Page overview
This page presents a sample script needed when using Microsoft Intune to silently install and activate the Josys browser extension on Windows devices.
It is intended for readers who fell under Case C (each user does not have administrator rights on the device, and the UPN is the same as the email address registered in Josys) in "How to silently install and activate the extension on Windows devices using Intune (2/2)".
Intended readers
Persons in charge of planning and carrying out the bulk deployment of the Josys browser extension.
About the browser extension
Please read the following pages first for information about the browser extension.
1. About the browser extension
2. How to use the browser extension
Script
- Copy the script below and paste it into Notepad or a similar editor.
- Change YOUR_ORGANIZATION_KEY in $organizationKey to your company's organization ID as confirmed in Josys.
- Change YOUR_DOMAIN.COM in $fallbackEmailDomain to the domain of your organization's email addresses.
- Save the file under a name such as "josys-extension-config.ps1".
- Confirm that the file type is "Windows PowerShell Script".
- Return to "How to silently install and activate the extension on Windows devices using Intune (1/2)", section "2. Apply the script to target devices", and continue from there.
<#
.SYNOPSIS
    Sets the UserEmail (UPN) and OrganizationKey for Chrome and Edge extensions in the user's registry.
    This script is designed to run in the SYSTEM context via Microsoft Intune.
.DESCRIPTION
    1. Identifies the currently logged-in user by checking the owner of the 'explorer.exe' process.
    2. Retrieves the User Principal Name (UPN) from the IdentityStore registry cache (Plan A).
    3. If Plan A fails, generates the email address using the username and a specified domain (Plan B).
    4. Writes the 'UserEmail' and 'OrganizationKey' to the HKEY_USERS hive for the active user.
    5. If no active user session is found, it exits with an error code (1) to trigger an Intune retry.
.NOTES
    - Run Context: System
    - Log Path: %TEMP%\SetExtensionPolicy_YYYYMMDD_HHMMSS.log
#>

# ==========================================
# Configuration Settings
# ==========================================
# [MANDATORY] Set the OrganizationKey value here
$organizationKey = "YOUR_ORGANIZATION_KEY"
# [MANDATORY] Set the fallback email domain here (e.g., "example.com")
$fallbackEmailDomain = "YOUR_DOMAIN.COM"

# Relative registry key paths for the specific extensions
$chromeRelativePath = "Software\Policies\Google\Chrome\3rdparty\extensions\moaklgcgokbgplldonjkoochhlefkbjf\policy"
$edgeRelativePath = "SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\hjifncajikcdkhlofdjjlhcjoennmdfc\policy"

# ==========================================
# Helper Functions
# ==========================================
# Function to get the active user session (SID and Username) from the explorer.exe process
function Get-ActiveUserSession {
    try {
        $explorerProc = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | Select-Object -First 1
        # If explorer.exe is not running, the user is not fully logged in or desktop is not ready
        if (-not $explorerProc) { return $null }

        $owner = Invoke-CimMethod -InputObject $explorerProc -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { return $null }

        $domain = $owner.Domain
        $user = $owner.User

        # Convert User/Domain to SID
        $ntAccount = New-Object System.Security.Principal.NTAccount($domain, $user)
        $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

        return @{
            UserName = "$domain\$user"
            SID      = $sid
            UserOnly = $user
        }
    } catch {
        Write-Error "Error in Get-ActiveUserSession: $($_.Exception.Message)"
        return $null
    }
}

# Function to retrieve the UPN (UserEmail)
function Get-UserUPN {
    param (
        [string]$TargetSid,
        [string]$TargetUserName,
        [string]$FallbackDomain
    )

    # [Plan A] Retrieve UPN from IdentityStore cache
    try {
        Write-Host "Attempting Plan A: Retrieve UPN from IdentityStore cache..."
        # Search cached user info based on SID
        $regPath = "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\*\IdentityCache\*\$TargetSid"
        $cacheItem = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue | Select-Object -First 1

        if ($cacheItem -and $cacheItem.UserName) {
            $upn = $cacheItem.UserName
            Write-Host "Plan A Success: Found UPN '$upn' from registry cache."
            return $upn
        } else {
            Write-Warning "Plan A failed: Could not find UPN in IdentityStore cache."
        }
    } catch {
        Write-Warning "Plan A failed: $($_.Exception.Message)"
    }

    # [Plan B] Fallback to generated email (Username + Domain)
    $fallbackUPN = "$TargetUserName@$FallbackDomain"
    Write-Host "Plan B: Fallback to generated email '$fallbackUPN'."
    return $fallbackUPN
}

# ==========================================
# Main Execution Logic
# ==========================================
# Set log path with timestamp to avoid overwriting in multi-user environments
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$logPath = "$env:TEMP\SetExtensionPolicy_$timestamp.log"
Start-Transcript -Path $logPath
Write-Host "Script started."

# Validate Organization Key and Fallback Domain
if ([string]::IsNullOrWhiteSpace($organizationKey) -or $organizationKey -eq "YOUR_ORGANIZATION_KEY") {
    Write-Error "CRITICAL ERROR: Please set a valid value for `$organizationKey in the script configuration."
    Stop-Transcript
    exit 1
}
if ([string]::IsNullOrWhiteSpace($fallbackEmailDomain) -or $fallbackEmailDomain -eq "YOUR_DOMAIN.COM") {
    Write-Error "CRITICAL ERROR: Please set a valid value for `$fallbackEmailDomain in the script configuration."
    Stop-Transcript
    exit 1
}

# 1. Identify Target User
$activeUser = Get-ActiveUserSession
if (-not $activeUser) {
    # If no active user is found (explorer.exe not running), exit with error code 1.
    # This ensures Intune reports a failure and retries the script later.
    Write-Error "No active user session found (explorer.exe not running yet). Returning error to trigger retry."
    Stop-Transcript
    exit 1
}
Write-Host "Target User: $($activeUser.UserName)"
Write-Host "Target SID: $($activeUser.SID)"

# 2. Retrieve UPN
$targetUPN = Get-UserUPN -TargetSid $activeUser.SID -TargetUserName $activeUser.UserOnly -FallbackDomain $fallbackEmailDomain
if (-not $targetUPN) {
    Write-Error "Failed to determine UPN. Exiting."
    Stop-Transcript
    exit 1
}
Write-Host "Final UPN to write: $targetUPN"

# 3. Write to Registry
$policies = @(
    @{ Name = "Chrome"; Path = $chromeRelativePath },
    @{ Name = "Edge";   Path = $edgeRelativePath }
)

foreach ($app in $policies) {
    # Construct the full path to HKEY_USERS\<SID>\...
    $fullPath = "Registry::HKEY_USERS\$($activeUser.SID)\$($app.Path)"
    Write-Host "--- Processing $($app.Name) ---"
    Write-Host "Target Registry Path: $fullPath"

    try {
        # Create key if it doesn't exist
        if (-not (Test-Path $fullPath)) {
            New-Item -Path $fullPath -Force | Out-Null
            Write-Host "Created registry key."
        }

        # Write UserEmail
        Set-ItemProperty -Path $fullPath -Name "UserEmail" -Value $targetUPN -Type String -Force
        if ($?) { Write-Host "Set UserEmail: OK" }

        # Write OrganizationKey
        Set-ItemProperty -Path $fullPath -Name "OrganizationKey" -Value $organizationKey -Type String -Force
        if ($?) { Write-Host "Set OrganizationKey: OK" }
    } catch {
        Write-Error "Failed to set registry for $($app.Name): $($_.Exception.Message)"
        # We continue to the next app even if one fails
    }
}

Write-Host "Script execution finished successfully."
Stop-Transcript
exit 0
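To confirm on a device that the deployment script wrote what this page describes, the following added check (example code, not part of the Josys script above) reads back UserEmail and OrganizationKey from every loaded user hive under HKEY_USERS. It assumes it is run in the SYSTEM context as an Intune detection script (exit 0 = compliant, exit 1 = not yet configured) and that $expectedOrganizationKey is replaced with the same value used in the deployment script.

```powershell
<#
  Added verification example, not part of the Josys-provided deployment script.
  Assumption: used as an Intune detection script in the SYSTEM context; it exits 0
  only when every loaded interactive user hive carries the expected policy values.
#>
$expectedOrganizationKey = "YOUR_ORGANIZATION_KEY"   # same value as in the deployment script

# Same extension IDs and relative key paths as the deployment script on this page
$relativePaths = @{
    Chrome = "Software\Policies\Google\Chrome\3rdparty\extensions\moaklgcgokbgplldonjkoochhlefkbjf\policy"
    Edge   = "SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\hjifncajikcdkhlofdjjlhcjoennmdfc\policy"
}

# Loaded interactive user hives: domain SIDs start with S-1-5-21, Azure AD SIDs with S-1-12-1.
# The *_Classes hives are skipped; the policy values are never written there.
$userHives = Get-ChildItem -Path "Registry::HKEY_USERS" |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-' -and $_.PSChildName -notlike '*_Classes' }

if (-not $userHives) {
    # No user is logged on yet, so there is nothing to verify; report non-compliance for now.
    Write-Output "No loaded user hive found; nothing to verify yet."
    exit 1
}

$problems = @()
foreach ($hive in $userHives) {
    foreach ($app in $relativePaths.Keys) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$($relativePaths[$app])"
        $policy = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $policy) {
            $problems += "$app policy key missing for $($hive.PSChildName)"
            continue
        }
        # UserEmail must look like an address (Plan A or Plan B output); OrganizationKey must match exactly.
        if ($policy.UserEmail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += "$app UserEmail invalid ('$($policy.UserEmail)') for $($hive.PSChildName)"
        }
        if ($policy.OrganizationKey -ne $expectedOrganizationKey) {
            $problems += "$app OrganizationKey mismatch for $($hive.PSChildName)"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "Extension policy verified for $($userHives.Count) user hive(s)."
    exit 0
}
$problems | ForEach-Object { Write-Output $_ }
exit 1
```

Each line written with Write-Output shows up in the Intune detection output, so a missing key or a Plan B address that does not match the Josys email can be spotted per device without opening the transcript log.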