Winget --scope machine not working for appx applications

[Vicent8899]

Brief description of your issue

Installing Appx applications with Winget in a machine --scope machine context does not work. We want to install it for all users of a machine Windows 10 22H2.

For instance when trying to install the appx smapone app

Winget install smapone --scope machine

We enabled debug logging and we got this result:

023-08-24 14:49:39.371 [CLI ] Device wide install for msstore type is not supported under admin context.
2023-08-24 14:49:39.371 [CLI ] Terminating context: 0x8a150113 at D:\a_work\1\s\external\pkg\src\AppInstallerCLICore\Workflows\MSStoreInstallerHandler.cpp:b7

Despite the error in the logs the scope machine for Winget required admin rights.

At the moment we are installing it like this, but it does not install for all users.
winget install $app --verbose --accept-source-agreements --accept-package-agreements --silent

Your help is appreciated.

Steps to reproduce

For instance when trying to install the appx smapone app
Winget install smapone --scope machine
results in error
023-08-24 14:49:39.371 [CLI ] Device wide install for msstore type is not supported under admin context.
2023-08-24 14:49:39.371 [CLI ] Terminating context: 0x8a150113 at D:\a_work\1\s\external\pkg\src\AppInstallerCLICore\Workflows\MSStoreInstallerHandler.cpp:b7

Expected behavior

The expected behavior is that the appx application should install for all users under the machine scope.

Actual behavior

We are failing to install the appx package under the machine scope.

Environment

WinGet, version [1.5.1881]
OS: Windows.Desktop v10.0.19045.3324
Package: Microsoft.DesktopAppInstaller v1.20.1881.0

[Trenly]

Looking at the code, I see this comment:

// TODO: There was a bug in InstallService where admin user is incorrectly identified as not admin,
// causing false access denied on many OS versions.
// Remove this check when the OS bug is fixed and back ported.

Tracing back, it was initially added by @yao-msft in this PR -

• Block msix provisioning api calls where known OS bugs exist #2855

In this case, based on the code, the expected behavior is that the appx application should be blocked from install under the machine scope until the OS bugs have been fixed.

[bthorpkt]

This should provision AppX Packages system wide so all users get them w/ registrations so they appear in the users space and for uninstall 'unprovision the appx package'

[gabrielgbs97]

You can install machine wide apps with current OS APIs. See Add-AppxProvisionedPackage, it installs an Appx as part of windows image, at next login or new user login, they will register it. If there is an update, the app may update an re-registered by store/PMAPI in user context.

Winget should perform equivalent functionality to add-appxprovisionedpackage when performing machine install of modern apps.

[bthorpkt]

Here is what we expect winget to do, but it falls completely short of being able to do:

1. Run as system to install MSSTORE Appx and MSIX files system wide as-is with the --scope machine flag [and do the below]
2. when running as system, download the source files, if it needs to some temp location (this also fails when you do a download in winget because.... for some odd reason needs to auth to Entra ID WITH some sketchy rights (https://www.deploymentresearch.com/using-winget-to-download-microsoft-store-applications/) so you have to hop into userspace with a user on your tenant to pull the files if you're trying to script this all out which I am
3. As @gabrielgbs97 notes, provision the appx or msix as a system level app, which will register with each user on the system thus being "system installed"

The core reasons for this are the Store for Business being pulled and support for WSFB being pulled from SCCM. We manage machines that are multi-user and don't want 50 or 100 copies of the apps installed on machines for each user and prefer the app be system provisioned and registered for each user instead.

We also want to ensure apps on machines are up to date from the store by forcing a winget update on all of them, even the Out Of Box apps such as Notepad or MSPaint.

There are a ton of people apparently trying to do this or similar via PowerShell per https://techcommunity.microsoft.com/t5/windows-it-pro-blog/use-winget-1-8-to-download-microsoft-store-apps/ba-p/4204522

[github-account1111]

Maybe Microsoft should make Store apps installable system-wide instead of duplicating a copy of the same app for every user. That was a weird decision to begin with and is wasteful at best. No other OS does this, mobile or desktop.