andrew-s-taylor / public

Public Scripts and Apps
GNU General Public License v3.0

Debloat Install Issue #37

Open tsitsavvy opened 1 month ago

tsitsavvy commented 1 month ago

Hello, we are attempting to work this script into our Autopilot for a complete hands-off experience for our users. However, sometimes when this script gets deployed through Intune the script will fail due to the fact that Autopilot is trying to install programs while the script is uninstalling programs. Do you know of the best way to circumvent this? Possibly a delay on letting the script run?

Thanks!

andrew-s-taylor commented 1 month ago

Hi, are you deploying as a platform script? If you know how long the apps take to install, you could just add a sleep to the Intune script so it thinks it is still running, which will stall the next steps.

tsitsavvy commented 1 month ago

We are deploying this as an App. I tried setting this up as a Platform script and got an error when I tried.

andrew-s-taylor commented 1 month ago

I find platform script usually runs better.

If running as an app, you could make the detection script look for the completed message in the log file so you know it's done before the next app starts. You might also want to consider using dependencies to ensure it deploys first.
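
A sketch of the detection-script approach suggested in the comment above, added here as an example and not taken from the repository or written by either participant. Intune treats a Win32 app as detected when its custom detection script exits 0 and writes a string to STDOUT. The log file name and completion marker are placeholders (assumptions); only the `C:\ProgramData\Debloat` folder appears elsewhere in this thread.

```powershell
# Added example: custom detection script for an Intune Win32 app.
# Assumptions (not from the repository): the log file name and the completion marker.
$LogPath    = 'C:\ProgramData\Debloat\PLACEHOLDER.log'   # placeholder: the script's actual log file
$DoneMarker = 'PLACEHOLDER-COMPLETION-MESSAGE'           # placeholder: the line logged when the run finishes
$MaxAgeDays = 30                                         # assumption: ignore logs older than this

function Test-DebloatComplete {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Marker,
        [int]$MaxAgeDays = 30
    )

    # No log yet: the script has not run, or has not started logging.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # A stale log (for example, left over from a previous deployment) must not count.
    $file = Get-Item -LiteralPath $Path
    if ($file.LastWriteTime -lt (Get-Date).AddDays(-$MaxAgeDays)) { return $false }

    # The completion message is expected at the end of the log, so read only the tail.
    # A run that is still uninstalling will not have written it yet.
    $tail = Get-Content -LiteralPath $Path -Tail 50 -ErrorAction SilentlyContinue
    if (-not $tail) { return $false }

    # -SimpleMatch compares literally, so the marker is never interpreted as a regex.
    return [bool]($tail | Select-String -SimpleMatch -Pattern $Marker -Quiet)
}

if (Test-DebloatComplete -Path $LogPath -Marker $DoneMarker -MaxAgeDays $MaxAgeDays) {
    Write-Output 'Debloat completed'   # STDOUT output plus exit code 0 means "detected"
    exit 0
}

exit 1   # non-zero exit code means "not detected", so dependent apps keep waiting
```

Apps that must wait for the debloat run can then list this app as a dependency, so they are not installed until detection succeeds.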

tsitsavvy commented 1 month ago

Ok, I will give that a try. If I did want to go the platform script way, do I need to make sure script signature check is turned off? I forked off the repo and commented out some stuff I did not want removed.

andrew-s-taylor commented 1 month ago

Yes, if it has been edited the signature will no longer be valid.

It needs to be in 64-bit and running in system context as well

tsitsavvy commented 1 month ago

I just tried to deploy using platform script, the script will download in ProgramData but there is no log. Intune also shows Error. Settings are as follows:

Run this script using the logged on credentials - No
Enforce script signature check - No
Run script in 64 bit PowerShell Host - Yes

andrew-s-taylor commented 1 month ago

Do you have anything blocking PowerShell on the devices?

What does the Intune registry entry report back as the failure reason?

tsitsavvy commented 1 month ago

Please excuse my last reply. I looked in the script code and I accidentally didn't invoke the raw code. It's currently running, and possibly the only issue I see was McAfee didn't uninstall. I am gonna let the device sit a little longer and see what happens.

tsitsavvy commented 1 month ago

The script ran, most of the items were removed. However, when getting to McAfee I get the following error in the Debloat log.

PermissionDenied: C:\ProgramData\Debloat\mccleanup.exe:FileInfo [Remove-Item], UnauthorizeAccessException RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand

Any idea?

andrew-s-taylor commented 1 month ago

Sometimes McAfee needs a reboot to fully remove

tsitsavvy commented 1 month ago

I rebooted and checked the registry for errors. I also checked the Debloat log and it stops now at Detecting McAfee and goes straight to completed. I checked and it seems like some McAfee residue still remains. Here is the log:

ErrorCode "0x00000063" Result "Failed" ResultDetails "{"Version":1,"SigningCode":649,"EncryptionCode":633,"SigningMsg":"(Success) AccountId:20cba20f-2bbc-475c-9128-b3d420c2431b,PolicyId:9d7445fb-dc2e-469b-83b0-a85fb914eea4,Type:1,Enforce: Enforcement2. OSVersion:10.0.22631,AgentVersion:1.80.132.0. ","EncryptMsg":"run in legacy mode","ExecutionMsg":"ERROR: The process \"LenovoWelcome.exe\" not found.\r\nERROR: The process \"LenovoWelcomeTask.exe\" not found.\r\nERROR: The system was unable to find the specified registry key or value.\r\n\r\n"}" RunAsAccount "System" TargetType "Device"

andrew-s-taylor commented 1 month ago

That error is from one of the Lenovo uninstall scripts, I see that one a lot, but there isn't anything I can do as it's an uninstall script already on the device.

Which parts of McAfee are left? It might just need some manual cleanup added.

tsitsavvy commented 1 month ago

Gotcha, I do thank you for taking the time to help at least! It looks like the shortcut is still in the start menu and pinned. There are also McAfee and McAfeeDashboard under Program Files. I also found a McAfee folder under Program Files\Common Files. Would something like a Remediation script suffice to remove the rest, or is there an easier way?

andrew-s-taylor commented 3 weeks ago

A remediation script would work. If you send me a full list of files, I can try and add them to the script.