Windows 11 & Sticky Notes

[Devastator0]

Hi TPU Brainstrust,

I need some assistance/advice.

So, globally, my workplace is rolling out (via SCCM) Windows 11 to the bulk of users however, in the early stage of the rollout, we've seen an issue with both our Windows 11 21H2 & 22H2 images where, post deployment, if you try and run the Sticky Notes application you are prompted with a message saying that Sticky Notes requires an update before it'll work. Unfortunately, and I imagine that there is some logic behind it, my employer blocks connection to the Microsoft Store so no actual way to perform an update via that method.

I was wondering if anyone knew of a way of independently running something on a device which would allow the app to run the update and allow it to be functional?

I know this might seem like a silly, minor thing, but we've already had complaints from end users about it and the people who are actually responsible for the SOE and this sort of stuff can't seem to figure it out so I thought I'd throw the question out to the TPU community.

Would appreciate any advice/suggestions in regards to this!

 

[Space Lynx]

Not allowing Microsoft Store updates seems like a huge security risk to me, so the first thing I would do would be inform the IT Department about that, surely they aren't that incompetent.

also you will get more responses if you ask your question here:

Windows 11 General Discussion

With the leak and/or release of the Alpha build, the announcements and release of the Insider builds of Windows 11 there has been a lot of discussions in other threads that seem to be getting very off topic for those threads. It seems like good idea for Windows 11 to have it's own general...

www.techpowerup.com

 

[Bill_Bright]

Not allowing Microsoft Store updates seems like a huge security risk to me

Employers blocking access by their employees is a pretty common practice and actually eliminates a huge security risk, when properly managed.

By blocking such access, it prevents individual employees from downloading this and that, willy-nilly. It gives control over which updates, when and where updates will be applied, and by whom. In other words, it puts the responsibility and authority where it belongs - on the IT manager, not individual employees who may, or may not have any expertise in computer/network maintenance/support. That's a good thing.

Now, if the OP is the IT manager for the company and the employer does not allow even the IT manager access and has not explained the logic for blocking such access, that's a whole 'nother issue he needs to take up with the employer, and not here. We should not be helping users circumvent company policies.

 

[Devastator0]

Employers blocking access by their employees is a pretty common practice and actually eliminates a huge security risk, when properly managed.

By blocking such access, it prevents individual employees from downloading this and that, willy-nilly. It gives control over which updates, when and where updates will be applied, and by whom. In other words, it puts the responsibility and authority where it belongs - on the IT manager, not individual employees who may, or may not have any expertise in computer/network maintenance/support. That's a good thing.

Now, if the OP is the IT manager for the company and the employer does not allow even the IT manager access and has not explained the logic for blocking such access, that's a whole 'nother issue he needs to take up with the employer, and not here. We should not be helping users circumvent company policies.

Yeah, so, I'm a Field Tech engineer in one of the countries that my company exists and we've been fielding complaints about this from our end users. We've obviously reported this back to our central IT head office overseas but they don't seem to be able to come up with a solution for this (it's been outstanding for a while now supposedly). I'm not attempting to circumvent company policies, just trying to get some help in potentially providing an alternate solution to our central guys so that the necessary update(s) can be completed without needing to open up the Microsoft Store.

You're also right in saying that blocking the MS Store is to stop individual employees downloading garbage from there. They haven't explicitly said that this is why they do it, I'm just making an educated guess in that.

 

[OneMoar]

get a better IT company one that knows what they are doing because they ones you have Don't have a clue how to configure a windows 10/11 install

odds are they have messed with group policy or are running users with restricted perms which is preventing the store from querying weather or not the app install is complete
which causes this exact error
the solution is to login once with a administrator account and run the store app so it can finish setting up
or they have indeed disabled the installation of windows store apps but didn't set the policy to wait long enough post OOBE for the locally installed apps to finish setting up

there is no solution that doesn't require administrative permissions (downloading the appx package offline is possible but requires admin permisisons to install) and also won't bypass the default of not allowing sideload of appx packages

you can try using a chrome extension but some how I doubt you have permissions for that

Sticky Notes - Chrome Web Store

The first, truly sticky app for notes on your desktop! It is easy to manage and customize. Now also supports speech recognition!

chrome.google.com

tl;dr: you are f****d

 

[lexluthermiester]

I was wondering if anyone knew of a way of independently running something on a device which would allow the app to run the update and allow it to be functional?

If your employer is blocking it, they have good reason. Trying to find a way around such a limitation is grounds for termination with most companies and, depending on where you work, could be unlawful. It would be best for you to share your problem with the system/IT administrators and ask them for help. It might be as simple as patching an update package into the system images. That would depend greatly on the configuration your employer is using for software package deployment.

Not allowing Microsoft Store updates seems like a huge security risk to me

The opposite is actually true. Blocking services and API's access to the internet is standard practice for many companies because allowing such access is a HUGE security risk.

 

[Space Lynx]

The opposite is actually true. Blocking services and API's access to the internet is standard practice for many companies because allowing such access is a HUGE security risk.

well I just find it confusing, because lets say your company has windows 11 and uses sticky notes, well sticky notes connects to the internet because it syncs with the cloud, whether or not you have that sync setup is moot, it has actual code that connects sticky notes to the internet, so if a security vulnerability comes out for sticky notes, but its never being updated in the main windows 11 update rollout, and instead requires that security hole to be patched through a windows store sticky notes app update, doesn't that therefore mean the security risk increases by not having the IT department update microsoft apps occasionally but then after updating disconnect them from said updates at the end user level?

 

[Devastator0]

get a better IT company one that knows what they are doing

It's all internal, no external vendor.

odds are they have messed with group policy or are running users with restricted perms which is preventing the store from querying weather or not the app install is complete

No, so all users are blocked from accessing the store. When you attempt to launch it, you see the Store interface for like 1 second and then you get a message with an error code saying that access to the store has been blocked by your administrator. The problem is I think the particular image that they've taken for Windows 11. It is quite old and I'm guessing that when you attempt to first run Sticky Notes, it is able to check (somehow) that it needs an update but can't reach it due to the MS Store being blocked by GPO.

the solution is to login once with a administrator account and run the store app so it can finish setting up

This won't work either. There are no domain admin accounts and the local admin accounts that we can utilise also cannot access the store. It's blocked at group policy level.

It might be as simple as patching an update package into the system images

Yeah, that's what I'm thinking it might be however, until such a thing is fixed, I'm trying to see if there is an updated package for Sticky Notes available that can be downloaded and run manually using a local admin account (which I can use).

That would depend greatly on the configuration your employer is using for software package deployment.

At my workplace, SCCM along with Adaptiva for content distribution is used for Software Package deployment.

 

[Bill_Bright]

doesn't that therefore mean the security risk increases by not having the IT department update microsoft apps occasionally

I am afraid you are putting the wrong cart in front of the horse.

Nobody said or even implied that the IT department is not updating MS apps. What we said is the IT department is simply (and appropriately) managing which apps, when, how they are being updated, and, perhaps most importantly, by whom.

Management 101 says if you (the boss) are going to make someone responsible for something (IT dept for security and updates), you MUST give them the authority to carry out those duties.

If all the employees are able to upgrade their systems whenever they want, with whatever they want, that removes the authority to control the process from those who are responsible. When it comes to IS/IT security, that is a HUGE, potentially catastrophic risk - not to mention a HUGE upper management blunder.

 

[Space Lynx]

I am afraid you are putting the wrong cart in front of the horse.

Nobody said or even implied that the IT department is not updating MS apps. What we said is the IT department is simply (and appropriately) managing which apps, when, how they are being updated, and, perhaps most importantly, by whom.

Management 101 says if you (the boss) are going to make someone responsible for something (IT dept for security and updates), you MUST give them the authority to carry out those duties.

If all the employees are able to upgrade their systems whenever they want, with whatever they want, that removes the authority to control the process from those who are responsible. When it comes to IS/IT security, that is a HUGE, potentially catastrophic risk - not to mention a HUGE upper management blunder.

I still don't understand, because in the original post it states "sticky notes needs an update" is the issue.

 

[R-T-B]

Nobody said or even implied that the IT department is not updating MS apps. What we said is the IT department is simply (and appropriately) managing which apps, when, how they are being updated, and, perhaps most importantly, by whom.

It sounds an awful lot to me like they are just blocking the windows store domain at the DNS level bill. Perhaps OP could clarify though. Doing that would indeed be a pretty questionable practice.

 

[Bill_Bright]

because in the original post it states "sticky notes needs an update" is the issue

That's his claimed issue. You imply it is up the to employee to decide what updates, when and how they will be applied. That's not how it works in many companies - especially where centrally managed, identical workstations are desired

I know where I used to work, for example, where we had 400+ nodes in one facility, all approved updates were applied by the IT department, Friday night/Saturday morning.

As R-T-B notes, we need more information before we here at TPU can really understand the issue.

I will add if the OP cannot do his job because of this, he needs to report the problem to his supervisor and let it be handled at that level.

 

[lexluthermiester]

well sticky notes connects to the internet because it syncs with the cloud

It doesn't have to or need to. Sticky Notes are for sticking notes to the desktop. Syncing is a luxury that is completely unneeded.

so if a security vulnerability comes out for sticky notes, but its never being updated in the main windows 11 update rollout, and instead requires that security hole to be patched through a windows store sticky notes app update, doesn't that therefore mean the security risk increases by not having the IT department update microsoft apps occasionally but then after updating disconnect them from said updates at the end user level?

If the user/apps don't have access to the internet, there is no security risk.

 

[Bill_Bright]

Syncing is a luxury that is completely unneeded.

Unless there is a need for different employees to share those notes, or for employees to share between their own devices (work PC and laptop, for example). But that then introduces another layer of security concerns - especially if multiple employees need access.

If the user/apps don't have access to the internet, there is no security risk.

Totally agree. So we are back to the fact allowing employees free access to the MS store and other sites that allow downloads is a much bigger security risk than not updating those apps in a timely basis.

Can those risks be mitigated? Sure. But that takes some strict company policies prohibiting employees from doing that, thorough employee training and education concerning those policies, and a willingness of upper management to aggressively enforce those policies if violated - to include immediate termination. But for some employees, saying "don't do that" is like putting a plate of freshly baked chocolate chip cookies in front of a little kid (or me) and saying, "Don't touch!"

get a better IT company one that knows what they are doing

If management is calling the shots (and it appears they are) this has nothing to do with the IT company (or outsourced contractor), or their competence. They are simply following the guidelines/directives of company bosses - as they should.