First off, thanks for taking the time to read my issue and hopefully point me in the right direction.
Second, I hate Appxpackages :)
My understanding of how an Appx works is the following, so please correct me if you think I have got it wrong. When a user signs into a PC, various Windows applications based on Appxpackages will get installed at the current release. For example, the calculator could be:
Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe
The user may never sign into that PC again, 6 months down the line there could be a vulnerability discovered in this application and it gets patched with an update. However, this only applies if the user signs in and the store does its job of updating out of date appxpackages.
The issue with this is, if you are in an enterprise environment and you use something like Qualys to scan your clients it will show this vulnerability. Furthermore you could have a mix of users and each user could have a different version.
I'd like to develop a method with PowerShell to check for the version of the appxpackage for all users, and for any user that does not have the currently patched version, it uninstalls. I don't believe it is possible to update for a user not signed in.
My idea is to use something along the lines of this
    [version]$version=(get-appxpackage -Name *Microsoft.WindowsCalculator* -Allusers).Version
    If ($Version -eq [version]"11.2210.0.0")
    {
        "Minimum version met"
    }
    ElseIf ($Version -lt [version]"11.2210.0.0")
    {
        Remove-AppxPackage -Package $version -Allusers
    }
I'm certain it won't work, but I can't think how to deal with it. I know I can't use $version as that just finds all versions, so if for the else-if I were to use $version, it would just remove all versions for everyone.
In the past I have done something similar for the Teams.exe application within Appdata folders for each user. That was much easier to deal with as I know the installer folder in appdata, I could easily query the version number and cycle through each user profile one at a time, but I don't see a way to do this for appxpackages.
Any guidance on this would be really appreciated.
I'm on mobile, so I can't test this.
Have you tried looking at Get-AppxPackageManifest? I can't see the object it returns from the docs, but I'm sure there would be a current version property, or even in Get-AppxPackage.
So maybe try
If there's a property that works the commands would be something like this.
Try just one user first, and then try the -alluser tag
Hopefully this can help.
Get-Command *appx*
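One way to do the per-user version check the question asks for, as an added example that is not part of either post. It assumes an elevated session (needed for -AllUsers), uses the minimum version 11.2210.0.0 quoted in the question, and the function name Get-OutdatedAppxInstall is hypothetical:

```powershell
# Added example: list every per-user install of an Appx package that is
# below a minimum version, then remove those package versions.
function Get-OutdatedAppxInstall {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $MinimumVersion
    )
    # With -AllUsers, Get-AppxPackage returns one object per installed
    # package version; PackageUserInformation on each object lists the
    # users that specific version is registered for.
    foreach ($pkg in Get-AppxPackage -Name $Name -AllUsers) {
        # Compare as [version], not as strings, so 11.2210 sorts after 11.999.
        if ([version]$pkg.Version -ge $MinimumVersion) { continue }
        foreach ($u in $pkg.PackageUserInformation) {
            [pscustomobject]@{
                PackageFullName = $pkg.PackageFullName
                Version         = [version]$pkg.Version
                UserSid         = $u.UserSecurityId.Sid
                UserName        = $u.UserSecurityId.Username
                InstallState    = $u.InstallState
            }
        }
    }
}

$minimum  = [version]'11.2210.0.0'   # patched version taken from the question
$outdated = Get-OutdatedAppxInstall -Name 'Microsoft.WindowsCalculator' -MinimumVersion $minimum

# Report which users still hold which outdated version.
$outdated | Format-Table -AutoSize

# Remove by PackageFullName, so only the outdated versions are touched and
# users already on the patched version keep it.
# -WhatIf only reports what would be removed; drop it to actually remove.
$outdated | Select-Object -ExpandProperty PackageFullName -Unique | ForEach-Object {
    Remove-AppxPackage -Package $_ -AllUsers -WhatIf
}
```

To target a single profile instead of every holder of an outdated version, pass one of the reported SIDs to Remove-AppxPackage with -User in place of -AllUsers.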