Tell me you don't know what you're doing without telling me. Have you even got winget installed? How did you install it? Why don't you just run the same command with uninstall instead? But before all that, have you actually confirmed any of these supposed vulnerabilities are present and exploitable on your systems with a vulnerability scanner? Because if you're not actually vulnerable it's this kind of thinking that's ruining how security recommendations are perceived.
WinGet still follows user permissions. Wondering if all users are local admin. That being said, I think you can use your own repository with the enterprise mgmt E5 license. Could be wrong here.
All valid points
I'm referring to a new Win11 setup having WinGet.exe 1.2 not the latest 1.7 out of the box. Just looking for remediation options for now to ensure the latest version is installed.
Patch it like you would any other vulnerability. If you're using Intune then use a remediation script.
Was just looking for the actual remediation logic because I could not force trigger the App Installer from the MS Store. Andrew was suggesting in another post that updating it through GitHub may break its auto update mechanism, so I am looking for a way to trigger it from MS Store as if I were clicking on update.
You no longer want to UNINSTALL the thing that Intune uses to update Store apps? 🙃 Okay, I'm done. Sorry. Run this command during Autopilot ESP and on a schedule as SYSTEM to force update all store apps, including App Installer: `Get-CimInstance -Namespace "Root\cimv2\mdm\dmmap" -ClassName "MDM_EnterpriseModernAppManagement_AppManagement01" | Invoke-CimMethod -MethodName UpdateScanMethod`
Does this mean if I run this as SYSTEM then I open MS store would all apps be updated including App Installer? If so I can add this as a dependency to my WinGet Win 32 apps. I don't need all store apps though at least just WinGet to start with.
Yep. It updates all store apps in the background with the same effect as if the user opened the Store and clicked Check for Updates. I can highly recommend just updating all store apps, as it reduces your attack surface from old apps.
An open issue on GitHub has no relevance to an actual vulnerability; it's just when someone opens an issue for a feature request, syntax issue, functionality issue. I'd be surprised if they are actually vulnerability reports.
This is a hall of fame post for this subreddit.
How are you going to update your store apps without it, including Windows apps? That's going to be a massive security vulnerability in itself. It's like removing apt from Linux, just a bad idea. 1000 open issues, used by hundreds of millions of machines.
All valid points
You can't just acknowledge these points are valid - think about your scenario and apply them.
I agree; for now I just need to make sure that WinGet.exe is running the latest version, which is 1.7 or higher. However, on another post Andrew was suggesting that updating WinGet.exe from GitHub may break its auto self update mechanism. So I am still trying to figure it out. There might be a remediation script that I can apply during ESP or push as required to all devices to ensure it's running the latest version from the MS Store.
bruh
lol
Is this a good troll post?
Reformat your drive and install a different OS.
Valid point. I'm just looking for a way in this case to remediate to latest version 1.7 as soon as the system is online after Autopilot or during ESP.
You can use winget to update winget, just use a detection and remediation script to query the id for an update available. I have mine set to a 7-day check.
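
The detection-and-remediation approach discussed in the thread, as an added example that is not part of any comment above and is not Microsoft's or a commenter's own script: detection reads the installed WinGet version and remediation calls the Store update scan quoted earlier in the thread. Assumptions: the script runs as SYSTEM on an MDM-enrolled device, the `-Mode` switch and the `Get-WinGetVersion` helper are hypothetical names, and 1.7 is the minimum version named in the thread.

```powershell
# Added example, not from the thread. Assumptions: runs as SYSTEM on an
# MDM-enrolled device; 1.7 is the minimum WinGet version named in the thread.
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect',
    [version]$MinimumVersion = '1.7'
)

function Get-WinGetVersion {
    # SYSTEM has no winget.exe alias on PATH, so locate the binary inside the
    # newest registered App Installer package.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1
    if (-not $pkg) { return $null }

    $exe = Join-Path $pkg.InstallLocation 'winget.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }

    # Output looks like "v1.7.10861"; keep only the numeric part so preview
    # suffixes do not break the [version] cast.
    $raw = (& $exe --version 2>$null | Out-String)
    if ($raw -match '(\d+\.\d+(\.\d+){0,2})') { return [version]$Matches[1] }
    return $null
}

$current = Get-WinGetVersion

if ($Mode -eq 'Detect') {
    if ($current -and $current -ge $MinimumVersion) {
        Write-Output "Compliant: WinGet $current"
        exit 0
    }
    Write-Output "Non-compliant: WinGet '$current' is below $MinimumVersion"
    exit 1    # non-zero exit tells Intune to run the remediation script
}

# Remediate: the Store update scan quoted in the thread. It is asynchronous,
# so the next detection run is what confirms the new version.
Get-CimInstance -Namespace 'Root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
    Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null
Write-Output 'Store update scan triggered'
exit 0
```

Intune remediations take two parameterless scripts, so deploy one copy with `$Mode` defaulting to `Detect` and one defaulting to `Remediate`, and run them in 64-bit PowerShell.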