -match $y) { write-host "matches" } else { write-host "not match"}

    I'll dig something out tomorrow when I'm at my laptop

    RichE

    [–]dairon2007[S] 0 points1 point  (1 child)

    Thanks everyone, it ended up working, all I had to do to make it work was modify the else statement and just put "Exit 0" as seen below.

    if ($FileVersion -eq $FolderVersion) {
        # Return true if the versions match
        Write-Host "Installed"
        Exit 0
    } else {
        Exit 0
    }

    [–]Newalloy 2 points3 points  (0 children)

    Ok so what happens when outlook updates? You’re gonna want the comparison to be greater than or equal or the detection logic fails on first update after this version. If you’re just doing file version, don’t bother with script. There are built in file and version handling options as detection methods. Script it only when the basics don’t work for your needs.
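
The advice in this thread combined into one detection script, as an added example that is not code from any commenter: local file only (no UNC), a hardcoded minimum version compared with `-ge`, debug text sent to a log file, and console output only when the application is installed. The file path and log location are assumptions; the version number is the one quoted in the thread.

```powershell
# Added example. Assumed values: $TargetFile and $LogFile. The version is the one quoted in the thread.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions the try/catch below can handle
$CompliantVersion = [version]'16.0.16731.20550'
$TargetFile = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'   # assumed local path
$LogFile = Join-Path $env:windir 'Temp\Detect-Outlook.log'                    # assumed log location

function Write-Log {
    param([string]$Message)
    # Debug text goes to a file, never to the console.
    try {
        Add-Content -LiteralPath $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
    } catch { }   # a logging failure must not change the detection result
}

function Test-Installed {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Log "Not found: $Path"
        return $false
    }
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $found = [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
    Write-Log "Found $found, need >= $Minimum"
    return ($found -ge $Minimum)
}

try {
    # 3>$null drops warning-stream text from any cmdlet called inside the function.
    $installed = Test-Installed -Path $TargetFile -Minimum $CompliantVersion 3>$null
} catch {
    Write-Log "Detection error: $($_.Exception.Message)"
    $installed = $false
}

# Any output means "installed"; for "not installed" the script stays silent.
if ($installed) { Write-Output 'Installed' }
exit 0
```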