Enforce Microsoft store security updates

Silverman, Alan 26 Reputation points
2021-07-06T15:23:36.207+00:00

Is there any way to push out Windows Store security updates for vulnerabilities (such as for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31946) either via WSUS or GPO? Our vulnerability assessment tools show that the vulnerable versions of the applications are still on a lot of machines.

We found 2 things in the update process:

  1. Currently users will get the security updates when they log into their profiles, which is OK for the active profile, though we would like to get the updates out system-wide.
  2. If some users have installed vulnerable apps on a shared machine, then the apps that were installed on a profile which is not logged into are not updating and that machine is still flagged as vulnerable. We don't know how to update these "passive" profiles. Or we would be OK removing a profile after 30 days to remove the vulnerability -- but we don't know if there is a GPO way to accomplish this either.

thanks


Accepted answer
    Daisy Zhou 24,046 Reputation points Microsoft Vendor
    2021-07-07T03:14:46.337+00:00

    Hello @SilvermanAlan-3521,

    Thank you for posting here.

    Here are the answers for your reference.

    1) Currently users will get the security updates when they log into their profiles, which is OK for the active profile, though we would like to get the updates out system-wide.

    A1: Based on my knowledge and research, there is no such GPO to enforce Microsoft store security updates.

    I have also discussed this with the WSUS engineers; they tell me WSUS pushes Windows updates, not Microsoft Store app updates.

    For your request, I have read the link you provided above. I can see:

    Get updates for apps and games in Microsoft Store
    https://support.microsoft.com/en-us/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f

    It seems the only way to enforce Microsoft Store security updates is via the Microsoft Store, and with user login.

    2) If some users have installed vulnerable apps on a shared machine, then the apps that were installed on a profile which is not logged into are not updating and that machine is still flagged as vulnerable. We don't know how to update these "passive" profiles. Or we would be OK removing a profile after 30 days to remove the vulnerability -- but we don't know if there is a GPO way to accomplish this either.

    A2: You can try the following GPO setting:

    Computer Configuration\Administrative Templates\System\User Profiles\Delete user profiles older than a specified number of days on system restart==>Enabled

    Description:
    This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed.

    If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


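The thread leaves two practical gaps: how to tell which profiles on a shared machine still hold the old Store app version (the "passive" profiles the question describes), and what the accepted answer's GPO actually does on the box. The script below is an added example written for this page; it is not code from the original post or from Microsoft. It enumerates Appx packages for every profile with `Get-AppxPackage -AllUsers`, lists profiles not used within N days with the same test the policy applies, and writes the `CleanupProfiles` registry value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`, which is the value that policy sets. It also shows the MDM bridge call (`MDM_EnterpriseModernAppManagement_AppManagement01.UpdateScanMethod`) that asks the Store to check for app updates now; that is neither a GPO nor WSUS, so the answer's point stands, and it has to run as SYSTEM. The package family name and the fixed version are constructed placeholders; take the real values from the advisory for the CVE you are tracking.

```powershell
# Added example for this thread; not code from the original post or from Microsoft.
# Run from an elevated PowerShell session on the affected Windows 10 machine.
# CONSTRUCTED placeholder: replace with the package family name and the fixed
# version listed in the advisory for the CVE you are tracking.
$MinimumVersions = @{
    'Contoso.ExampleStoreApp_8wekyb3d8bbwe' = [version]'1.2.3.0'
}

function Get-VulnerableAppxInstalls {
    param([hashtable]$MinimumVersions)
    # -AllUsers enumerates packages registered to every profile on the machine,
    # so installs that belong to profiles that are not logged in are included.
    foreach ($pkg in Get-AppxPackage -AllUsers) {
        if (-not $MinimumVersions.ContainsKey($pkg.PackageFamilyName)) { continue }
        $required = $MinimumVersions[$pkg.PackageFamilyName]
        if ([version]$pkg.Version -ge $required) { continue }
        # One row per profile that still has the old version registered.
        foreach ($u in $pkg.PackageUserInformation) {
            [pscustomobject]@{
                PackageFamilyName = $pkg.PackageFamilyName
                InstalledVersion  = $pkg.Version
                RequiredVersion   = $required
                UserSid           = $u.UserSecurityId.Sid
                InstallState      = $u.InstallState
            }
        }
    }
}

function Get-StaleProfiles {
    param([int]$Days = 30)
    # Same test as the policy: profiles not used within N days. LastUseTime is
    # also bumped by some non-interactive activity, so review the list before
    # deleting anything or turning the policy on.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.LastUseTime -lt $cutoff } |
        Select-Object LocalPath, SID, LastUseTime
}

function Set-ProfileCleanupPolicy {
    param([int]$Days = 30)
    # Registry value behind the GPO
    # "Delete user profiles older than a specified number of days on system restart".
    # The profile service reads it at the next restart; a domain GPO sets the same value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'CleanupProfiles' -Value $Days -Type DWord
}

function Start-StoreUpdateScan {
    # Asks the Store to check for app updates now, via the MDM bridge WMI class.
    # Must run as SYSTEM (for example from a scheduled task). It is not a GPO and
    # does not make WSUS deliver Store updates; rerun Get-VulnerableAppxInstalls
    # afterwards to confirm which profiles actually got the new version.
    $ns = 'root\cimv2\mdm\dmmap'
    Get-CimInstance -Namespace $ns -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName 'UpdateScanMethod'
}

# Usage
Get-VulnerableAppxInstalls -MinimumVersions $MinimumVersions | Format-Table -AutoSize
Get-StaleProfiles -Days 30 | Format-Table -AutoSize
# Set-ProfileCleanupPolicy -Days 30   # uncomment to enable the cleanup policy locally
```

The first function is the check to run before and after any remediation: a scanner flags the machine as long as any profile has the old package registered, and the `UserSid` column tells you which profile that is. Deleting a stale profile removes its package registration, which is why the cleanup policy clears the finding, but verify the `LastUseTime` list first so an active user's profile is not deleted because it had not been touched for 30 days of leave.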
