Machine Wide Provisioning (Install for All Users)

Machine Wide Provisioning (Install for All Users)
83

Upvotes

Upvote

 Oct 14 2020
12 Comments (12 New)
In the backlog

Currently there is no convenient way for end end user who has purchased software from an ISV to install a side-loaded MSIX package machine-wide (for all users). Software is often licensed on a per-machine basis and not tied to a specific user. Non-technical users should be able to double-click on an MSIX package and have it installed machine-wide if the vendor has configured it to do so.

 

Perhaps there are other ways to accomplish this, but here is a suggestion.

 

Introduce an 'AllUsers' restricted capability to the appxmanifest file that flags the package so that when a user double-clicks the package to install it, it gets provisioned for all users (naturally would require specifying allowElevation in the manifest as well). Similarly, any user who tries to uninstall the package should get prompted for elevated privileges - once elevated, the uninstall should uninstall for all users.

 

Without this ability, I can't see how MSIX will replace MSI in the long term.

Comments
Microsoft
Status changed to: In the backlog
 
Copper Contributor

This really is an essential feature. We where just in the process of migrating to MSIX when I realized its not possible to create an installer package that non-technical users can install machine-wide as a default. For certain target audiences and certain applications this is an essential feature.

In case you are not aware...

 

1) MSIX Installation may be performed in powershell using the Add-AppXProvisionedPackage cmdlet.  This methods provisions the package in a way such that any user logging into the box will have the installation registered for them.  This might provide what you need for the "all user install" scenario.  This functionality is also available from DISM in case you are thinking about image management.

 

2) Supposedly, there is group policy support today to prevent uninstalls.  I'm not sure if it is AD or AAD only.  I think that today the control is a hammer affecting everything, but John mentioned more granular controls in the works in his recent video.

Copper Contributor

Thanks @TIMOTHY_MANGAN that is good to know.

 

Sadly, it does not help me. And I'm slightly frustrated that such a great effort like MSIX is missing such an essential feature like machine-wide installation. The vast majority of my customers is large enough an organization to feature many multi-user machines, but not large enough to perform typical setup tasks scripted with PowerShell. Basically that puts MSIX out of the picture for us as a company.

So how are you getting the apps on there today?

Copper Contributor

Either installer executables created with NSIS, installed with elevated permissions, or MSI's created with WIX, installed with the AllUsers feature enabled.

 

In both cases, a user with elevated permissions would install the app for all users of the machine. In some cases the separate user accounts may even refer to the same person and user accounts are used for privilege separation.

 

But in most cases its an admin that physically goes to the machines (or uses remote login) and actually installs the software.

So I'm guessing the requirement is not only no managed deployments but for double-click as typing "msiexec filename" is no easier than typing "add-appxprovisionedapp filename".

 

In that case you could modify the file type association command on those machines for ".msix" to run that.  

Copper Contributor

So I'm guessing the requirement is not only no managed deployments but for double-click as typing "msiexec filename" is no easier than typing "add-appxprovisionedapp filename".


Why would you think that?

Copper Contributor

@John Vintzel also see related  Project Reunion github request here : 

Add per-machine storage support to MSIX 

 https://github.com/microsoft/ProjectReunion/issues/13 

Copper Contributor

@TIMOTHY_MANGAN @John Vintzel 

the ask here is "Machine Wide Install/Uninstall for all users just like MSI through Elevation" and definitely NOT "Machine Wide Provisioning" as Machine Wide Provisioning still installs/registers the app on per user basis. 

Copper Contributor

Is there any ETA for when this might become a thing? My org is looking at replacing some custom solutions with Winget. The inability to push out software as machine wide installs or run Winget as system is a roadblock for us. So now we are looking at another custom PowerShell wrapper for Winget. Which is slightly better than our current solution, but it would be much easier if we could just use Winget as Winget without a PowerShell wrapper to make it behave how we want.

Brass Contributor

Adding;

 

  <Capabilities>
    <rescap:Capability Name="packagedServices" />
  </Capabilities>
 
Causes the MSIX to install Elevated (much like an MSI) 

 

Psycorp_0-1710261052653.png

 

Having an option under Properties like;

 

    <upa10:InstallForAllUsers>
      <uap10:InstallForAllUsers Value="True" />
    </upa10:InstallForAllUsers>
 
That provisions the package for All Users without the use of PowerShell (User would have to pass UAC or be running from an Admin level PowerShell/CMD/WT prompt) would make a lot of sense (well, at least to me) and help out as Users are just used to installing by Double Clicking things, and not having to use PowerShell.