Intune Compliance Check for Install of o365

rr-4098 2,141 Reputation points
2025-06-27T20:21:04.0133333+00:00

I have been asked to set up a compliance check to see if o365 is installed or not. I have been searching online and have not found any 365 detection scripts or JSON files for this that others have used. I am not great with PowerShell and JSON so any help will be welcomed!!!!

Microsoft Security | Intune | Compliance

2 answers

  1. simo-k 64,735 Reputation points Volunteer Moderator
    2025-06-28T15:05:03.2033333+00:00

    I don't know how this works, so please consult your organization's IT administrator.


  2. Prathista Ilango 515 Reputation points Microsoft Employee
    2025-08-20T09:16:46.31+00:00

    Hello rr-4098,

    You would like to mark the device non-compliant if M365 (formerly O365) apps are not installed. Is that correct? In that case, you can create the compliance policy as follows.

    Disclaimer: Please test this on test devices before deploying for production devices.

    Prerequisites:

    You need to create the script and JSON file for detection and validation.

    1. Script to detect M365 app install:
         #########################################################################################
         # ALL THE SCRIPTS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED                   #
         # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR         #
         # FITNESS FOR A PARTICULAR PURPOSE.                                                                 #
         #                                                                                                   #
         # This sample is not supported under any Microsoft standard support program or service.             #
         # The script is provided AS IS without warranty of any kind. Microsoft further disclaims all        #
         # implied warranties including, without limitation, any implied warranties of merchantability       #
         # or of fitness for a particular purpose. The entire risk arising out of the use or performance     #
         # of the sample and documentation remains with you. In no event shall Microsoft, its authors,       #
         # or anyone else involved in the creation, production, or delivery of the script be liable for      #
         # any damages whatsoever (including, without limitation, damages for loss of business profits,      #
         # business interruption, loss of business information, or other pecuniary loss) arising out of      #
         # the use of or inability to use the sample or documentation, even if Microsoft has been advised    #
         # of the possibility of such damages.       
         #########################################################################################
         
         # Initialize values
         $OfficeArch       = "Unknown"
         $OfficeType       = "None"
         $OfficeVersion    = "Not Found"
         $OfficeBuild      = "Unknown"
         $OfficeVersionMap = "Unknown"
         $OfficeName       = "Unknown"
         $Timestamp        = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
         # Detect Click-to-Run Office via registry
         $C2RPaths = @(
             "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration",
             "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun\Configuration"
         )
         foreach ($path in $C2RPaths) {
             if (Test-Path $path) {
                 try {
                     $props = Get-ItemProperty -Path $path
                     if ($props.Platform) {
                         $OfficeArch = $props.Platform
                         $OfficeType = "Click-to-Run"
                     }
                     if ($props.VersionToReport) {
                         $OfficeVersion = $props.VersionToReport
                         if ($OfficeVersion -match "^16\.0\.(\d+)\.") {
                             $OfficeBuild = $Matches[1]
                         }
                     }
                     if ($props.ProductReleaseIds) {
                         $OfficeName = $props.ProductReleaseIds -replace ";.*", ""  # Grab first product ID
                     }
                     break
                 } catch {}
             }
         }
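         # If not Click-to-Run, check for MSI Office using WMI
         # Note: enumerating Win32_Product is slow and makes Windows Installer run a consistency check on every installed MSI package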
         if ($OfficeType -eq "None") {
             try {
                 $OfficeProducts = Get-WmiObject -Class Win32_Product | Where-Object {
                     $_.Name -match "Microsoft Office" -and $_.Name -notmatch "Click" -and $_.Name -notmatch "365"
                 }
                 foreach ($product in $OfficeProducts) {
                     if ($null -ne $product) {
                         $OfficeType    = "MSI"
                         $OfficeVersion = $product.Version
                         $OfficeName    = $product.Name
                         if ($OfficeVersion -match "^16\.0\.(\d+)\.") {
                             $OfficeBuild = $Matches[1]
                         }
                         break
                     }
                 }
                 $OfficeExePaths = @(
                     "$env:ProgramFiles\Microsoft Office",
                     "$env:ProgramFiles (x86)\Microsoft Office"
                 )
                 foreach ($base in $OfficeExePaths) {
                     $exe = Get-ChildItem -Path $base -Recurse -Include "winword.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
                     if ($exe) {
                         $OfficeArch = if ($exe.FullName -like "*Program Files (x86)*") { "32-bit" } else { "64-bit" }
                         break
                     }
                 }
             } catch {
                 $OfficeType    = "MSI Detection Failed"
                 $OfficeArch    = "Unknown"
                 $OfficeVersion = "Unknown"
                 $OfficeBuild   = "Unknown"
                 $OfficeName    = "Unknown"
             }
         }
         # Map build to marketing version
         if ($OfficeVersion -match "^16\.0\.(\d+)\.") {
             $build = [int]$Matches[1]
             $OfficeBuild = $build
             switch ($build) {
                 { $_ -ge 17000 } { $OfficeVersionMap = "2024"; break }
                 { $_ -ge 14000 } { $OfficeVersionMap = "2021"; break }
                 { $_ -ge 10300 } { $OfficeVersionMap = "2019"; break }
                 { $_ -ge 4266  } { $OfficeVersionMap = "2016"; break }
                 default          { $OfficeVersionMap = "16.x (Unknown)" }
             }
         } elseif ($OfficeVersion -match "^15\.0") {
             $OfficeVersionMap = "2013"
         } elseif ($OfficeVersion -match "^14\.0") {
             $OfficeVersionMap = "2010"
         }
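         # Report "installed" only when a detection branch actually found Office.
         # The initial placeholder strings ("None", "Not Found", "Unknown") are non-empty,
         # so testing the variables for truthiness alone would always succeed.
         if (($OfficeType -in @("Click-to-Run", "MSI")) -and ($OfficeVersion -notin @("Not Found", "Unknown")))
         {
             $appStatus = @{"Installation status" = "M365 apps installed"}
         }
         else {
             $appStatus = @{"Installation status" = "No M365 apps installed"}
         }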
         return $appStatus | ConvertTo-Json -Compress
      
    2. On Intune portal, go to Devices -> Compliance -> Scripts. Click Add -> Windows 10 and later. Give a name for the script like "M365 Detection Script" and create.
    3. JSON file:
         {
         "Rules":[ 
             { 
                "SettingName":"Installation status",
                "Operator":"IsEquals",
                "DataType":"String",
                "Operand":"M365 apps installed",
                "MoreInfoUrl":"https://www.microsoft.com/en-us/microsoft-365/download-office?msockid=39fe2c4b6cda608038173a6d68da6684",
                "RemediationStrings":[ 
                   { 
                      "Language":"en_US",
                      "Title":"Device does not have any O365 apps installed.",
                      "Description": "Please make sure that O365 apps are installed on the device. "
                   }
                ]
             }
          ]
         }
      
      Save this file locally.

    Compliance Policy Configuration:

    1. On Intune portal, go to Devices -> Compliance -> Policies -> Create Policy. Platform: Windows 10 and later. Profile Type: Windows 10/11 compliance policy.
    2. Click Create and give a name for the policy
    3. Under Compliance settings -> Custom Compliance -> Require
    4. Select your discovery script and upload the JSON saved locally.
    5. Click next and Configure actions of non-compliance
    6. Click next, add assignments and create the policy.

    Once the devices are synced with the policy, you should be able to see the status of non-compliant ones (No M365 apps installed). Additionally, on the end device you will see the description from the JSON as the reason for compliance.

    Hope this helps!

    If you found the information above helpful, please Accept the answer. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
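
A local dry run of the detection script's output against the rules JSON before upload, as an added example that is not part of the original answer or Microsoft's code. `Test-ComplianceRule` is a hypothetical helper and the inputs are constructed; it assumes a setting is compliant when the discovered value satisfies the rule's Operator against its Operand, and models only string `IsEquals` / `NotEquals` rules.

```powershell
# Added example: evaluate discovery output against a custom compliance rule set locally.
# Test-ComplianceRule is a hypothetical helper, not Intune's own evaluator.
function Test-ComplianceRule {
    param(
        [Parameter(Mandatory)] [string] $DiscoveryJson,  # compressed JSON the detection script returns
        [Parameter(Mandatory)] [string] $RulesJson       # contents of the rules JSON file
    )
    $discovered = $DiscoveryJson | ConvertFrom-Json
    $rules      = ($RulesJson | ConvertFrom-Json).Rules

    foreach ($rule in $rules) {
        # SettingName must match a key in the script output exactly
        $prop = $discovered.PSObject.Properties[$rule.SettingName]
        if ($null -eq $prop) {
            $state = "Error: setting missing from script output"
        } else {
            # Case-sensitive comparison (an assumption) so casing mismatches surface here
            $ok = switch ($rule.Operator) {
                "IsEquals"  { $prop.Value -ceq $rule.Operand }
                "NotEquals" { $prop.Value -cne $rule.Operand }
                default     { throw "Operator '$($rule.Operator)' is not modelled here" }
            }
            $state = if ($ok) { "Compliant" } else { "NonCompliant" }
        }
        [pscustomobject]@{
            Setting = $rule.SettingName
            Actual  = if ($prop) { $prop.Value } else { $null }
            Rule    = "$($rule.Operator) '$($rule.Operand)'"
            State   = $state
        }
    }
}

# Constructed inputs: a rule whose compliant value is "M365 apps installed",
# and the two strings the detection script can emit.
$rulesJson = '{"Rules":[{"SettingName":"Installation status","Operator":"IsEquals","DataType":"String","Operand":"M365 apps installed"}]}'
$samples = @(
    '{"Installation status":"M365 apps installed"}',
    '{"Installation status":"No M365 apps installed"}'
)
$samples |
    ForEach-Object { Test-ComplianceRule -DiscoveryJson $_ -RulesJson $rulesJson } |
    Format-Table -AutoSize
```

Running the same function with the real script's output from a machine with Office and one without shows whether both states are reachable and which one the rule treats as compliant.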
