Skip to content

requirements

napt.requirements

Requirements script generation for Intune Win32 apps.

This module generates PowerShell requirements scripts for Intune Win32 app deployments. Requirements scripts determine if the Update entry should be applicable to a device based on whether an older version is installed.

Requirements Logic
  • Checks HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (always)
  • Checks HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (always)
  • Checks HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (only on 64-bit OS with 64-bit PowerShell process)
  • Checks HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (only on 64-bit OS with 64-bit PowerShell process)
  • Matches by DisplayName (using AppName from recipe or MSI ProductName)
  • If installed version < target version: outputs "Required" and exits 0
  • Otherwise: outputs nothing and exits 0
Installer Type Filtering

Scripts filter registry entries based on installer type to prevent false matches when both MSI and EXE versions of software exist:

  • MSI installers (strict): Only matches registry entries with WindowsInstaller=1. Prevents false matches with EXE versions.
  • Non-MSI installers (permissive): Matches ANY registry entry. Handles EXE installers that run embedded MSIs internally.
Logging
  • Primary (System): C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\NAPTRequirements.log
  • Primary (User): C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\NAPTRequirementsUser.log
  • Fallback (System): C:\ProgramData\NAPT\NAPTRequirements.log
  • Fallback (User): %LOCALAPPDATA%\NAPT\NAPTRequirementsUser.log
  • Log rotation: 2-file rotation (.log and .log.old), configurable max size (default: 3MB)
  • Format: CMTrace format for compatibility with Intune diagnostics
Example

Generate requirements script: 

from pathlib import Path
from napt.requirements import RequirementsConfig, generate_requirements_script

config = RequirementsConfig(
    app_name="Google Chrome",
    version="131.0.6778.86",
)
script_path = generate_requirements_script(
    config=config,
    output_path=Path("builds/chrome/131.0.6778.86/Google-Chrome-131.0.6778.86-Requirements.ps1"),
)

Note

Requirements scripts are saved as siblings to the packagefiles directory to prevent them from being included in the .intunewin package. They should be uploaded separately to Intune as a custom requirement rule with output type String, operator Equals, value "Required".

RequirementsConfig dataclass

Configuration for requirements script generation.

Attributes:

Name Type Description
app_name str

Application name to search for in registry DisplayName.
version str

Target version string (requirement met if installed < this).
log_format LogFormat

Log format (currently only "cmtrace" supported).
log_level LogLevel

Minimum log level (INFO, WARNING, ERROR, DEBUG).
log_rotation_mb int

Maximum log file size in MB before rotation.
app_id str

Application ID (used for fallback if app_name sanitization results in empty string).
is_msi_installer bool

If True, only match MSI-based registry entries. If False, only match non-MSI entries. This prevents false matches when both MSI and EXE versions of software exist with the same DisplayName.
expected_architecture ArchitectureMode

Architecture filter for registry view selection. - "x86": Check only 32-bit registry view - "x64": Check only 64-bit registry view - "arm64": Check only 64-bit registry view (ARM64 uses 64-bit registry) - "any": Check both 32-bit and 64-bit views (permissive)
use_wildcard bool

If True, use PowerShell -like operator for DisplayName matching (supports * and ? wildcards). If False, use exact -eq match.
Source code in napt/requirements.py 
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
@dataclass(frozen=True)
class RequirementsConfig:
    """Configuration for requirements script generation.

    Attributes:
        app_name: Application name to search for in registry DisplayName.
        version: Target version string (requirement met if installed < this).
        log_format: Log format (currently only "cmtrace" supported).
        log_level: Minimum log level (INFO, WARNING, ERROR, DEBUG).
        log_rotation_mb: Maximum log file size in MB before rotation.
        app_id: Application ID (used for fallback if app_name sanitization
            results in empty string).
        is_msi_installer: If True, only match MSI-based registry entries.
            If False, only match non-MSI entries. This prevents false matches
            when both MSI and EXE versions of software exist with the same
            DisplayName.
        expected_architecture: Architecture filter for registry view selection.
            - "x86": Check only 32-bit registry view
            - "x64": Check only 64-bit registry view
            - "arm64": Check only 64-bit registry view (ARM64 uses 64-bit registry)
            - "any": Check both 32-bit and 64-bit views (permissive)
        use_wildcard: If True, use PowerShell -like operator for DisplayName
            matching (supports * and ? wildcards). If False, use exact -eq match.

    """

    app_name: str
    version: str
    log_format: LogFormat = "cmtrace"
    log_level: LogLevel = "INFO"
    log_rotation_mb: int = 3
    app_id: str = ""
    is_msi_installer: bool = False
    expected_architecture: ArchitectureMode = "any"
    use_wildcard: bool = False

generate_requirements_script 

generate_requirements_script(config: RequirementsConfig, output_path: Path) -> Path

Generate PowerShell requirements script for Intune Win32 app.

Creates a PowerShell script that checks Windows uninstall registry keys for software installation and determines if an older version is installed. The script outputs "Required" if installed version < target version, nothing otherwise. Always exits with code 0 so Intune can evaluate STDOUT.

Parameters:

Name Type Description Default
config RequirementsConfig

Requirements configuration (app name, version, logging settings).

 required
output_path Path

Path where the requirements script will be saved.

 required

Returns:

Type Description
Path

Path to the generated requirements script.

Raises:

Type Description
OSError

If the script file cannot be written.
Example

Generate script with default settings: 

from pathlib import Path
from napt.requirements import RequirementsConfig, generate_requirements_script

config = RequirementsConfig(
    app_name="Google Chrome",
    version="131.0.6778.86",
)
script_path = generate_requirements_script(
    config,
    Path("requirements.ps1")
)

Source code in napt/requirements.py 
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
def generate_requirements_script(config: RequirementsConfig, output_path: Path) -> Path:
    """Generate PowerShell requirements script for Intune Win32 app.

    Creates a PowerShell script that checks Windows uninstall registry keys
    for software installation and determines if an older version is installed.
    The script outputs "Required" if installed version < target version,
    nothing otherwise. Always exits with code 0 so Intune can evaluate STDOUT.

    Args:
        config: Requirements configuration (app name, version, logging settings).
        output_path: Path where the requirements script will be saved.

    Returns:
        Path to the generated requirements script.

    Raises:
        OSError: If the script file cannot be written.

    Example:
        Generate script with default settings:
            ```python
            from pathlib import Path
            from napt.requirements import RequirementsConfig, generate_requirements_script

            config = RequirementsConfig(
                app_name="Google Chrome",
                version="131.0.6778.86",
            )
            script_path = generate_requirements_script(
                config,
                Path("requirements.ps1")
            )
            ```

    """
    from napt.logging import get_global_logger

    logger = get_global_logger()

    logger.verbose(
        "REQUIREMENTS", f"Generating requirements script: {output_path.name}"
    )

    # Generate script content from template
    # Use safe_substitute() so PowerShell variables ($$Variable) are preserved
    # as $Variable without raising KeyError for missing placeholders
    script_content = string.Template(_REQUIREMENTS_SCRIPT_TEMPLATE).safe_substitute(
        app_name=config.app_name,
        version=config.version,
        log_rotation_mb=config.log_rotation_mb,
        is_msi_installer="$True" if config.is_msi_installer else "$False",
        expected_architecture=config.expected_architecture,
        display_name_operator="-like" if config.use_wildcard else "-eq",
    )

    # Ensure output directory exists
    output_path.parent.mkdir(parents=True, exist_ok=True)

    try:
        script_bytes = script_content.encode("utf-8")
        output_path.write_bytes(script_bytes)
        logger.verbose("REQUIREMENTS", f"Requirements script written to: {output_path}")
    except OSError as err:
        raise OSError(
            f"Failed to write requirements script to {output_path}: {err}"
        ) from err

    return output_path