BIO 12.06.01

Intune: Allow Store Apps To Update (If Store Enabled)

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Allow Store apps to update = enable automatic updates for Microsoft Store apps (IF Store is enabled - security patches).

Aanbeveling
N/A (if Store disabled)
Risico zonder
N/A
Risk Score
10/10
Implementatie
0u
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Store app updates = security patches: Store apps: UWP apps from Microsoft Store (if Store enabled), Security updates: App vulnerabilities patched (automatic updates), Blocking updates: Outdated apps = vulnerable (exploits). IF Store disabled (recommended): This policy = N/A (no Store apps installed), IF Store enabled: Allow updates = security patches applied. Recommendation: Disable Store entirely (previous controls) β†’ this policy becomes irrelevant.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Allow Store updates: Policy: Turn off Automatic Download and Install of updates: Not configured (allow updates), Effect: Store apps auto-update (security patches), Use case: IF Store is enabled (not recommended for enterprise). Best practice: Disable Store β†’ N/A.

Vereisten

  1. Windows 10/11
  2. Microsoft Store ENABLED (not recommended)
  3. Intune subscription

Implementatie

IF Store enabled: Intune Settings Catalog β†’ Store β†’ Turn off Automatic Download and Install of updates: Not configured (allow updates). RECOMMENDATION: Disable Store instead β†’ this policy = N/A.

Compliance

BIO 12.06 (Patch management).

Monitoring

Gebruik PowerShell-script allow-apps-from-the-microsoft-app-store-to-update-is-set-to-allowed.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script allow-apps-from-the-microsoft-app-store-to-update-is-set-to-allowed.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Update Management: Allow Microsoft Store App Updates .DESCRIPTION CIS - Microsoft Store apps moeten updates kunnen ontvangen. .NOTES Filename: allow-store-app-updates.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload|Expected: 4 (Allow) #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"; $RegName = "AutoDownload"; $ExpectedValue = 4 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "store-app-updates.ps1"; PolicyName = "Store App Updates"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Allowed"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Store updates allowed" }else { $r.Details += "Store updates: $($v.$RegName)" } }else { $r.IsCompliant = $true; $r.Details += "Default: allowed" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Store app updates allowed" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
N/A: N/A - Recommendation: Disable Store (previous controls).

Management Samenvatting

Store app updates = N/A if Store disabled (recommended). IF Store enabled: Allow updates (security patches). BEST: Disable Store. Implementatie: 0 uur (N/A).