Thursday, December 18, 2014

SCCM 2012 Detection Methods



Be careful with the SCCM 2012 Detection Method. It uses a WMI query similar to the one below to determine whether the specified ProductCode GUID is present on a machine. If something somewhere does not match up, it will play havoc with your deployments, especially if the detection method is specified incorrectly for prerequisite packages.

PowerShell command:

Get-WmiObject -Namespace root\ccm\CIModels -Class CCM_MSIProduct | Sort-Object ProductName | Format-Table ProductName,ProductCode,ProductVersion


Spoofing Detection

It is possible to fool SCCM into thinking that an MSI is installed when it is not. Effectively, this spoofs the SCCM MSI detection.

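To do this you need to identify the remixed product code GUID that is used in the registry. For example, this product code GUID
{BD2F44B4-985B-4CCA-A4E7-A2B0AE45442B}
is remixed (rehashed?) to
4B44F2DBB589ACC44A7E2A0BEA5444B2
The original post colors the related sections of the GUID to show how they are remixed: each of the first three groups (BD2F44B4, 985B, 4CCA) is written backwards, and in the remaining 16 digits the two characters of every pair are swapped (A4 becomes 4A, E7 becomes 7E, and so on).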


Install the MSI that SCCM is trying to detect onto a test machine.
Export the following registry keys to separate .reg files.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\<remixed GUID>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<remixed GUID>

Importing the above keys to a target machine will fool SCCM into thinking the MSI is installed.

The following keys (x64) control the display in Programs and Features, but they are not needed for detection spoofing:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD2F44B4-985B-4CCA-A4E7-A2B0AE45442B}
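
For auditing a machine where a detection result looks wrong, the following added example (not code from the original post) converts a ProductCode to the remixed form and reports which of the keys named above exist. The function names are hypothetical, and the WOW6432Node lookup for 32-bit products is an assumption that the post does not cover.

```powershell
# Added audit example; function names are hypothetical, not from the post.
function ConvertTo-PackedGuid {
    param([Parameter(Mandatory)][guid]$ProductCode)
    $hex = $ProductCode.ToString('N').ToUpper()   # 32 hex digits, no braces or dashes
    # Reverse the characters of one group
    $rev = { param($s) $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }
    # The 8-, 4- and 4-digit groups are each written backwards
    $out = (& $rev $hex.Substring(0, 8)) + (& $rev $hex.Substring(8, 4)) + (& $rev $hex.Substring(12, 4))
    # In the last 16 digits the two characters of every pair are swapped
    for ($i = 16; $i -lt 32; $i += 2) {
        $out += $hex.Substring($i + 1, 1) + $hex.Substring($i, 1)
    }
    $out
}

function Test-MsiRegistration {
    param([Parameter(Mandatory)][guid]$ProductCode)
    $packed = ConvertTo-PackedGuid -ProductCode $ProductCode
    $braced = $ProductCode.ToString('B').ToUpper()
    $cv     = 'Microsoft\Windows\CurrentVersion'
    # Keys named in the post
    $classes  = Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Installer\Products\$packed"
    $userData = Test-Path -LiteralPath "HKLM:\SOFTWARE\$cv\Installer\UserData\S-1-5-18\Products\$packed"
    $arp      = Test-Path -LiteralPath "HKLM:\SOFTWARE\$cv\Uninstall\$braced"
    # Assumption (not in the post): 32-bit products on 64-bit Windows register under WOW6432Node
    $arp32    = Test-Path -LiteralPath "HKLM:\SOFTWARE\WOW6432Node\$cv\Uninstall\$braced"
    New-Object -TypeName psobject -Property ([ordered]@{
        ProductCode     = $braced
        PackedGuid      = $packed
        ClassesProduct  = $classes
        UserDataProduct = $userData
        UninstallEntry  = ($arp -or $arp32)
        # Installer product keys without any Uninstall entry: worth a closer look
        NeedsReview     = ($classes -and $userData -and -not ($arp -or $arp32))
    })
}

# The GUID used as the example in the post
Test-MsiRegistration -ProductCode '{BD2F44B4-985B-4CCA-A4E7-A2B0AE45442B}'
```

NeedsReview only flags the pattern described above (Installer product keys present, Programs and Features entry absent); it is a prompt to inspect the machine, not proof that the registration was imported.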


Slightly odd: if the spoofing keys are in place and you run a manual install from the same source specified in the spoof keys, then Windows Installer performs an UNINSTALL.

The same install command, run again, then performs an INSTALL.