Our vulnerability scanning software is finding a bunch of workstations with unpatched Photos, codecs and other apps that usually come and update via MS Store. It is around 10% of the whole fleet. After a bit of tinkering we are guessing that it doesn't update on its own if the user never opened Store and logged in via SSO to an M365 account. Although it seems unlikely that 90% of users were opening Store. It could also be something related to VPN/proxy/network, but we don't see a viable pattern.
We have Store for Business. It is managed by another team which we can reach out to if needed (they manage the whole M365 service). Intune is not currently in use and I only know that they are preparing to test Autopilot. It might be possible to do something in Intune, if we find the correct people with access, etc.
Tried looking whether it is possible to somehow install updates "offline", by downloading some package, pushing it via deployment tools, maybe with some script. Haven't found anything yet.
Does anyone have any working solution to achieve that? Scripts, Intune policy, something else? Other than asking thousands of users to open Store and log in :)