Notepad vulnerabilties reported in our 100s of VMs because of notepad update is being in staging

Hello,

What you are seeing is a Windows AppX package management issue with Notepad, specifically where one version is fully installed (11.2508.38.0) and a newer version (11.2510.14.0) is stuck in the staged state across multiple VMs. A reboot does not clear staged packages because the AppX deployment pipeline requires either a commit or a cleanup of the staged package.

The proper way to resolve this is to force the staged package to complete installation or remove the staged copy so that the system can reattempt the update. On one of the affected machines, open PowerShell as Administrator and run:

Get-AppxPackage -Name Microsoft.WindowsNotepad -AllUsers

This will confirm both the installed and staged versions. To clear the staged package, run:

Remove-AppxPackage -Package Microsoft.WindowsNotepad_11.2510.14.0_x64__8wekyb3d8bbwe -AllUsers

If you want to force the update to complete instead of removing it, use:

Add-AppxPackage -Register "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2510.14.0_x64__8wekyb3d8bbwe\AppxManifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown

After this, check again with Get-AppxPackage to ensure only one version remains. If you remove the staged package, Windows Update or the Microsoft Store will push the newer version again, but this time it should install cleanly.

For environments with hundreds of VMs, you should script this cleanup using PowerShell Remoting or Intune/Configuration Manager so that the staged package is either removed or committed across all machines. The key point is that leaving both installed and staged versions causes vulnerability scanners to flag the package because the staged copy is not patched or usable.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

Domic Vo.

The behavior is caused by multiple versions of the modern Notepad app (Appx/MSIX) co‑existing in different states (Installed vs Staged) across user profiles. This matches the documented case where modern apps are reported as vulnerable because not all users are on the same version.

To remediate at scale, use one of these supported approaches.

1. Identify all users and versions on a VM Run in an elevated PowerShell session:

Get-AppxPackage Microsoft.WindowsNotepad -AllUsers

This shows, per VM, which users have 11.2508.38.0 installed and which have 11.2510.14.0 staged/installed.

2. Method 1 – Ensure the app is updated for all users For each VM:
3. From the Get-AppxPackage output, note the user SIDs that still have the old version (11.2508.38.0) installed.
4. Have those users sign in to that VM at least once (or reconnect via your session management solution). When a user signs in, the modern app registration completes and the newer package version is applied for that profile.
5. After all relevant users have signed in and the Store/updates have run, re‑run:

      Get-AppxPackage Microsoft.WindowsNotepad -AllUsers
   

   Confirm only the latest version remains for all users.

This method is appropriate if the app must remain available for all users and the goal is to clear the vulnerability report by aligning everyone on the latest version.

3. Method 2 – Remove old Notepad packages for all users If removing the old version is acceptable:
4. List all Notepad packages and users:

      Get-AppxPackage Microsoft.WindowsNotepad -AllUsers
   

5. If Notepad is provisioned in the image, list provisioned packages:

      Get-AppxProvisionedPackage -Online | 
        Format-Table DisplayName, PackageName
   

   If Microsoft.WindowsNotepad appears, it is provisioned for new users.
6. Remove the old Notepad package for all users on that VM (replace the version string if needed):

      Get-AppxPackage Microsoft.WindowsNotepad -AllUsers |
        Where-Object { $_.Version -eq [version]'11.2508.38.0' } |
        Remove-AppxPackage -AllUsers
   

7. If provisioned, remove the old provisioned package from the image so new profiles do not get it:

      Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'Microsoft.WindowsNotepad' } |
        Remove-AppxProvisionedPackage -Online
   

Repeat this via your management tooling (e.g., script, configuration management) across all affected VMs.

4. Method 3 – Remove stale user profiles that hold old versions If some SIDs correspond to users who no longer use those VMs, deleting those profiles removes their app registrations and associated older Notepad versions:

• Use standard profile cleanup methods (Group Policy/CSP or manual deletion) as documented, then rescan.

5. Verification After applying one of the methods on a VM:
6. Re‑run the vulnerability scan, or
7. Check C:\Program Files\WindowsApps for Notepad folders and confirm only the desired version remains. If direct access is blocked, copy the folder to another location and inspect there.

Apply the same scripted process across all VMs to normalize Notepad to a single version per machine and clear the vulnerability findings.

References:

• Modern apps or application packages are reported as vulnerable due to multiple versions