Users with local admin rights are the natural enemy of a clean software inventory. They install unapproved browsers, outdated image editors, and “handy” utilities that quickly become an IT headache. Worse, Microsoft Defender for Endpoint often flags these apps because they are End-of-Life (EOL) or End-of-Support (EOS), creating a massive list of vulnerabilities you didn’t even know you had.

Instead of playing whack-a-mole with individual apps, I developed a “Master Script” approach for Intune Proactive Remediations. This system hunts down “zombie software” based on a centralized target list and removes it silently.

The Problem: Shadow IT and Defender Alarms

Every IT admin has seen it: Defender’s vulnerability management shows 50 devices with an outdated version of GIMP or a random Russian browser like Yandex. These aren’t apps you deployed; they were installed by users who “just needed it for a second.”

These apps create two major issues:

  1. Security Risk: EOL software doesn’t get patches. It’s a “zombie” — it should be dead, but it’s still walking around your network.
  2. Operational Noise: Thousands of Defender alerts for software that shouldn’t even be there in the first place.

Prerequisites

  • Microsoft Intune with Proactive Remediations enabled (requires Windows 10/11 Enterprise E3/E5).
  • PowerShell 5.1 (default on Windows).
  • Local Admin Rights (The script runs in the SYSTEM context to perform uninstalls).

The Strategy: How the Hunt Works

The system uses two scripts: a Detection script that identifies the presence of unauthorized software, and a Remediation script that kills it.

We target software using three methods:

  1. Registry GUIDs: Finding the specific MSI or installer GUID in HKLM.
  2. Wildcard Registry: Finding keys like HKLM:\...\Uninstall\Opera* to catch versioned installs.
  3. File Paths: Checking for specific executables in Program Files or AppData.

Crucially, the scripts handle per-user installs by scanning the HKEY_USERS (HKU) hive, ensuring that apps installed in a user’s local profile don’t hide from the system.

Implementation: The Master Scripts

You can find the full scripts in my GitHub repository.

1. The Detection Script

The detection script iterates through a $zombieTargets array. If any target is found via registry or file path, it exits with exit code 1, which triggers the remediation script.

# Example target definition: one element of the $zombieTargets array
$zombieTargets = @(
    @{
        Name          = "GIMP 2"
        Reason        = "Unauthorized software - Not in approved catalog"
        Category      = "Unauthorized"
        DetectionType = "Both"            # check registry keys and file paths
        RegistryPaths = @("HKLM:\GIMP-2_is1", "HKU:\GIMP-2_is1")   # machine-wide and per-user uninstall keys
        FilePaths     = @("C:\Program Files\GIMP 2\bin\gimp-2.10.exe")
        Enabled       = $true             # set to $false to park a target without deleting it
    }
)
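The detection pass described under "How the Hunt Works" and above, as an added example rather than the script from the author's repository. It assumes that RegistryPaths entries are key names relative to the Uninstall branch (the page does not state how the master script resolves them) and that DetectionType may also be "Registry" or "File"; the HKU scan only sees hives that are currently loaded, so users who are not logged on are not covered in that run.

```powershell
# Added example, not the author's script. Assumption: "HKLM:\X" / "HKU:\X" are key
# names relative to ...\Microsoft\Windows\CurrentVersion\Uninstall\ in that hive.
$zombieTargets = @(
    @{ Name = "GIMP 2"; DetectionType = "Both"; Enabled = $true
       RegistryPaths = @("HKLM:\GIMP-2_is1", "HKU:\GIMP-2_is1")
       FilePaths     = @("C:\Program Files\GIMP 2\bin\gimp-2.10.exe") }
)

# HKU is not mapped as a drive by default; map it so per-user keys can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# 64-bit and 32-bit (WOW6432Node) uninstall branches, present in HKLM and in each user hive.
$uninstallSuffixes = @(
    'Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Resolve-UninstallKeys {
    param([string]$Entry)   # e.g. "HKLM:\GIMP-2_is1" or "HKU:\Opera*"
    $hive, $keyName = $Entry -split ':\\', 2
    $roots = if ($hive -eq 'HKU') {
        # Only loaded user hives (S-1-5-21-...), skipping .DEFAULT and *_Classes.
        Get-ChildItem HKU:\ |
            Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
            ForEach-Object { "HKU:\$($_.PSChildName)" }
    } else { @('HKLM:') }
    foreach ($root in $roots) {
        foreach ($suffix in $uninstallSuffixes) {
            # Get-Item honours wildcards in the key name, which is how "Opera*" style targets match.
            Get-Item -Path "$root\$suffix\$keyName" -ErrorAction SilentlyContinue
        }
    }
}

function Test-ZombieTarget {
    param($Target)
    $hits = @()
    if ($Target.DetectionType -in 'Registry', 'Both') {
        foreach ($entry in $Target.RegistryPaths) {
            Resolve-UninstallKeys -Entry $entry | ForEach-Object { $hits += $_.PSPath }
        }
    }
    if ($Target.DetectionType -in 'File', 'Both') {
        $hits += @($Target.FilePaths | Where-Object { Test-Path -LiteralPath $_ })
    }
    return $hits
}

$found = foreach ($t in ($zombieTargets | Where-Object { $_.Enabled })) {
    $hits = Test-ZombieTarget -Target $t
    if ($hits) { "$($t.Name): $($hits -join '; ')" }   # evidence for the Intune output column
}
if ($found) { Write-Output ($found -join "`n"); exit 1 }   # exit 1 = trigger remediation
Write-Output "No zombie targets found"; exit 0
```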

2. The Remediation Script

When triggered, the remediation script attempts the following in order:

  1. Silent Uninstall: It reads the UninstallString from the registry and injects silent flags (/S, /qn, /VERYSILENT).
  2. Folder Removal: If the registry uninstall fails or isn’t available, it forcefully stops any running processes and deletes the application folder.

Verification: How to Know it Worked

  1. Intune Console: Check the Proactive Remediations blade. You should see “Issue fixed” for devices where software was removed.
  2. Local Logs: The scripts write detailed logs to C:\ProgramData\Eriteach\Logs\.
  3. Defender for Endpoint: After a few days, watch your “Software Inventory” and “Vulnerabilities” dashboards clean up as the zombie apps disappear.

Troubleshooting

  • Process Blocking: Some apps might fail to uninstall if they are in use. The remediation script tries to stop known processes, but stubborn apps may require a reboot.
  • Installer Prompts: If an app uses a non-standard installer that doesn’t support silent flags, the script will fall back to folder removal.
  • Dependency Risks: Be careful when targeting runtimes like .NET or Visual C++. Some legacy line-of-business (LOB) apps might depend on them. Always test on a pilot group first.

Summary

Don’t let unauthorized and outdated software clutter your environment and bloat your vulnerability reports. By using a centralized “Zombie Software” hunt with Intune, you can automate your cleanup and ensure only approved, secure applications remain on your devices.