Creating a user logged on or off Global Condition

Does anyone have some ideas on how to go about creating a Global Condition for whether a user is logged in or not?  Not a particular user, but ANY user.  

I'm creating a single Application with two Deployment Types. Deployment Type 1 would be an unattended install and only run if the user is logged off.  Deployment Type 2 would be an attended install and only run if a user is logged on and be set to display a progress bar.  I am going to use the Requirements tab of each deployment type to determine if a user is logged on or off.

In SCCM 2007 this was easy with Packages, I could set it to run no matter if the user was logged on or off and just tick the box to allow user interaction.  Since I always use /passive for MSI, it was effective because it would run fine no matter if the user was logged on or off.  As I'm sure everyone knows, the "allow user interaction" box is now grayed out when choose to run "whether or not a user is logged in"

I wish Microsoft would change it back to the old way.

July 17th, 2013 2:08am

No need for a global condition. Just bring up the properties of a deployment type, User Experience tab: you'll find "Logon Requirement" and "Installation Program Visibility" there.
Free Windows Admin Tool Kit Click here and download it now
July 17th, 2013 7:08am

No, that's my point, these options have changed in SCCM 2012 and won't work for my goals.  Let me try to clear it up.  My goals: 

1. Have the program run regardless if the user is logged on. 

2. If the the user is logged on, display a progress bar. 

  • In SCCM 2007, I could just set to run "wether user is logged on or off" and then tick the box for "allow users to interact"
  • In SCCM 2012, when you choose run "wether user is logged on or off", the box to check "allow users to interact" is grayed out.

So to get around this I created two Deployment Types: 

Type 1: [User experience] run only when user is logged on, with box checked allowing user interaction. 

Type 2: [User experience] run wether user is logged on or off, user interaction box grayed out.

Now, for example, a computer that has no user logged in gets the deployment.  It first evaluates Deployment Type 1, and since it meets the requirements (which it would because I haven't added anything to the requirements tab at this point), it evaluates the Deployment Type 1, sees that it is set to run only if a user is logged in, then waits until a user logs on before running.  This is not desired. If a user is logged off, then I would like it to run Deployment Type 2, since it's set to run regardless of a user logged on or off.  However, it will never evaluate Deployment Tyoe 2 because it met the Requirements of Deployment Type 1.  Therefore, if I add a Global Condition to the requirements tab to check for whether a user is logged on or off, the computer recieving the advertisement can properly evaluate the Deployment Types and move on the next Deployment Type if the first one does not apply to it. 

  • Edited by CCsysad Wednesday, July 17, 2013 1:52 PM made clearer
July 17th, 2013 1:49pm

Bump. Anyone?
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2013 3:32pm

been working ourselves down the same path here.

DT1 to be used only when no user is logged on eg for OSD context to be installed from a variable or a silent pust scenario

DT2 to be used interactively by the user. DT2 requires user interaction to display warnings and popups to close down programs and the like before installation starts.

if I get it working ill share our setup, and would very much like to hear the outcomes of your DT1 / DT2 config setup.

July 22nd, 2013 9:34pm

Yeah for sure I'll update this page when I find the solution I want to use. 

Our problem is we have 100% mobile tablet/laptop workforce so they could be anywhere when their PC finally gets the deployment.  I want the unattended to run on as many as possible on a patch night (users are usually logged off during this), but if it hits someone in the middle of the day after patching night because they took their laptop home, I usually like them to see the .msi /passive progress bar.  Plus on non-critical apps we have them as optional "available" installs which we want set to display progress, then take that same app and push it out unattended to upgrade folks that have already optionally installed the app who could be logged on or off.

Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2013 9:45pm

I haven't tried it in the lab yet, but have you tried using two deployment types?

Set the User Experience on one to be "Install for user" for the Installation behavior, which will automatically check the "Allow users to view and interact with the program installation" box, and select "Normal" for Installation program visibility.

On the second deployment type, set the User Experience to be "Install for system" with Logon requirement as "Only when no user is logged on." 

July 22nd, 2013 10:02pm

Nick, I know my explanation is a little wordy in my 7/17/2013 1:49PM posting, but the solution you bring up is exactly what chris20091 and I are talking about, which doesn't work in the situation we are talking about.  And I tried my best to explain why it doesn't work the way you and Torsten think it does, but I'll give it another shot.

We are using two deployments, each with the different settings in the User Experience tab that you have mentioned.  The problem is when using two deployments and nothing specified in the Requirements Tab, the computer analyzes the first deployment, and since the computer meets the settings in the Requirements Tab (since we have put nothing in the requirements tab), the computer will stop at that deployment type and will not analyze the second deployment type.  The settings in the User Experience Tab does not regulate whether or not a deployment is applicable to computer, rather it is only a run condition of the package. As I said, in my application, the computer analyzes the first deployment type, sees that it meets the requirements tab, then when trying to run the program it will analyze the User Experience settings, and if the user is logged on (for example), the computer will just wait for the user to log off before running.  It never analyzes the second deployment type which basically says "run wether or not the user is logged in".

I'm sorry if this isn't a clear explanation, but I think it's the best I can do.  Surely if you set it up in a lab you will see exactly what I'm talking about when looking at the AppEnforce.log.  The last line will read that the program is waiting for the user log on (OR log off depending on which setting you put in the first Deployment Type) and then it will never look at the second Deployment Type.

Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2013 10:24pm

I understand now. Yeah, that's tricky. The best I could think of is setting a Custom requirement that runs a Powershell script to see if a user is logged on. Something like "gwmi win32_computersystem | select username."

I'll try to get this going in the lab to see what I can figur

July 22nd, 2013 11:04pm

yeah that's what i was thinking.  I figured it wasn't too hard to run a script or command that would return a username or a null value (if no user is logged on) but where I was getting lost was configuring it so SCCM would get the result and make a decision based on it.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2013 11:13pm

tried a few times now to create a global condition to "check for user" or "check for process".

this is a really good example for how to say check for outlook as a process :

in my case for the DT1 I would be checking for tsmanager to indicate to me that a task sequence in progress.

unfortunately when I do this during a TS and it attempts to validate this app for deployment it just skips out and never tries.


so far it seems my DT1 must be the OSD version, and I just need to find the right condition to add to ensure it doesn't fire when user installs from SC, and that OSD does pick it. I still cannot select it directly in a TS, I have to set the variable first with the name and then install as a base variable.

I cannot believe setting requirements is this difficult.


right now im experimenting with global condition like this  : [bool] ( get-wmiobject win32_computersystem | select username)

to generate a true/false value that I can control what DT is being used.

all ideas are very appreciated here, this aint easy!

July 25th, 2013 2:28pm

starting to believe powershell script execution is being restricted for my deployment types requirements during OSD.

even a hardcoded true==true type check to return a true from a ps script ends up failing to be detected as valid a deployment type.

good info here about the execution policy :

Free Windows Admin Tool Kit Click here and download it now
July 25th, 2013 9:16pm

Hey, thanks for finding that article!  Using that as inspiration I was able to finally get something working for me.  Basically I followed the article but substituted this for my code:

$currentUser = Get-WmiObject win32_ComputerSystem | select -expand username
$currentUser -eq $null

This will produce a boolean output automatically because of the operator (-eq).  True of no user is logged on false if there is a user logged. It wouldn't work right until I added the (-expand) because the default output has formatting associated with it and as far as I can tell, the expand command strips that.

August 1st, 2013 12:32am

By checking the win32_ComputerSystem object you will only identify if a user is logged onto the console. In the event of users RDPing, or with VDI machines this would not work.

A very simple approach to use is the following one liner:

[bool] (Get-Process explorer ea 0)
If no users are logged on, then the value will be true, otherwise the value will be false. Use this page as a guide on creating the global condition.


  • Edited by ivandretvic Thursday, January 09, 2014 7:36 AM formatting
  • Proposed as answer by Baatch Friday, August 08, 2014 1:48 PM
  • Marked as answer by CCsysad Thursday, December 04, 2014 10:42 PM
Free Windows Admin Tool Kit Click here and download it now
January 9th, 2014 7:35am

I am also trying to figure out how to create this global condition. Is explorer.exe always running if a user is logged in? Is there some official source for this information?


August 8th, 2014 11:48am

explorer.exe is only running if there's a user logged on.
Why do you want to create that global condition? What business case do you want to solve?

Free Windows Admin Tool Kit Click here and download it now
August 8th, 2014 12:35pm

Is there some official source for this information?

The Official source will be the online docs. Have you looked at them?
August 8th, 2014 12:48pm

I found a blog from the Scripting Guy detailing explorer.exe and logged on user

We want to have 1 application with 2 Deployment types for the applications that requires user interaction to be installed (Java/Adobe Reader etc).

The first DT is the regular unattend version of the msi and should run only when there is no logged on user and OSD. 

The second DT is the interactive one with Powershell App Deployment Toolkit and should only run when there is a user logged on.

With this I can deploy 1 single application for both OSD and Software Upgrades and SCCM will handle the logic of which DT to use instead of creating 2 separate applications for each scenario.

  • Edited by Baatch Friday, August 08, 2014 12:49 PM
Free Windows Admin Tool Kit Click here and download it now
August 8th, 2014 12:48pm

I had same situation created two deployment types One for if user is logged in then give user prompt. Other if user is not logged in then install must run immediately. 

Use PowerShell based global condition and add it as requirement  that condition returns true if some one is using PC otherwise false

Let me know if it works. Script is here

Function Get-LogedOnUser($PC){
$computers = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $PC
	Return $false
    Return $true
Get-LogedOnUser -PC $Env:ComputerName

  • Proposed as answer by Hannan Javid Thursday, December 04, 2014 4:41 PM
December 4th, 2014 4:24pm

Hannan, as Ivan points out in his solution, the username in WMI ComputerSystem only acts upon a user logged into the computer's console and not if the user is logged on via RDP or VDI.

Free Windows Admin Tool Kit Click here and download it now
December 4th, 2014 10:51pm

Hannan, as Ivan points out in his solution, the username in WMI ComputerSystem only acts upon a user logged into the computer's console and not if the user is logged on via RDP or VDI.

And I think I solved it since I needed the same functionality as OP!

First of all, according to this article just checking if explorer.exe is running might give you false positives if service accounts are involved. I haven't checked myself though.

This led to to continue searching and I found this website.

Using "query user" actually does both display local console and RDP logon sessions. 

So for neatness sake I just modified that blogger's code from:

$user = query user
$user -is [system.array]


$user = query user

which also just echoes back "true" if a user is logged on (either locally or via RDP) or "false" if no one is logged on. Then just put that in a global condition.

This works great for me.

(I can't post images or links due to some Technet bug since "my account isn't verified". Annoying.)

  • Edited by Dan Ilebro Tuesday, June 02, 2015 10:52 AM
June 2nd, 2015 10:42am

My global condition checks the registry key HKLM\SOFTWARE\Microsoft\CCM\CcmExec,
Value Name ProvisioningMode.

This string value is "true" during OSD, otherwise "false".

Free Windows Admin Tool Kit Click here and download it now
July 8th, 2015 7:23am

@Dan Ilebro...have you verified this works in SCCM as a global condition.  I am using the authors original code containing "$user -is [system.array]" and it is not working for me.  It just keeps skipping my DT1 (user logged on) and goes on to DT2 (no logged on user).  It works in PowerShell, but my Global Condition/Requirements is not cooperating like they should be.

Is there some way to see what the actual value of the Requirement check is returning?  Not just AppEnforce which shows which DT is ultimately picked.

July 13th, 2015 6:52am

I downloaded System Center 2012 R2 Configuration Manager Toolkit from:  This contained "Deployment Monitoring Tool".  Using this I could see the requirements that were not validated, or "False", thereby I knew which was working.  This coupled with AppEnforce.log and AppDiscovery.log you can correlate which IDs are which DTs and which is being evaluated/enforced. 

So, after a bunch of different iterations of Global Conditions, I concluded:

$user = query user
$user -is [system.array]

Does NOT WORK!  I don't know why, because it all checks out on PowerShell Console...but not when I try and use it for Global Condition.  I can only assume it is not returning something right, even though it's Get-Member is "System.Boolean".


$user = query user

This DOES WORK as a Global Condition, however I prefer to go one step further to make it a one-liner, just for personal preference.  Below is the Global Condition I am using and it is now working as intended that DT1 (user logged on) and DT2 (no user logged on) are running accordingly.

[bool](query user)

Hope it helps someone else!  I have been banging my head on this one since Thursday!

Free Windows Admin Tool Kit Click here and download it now
July 13th, 2015 3:53pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics