How to force Windows apps to update with no access to Microsoft Store?

Question

Is there a way to force a Windows app to check the Microsoft Store for updates via commandline or some other way?

In my current environment, access to the Microsoft Store is disabled for end users. A recent vulnerability came up for a Windows app, and I need to make sure it is patched on all endpoints. Most stations seem to have automatically updated to the newest version of the app, but a few haven't updated. Without creating a new package or installing additional tools (no winget or PSWindowsUpdate allowed), is there a way to initiate the update check/process for Windows apps without accessing the Microsoft Store?

Answer 1

Hello,

There is no supported command‑line switch or API that forces a single Windows Store app to check for updates outside of the Microsoft Store client. The update mechanism for Store apps is tied directly to the Store infrastructure and the AppX servicing stack. When Store access is disabled for end users, the only supported ways to ensure apps are patched are either through centralized management or by re‑packaging the app.

In enterprise environments, Microsoft recommends handling this through Microsoft Intune, Configuration Manager (SCCM), or WSUS with the “Microsoft Store for Business” integration. These tools allow administrators to push app updates without requiring end‑user access to the Store. If those are not available in your environment, the only other supported method is to manually download the updated app package (APPX/MSIX) from the Store for Business or directly from the vendor, then deploy it via PowerShell with Add-AppxPackage or DISM /Add-ProvisionedAppxPackage.

There is no hidden command to force the Store update check from Task Scheduler or PowerShell without Store connectivity. The reason some endpoints updated automatically is because the Store service was able to run in the background before access was restricted. The machines that did not update will remain out of date until you push the updated package yourself or re‑enable Store connectivity long enough for the update to apply.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!Domic Vo.

Answer 2

There is no supported command-line or remote trigger that forces a specific Microsoft Store app to immediately check for and install updates when Store UI access is disabled, without using additional tools such as winget or custom packaging.

In this scenario, updating Store apps on endpoints relies on the existing Store/OS update mechanisms and policies:

1. Ensure Store access for updates is not blocked by policy
   If the Turn off the Store application policy (RemoveWindowsStore) is enabled in the computer context, it also turns off app updates:
   • GPO: Computer Configuration\Administrative Templates\Windows Components\Store → Turn off the Store application
     When configured in the computer context, this policy turns off app updates for Store apps. To allow automatic updates while still blocking end-user Store UI, configure as follows:
   • Leave Turn off the Store application Not configured or configure it in the user context only, so app updates are not disabled.
2. Allow automatic Store app updates
   The Turn off Automatic Download and Install of updates policy controls whether Store apps auto-update:
   • GPO: Computer Configuration\Administrative Templates\Windows Components\Store → Turn off Automatic Download and Install of updates`
   • Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore → AutoDownload (REG_DWORD)
     • 2 = apps will not be updated
     • 4 = apps will be automatically updated
       To ensure Store apps auto-update:
   • Set Turn off Automatic Download and Install of updates to Disabled or Not configured (which allows automatic updates), or explicitly set AutoDownload to 4.
3. Confirm Store endpoints are reachable
   Even if policies are correct, Store apps will not update if required endpoints are blocked by firewall/proxy. Verify that the documented Microsoft Store and Windows Update endpoints are allowed so the Store can download app updates.
4. Use Intune for Store app updates (if applicable)
   In environments using Intune with the new Microsoft Store integration:
   • The Turn off the Store application setting does not affect Intune’s ability to install or update Microsoft Store apps.
   • As long as Turn off Automatic Download and Install of updates is not enabled, the Microsoft Store automatically updates UWP apps, including built-in apps.
     For Win32 Store apps with an active Intune assignment, updates are still automatically applied even if Turn off Automatic Download and Install of updates is set.
5. Windows App (Windows 365 client) specific behavior
   If the app in question is the Windows App (Windows 365 client):
   • When installed from the Microsoft Store, it always follows Microsoft Store update settings and cannot have automatic updates fully disabled from within the app.
   • A background task checks for updates every 8 hours and installs them when the app is closed.
   • If installed via standalone MSIX, updates can come from a CDN or Store depending on the DisableAutomaticUpdates registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsApp, but Store-pushed updates still apply if the app originated from the Store.

Given the constraints (no winget, no additional tools, Store UI blocked), the practical options are:

• Ensure Store app updates are not disabled by GPO/registry.
• Ensure required Store/Windows Update endpoints are reachable.
• If using Intune, rely on Intune + Store integration to push the latest version.
• For any outlier machines that still do not update after policies and connectivity are corrected, the remaining supported approach is to redeploy the app (for example, via Intune or another management tool) using a package that contains the patched version.

There is no built-in, Store-independent command or API in this context that can be invoked on endpoints to force an immediate Store update check for a specific app without using additional tools.

---

References:

• Group Policy and packaged apps
• Configure access to the Microsoft Store app
• Add Microsoft Store Apps to Microsoft Intune
• Configure Windows App updates on Windows
• Troubleshoot Microsoft Store app download failures
• How to use the Microsoft Store Web Installer to distribute your apps on the web
• Auto-update and repair apps