Replacing Microsoft Store for Business with Endpoint Manager
Microsoft is changing the way you deliver managed apps to user desktops. It’s time to rethink the way you do it.
Microsoft is changing the way businesses use the Microsoft Store as it integrates its Package Manager tools into Endpoint Manager, obsoleting the existing Microsoft Store for Business service. This means that it will no longer be possible to use the Microsoft Store to purchase app licenses, although you can still download free and individually licensed apps.
Part of the solution comes with changes to how Microsoft monetizes its store, as well as big changes to how it fits into the Windows ecosystem. This allows vendors to provide their own licensing and payment frameworks outside of the Windows Store, and even use their own download facilities. Where you had to purchase and deploy tools like Adobe’s Creative Cloud directly from Adobe, you can now let users download the Creative Cloud app from the store and use assigned licenses to deliver apps to their PCs.
SEE: Ethics Policy: Supplier Relations (TechRepublic Premium)
This way, you can maintain a separate contractual relationship with businesses, assigning business subscriptions to users’ email addresses. The store is just an initial gateway – all downloads actually come from their own servers or hosted repositories.
Some companies have used Store for Business to roll out features like Windows HEVC codecs to their users. Although paid apps like this are not available through the new Store Services, users running an up-to-date Windows installation will not need to install many of these apps, as they are now available in current Windows. .
Delivery via winget
An interesting aspect of the transition is the ability to use winget with private repositories, either running your own or working with hosted services like Winget Pro. This approach avoids Microsoft’s restrictions on hosting paid applications. Once you have licensed installers, you can store them in a winget repository, using scripts to deploy the apps to users. However, you will need to provide your own audit, ensuring that you have the correct number of licenses for the applications deployed.
These private winget repositories do not need to be yours. It’s easy to see software vendors offering their own and providing winget scripts for use in your networks. Here, Endpoint Manager becomes the tool to subscribe to these repositories and provide download scripts to users based on their Azure Active Directory memberships.
Scripting Winget is relatively simple. Microsoft provides examples of batch scripts and PowerShell, so you can provide startup actions that keep user applications up to date. Alternatively, remote PowerShell actions can manage updates and installs, using silent installs to minimize user disruption. How winget installs apps depends on the installation type, so you may need to repackage an installer to get the options you need.
It is important to test winget scripts before running them. It will run installations in sequence, launching one when the previous one completes; however, some installers launch secondary processes, having a main installer that runs other installers to add modules. This may cause Winget to launch the next installer before it is complete. Use winget logs to understand how installs are performing, and if needed, you can add timeouts between installs to avoid potential conflicts.
The path to modern management tools
By using Endpoint Manager to control access to public and private repositories, you transition to using modern management tools. Azure Active Directory becomes the source of user knowledge, providing role-based access to repositories and scripts used to deliver applications. Now you can see who installed an app, who’s up to date, and who’s actually using it. This approach simplifies securing your network and understanding your license. With over-licensing being as much of a problem as under-licensing, moving to a more managed software distribution model can lead to significant cost savings.
Intune users can then find published apps through the company portal, allowing them to install them on their own. Administrators can treat it as a more user-friendly version of Configuration Manager Software Center.
If you use the Microsoft Store for Business, it’s time to start planning your transition to this new wing-powered world. Microsoft will launch its own repository first, which will be a mirror of the Microsoft Store, giving you access to all the apps available to Windows users. Private repositories will follow in 2023, giving you time to determine if you need to repackage apps.
How Microsoft Store changes mean Autopilot changes
The changes will affect how you use the autopilot to configure new hardware remotely. As it is currently built around using the Microsoft Store for Business to host deployment profiles, you will need to switch to one of two options: Intune or the Microsoft 365 admin center. Autopilot profiles can be registered and managed using both tools, although you may need to manually migrate them from the Microsoft Store. If you’re working with an OEM to register new devices with Autopilot, you’ll need to give them a link to the new location for the necessary consent form, which will be available in the Microsoft 365 admin center.
The new Endpoint Manager/Microsoft Store integration is currently in private preview, with a broader public preview planned soon. This will be available in existing Endpoint Manager instances, marked as preview, allowing you to start experimenting. Microsoft is making a big change here that affects both how you deploy new devices and manage apps, so you should start working on migrating to the new service as soon as possible to avoid any service disruptions that could affect the providing security updates to your users.
It’s clear from reading comments on Microsoft’s blog posts on the subject that the biggest pain point for many admins is moving to Intune as their primary management platform. Today’s Intune is now a mature management platform that offers a leaner approach to management using MDM tools instead of group policies, a more user-friendly approach, and reduced login times . Migrating policies to a new platform can take some time, moving user groups after you configure and test the relevant policies.
Assembling all the parts will not be as difficult as it seems at first glance. The tools may be different, but the underlying philosophy has not changed. On the contrary, the addition of private repositories and winget support should mean a much more flexible platform for managing software deployed across your PC fleet.