How the heck do you get a handle on Windows Apps?

Posted by ObjectiveFit4093@reddit | sysadmin | View on Reddit | 1 comments

I have been struggling with this for a while. Windows 11 Enterprise. I do not have Intune. Users are blocked from using the Microsoft Store, but a lot crap is still installed. For instance, I have one machine that shows several versions of Edge installed under the store. Presumably, the different versions are under different profiles. So how are you all managing this?

[-]

kheldorn@reddit

Windows apps are a pest. Even more so than userspace (appdata) installed applications.

Whoever came up with that has a very special place in hell.

As to what we are doing ... currently evaluating.

Since the inception of Windows 10 we've had the store blocked for both users and machines. I'm not testing a set of policies that allows the machine access to the store (by also setting a machine-wide proxy (WinHttpSettings registry key)) and then running a small powershell script in System context that triggers the update feature of the store. This updates the installed apps on the system and on next logon will update the apps in the user profile.

While this will not get the apps in unused profiles updated .. it is better than nothing. And whenever an unused profile is logged back in the next time it should also update.

Any findings of vulnerabilities in unused profiles will have to be ignored though. Can't really do anything else there.

As for the powershell script that's doing the magic:

$namespaceName = "root\cimv2\mdm\dmmap"

$className = "MDM_EnterpriseModernAppManagement_AppManagement01"

$wmiObj = Get-WmiObject -Namespace $namespaceName -Class $className

$result = $wmiObj.UpdateScanMethod()

It might need to run multiple times to update all apps, but at some point it should do the job.

As I said, still evaluating...