SCCM can uninstall per user software!

I couldn’t find any one who had ever done a per user software uninstall quite right. When I started researching it, I found articles that had me delete files and folders and not actually touch the MSI database or run any actual uninstaller. I needed something better.

This post assumes you have a reasonably good understanding of SCCM. It also assumes that your SCCM environment has Software Inventory enabled and that it’s inventorying *.exe on all client hard disks on a frequent schedule (daily in my environment).  Hardware Inventory should be running on a frequent schedule (again daily in my environment). This allows for better and faster detection of what you’re trying to uninstall.

Once you get a feel for how everything works, you should be able to adapt the queries and scripts to find any per user installs like Spotify, Firefox, or whatever else might be forbidden in your enterprise. Let’s start and use Google Chrome as the example:

First, two collections must be created:

Collection one (I called mine “Find Chrome [Per PC]”) contains all PCs with the software installed and listed in “Programs and Features.” This will be used as the “exclusion collection” later. Full WQL below:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ARPDisplayName = "Google Chrome"

Collection two contains all PCs with the executable anywhere on the PC (mine was called “Chrome Uninstall [Per User]”). Also, in the “Membership Rules” add an exclusion and specify collection one created above. Since SCCM can only see software installed per system (software listed in the registry hive HKLM versus HKU), collection two with the exclusion will populate only per user installs!

Full WQL below:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "chrome.exe"

Continuing the example of Chrome, an application “deployment type” must be created with the uninstall populated with a custom script. (The install portion can be the uninstall script as well since something has to be in there.)

The trick with per-user installations is that the uninstall script must be run as the user and it must be made to search the user’s profile for the path to the uninstaller.

With Chrome, the version number is in the path which complicates it a little. Since all the operations take place in the user’s context and profile (as mentioned above): admin rights are not needed. Relevant CMD script below:

For /f %%a in ( 'dir "%LOCALAPPDATA%\chrome.7z" /b /s 2^>nul' ) do Set ChromePath=%%a 
If "%sChromePath%" EQU "" Exit 
Set sChromePath=%sChromePath:~0,-10%
%windir%\system32\Taskkill /im "Chrome.exe" /f
%sChromePath%\setup.exe --uninstall --user-level --force-uninstall --verbose-logging

Next, a custom VBS detection method must be defined. Since our example, Chrome, isn’t actually being installed, SCCM has to detect that it is installed so the uninstaller can be executed on the correct PCs. When using VBS, applications are detected when VBS echoes anything.  Don’t echo anything for failures or it will count as a success. Full VBS below:

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = WScript.CreateObject("WScript.Shell")
If oFSO.FileExists(oShell.ExpandEnvironmentStrings("%AppData%\Local\Google\Chrome\Application\chrome.exe")) Then
WScript.echo "."
WScript.Quit(0)
Else
WScript.Quit(0)
End If

Finally, create the deployment and use collection two (however you might have named it) from above. Specify “uninstall” and “required” on the “deployment settings” tab. “Hide in Software Center and all notifications” will make it completely silent to the end user.

PCs with new per user installs will automatically be added to the collection, and as users run the uninstall (and PCs subsequently re-run hardware inventory), PCs will automatically drop out of the collection.

There is at least one caveat: If a user never logs into a PC again after installing Chrome, the PC will stay in the collection until that profile is deleted or that username is logged in on that PC. For possible help with that, see “Deleting Aged and/or Orphaned AD Profiles.”

Disclaimer

Use the information above with caution, at your own risk, and know that though I’ve used it in a production environment, your environment will be different and there’s no telling how that may affect things. I offer neither warranties nor guarantees about the scripts and queries here. They do, however, work great for me.

Peace and Victory,

rsn

Supporting this site

The apps and scripts available here are free-ish. Here at GB/2 Labs, we really like the idea of Pay What You Want. If you find this post useful (or need some support), send what you feel the functionality (or support time) is worth to you or your organization. If your business requires it, contact us for a proper invoice. Otherwise, please consider a donation below.