Intune script failed - Outlook add-in loadbehavior

Question

Intune script failed - Outlook add-in loadbehavior

Josh Klomp 20

Hi,

I want to disable some Outlook add-ins for all users and figured an Intune script was the best option.

The script works (below) when run manually in a non-admin powershell on a non-admin user account.

However, it fails when pushed out via Intune. Not sure what I'm looking for in the logs.

What am I doing wrong?

Screenshot 2023-08-02 115051


# Define the paths and values for the two Outlook add-ins

$TeamViewerAddInPath = "HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn"

$LoadBehaviorValue = 2

# Function to set registry values

function Set-RegistryValue {

param (

[string]$Path,

[string]$Name,

[string]$Value,

[string]$Type

)

$registryKey = Get-Item -LiteralPath $Path

if (!$registryKey) {

Write-Host "Registry path not found: $Path" -ForegroundColor Red

return

}

Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force

Write-Host "Registry value set: $Path\$Name = $Value" -ForegroundColor Green

}

# Set the LoadBehavior for the TeamViewer add-in

Set-RegistryValue -Path $TeamViewerAddInPath -Name "LoadBehavior" -Value $LoadBehaviorValue -Type DWord

MotoX80 36,291 Reputation points

2023-08-03T02:23:30.1633333+00:00

Have Powershell generate a transcript.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript?view=powershell-5.1

See what user name Powershell sees and if any errors are generated.
Josh Klomp 20 Reputation points

2023-08-03T09:29:23.61+00:00

@MotoX80 thank you I have added that to the script

Accepted answer

2 additional answers

Your answer

MotoX80 36,291 Reputation points

2023-08-03T02:23:30.1633333+00:00

Have Powershell generate a transcript.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript?view=powershell-5.1

See what user name Powershell sees and if any errors are generated.
Josh Klomp 20 Reputation points

2023-08-03T09:29:23.61+00:00

@MotoX80 thank you I have added that to the script

Answer 1

@Josh Klomp, Thanks for the update. I am glad to hear that it is working. Congratulation! To help others to quickly find the solution, please let me write a summary:

Issue:

Deploy PowerShell script to disable some Outlook add-ins.

Resolution:

User's image

The PowerShell script configuration in Intune. Set the "Run the script using the logged on credentials" as yes.

User's image

Thanks for your time and have a nice day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Crystal-MSFT 53,981 Microsoft External Staff

@Josh Klomp, Thanks for posting in Q&A. From your description, I know we use PowerShell script to disable some Outlook add-in. When we manually run the script, it works. But when we deploy the script via Intune. It is failed.

After checking the script, I find the script is used to change the LoadBehavior registry key under current user.

From the PowerShell Script setting in Intune, I notice the "Run the script using the logged on credentials" is set as NO which means the script is run in the system context. So the registry key is set for system account.

https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

But from your description, I know the PowerShell script needs to run under logged on user. Given the situation, please change the setting "Run the script using the logged on credentials" to Yes to see if it can work.

Please try the above suggestion and if there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Josh Klomp 20 Reputation points

2023-08-03T09:27:55.6066667+00:00

Thank you, I have enabled "Run the script using the logged on credentials".

Will report back on the outcome.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-08-04T02:55:32.4333333+00:00

@Josh Klomp, Thanks for the reply. We will wait for your update. If there's anything we can help during this time, feel free to let us know.

Josh Klomp 20

@Crystal-MSFT unfortunately the script failed. Puzzled as to why a log file wasn't created either. Any ideas?

# Get the current user's Downloads folder path 
$downloadsFolder = Join-Path $env:USERPROFILE "Downloads"  

# Create the full path for the log file 
$logFilePath = Join-Path $downloadsFolder "Transcript.log"  

# Start logging the PowerShell session to the log file in the user's Downloads folder 
Start-Transcript -Path $logFilePath -Append  

# Define the paths and values for the two Outlook add-ins 
$TeamViewerAddInPath = "HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn" $LoadBehaviorValue = 2  

# Function to set registry values 
function Set-RegistryValue {
param (         
[string]$Path,         
[string]$Name,         
$Value,         
$Type     
)     
$CurrentUser = 	[System.Security.Principal.WindowsIdentity]::GetCurrent().Name     
$registryKey = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue     
if (!$registryKey) {         
Write-Host "Registry path not found for user $CurrentUser: $Path" -ForegroundColor Red         
return     
}      
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force     
Write-Host "Registry value set for user $CurrentUser: $Path\$Name = $Value" -ForegroundColor Green 
}  

# Set the LoadBehavior for the TeamViewer add-in 
Set-RegistryValue -Path $TeamViewerAddInPath -Name "LoadBehavior" -Value $LoadBehaviorValue -Type DWord  

# Stop logging the PowerShell session 
Stop-Transcript

MotoX80 36,291

If your script is running as the system account, then $env:USERPROFILE will not contain a downloads folder.

Use a known folder if downloads does not exist.

# Get the current user's Downloads folder path 
$downloadsFolder = Join-Path $env:USERPROFILE "Downloads"  

if (Test-Path $downloadsFolder) {
    "Logging to $downloadsFolder"
} else {
    "Defaulting to Temp"
    $downloadsFolder = "c:\windows\temp"
}

Josh Klomp 20 Reputation points

2023-08-04T11:49:30.3533333+00:00
@MotoX80 I tried saving to C: previously, but it didn't work.

I'll try your suggestion and see how I go.

# Start logging the PowerShell session to a transcript file Start-Transcript -Path "C:\Transcript.log"
MotoX80 36,291 Reputation points

2023-08-04T11:54:21.1833333+00:00

Don't put the file in the root of C. That would require elevation. You need to use a folder that any account can write to. Try c:\Windows\Temp first.
MotoX80 36,291 Reputation points

2023-08-04T11:57:51.0466667+00:00

Or create a C:\Temp folder for initial testing and grant everyone full control.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-08-07T08:19:59.29+00:00

@Josh Klomp, Thanks for the reply. For the previous script, based on my testing on a non-admin login device, I find it can run manually successfully on the device and it can also work when I deploy it via Intune.

For the affected device, you can check the AgentExecutor.log and IntunemanagementExtension.log under C:ProgramDataMicrosoftIntuneManagementExtensionLogs to see if any error related with the commands exists.

For the transcript part, you can follow MotoX80's suggestion to use a folder everyone has full access permission on it.

Hope the above information can help.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-08-09T01:49:45.1166667+00:00

@Josh Klomp, Hope things are going well. If there's any update, feel free to let us know.

Josh Klomp 20

@Crystal-MSFT unfortunately the script has failed.

@MotoX80 it didn't generate a log either.

# Get the current user's Downloads folder path  
$downloadsFolder = Join-Path $env:USERPROFILE "Downloads"   
 
if (Test-Path $downloadsFolder) {     
"Logging to $downloadsFolder" 
} else {     
"Defaulting to Temp"     
$downloadsFolder = "c:\windows\temp" 
}  

# Create the full path for the log file 
$logFilePath = Join-Path $downloadsFolder "Transcript.log"  

# Start logging the PowerShell session to the log file in the user's Downloads folder 
Start-Transcript -Path $logFilePath -Append  

# Define the path and value for the Outlook add-in 
$TeamViewerAddInPath = "HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn" 
$LoadBehaviorValue = 2  

# Function to set registry values 
function Set-RegistryValue {     
param (         
[string]$Path,         
[string]$Name,         
$Value,         
$Type     
)     
$CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name     
$registryKey = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue     
if (!$registryKey) {         
Write-Host "Registry path not found for user $CurrentUser: $Path" -ForegroundColor Red         return     
}      

Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force     
Write-Host "Registry value set for user $CurrentUser: $Path\$Name = $Value" -ForegroundColor Green }  

# Set the LoadBehavior for the TeamViewer add-in 
Set-RegistryValue -Path $TeamViewerAddInPath -Name "LoadBehavior" -Value $LoadBehaviorValue -Type DWord  

# Stop logging the PowerShell session 
Stop-Transcript

MotoX80 36,291 Reputation points

2023-08-09T11:42:28.77+00:00

Maybe create a c:\temp folder. Grant everyone full control. Use Out-File to verify that Intune can write to a file in it. Put the transcript there.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-08-10T01:59:15.2833333+00:00

@Josh Klomp, Thanks for the reply. Please check if the Microsoft Intune Management Extension service is running on the device.

Answer 3

The below script worked!

Turns out the previous script was working, but the LoadBehavior value of 2 wasn't disabling the add-in. Odd since manually changing the value to 2 in regedit did disable the add-in.

I simplified the script and changed the LoadBehavior value to 0.

Thank you for your help @Crystal-MSFT and @MotoX80

# Set Outlook Addin Load behavior to 0  

if((Test-Path -LiteralPath "HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn") -ne $true) {  New-Item "HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn" -force -ea SilentlyContinue };          

New-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn' -Name 'LoadBehavior' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue;

Share via

Intune script failed - Outlook add-in loadbehavior

2 additional answers

Your answer