Hello, I’m having some issues uninstalling and\or updating MSFT Store apps such as Paint 3D and VP9 Video extensions (these 2 have vulnerabilities, CVEs 2021-31983 and 2021-28464). I haven’t yet had a chance to figure out why Windows Updates, which is set to auto run on the systems, isn’t updating these to a newer version.
To update to a newer, non-vuln version, I’ve run:
action uses wow64 redirection {not x64 of operating system}
createfile until END_OF_FILE
dism.exe /online /add-provisionedAppxPackage /packagepath:"__Download\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe.Appx" /skiplicense
END_OF_FILE
Note: The above is supposed to upgrade for all users, like the below uninstall should as well
And to uninstall:
Get-AppXPackage -AllUsers -PackageTypeFilter All -Name Microsoft.MSPaint | Remove-AppxPackage -AllUsers
For both, I only seem to get about a 1/3 of the systems complete successfully. Unfortunately I don’t have access to Bigfix right now, but what I’ve seen is on the upgrade attempt using the Dism tool, on many the Dism log content looks identical to test systems that did upgrade, but the vuln is still there and pulling WMI data still shows the older version.
For the uninstall, the failures report back -1 and have a generic “unable to uninstall, see vendor” type verbiage.
I have more details I can provide, but my main question is just uninstalling or upgrading MSFT Store apps (in \Program Files\WindowsApps dir.) in general and what might be some best practices or other attempts I can try beside the two mentioned above.
I was able to pull the logs on some of the uninstall failures, and a consistent error I see is:
Error executing script C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData__bes18.ps1: Get-AppXPackage : The trust relationship between this workstation and the primary domain failed. (Exception from ;HRESULT: 0x800706FD);
However, this only seem to happen when running a powershell action script type using the drop-down menu. When I create another powershell action by using the Bigfix script type using the “createfile until END_OF_FILE” method and coding my ‘pshell script inside that file, I’m not seeing this error and actions are running to completion.
I’m in process to test the uninstall using createfile to see what happens, but this is curious behavior (note nodes are often remoted in and so may not be joined to a domain, but all of them have several recent successful actions).
This sounds like the process which is running the command has exceeded the Kerberos ticket validity period. I have seen this happen with some extremely long running processes (days).
Capture the uptime of the endpoint, and the amount of time the BESClient process has been running then open a support ticket with HCL. It sounds like the BESClient might be holding onto the powershell session for too long for the powershell-native actionscript.
A good test is to (after you capture this information) restart the BESClient on this machine and re-take the exact same action and see if it works. If it does, then my assumption may be correct and dev should take a look at this.
In the meantime, I’m running some verbose uninstall and upgrade actions so should have something more to post soon, because I’m still struggling to get either working on the majority of systems (even without using native powershell).
One interesting note I found is that the system account is not allowed to re-register apps to the MSFT Store, even with the -AllUsers flag set:
Get-AppxPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register … and so on.
Returns a “The Local System Account is not allowed to perform this operation” (and I verified the Sys account has FC to \Program Files\WindowsApps