Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

← Ideas

Option to use SYSTEM context for detection method for a user-based application deployment

The application detection method only runs in the user context if it is deployed to a user collection. This would be reasonable if the Deployment Type user experience were set to "Install for User" (User context), however the detection method runs in the user context when this is set to "Install for system" installation behavior (SYSTEM context).

156 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Dan Sonnenburg shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
Noted  · 

12 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Andrew Petersen commented  ·   ·  Flag as inappropriate

    It's very hard to understand why this is set up to behave this way. One more vote for Get-AppPackage -allusers needing to run elevated causing issues with detection when the .msix it's trying to detect is deployed to a user collection. A coworker of mine ran into it today, and we were all scratching our heads until I found this page via google.

  • Gary Blok commented  ·   ·  Flag as inappropriate

    This has caused a huge barrier to allowing self-service in our organization. This needs to be added sooner than later. Something similar to a CI, where you can check a box to using the user's credentials instead of the system. But default to System.

  • Eddie Bumpus commented  ·   ·  Flag as inappropriate

    I've just discovered this problem with using Get-WindowsCapability for detecting RSAT installs. It doesn't work properly as I would have expected.

  • Andrew Bloom commented  ·   ·  Flag as inappropriate

    I have definitely had some strange results with this. A checkbox to allow the developer to control under which credentials the detection method is run would seem to be an easy fix!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Further to this, if the apps are part of a dependency it gives some very counterintuitive results.

    If App B has a dependency on App A, and App A has a powershell detection criteria that must be run with privilege (e.g. Get-WindowsOptionalFeature which can't be done as a user) then:

    If you deploy app A to a user collection, it will fail with "software not applicable to this device"
    if you deploy app A to a machine collection, it will work
    If you deploy app B with the dependency of app A to a user collection, it will evaluate app A detection as the user and fail with "software not applicable to this device". This is true even if app A is already on the machine and correctly detected via a machine deployment.

    In this situation, you must also deploy app B to a machine collection.

  • Phil Brandvold commented  ·   ·  Flag as inappropriate

    This definitely needs to get fixed. I was extremely exited to use powershell scripting detection method, but I need to run Get-AppxPackage, which requires elevated permissions. The feature was *this close* to solving many problems for me (we use the Software Center to deploy quite a few Windows features and other settings with powershell scripts, and right now I'm having to create registry keys every time to mark that an installation has been made).

  • Matt commented  ·   ·  Flag as inappropriate

    This is still a very confusing limitation, as there's no indication of this behavior other than unexpected detection issues. It makes little sense to tie detection to the deployment target, rather than the "User experience" section in the application. If something installs per user, it should be detected per user regardless of how it's deployed. Same for something that is installed for system.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Agreed on this. Perhaps someone in dev can explain why it's designed this way. Are we missing something or is this an underlying design flaw?

    Our users roam. We have about 100 apps present in Software Centre. Our deployment method is "deploy to system" but we target user collections. Ideally, our users login to a machine they haven't been at before, go into software center and view a list of installed applications to determine if there are any missing. Currently, they have to select "install" for any they want to work with which is a waste of time if it's already installed.

  • Qasim Mashwani commented  ·   ·  Flag as inappropriate

    This was "NOTED" two years ago. Any updates? Is User Voice as popularity contest or is it about improving the product to address fundamental design and usage issues for customers? Is MSFT adopting a new "pet view" development strategy?

  • Chris commented  ·   ·  Flag as inappropriate

    I had this problem too. Was unable to run the power shell cmdlet Get-AppxProvisionedPackage in the detection method because it did not have elevated permission. Really, the detection method should run as system regardless of if the application installs as user or system.

Ideas: Application Management

Categories

Feedback and Knowledge Base

(thinking…)