Microsoft recently published CVE-2021-43890, a vulnerability that is currently exploited by malware such as Emotet/Trickbot/Bazaloader.
If your computer doesn’t have access to the Store, it may not be that straightforward to install the fixed universal app for all users of a Windows 10 computer.

If the computer is not vulnerable, the script reports “Current Microsoft.DesktopAppInstaller appx version is not vulnerable”.
If it installed the required patched universal app, it’ll say “Successfully provisionned Microsoft.DesktopAppInstaller”.
You can run the code in a scheduled task running under the System account. Any user who has an interactive session open will get the new Appx in their account.
If there’s a local user profile but the user is not logged on, that user will automatically get the updated appx after an interactive logon.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding()]
Param()
Begin {}
Process {
    # Only act when the installed package is older than the fixed version
    if ([version]'1.16.13405.0' -gt [version](Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue).Version) {
        $zip = (Join-Path -Path $env:TEMP -ChildPath 'Microsoft.DesktopAppInstaller_1.16.13405.0_8wekyb3d8bbwe.zip')
        $zipFolder = "$($zip -replace '\.zip$','')"
        # Download the offline package unless a copy is already in %TEMP%
        if (-not(Test-Path -Path $zip)) {
            $HT = @{
                Uri = 'https://download.microsoft.com/download/6/6/8/6680c5b1-3fbe-4b70-8189-90ea08609563/Microsoft.DesktopAppInstaller_1.16.13405.0_8wekyb3d8bbwe.zip'
                UseBasicParsing = $true
                ErrorAction = 'Stop'
                OutFile = $zip
            }
            try {
                Invoke-WebRequest @HT
            } catch {
                Write-Warning -Message "Failed to download zip because $($_.Exception.Message)"
            }
        }
        if (Test-Path -Path $zip) {
            # Integrity check: the SHA256 of the zip must match the expected value
            if ((Get-FileHash -Path $zip -Algorithm SHA256).Hash -eq 'e79cea914ba04b953cdeab38489b3190fcc88e566a43696aaefc0eddba1af6ab' ) {
                try {
                    Expand-Archive -Path $zip -DestinationPath (Split-Path $zipFolder -Parent) -Force -ErrorAction Stop
                } catch {
                    Write-Warning -Message "Failed to unzip because $($_.Exception.Message)"
                }
                # Authenticity check: continues when at least one extracted item
                # (XML files excluded) has a 'Valid' Authenticode signature
                if ('Valid' -in (Get-ChildItem -Path "$($zipFolder)\*" -Include * -Recurse -Exclude '*.xml' | Get-AuthenticodeSignature |
                        Select-Object -ExpandProperty Status | Sort-Object -Unique)
                ) {
                    $HT = @{
                        Online = $true
                        PackagePath = Join-Path -Path $zipFolder -ChildPath 'Microsoft.DesktopAppInstaller_1.16.13405.0_8wekyb3d8bbwe.msixbundle'
                        SkipLicense = $true
                        ErrorAction = 'Stop'
                    }
                    try {
                        # Provision the bundle in the running image so every user receives it
                        $r = Add-AppxProvisionedPackage @HT
                        if ($r.Online) {
                            Write-Verbose 'Successfully provisionned Microsoft.DesktopAppInstaller' -Verbose
                        }
                    } catch {
                        Write-Warning -Message "Failed to install Appx because $($_.Exception.Message)"
                    }
                }
            } else {
                Write-Warning -Message "Downloaded zip file thumbprint (SHA256) doesn't match"
            }
        } else {
            Write-Warning -Message "Zip file $($zip) not found"
        }
    } else {
        Write-Verbose -Message 'Current Microsoft.DesktopAppInstaller appx version is not vulnerable' -Verbose
    }
}
End {}
```

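
To check the per-user behaviour described above (logged-on users get the new Appx immediately, other profiles after their next interactive logon), the following added example, which is not part of the original post, lists the provisioned copy and the copy registered for each user and flags anything older than 1.16.13405.0. It assumes an elevated Windows PowerShell session; `$name`, `$fixed` and `$report` are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit where the fixed package has landed.
$name  = 'Microsoft.DesktopAppInstaller'
$fixed = [version]'1.16.13405.0'   # fixed version installed by the script on this page

# Provisioned copy in the running image (what Add-AppxProvisionedPackage -Online writes)
$report = @(Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $name |
    ForEach-Object {
        [pscustomobject]@{
            Scope   = 'Provisioned'
            User    = '(image)'
            Version = [version]$_.Version
            State   = 'n/a'
        }
    })

# Copies registered per user; one package version can be listed for several users
$report += @(Get-AppxPackage -AllUsers -Name $name | ForEach-Object {
    $pkg = $_
    foreach ($u in $pkg.PackageUserInformation) {
        [pscustomobject]@{
            Scope   = 'User'
            User    = $u.UserSecurityId.Username
            Version = [version]$pkg.Version
            State   = $u.InstallState
        }
    }
})

# Flag every entry that is still below the fixed version
$report |
    Select-Object *, @{ n = 'Vulnerable'; e = { $_.Version -lt $fixed } } |
    Sort-Object Scope, User |
    Format-Table -AutoSize

if (-not ($report | Where-Object Scope -eq 'Provisioned')) {
    Write-Warning "No provisioned copy of $name was found in the running image"
}
if ($report | Where-Object { $_.Scope -eq 'User' -and $_.Version -lt $fixed }) {
    Write-Warning "At least one user still has a version of $name older than $fixed"
}
```

Users who have not logged on since provisioning can still appear with the older version; rerun the audit after their next interactive logon.
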
Hello,
How did you get the download location below?
Uri = ‘https://download.microsoft.com/download/6/6/8/6680c5b1-3fbe-4b70-8189-90ea08609563/Microsoft.DesktopAppInstaller_1.16.13405.0_8wekyb3d8bbwe.zip’
It should help to patch offline a similar problem with March 2022 store appx vulnerabilities CVE-2022-24451 and CVE-2022-24453.

Hello,
I found it on the page https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890 in the FAQ section.
Just too bad they didn’t disclose the URL for CVE-2022-24451 and CVE-2022-24453.
According to their KBs https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24451 and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24453, only Volume Licensing customers can get a direct download for offline patching.

Thanks for your response.