Instead of playing whack-a-mole with individual apps, I developed a “Master Script” approach for Intune Proactive Remediations. This system hunts down “zombie software” based on a centralized target list and removes it silently.

The Problem: Shadow IT and Defender Alarms

Every IT admin has seen it: Defender’s vulnerability management shows 50 devices with an outdated version of GIMP or a random Russian browser like Yandex. These aren’t apps you deployed; they were installed by users who “just needed it for a second.”

These apps create two major issues:

1. Security Risk: EOL software doesn’t get patches. It’s a “zombie” — it should be dead, but it’s still walking around your network.
2. Operational Noise: Thousands of Defender alerts for software that shouldn’t even be there in the first place.

Prerequisites

• Microsoft Intune with Proactive Remediations enabled (requires Windows 10/11 Enterprise E3/E5).
• PowerShell 5.1 (default on Windows).
• Local Admin Rights (The script runs in the SYSTEM context to perform uninstalls).

The Strategy: How the Hunt Works

The system uses two scripts: a Detection script that identifies the presence of unauthorized software, and a Remediation script that kills it.

We target software using three methods:

1. Registry GUIDs: Finding the specific MSI or installer GUID in HKLM.
2. Wildcard Registry: Finding keys like HKLM:\... \Uninstall\Opera* to catch versioned installs.
3. File Paths: Checking for specific executables in Program Files or AppData.

Crucially, the scripts handle per-user installs by scanning the HKEY_USERS (HKU) hive, ensuring that apps installed in a user’s local profile don’t hide from the system.

Implementation: The Master Scripts

You can find the full scripts in my GitHub repository.

1. The Detection Script

The detection script iterates through a $zombieTargets array. If any target is found via registry or file path, it exits with Exit 1, triggering the remediation.

# Example target definition
@{
    Name          = "GIMP 2"
    Reason        = "Unauthorized software - Not in approved catalog"
    Category      = "Unauthorized"
    DetectionType = "Both"
    RegistryPaths = @("HKLM:\GIMP-2_is1", "HKU:\GIMP-2_is1")
    FilePaths     = @("C:\Program Files\GIMP 2\bin\gimp-2.10.exe")
    Enabled       = $true
}

2. The Remediation Script

When triggered, the remediation script attempts the following in order:

1. Silent Uninstall: It reads the UninstallString from the registry and injects silent flags (/S, /qn, /VERYSILENT).
2. Folder Removal: If the registry uninstall fails or isn’t available, it forcefully stops any running processes and deletes the application folder.

Verification: How to Know it Worked

1. Intune Console: Check the Proactive Remediations blade. You should see “Issue fixed” for devices where software was removed.
2. Local Logs: The scripts write detailed logs to C:\ProgramData\Eriteach\Logs\.
3. Defender for Endpoint: After a few days, watch your “Software Inventory” and “Vulnerabilities” dashboards clean up as the zombie apps disappear.

Troubleshooting

• Process Blocking: Some apps might fail to uninstall if they are in use. The remediation script tries to stop known processes, but stubborn apps may require a reboot.
• Installer Prompts: If an app uses a non-standard installer that doesn’t support silent flags, the script will fall back to folder removal.
• Dependency Risks: Be careful when targeting runtimes like .NET or Visual C++. Some legacy line-of-business (LOB) apps might depend on them. Always test on a pilot group first.

Summary

Don’t let unauthorized and outdated software clutter your environment and bloat your vulnerability reports. By using a centralized “Zombie Software” hunt with Intune, you can automate your cleanup and ensure only approved, secure applications remain on your devices.