
If you haven’t locked down Microsoft Store, you may want to think again

July 2, 2021 | March 8th, 2024 | Blog

On June 24th we finally got to see what Microsoft have in store for us with Windows 11. In particular, there were some very interesting announcements regarding the Microsoft Store:

  • You can now submit any type of application installer (including MSI and EXE packages) to the Store rather than purely AppX/MSIX formats, which have failed to gain traction with ISVs (independent software vendors).
  • New tooling has been provided to allow websites to be packaged up as PWAs (Progressive Web Applications) and submitted to the Store. Your favourite sites will be able to be installed with the look and feel of a regular app.
  • Microsoft have partnered up with Amazon’s Android application store and you will be able to run Android apps natively in Windows.

The new Store is also expected to appear in Windows 10. You can find out more here: https://aka.ms/newstore

What does this mean for Enterprise?

Now that Microsoft Store will be gaining lots more applications, does this mean Enterprises will no longer have to package and deploy these applications to ensure they’re kept up to date?

From what we have seen so far, this looks like a great option for consumers. Rather than having to negotiate the tricky waters of the worldwide web and fish for what they hope is a bona fide installer, users can go to the Store as their first port of call for an ever-increasing number of applications.

However, this solution does not seem to have been put together with the needs of Enterprise in mind:

  • Much like the current Store, anybody is able to sign up and submit literally any application. We rely on Microsoft to verify that a submission is coming from the actual vendor and to prevent any intrusion from malware. But judging from the number of fake apps currently infesting the Store, can we rely on this process for popular titles such as Adobe Reader and Google Chrome? Currently such apps can do little damage since they run in containers with restricted privileges, but opening this up to MSIs and EXEs running with full admin rights creates a huge security hole. If you haven’t locked down access to the Store already, you may want to think again!
  • The packages will not have the usual tweaks that an expert repackager would apply, for example cleaning up unwanted shortcuts, disabling telemetry and automatic updates, and gracefully closing down applications during the update process.
  • The application submission process lacks some basic things that Endpoint Manager requires such as uninstall commands, detection methods, and a distinction between per-user and per-machine installs, meaning that for now it is unlikely these applications will be able to be synced with Endpoint Manager via Microsoft Store for Business.

So it appears that for the foreseeable future, enterprises will still need to rely on application packaging in order to deploy their apps and keep them up to date. If you require any assistance with your packaging requirements, then give us a call!