Les entreprises intègrent de plus en plus de solutions numériques, la gestion et le déploiement des logiciels deviennent donc primordiaux. C’est pourquoi le Microsoft Store constitue un élément central, offrant un vaste répertoire d’applications et de services. Comprendre comment activer le Microsoft Store pour tous les utilisateurs peut s’avérer essentiel, en particulier pour les opérations informatiques à grande échelle.
Contexte
Le Microsoft Store a été introduit pour simplifier le processus de déploiement des applications. Cependant, il peut arriver que le Microsoft Store soit désactivé par défaut ou par le biais de certaines politiques. Pour les professionnels de l’informatique et les fournisseurs de services gérés (MSP), avoir la capacité de l’activer sur plusieurs profils d’utilisateurs n’est pas seulement une commodité, c’est une nécessité. Entrez dans le script fourni, un outil puissant conçu pour activer le Microsoft Store pour tous les utilisateurs, qu’ils soient existants ou nouvellement créés.
Le script :
#Requires -Version 5.1
<# .SYNOPSIS Enables the Windows Store for all users and newly created users. .DESCRIPTION Enables the Windows Store for all users and newly created users. No parameters needed Enables the Windows Store for all users and newly created users. .EXAMPLE (No Parameters) Enables the Windows Store for all users and newly created users. .OUTPUTS None .NOTES Minimum OS Architecture Supported: Windows 10, Server 2016 Release Notes: Initial Release By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use. Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA). #>
[CmdletBinding()]
param ()
begin {
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
function Test-IsSystem {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
return $id.Name -like "NT AUTHORITY*" -or $id.IsSystem
}
if (!(Test-IsElevated) -and !(Test-IsSystem)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
# Setting up some functions to be used later.
function Set-HKProperty {
param (
$Path,
$Name,
$Value,
[ValidateSet('DWord', 'QWord', 'String', 'ExpandedString', 'Binary', 'MultiString', 'Unknown')]
$PropertyType = 'DWord'
)
if (-not $(Test-Path -Path $Path)) {
# Check if path does not exist and create the path
New-Item -Path $Path -Force | Out-Null
}
if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
# Update property and print out what it was changed from and changed to
$CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
try {
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "$Path$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
else {
# Create property with value
try {
New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "Set $Path$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
}
# This will get all the registry path's for all actual users (not system or network service account but actual users.)
function Get-UserHives {
param (
[Parameter()]
[ValidateSet('AzureAD', 'DomainAndLocal', 'All')]
[String]$Type = "All",
[Parameter()]
[String[]]$ExcludedUsers,
[Parameter()]
[switch]$IncludeDefault
)
# User account SID's follow a particular patter depending on if they're azure AD or a Domain account or a local "workgroup" account.
$Patterns = switch ($Type) {
"AzureAD" { "S-1-12-1-(d+-?){4}$" }
"DomainAndLocal" { "S-1-5-21-(d+-?){4}$" }
"All" { "S-1-12-1-(d+-?){4}$" ; "S-1-5-21-(d+-?){4}$" }
}
# We'll need the NTuser.dat file to load each users registry hive. So we grab it if their account sid matches the above pattern.
$UserProfiles = Foreach ($Pattern in $Patterns) {
Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionProfileList*" |
Where-Object { $_.PSChildName -match $Pattern } |
Select-Object @{Name = "SID"; Expression = { $_.PSChildName } },
@{Name = "UserHive"; Expression = { "$($_.ProfileImagePath)NTuser.dat" } },
@{Name = "UserName"; Expression = { "$($_.ProfileImagePath | Split-Path -Leaf)" } }
}
# There are some situations where grabbing the .Default user's info is needed.
switch ($IncludeDefault) {
$True {
$DefaultProfile = "" | Select-Object UserName, SID, UserHive
$DefaultProfile.UserName = "Default"
$DefaultProfile.SID = "DefaultProfile"
$DefaultProfile.Userhive = "$env:SystemDriveUsersDefaultNTUSER.DAT"
# It was easier to write-output twice than combine the two objects.
$DefaultProfile | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output
}
}
$UserProfiles | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output
}
}
process {
$Path = "SoftwarePoliciesMicrosoftWindowsStore"
$Name = "RemoveWindowsStore"
$Value = 0
# Get each user profile SID and Path to the profile. If there are any exclusions we'll have to take them into account.
$UserProfiles = Get-UserHives -IncludeDefault
# If the Disable-WindowsStore script was used we'll need to check applocker
[xml]$AppLockerXML = Get-AppLockerPolicy -Local -Xml
if ($AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule) {
$AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule | ForEach-Object {
if (($_.Action -eq "Deny") -and ($_.Conditions.FilePublisherCondition.ProductName -like "*Microsoft.WindowsStore*")) {
Write-Warning "Removing AppLocker file publishing rules for the Windows Store!"
[Void]$_.ParentNode.RemoveChild($_)
}
}
if($AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule.id.Count -eq "1" -and $AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule.Name -eq "(Default Rule) All signed packaged apps"){
$AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule | ForEach-Object {
if($_.ParentNode){
[Void]$_.ParentNode.RemoveChild($_)
}
}
$AppLockerXML.AppLockerPolicy.RuleCollection | ForEach-Object {
if($_.Type -eq "Appx"){
$_.EnforcementMode = "NotConfigured"
}
}
}
$AppLockerXML.Save("$env:TEMPapplocker.xml")
Set-AppLockerPolicy -XmlPolicy "$env:TEMPapplocker.xml"
Remove-Item "$env:TEMPapplocker.xml"
}
$script:DisabledWinRun = $true
$failedUsers = @()
# Loop through each profile on the machine
Foreach ($UserProfile in $UserProfiles) {
# Load User ntuser.dat if it's not already loaded
If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS$($UserProfile.SID)) -eq $false) {
Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe LOAD HKU$($UserProfile.SID) `"$($UserProfile.UserHive)`"" -Wait -WindowStyle Hidden
}
# Manipulate the registry
$key = "Registry::HKEY_USERS$($UserProfile.SID)$($Path)"
Set-HKProperty -Path $key -Name $Name -Value $Value -PropertyType DWord
if ($(Get-ItemProperty -Path $key -Name $Name -ErrorAction Ignore).$Name -ne $Value) {
$script:DisabledWinRun = $false
$failedUsers += $UserProfile.UserName
}
# Unload NTuser.dat
If ($ProfileWasLoaded -eq $false) {
[gc]::Collect()
Start-Sleep 1
Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe UNLOAD HKU$($UserProfile.SID)" -Wait -WindowStyle Hidden | Out-Null
}
}
Start-Sleep -Seconds 30
if ($script:DisabledWinRun) {
# All $UserProfiles updated
exit 0
}
else {
$failedUsers | ForEach-Object { Write-Error "Failed to update user `"$_`"" }
Write-Error "One or more user profiles failed to update"
exit 1
}
}
end {}
|
#Requires -Version 5.1
<#
.SYNOPSIS
Enables the Windows Store for all users and newly created users.
.DESCRIPTION
Enables the Windows Store for all users and newly created users.
No parameters needed
Enables the Windows Store for all users and newly created users.
.EXAMPLE
(No Parameters)
Enables the Windows Store for all users and newly created users.
.OUTPUTS
None
.NOTES
Minimum OS Architecture Supported: Windows 10, Server 2016
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>
[CmdletBinding()]
param ()
begin {
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
function Test-IsSystem {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
return $id.Name -like "NT AUTHORITY*" -or $id.IsSystem
}
if (!(Test-IsElevated) -and !(Test-IsSystem)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
# Setting up some functions to be used later.
function Set-HKProperty {
param (
$Path,
$Name,
$Value,
[ValidateSet('DWord', 'QWord', 'String', 'ExpandedString', 'Binary', 'MultiString', 'Unknown')]
$PropertyType = 'DWord'
)
if (-not $(Test-Path -Path $Path)) {
# Check if path does not exist and create the path
New-Item -Path $Path -Force | Out-Null
}
if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore)) {
# Update property and print out what it was changed from and changed to
$CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name
try {
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "$Path$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
else {
# Create property with value
try {
New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
Write-Error $_
exit 1
}
Write-Host "Set $Path$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction Ignore).$Name)"
}
}
# This will get all the registry path's for all actual users (not system or network service account but actual users.)
function Get-UserHives {
param (
[Parameter()]
[ValidateSet('AzureAD', 'DomainAndLocal', 'All')]
[String]$Type = "All",
[Parameter()]
[String[]]$ExcludedUsers,
[Parameter()]
[switch]$IncludeDefault
)
# User account SID's follow a particular patter depending on if they're azure AD or a Domain account or a local "workgroup" account.
$Patterns = switch ($Type) {
"AzureAD" { "S-1-12-1-(d+-?){4}$" }
"DomainAndLocal" { "S-1-5-21-(d+-?){4}$" }
"All" { "S-1-12-1-(d+-?){4}$" ; "S-1-5-21-(d+-?){4}$" }
}
# We'll need the NTuser.dat file to load each users registry hive. So we grab it if their account sid matches the above pattern.
$UserProfiles = Foreach ($Pattern in $Patterns) {
Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionProfileList*" |
Where-Object { $_.PSChildName -match $Pattern } |
Select-Object @{Name = "SID"; Expression = { $_.PSChildName } },
@{Name = "UserHive"; Expression = { "$($_.ProfileImagePath)NTuser.dat" } },
@{Name = "UserName"; Expression = { "$($_.ProfileImagePath | Split-Path -Leaf)" } }
}
# There are some situations where grabbing the .Default user's info is needed.
switch ($IncludeDefault) {
$True {
$DefaultProfile = "" | Select-Object UserName, SID, UserHive
$DefaultProfile.UserName = "Default"
$DefaultProfile.SID = "DefaultProfile"
$DefaultProfile.Userhive = "$env:SystemDriveUsersDefaultNTUSER.DAT"
# It was easier to write-output twice than combine the two objects.
$DefaultProfile | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output
}
}
$UserProfiles | Where-Object { $ExcludedUsers -notcontains $_.UserName } | Write-Output
}
}
process {
$Path = "SoftwarePoliciesMicrosoftWindowsStore"
$Name = "RemoveWindowsStore"
$Value = 0
# Get each user profile SID and Path to the profile. If there are any exclusions we'll have to take them into account.
$UserProfiles = Get-UserHives -IncludeDefault
# If the Disable-WindowsStore script was used we'll need to check applocker
[xml]$AppLockerXML = Get-AppLockerPolicy -Local -Xml
if ($AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule) {
$AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule | ForEach-Object {
if (($_.Action -eq "Deny") -and ($_.Conditions.FilePublisherCondition.ProductName -like "*Microsoft.WindowsStore*")) {
Write-Warning "Removing AppLocker file publishing rules for the Windows Store!"
[Void]$_.ParentNode.RemoveChild($_)
}
}
if($AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule.id.Count -eq "1" -and $AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule.Name -eq "(Default Rule) All signed packaged apps"){
$AppLockerXML.AppLockerPolicy.RuleCollection.FilePublisherRule | ForEach-Object {
if($_.ParentNode){
[Void]$_.ParentNode.RemoveChild($_)
}
}
$AppLockerXML.AppLockerPolicy.RuleCollection | ForEach-Object {
if($_.Type -eq "Appx"){
$_.EnforcementMode = "NotConfigured"
}
}
}
$AppLockerXML.Save("$env:TEMPapplocker.xml")
Set-AppLockerPolicy -XmlPolicy "$env:TEMPapplocker.xml"
Remove-Item "$env:TEMPapplocker.xml"
}
$script:DisabledWinRun = $true
$failedUsers = @()
# Loop through each profile on the machine
Foreach ($UserProfile in $UserProfiles) {
# Load User ntuser.dat if it's not already loaded
If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS$($UserProfile.SID)) -eq $false) {
Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe LOAD HKU$($UserProfile.SID) `"$($UserProfile.UserHive)`"" -Wait -WindowStyle Hidden
}
# Manipulate the registry
$key = "Registry::HKEY_USERS$($UserProfile.SID)$($Path)"
Set-HKProperty -Path $key -Name $Name -Value $Value -PropertyType DWord
if ($(Get-ItemProperty -Path $key -Name $Name -ErrorAction Ignore).$Name -ne $Value) {
$script:DisabledWinRun = $false
$failedUsers += $UserProfile.UserName
}
# Unload NTuser.dat
If ($ProfileWasLoaded -eq $false) {
[gc]::Collect()
Start-Sleep 1
Start-Process -FilePath "cmd.exe" -ArgumentList "/C reg.exe UNLOAD HKU$($UserProfile.SID)" -Wait -WindowStyle Hidden | Out-Null
}
}
Start-Sleep -Seconds 30
if ($script:DisabledWinRun) {
# All $UserProfiles updated
exit 0
}
else {
$failedUsers | ForEach-Object { Write-Error "Failed to update user `"$_`"" }
Write-Error "One or more user profiles failed to update"
exit 1
}
}
end {}
Accédez à plus de 700 scripts dans le Dojo NinjaOne
Description détaillée
Le script fonctionne selon une séquence claire :
Initialisation :
- Deux fonctions, Test-IsElevated et Test-IsSystem, vérifient que le script dispose des droits requis.
- Le script met ensuite en place une autre fonction, Set-HKProperty, pour faciliter les opérations de registre.
- Une fonction plus complexe, Get-UserHives, récupère les chemins d’accès au registre pour tous les utilisateurs réels.
Processus :
- Il définit le chemin, le nom et la valeur pour activer le Microsoft Store.
- Il récupère les profils des utilisateurs et vérifie s’il existe des règles de verrouillage des applications susceptibles d’empêcher l’accès au Microsoft Store, en apportant les modifications nécessaires.
- Il interroge chaque profil d’utilisateur, en manipulant le registre pour s’assurer que le Microsoft Store est activé.
- Il valide le succès de l’opération.
Fin :
- Le script se termine par un retour d’information sur l’état de la situation.
Cas d’utilisation potentiels
Étude de cas : Imaginez un grand établissement d’enseignement en train de migrer son infrastructure logicielle. Il a récemment intégré l’écosystème de Microsoft, mais découvre que le Microsoft Store est inaccessible aux étudiants et aux professeurs. Au lieu de configurer individuellement des milliers de profils, notre script résout le problème en une seule fois, garantissant à chacun un accès rapide aux applications nécessaires.
Comparaisons
Si les configurations manuelles ou l’utilisation d’outils distincts sont des options, elles peuvent être lourdes et sujettes à des erreurs, en particulier à grande échelle. Ce script automatise et rationalise le processus, réduisant considérablement le risque d’erreurs tout en économisant du temps.
FAQ
- Des droits d’administrateur sont-ils nécessaires pour exécuter ce script ?
Oui, cela nécessite des privilèges élevés. - Ce script fonctionnera-t-il sur les anciennes versions de Windows ?
Il est conçu pour Windows 10 et Server 2016. - Certains utilisateurs peuvent-ils être exclus ?
Oui, les exclusions peuvent être gérées par les paramètres de la fonction Get-UserHives.
Implications
Bien que le script simplifie grandement l’activation du Microsoft Store, un accès non surveillé peut exposer les utilisateurs à des applications non approuvées. Les professionnels de l’informatique doivent assurer un équilibre entre l’accessibilité et la sécurité, en tenant compte des vulnérabilités potentielles.
Recommandations
- Sauvegardez toujours les paramètres actuels avant de déployer de tels scripts.
- Examinez régulièrement les applications activées dans le Microsoft Store pour s’assurer qu’elles sont conformes aux directives de l’entreprise.
- Sensibilisez en permanence les utilisateurs aux bonnes pratiques en matière d’applications.
Conclusions
NinjaOne, avec son approche globale de l’informatique, complète des outils tels que ce script, en offrant une gestion optimale et une supervision plus complète. En intégrant les deux, les professionnels de l’informatique peuvent non seulement activer le Microsoft Store de manière simple, mais aussi garantir que son utilisation est optimisée et sécurisée.
