Thursday 3 October 2024

Intune: Blocking the Store App While Allowing Store Apps to Update

The configuration profile settings below block the Store app:

Administrative Templates\Windows Components\Store

Turn off the Store application (User): set to Enabled


Administrative Templates\Start Menu and Taskbar

Do not allow pinning Store app to the Taskbar (User): set to Enabled


However you block or allow the Microsoft Store, remember that the Store must remain available for apps deployed from Microsoft Intune to install. At a minimum, configure devices to allow Store apps to update:


Administrative Templates\Windows Components\Store

Allow apps from Microsoft app store to auto update


You can also use the remediation script to allow store app auto update


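Detection Script


# The Store auto-update policy is stored in the AutoDownload value:
# 4 = automatic updates allowed, 2 = automatic updates turned off.
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
$Name = "AutoDownload"
$Value = 4

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value) {
        Write-Output "Compliant"
        Exit 0
    }
    Write-Warning "Not Compliant"
    Exit 1
}
Catch {
    # Key or value is missing: report non-compliant so the remediation runs
    Write-Warning "Not Compliant"
    Exit 1
}


Remediation Script


Write-Host "Required Auto Update"
$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
If (!(Test-Path $store)) {
    New-Item -Path $store -Force | Out-Null
}
# Write the same value name the detection script checks, as a DWORD
Set-ItemProperty -Path $store -Name AutoDownload -Value 4 -Type DWord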


Tuesday 24 September 2024

SCCM Configuration Item to Start, Stop, Refresh and Restart Services on client devices

This post covers how to enable or disable services, and how to start, stop, refresh and restart services, on client devices.

---Monitor Script

# Define the service name

$serviceName = "PFERemediation"

# Confirm the service status

$service = Get-Service -Name $serviceName

 # Check if the service is stopped and disabled

if ($service.Status -eq 'Stopped' -and $service.StartType -eq 'Disabled') {

    Write-Output "compliance"

} else {

    Write-Output "non-compliance"

}

--Remediation Script

# Define the service name

$serviceName = "PFERemediation"

 # Stop the service

Stop-Service -Name $serviceName -Force

# Disable the service

Set-Service -Name $serviceName -StartupType Disabled

 # Confirm the service status

$service = Get-Service -Name $serviceName

# Check if the service is stopped and disabled

if ($service.Status -eq 'Stopped' -and $service.StartType -eq 'Disabled') {

    Write-Output "compliance"

} else {

    Write-Output "non-compliance"

}

More command lines

Set the startup type only:

(Automatic (Delayed Start))

Set-Service -Name "ServiceName" -StartupType AutomaticDelayedStart

OR

(Automatic)

Set-Service -Name "ServiceName" -StartupType Automatic

OR

(Manual)

Set-Service -Name "ServiceName" -StartupType Manual

Set the startup type and start the service:

(Automatic (Delayed Start))

Set-Service -Name "ServiceName" -StartupType AutomaticDelayedStart -Status Running

OR

(Automatic)

Set-Service -Name "ServiceName" -StartupType Automatic -Status Running

OR

(Manual)

Set-Service -Name "ServiceName" -StartupType Manual -Status Running

Disable and stop the service:

Set-Service -Name "ServiceName" -StartupType Disabled -Status Stopped

Note: Set-Service accepts AutomaticDelayedStart only in PowerShell 6 and later; Windows PowerShell 5.1 does not have that value.

Thursday 19 September 2024

SCCM WMI Repair using PowerShell script

 Script 1:

cls

Cd C:\temp\PSTools

$computers = Get-Content "C:\Temp\repairWMI\Input.txt"


Foreach ($computer in $computers)

{

 $filecopy = "\\"+$computer+"\C$"

 $comp = "\\"+$computer

 if (Test-Path $filecopy)

  {

  Copy-Item "C:\Temp\repairWMI\TorepairWMI.ps1" -Destination $filecopy -Force

  Start-sleep 5 

  .\PsExec.exe -i -s $comp PowerShell.exe -noninteractive -File "C:\TorepairWMI.ps1"

   

  }


}

 Script 2:

Function Repair-WMI {

        

        CD C:\Windows\System32\WBEM

        cmd /C "dir /b *.mof *.mfl | findstr /v /i uninstall > moflist.txt & for /F %s in (moflist.txt) do mofcomp %s"

       

        CD "C:\Program Files\Microsoft Policy Platform"

        cmd /C "mofcomp ExtendedStatus.mof"

        # Check PATH

                # Stop WMI

        Stop-Service -Force ccmexec -ErrorAction SilentlyContinue

        Stop-Service -Force winmgmt


        # WMI Binaries

        [String[]]$aWMIBinaries=@("unsecapp.exe","wmiadap.exe","wmiapsrv.exe","wmiprvse.exe","scrcons.exe")

        foreach ($sWMIPath in @(($ENV:SystemRoot+"\System32\wbem"),($ENV:SystemRoot+"\SysWOW64\wbem"))) {

            if(Test-Path -Path $sWMIPath){

                push-Location $sWMIPath

                foreach($sBin in $aWMIBinaries){

                    if(Test-Path -Path $sBin){

                        $oCurrentBin=Get-Item -Path  $sBin

                        & $oCurrentBin.FullName /RegServer

                    }

                    else{

                        # Warning only for System32

                        if($sWMIPath -eq $ENV:SystemRoot+"\System32\wbem"){

                            Write-Warning "File $sBin not found!"

                        }

                    }

                }

               

            }

        }

}

Repair-WMI

Start-sleep 10

Remove-Item C:\TorepairWMI.PS1 -Force

Tuesday 30 July 2024

PowerShell Script - SCCM Remove In progress packages from all Distribution Points

function ExecuteSqlQuery ($Server, $Database, $SQLQuery, $PackageID) {
    $Datatable = New-Object System.Data.DataTable

    $Connection = New-Object System.Data.SQLClient.SQLConnection
    $Connection.ConnectionString = "server='$Server';database='$Database';trusted_connection=true;"
    $Connection.Open()
    $Command = New-Object System.Data.SQLClient.SQLCommand
    $Command.Connection = $Connection
    $Command.CommandText = $SQLQuery
    # Pass the package ID as a SQL parameter rather than building it into the query text
    [void]$Command.Parameters.AddWithValue("@PackageID", $PackageID)
    $Reader = $Command.ExecuteReader()
    $Datatable.Load($Reader)
    $Connection.Close()

    return $Datatable
}

Cls

# Input file: one package ID per line, for example CM0004DF
$packagetoremove = Get-Content -LiteralPath "D:\Script-New\ToremovePackagesFromInProgressDPs\Input.txt"

[string] $Server = "Servername"
[string] $Database = "CM_123"
[string] $UserSqlQuery = "SELECT vSMS_DPStatusDetails.PackageID, v_Package.Name, vSMS_DPStatusDetails.DPName,
CASE
    WHEN vSMS_DPStatusDetails.MessageState = 1 THEN 'Success'
    WHEN vSMS_DPStatusDetails.MessageState = 2 THEN 'InProgress'
    WHEN vSMS_DPStatusDetails.MessageState = 4 THEN 'Failed'
END AS [State]
FROM vSMS_DPStatusDetails INNER JOIN
     v_Package ON vSMS_DPStatusDetails.PackageID = v_Package.PackageID
WHERE vSMS_DPStatusDetails.PackageID = @PackageID and vSMS_DPStatusDetails.MessageState != '1'
GROUP BY vSMS_DPStatusDetails.DPName, vSMS_DPStatusDetails.MessageState, vSMS_DPStatusDetails.PackageID, v_Package.Name
ORDER BY State"

Foreach ($p in $packagetoremove)
{
    # All DPs where this package is not in the Success state
    $Report = @(ExecuteSqlQuery $Server $Database $UserSqlQuery $p.Trim())
    $count = $Report.Count
    $series = 1

    Foreach ($app in $Report)
    {
        $pkgid = $app.PackageID
        $dp = $app.DPName
        $appname = $app.Name

        Write-Host "Removing $appname from $dp ------- $series From total of $count"

        # Unquoted variable: single quotes would pass the literal text '$appname'
        Remove-CMContentDistribution -ApplicationName $appname -DistributionPointName $dp -Force

        $series++
    }
}


Wednesday 13 March 2024

SCCM SQL Query to get BitLocker Recovery Key

 

SELECT

cm.Name,

ck.RecoveryKeyId,

cv.VolumeGuid,

cvt.TypeName AS 'Volume Type',

RecoveryAndHardwareCore.DecryptString(ck.RecoveryKey, DEFAULT) AS RecoveryKey,

RecoveryAndHardwareCore.DecryptBinary(ck.RecoveryKeyPackage, DEFAULT) AS BitLockerRecoveryKeyPackage,

ck.LastUpdateTime

FROM RecoveryAndHardwareCore_Keys ck

INNER JOIN RecoveryAndHardwareCore_Volumes cv on ck.VolumeID = cv.ID

LEFT JOIN RecoveryAndHardwareCore_VolumeTypes cvt on cv.VolumeTypeId = cvt.Id

LEFT JOIN RecoveryAndHardwareCore_Machines_Volumes cmv on cv.Id = cmv.VolumeId

LEFT JOIN RecoveryAndHardwareCore_Machines cm on cmv.MachineId = cm.Id

Friday 16 February 2024

SCCM SQL Query for Windows Build Version and Support State

 select 

VRS.name0 as [Computer Name],

OS.Caption0 as [Operating System],

VRS.User_Name0 , 

WSLN.Value as [Windows 10 build Version],

Case WSLN.Value

WHEN 'Windows 10 2015 LTSB' THEN 'Windows 10, version 2015'

WHEN 'Windows 10 2016 LTSB' THEN 'Windows 10, version 2016'

ELSE WSLN.Value

END as Value,

CASE WSS.Branch  

         WHEN '0' THEN 'Current Branch'  

         WHEN '1' THEN 'Current Branch for Business'  

         WHEN '2' THEN 'Long Term Servicing Branch'  

END as 'Branch',  

CASE WSS.State 

WHEN '1' THEN 'Release Ready'  

WHEN '2' THEN 'Supported'  

WHEN '3' THEN 'Expires Soon'  

WHEN '4' THEN 'End of Life'   

END as 'State',

CHS.ClientStateDescription , 

CHS.LastActiveTime

from v_R_System VRS

JOIN vSMS_WindowsServicingStates WSS on VRS.OSBranch01 = WSS.Branch and VRS.Build01 = WSS.Build

JOIN vSMS_WindowsServicingLocalizedNames WSLN on WSS.Name = WSLN.Name

join v_GS_OPERATING_SYSTEM OS on VRS.ResourceID = OS.ResourceID

join v_CH_ClientSummary CHS on VRS.ResourceID = CHS.ResourceID

Friday 9 February 2024

PowerShell Script to add Operating System Install Date in Registry

 $Date = Get-date 

$Registry = "Registry::HKLM\SOFTWARE\CompanyName"

$Registry1 = "Registry::HKLM\SOFTWARE\CompanyName\OperatingSystem"

$name = "OperatingSystem"

if (!(Test-Path -Path $Registry))

 {

  

  New-Item -Path $Registry -Force | Out-Null

  New-Item -Path $Registry1 -Force | Out-Null

  New-ItemProperty -LiteralPath $Registry1 -Name $name -Value $Date -PropertyType 'String' -Force | Out-Null

 }

Elseif (!(Test-path -Path $Registry1))

 {

   New-Item -Path $Registry1 -Force | Out-Null

  New-ItemProperty -LiteralPath $Registry1 -Name $name -Value $Date -PropertyType 'String' -Force | Out-Null

 }

 Else

 {

 New-ItemProperty -LiteralPath $Registry1 -Name $name -Value $Date -PropertyType 'String' -Force | Out-Null

 }

