How to manage Windows Store apps in an Enterprise environment with SCCM

Why do I write this story?

Microsoft tends to reapply the store apps after a Feature Update (the semi-annual update, the spring and autumn release). There are more solutions to remove the apps than this one (this is actually pretty neat).

Besides that I want a single solution for newly deployed machines as well as currently deployed or upgraded machine. And that solution needs to be very light in maintenance.

But the problem I ran into is that it is fixing the issue at specific moments that needs management.

How is this solution different?

The solution I use is based on DCM (Desired Configuration Management). The beauty about DCM is you don’t need to look after it, just check the compliancy once and a while.

You can set the DCM to check the status every hour/day/week or any suitable schedule. According to your liking you can set it to remediate to current status.

What does it look like?

The components in DCM that you need are Configuration Items which are put into a Baseline that you deploy to a Device collection.

The Configuration Item

The configuration item consists of 3 major items (as shown in the images above). A Discovery Script, a compliancy rule and a remediation script. The scripts I use are compatible with Provisioned Packages or just Appx Packages.

The discovery script is performing a check to see if the condition is true or not. In this case the script will return “Compliant” when the app is not there and it will return some information about which appx on which machine is detected.

$appname = "Microsoft.3DBuilder"

# Only edit $appName above
# script below, do not edit
$apps = Get-AppxProvisionedPackage -Online
If ($($apps.Displayname) -notcontains $appname) {
    $Compliance = "Compliant"
} Else { 
    $Compliance = "$($env:computername) - AppxProvisionedPackage - $appname;"

$apps = Get-AppxPackage -AllUsers -Name $appname
If ($($apps.Name) -notcontains $appname) {
    $Compliance = "Compliant"
} Else { 
    $Compliance += "; $($env:computername) - AppxPackage -  $appname"
Return $Compliance

The remediation script looks similar and will only be initiated when the discovery script doesn’t return the string “compliant”.

$appname = "Microsoft.3DBuilder"

# Only edit $appName above
# script below, do not edit

#Provisioned App
$app = Get-AppxProvisionedPackage -Online | Where {$_.Displayname -eq $appname}
If ($app -is [system.object]) {
    $app | Remove-AppxProvisionedPackage -Online 

#Non Provisioned App
If ($(Get-AppxPackage -AllUsers -Name $appname) -is [system.object]) {
    Get-AppxPackage -AllUsers -Name $appname | Remove-AppxPackage -AllUsers

If the machine is complaint or not is determined by the rule as shown here below.

The tickbox “Run the specified …” determines if the remediation script is initiated. If not enabled this configuration item a so called monitoring item. This can be useful in test mode.

Now it has to come together in a Baseline

One or more Configuration Items needs to be bound together in a Baseline. Only a baseline can be deployed to a collection. This is an example of a list of applications that I set to be removed.

Deployment considerations

Be aware that when you deploy the baseline you also need to enable remediation when needed. At first this is confusing but when you think about it, it is very powerfull.

You can use the same baseline to inventory/monitor one collection and remediate another collection at the same time. For example you deploy in remediation-mode to a test collection but you deploy in monitor-mode to the whole production environment.

Hope this article helped you
find your fitting solution for your environment.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.