Replacing the Microsoft Store for Business with Endpoint Manager

Microsoft is changing the way you deliver managed applications to users’ desktops. It’s time to rethink how you’re doing it.

Microsoft is in the process of changing the way businesses use the Microsoft Store as it brings its Package Manager tools into Endpoint Manager and deprecates the existing Microsoft Store for Business service. This means that it is no longer possible to use the Microsoft Store to purchase application licenses, but you can still download free and individually licensed applications.

Part of the solution involves changes to how Microsoft monetizes its Store, as well as big changes to how it fits into the Windows ecosystem. This allows vendors to provide their own licensing and payment frameworks outside of the Windows Store and even use their own download facilities. Where you used to have to buy and deploy tools like Adobe’s Creative Cloud directly from Adobe, now users can download the Creative Cloud application from the store and use assigned licenses to deploy applications to their PCs.

This allows you to maintain a separate contractual relationship with companies and associate business subscriptions with users’ email addresses. The store is just an initial gateway – all downloads actually come from the vendors’ own servers or hosted repositories.

Some companies used the Store for Business to provide features like the Windows HEVC codecs to their users. While paid apps like these won’t be available through the new Store services, users running a recent Windows install will not need to install many of these apps as they are now features in recent Windows versions.

Delivery by winget

An interesting aspect of the transition is the option to use Winget with private repositories, either your own or hosted services like Winget Pro. This approach bypasses Microsoft’s restrictions on hosting paid applications. Once you have licensed installers, you can store them in a winget repository and use scripts to deploy the applications to users. However, you must provide your own monitoring to ensure you have the correct number of licenses for deployed applications.

These private winget repositories do not have to be your own. It’s easy to see software vendors offering their own repositories and providing winget scripts for use on their networks. This is where Endpoint Manager becomes the tool to subscribe to these repositories and provide users with download scripts based on their Azure Active Directory memberships.

Scripting winget

Scripting Winget is relatively easy. Microsoft provides samples for both batch scripts and PowerShell so you can provide launch actions that keep user applications up to date. Alternatively, remote PowerShell actions can handle updates and installs, using silent installs to minimize user disruption. How winget installs applications depends on the type of installer, so you may need to repackage an installer to get the options you need.

It is important to test winget scripts before running them. Winget runs installations one by one, starting each when the previous one finishes. However, some installers start secondary processes and have a master installer that runs other installers to add modules. This can cause winget to start the next installer before the previous one has finished. Use winget’s logs to understand how installs are running, and if needed, add timeouts between installs to avoid potential conflicts.
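The following PowerShell sketch is an added example, not one of Microsoft's samples: it installs a list of packages silently, one at a time, and waits for any MSI-based secondary installer to finish before starting the next. The package IDs and source name are placeholders, and the wait only detects Windows Installer (MSI) activity through its `_MSIExecute` mutex; other installer types would need their own check.

```powershell
# Placeholders (not from the article): replace with your own source and package IDs.
$Source   = 'winget'                                  # pin one source so an ID cannot resolve from another repository
$Packages = @('Contoso.ExampleApp', 'Contoso.ExampleTool')
$LogDir   = Join-Path $env:TEMP 'winget-deploy'
$SettleTimeoutSec = 600                               # upper bound on the wait between installs

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Test-MsiBusy {
    # Windows Installer holds the Global\_MSIExecute mutex while an install is running.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('Global\_MSIExecute')
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false                                 # mutex does not exist: no MSI install in progress
    } catch {
        return $true                                  # exists but cannot be opened: treat as busy
    }
}

function Wait-MsiIdle {
    param([int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-MsiBusy)) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

$results = foreach ($id in $Packages) {
    $log = Join-Path $LogDir "$id.log"
    # --exact with --id avoids partial-name matches; --log is honoured only if the installer supports it.
    winget install --id $id --exact --source $Source --silent `
        --accept-package-agreements --accept-source-agreements --log $log
    $code    = $LASTEXITCODE
    $settled = Wait-MsiIdle -TimeoutSec $SettleTimeoutSec
    [pscustomobject]@{ Id = $id; ExitCode = $code; Settled = $settled; Log = $log }
    # Stop the run on the first failure or timeout so later installs do not collide.
    if ($code -ne 0 -or -not $settled) { break }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.ExitCode -ne 0 -or -not $_.Settled }) { exit 1 }
```

Run it from an elevated session on a test machine first and review the per-package logs before assigning it through your management tool.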

The way to modern management tools

By using Endpoint Manager to control access to public and private repositories, you transition to using modern management tools. Azure Active Directory becomes the source of knowledge about users and provides role-based access to repositories and to the scripts used to deploy applications. You can now be sure who has an application installed, who is up to date and who is actually using it. This approach simplifies securing your network and understanding whether you are properly licensed. Since over-licensing is as much of a problem as under-licensing, there is the prospect of significant savings in moving to a more managed software distribution model.

Intune users can then find published applications through the company portal and install them themselves. Administrators can treat it as a more user-friendly version of the Configuration Manager Software Center.

If you’re using the Microsoft Store for Business, it’s time to plan your transition to this new world powered by Winget technology. Microsoft will initially launch its own repository, which will be a mirror of the Microsoft Store and will give you access to all apps available to Windows users. Private repositories will follow in 2023, giving you time to consider repackaging applications.

How changes to the Microsoft Store mean changes to Autopilot

The changes affect how you use Autopilot to remotely configure new hardware. Because it’s currently built around using the Microsoft Store for Business to host provisioning profiles, you’ll need to switch to one of two options: Intune or the Microsoft 365 admin center. Autopilot profiles can be registered and managed using either tool, although you may need to manually migrate them from the Microsoft Store. If you’re working with an OEM to enroll new devices on Autopilot, you’ll need to give them a link to the new location for the required consent form that will be available in the Microsoft 365 admin center.

The new Endpoint Manager/Microsoft Store integration is currently in private preview, with a wider public preview coming soon. It is available in existing Endpoint Manager deployments and is marked as a preview so you can start experimenting. Microsoft is making a big change here that impacts how you both provision new devices and manage applications. Therefore, you should start migrating to the new service as soon as possible to avoid service outages that could impact the delivery of security updates to your users.

From the comments on Microsoft’s blog posts on this topic, the biggest concern for many admins is moving to Intune as their main management platform. Today’s Intune is now a mature management platform that offers a lighter management approach using MDM tools instead of Group Policy, an approach that is easier to use and reduces sign-on times. It may take some time to migrate policies to a new platform and move user groups once you have configured and tested relevant policies.

Putting all the pieces together won’t be as difficult as it first appears. The tools may be different, but the underlying philosophy hasn’t changed. If anything, the addition of private repositories and Winget support should mean a much more flexible platform for managing the software deployed on your fleet of PCs.
