Unpinning the Microsoft Store using Intune

The Microsoft Store is a useful app, but realistically no one needs it pinned to the taskbar, especially on Intune-managed machines where you want everyone using Company Portal.

So, how do we remove it? In this post I’m going to run through the 4 different options available to you:

  • Registry
  • PowerShell Script
  • Proactive Remediation
  • Custom OMA-URI
  • ADMX Importing
  • ADMX Ingestion

I should warn you now, two of them simply don’t work!

Registry

The easiest one to start with. If you look at old-fashioned GPO, there is a policy called NoPinningStoreToTaskbar which removes the pin and blocks it from being re-added.

If we visit the ever-useful admx.help website here, we can see the exact registry key it is applying.

Using whatever tool you prefer, simply apply this key:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer]
"NoPinningStoreToTaskbar"=dword:00000001

This isn’t my preferred way though, because it needs a reboot and it just feels a bit clunky.

PowerShell Script

Now we’re more into my territory! We can deploy a PowerShell script in the user context to find the app and unpin it (script here)

##Look through the shell apps list for anything with Store in the name
$finalname = $null
$apps = ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items())
foreach ($app in $apps) {
    $appname = $app.Name
    if ($appname -like "*store*") {
        $finalname = $app.Name
    }
}

##Only call Unpin if a match was found, otherwise .Verbs() is called on $null
if ($finalname) {
    ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $finalname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
}

As you can see, it’s looking through the taskbar for any apps which contain Store, then grabbing the name and calling an Unpin

It’s quick, it’s easy and it works. But, it only runs once…

Proactive Remediations

Enter my favourite: Proactive Remediations. Let’s take the code which works and feed it into a Proactive Remediation; it will give us better control, more reporting, and we can set it to repeat for any naughty users.

First up, we need to detect it (script here)

##We're looping through the verbs so it's going to be easier to count
$pinned = 0
##Find the store app (it may not be present at all)
$store = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | Where-Object { $_.Name -eq "Microsoft Store" }
if ($store) {
    ##Loop through verbs for the store app
    foreach ($verb in $store.Verbs()) {
        ##Is Unpin an option?
        if ($verb.Name -eq "Unpin from tas&kbar") {
            ##Yep, increment the counter
            $pinned++
        }
    }
}

#Has it been found?
if ($pinned -gt 0) {
    Write-Warning "Store has been pinned"
    ##Exit code 1 tells Intune to run the remediation script
    exit 1
}
else {
    Write-Host "Not pinned"
    exit 0
}

This time, we’re looking for any apps with store in the name and then simply checking if we found any. If we did, send an exit 0 and remediate:

Remediation script here

##Look through the shell apps list for anything with Store in the name
$finalname = $null
$apps = ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items())
foreach ($app in $apps) {
    $appname = $app.Name
    if ($appname -like "*store*") {
        $finalname = $app.Name
    }
}

##Only call Unpin if a match was found, otherwise .Verbs() is called on $null
if ($finalname) {
    ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $finalname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
}

Exactly the same as the standard PowerShell script

Custom OMA-URI

After digging through the Microsoft documents, I found the CSP here

Which would give me this URI:

./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningStoreToTaskbar

After deploying the policy with a setting of 1, it immediately failed with a generic error 0x87d1fde8, so off to the Event Logs (Applications and Services – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin).

Checking the registry confirms it isn’t there:

Clearly this policy isn’t yet supported out of the box (which is probably why it’s not in Settings Catalog)
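
Both checks above (event log, then registry) can be run from PowerShell. The script below is an added example, not part of the original post. It assumes the log entries mention the policy name or ADMX_Taskbar in their message text, and the one-day lookback window is an arbitrary choice.

```powershell
# Added example (not from the original post): read-only check of the MDM
# event log and the policy registry value. Run it as the affected user,
# because HKCU is the hive of whichever account runs the script.
$logName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$keyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
$valueName = 'NoPinningStoreToTaskbar'
# Assumption: the log entries name the policy or its ADMX area in the message text
$pattern   = 'NoPinningStoreToTaskbar|ADMX_Taskbar'
# Assumption: the policy was deployed within the last day; widen if not
$since     = (Get-Date).AddDays(-1)

function Get-MdmPolicyEvent {
    param([string]$MessagePattern, [datetime]$StartTime)
    # Level 2 = Error, 3 = Warning
    $filter = @{ LogName = $logName; Level = 2, 3; StartTime = $StartTime }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match $MessagePattern } |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
    catch {
        # Also lands here when the log has no errors or warnings in the window
        Write-Warning "Event log query returned nothing: $($_.Exception.Message)"
    }
}

function Test-PolicyValue {
    # True only when the value exists and is set to 1 (policy enabled)
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

$events = @(Get-MdmPolicyEvent -MessagePattern $pattern -StartTime $since)
$events | Format-List | Out-String | Write-Host
Write-Host ("Matching log entries: {0}" -f $events.Count)
Write-Host ("Policy value present: {0}" -f (Test-PolicyValue))
```

Matching log entries together with a missing policy value correspond to the failure described in this section.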

Let’s try something else

ADMX Importing

Using the new Preview feature to import ADMX files, I grabbed the Taskbar ADMX and ADML files from my domain controller and imported them in

Upload and Import successful, looking positive

So onto a policy:

Safe to say that’s not going to work either. One more thing to try

ADMX Ingestion

The old fashioned approach, first I took the Taskbar.admx policy and stripped out everything I didn’t need, leaving this:

<?xml version="1.0" encoding="utf-8"?>
<!--  (c) 2006 Microsoft Corporation  -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
    <policyNamespaces>
        <target prefix="taskbar" namespace="Microsoft.Policies.TaskBar2" />
        <using prefix="windows" namespace="Microsoft.Policies.Windows" />
    </policyNamespaces>
    <resources minRequiredRevision="1.0" />
    <policies>
        <policy name="NoPinningStoreToTaskbar" class="User" displayName="$(string.NoPinningStoreToTaskbar)" explainText="$(string.NoPinningStoreToTaskbar_Help)" key="Software\Policies\Microsoft\Windows\Explorer" valueName="NoPinningStoreToTaskbar">
            <parentCategory ref="windows:StartMenu" />
            <supportedOn ref="windows:SUPPORTED_Windows_6_3" />
            <enabledValue>
                <decimal value="1" />
            </enabledValue>
            <disabledValue>
                <decimal value="0" />
            </disabledValue>
        </policy>
    </policies>
</policyDefinitions>

Then I created a quick policy to Ingest the ADMX template into here:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MSStore/Policy/TaskbarADMX

Again, another error in Intune, back to the event logs and we have a new error:

Digging around further on Microsoft Docs, I found this page, in particular this part:

As we saw in the original registry key, that’s exactly where it populates!

Conclusion

So, the end result is, until the ADMX policy is allowed, or added to Settings Catalog, PowerShell is basically your only option for dealing with this!
