MS Store App Update Issue

Kris Kirkbride 26 Reputation points
2022-09-06T09:48:07.707+00:00

Hi,

We have a slight issue and I'm a bit stuck.

We have a GPO that auto updates the MS Store apps.

This is fine.

However, if we have users that have previously logged onto a machine, it won't update the apps for those users (seemingly).

This means we have machines with out-of-date MS Store apps (who will never log on to that machine again) and updating them as a current user doesn't update the app centrally.

Some of these are very old and when we are logged onto the machine, there are no updates awaiting installation.

It makes no sense that when an app is updated, it's not updated machine wide?!

Does anyone know of a way around this please, as it's flagging in our Qualys scans as high vulnerabilities.

Some examples (which are flagging but are years old) - are:

Microsoft Windows Codecs Library Remote Code Execution (RCE) Vulnerability for March 2022

Microsoft Office app Remote Code Execution (RCE) Vulnerability

Microsoft Paint 3D Remote Code Execution (RCE) Vulnerability for March 2022

Microsoft Windows Codecs Library Remote Code Execution Vulnerabilities - November 2020

Microsoft 3D Viewer Remote Code Execution (RCE) Vulnerability - November 2021

Microsoft 3D Viewer Multiple Vulnerabilities - June 2021

Windows 10

Accepted answer
  1. Frederick Parrington 161 Reputation points
    2022-09-07T15:37:56.29+00:00

    My apology, I messed up the inside quotes.

    powershell -nop -ep bypass -c "Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register \"$($_.InstallLocation)\AppXManifest.xml\"}"  
    

    Some packages will generate expected errors because they are part of the desktop (Windows.Search, StartMenuExperienceHost, Client.CBS).


4 additional answers

  1. Frederick Parrington 161 Reputation points
    2022-09-07T03:39:42.503+00:00

    Maybe you can explain this in better terms? Your GPO policy is enabling MS Store apps to auto-update and that works. But you have users who visit machines once in a while, and have outdated app provisioning profiles? And Qualys is flagging the dormant user profiles, and not the installed app versions?

    If that's what you mean, just run a PowerShell task to re-register apps for all user profiles.

    powershell -nop -ep bypass -c "Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}"  
    

  2. Kris Kirkbride 26 Reputation points
    2022-09-07T07:01:09.487+00:00

    Morning,

    Yeah an odd one really.

    About 10% of our machines are flagging one or more of the above vulnerabilities relating to old MS Store apps (Paint 3D, Codecs etc).

    Google doesn't give up much, other than the suggestion that when MS Store apps are updated, they are only updated for the logged on user and not machine wide.

    I'm wondering if it's the case that users that may have logged on say a year ago to that/a machine, and never logged on again to that same machine, still have an old version registered even though other users have been on that/those machines?

    I can see these older versions in C:/Program Files/WindowsApps in the affected machines but obviously can't deal with them/delete them directly from there.

    I'll try your script and see if that helps - thank you!


  3. Kris Kirkbride 26 Reputation points
    2022-09-07T07:07:57.913+00:00

    Hi again...

    Am I missing something, as it just pipes out the below?

    238436-image.png


  4. Kris Kirkbride 26 Reputation points
    2022-09-07T15:42:41.593+00:00

    Hmm, I get this now!

    238630-image.png
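
To check the theory raised in this thread, that old package versions stay registered to profiles that no longer log on, the read-only inventory below lists every older version next to the user SIDs it is registered to. It is an added example, not code from any poster; it assumes an elevated session, and matching SIDs to profiles through Win32_UserProfile is this example's own choice.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only inventory, nothing on the machine is changed.

# Index local profiles by SID so each registration can be tied to a profile folder.
$profiles = @{}
Get-CimInstance Win32_UserProfile | ForEach-Object { $profiles[$_.SID] = $_ }

# Group packages by family and architecture. More than one version in a group
# means an older copy is still present alongside the updated one.
$report = Get-AppxPackage -AllUsers |
    Group-Object PackageFamilyName, Architecture |
    Where-Object { ($_.Group.Version | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $newest = ($_.Group | ForEach-Object { [version]$_.Version } |
                   Sort-Object -Descending)[0]
        # Report only the versions that are behind the newest one in the group.
        foreach ($pkg in $_.Group | Where-Object { [version]$_.Version -lt $newest }) {
            # One row per user the old version is still registered to.
            foreach ($info in $pkg.PackageUserInformation) {
                $sid  = $info.UserSecurityId.Sid
                $prof = $profiles[$sid]   # $null if the profile folder is gone
                [pscustomobject]@{
                    Package       = $pkg.Name
                    StaleVersion  = $pkg.Version
                    NewestVersion = $newest
                    IsFramework   = $pkg.IsFramework  # frameworks may keep several versions
                    UserSid       = $sid
                    UserName      = $info.UserSecurityId.Username
                    InstallState  = $info.InstallState
                    ProfilePath   = $prof.LocalPath
                    LastUseTime   = $prof.LastUseTime
                }
            }
        }
    }

$report | Sort-Object Package, StaleVersion, UserSid | Format-Table -AutoSize
```

Rows with an empty ProfilePath are registrations whose profile no longer exists on disk; rows with an old LastUseTime are the dormant users described in the question.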