This week is all about access to the Microsoft Store. And more specifically, about a single policy setting to potentially turn off access to the Microsoft Store. Many organizations struggle with the Microsoft Store on Windows devices, because the Microsoft Store enables users to install apps in their profile that aren’t necessarily work related. That brings organizations to a crossroads. For organizations that decide to block access to the Microsoft Store, different options were already available. So far, the most effective methods were to either configure Windows to show the private store only, or to use AppLocker. None of those methods, however, was both complete and simple. Often it was still possible to use winget to install apps, or the configuration would get more complex. That has now changed, as Microsoft has (re)introduced a policy setting that will block access to the Microsoft Store application and to Microsoft Store apps via winget. This post will provide more information about that setting, the configuration of that setting, and the user experience after applying the configuration.
Note: The intention of this post is not to discuss whether or not to provide access to the Microsoft Store. This post is purely focussed on providing a technical capability to address an often-heard question.
Configuring the access to the Microsoft Store application
When looking at configuring access to the Microsoft Store, Microsoft recently (re)introduced the Turn off the Store application policy setting. In name, that policy setting has already existed for a while. In functionality, that setting now does more than just block access to the Microsoft Store application. That setting now also blocks access to the Microsoft Store via winget. And on top of all that, this setting still allows the built-in Windows apps to update and still allows Microsoft Intune to install Microsoft Store apps, by using the Microsoft Store app (new) type. That app type uses the Intune Management Extension for the installation.
With the functionality of the policy setting clear, it’s time to have a look at the configuration options. The most important and useful configuration option is the Settings Catalog profile in Microsoft Intune. The Settings Catalog contains the settings that are available via the WindowsStore.admx. That means that those settings are ADMX-backed and directly available for use. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to block the Microsoft Store application, by using the mentioned policy setting.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
  - Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
  - Name: Provide a name for the profile to distinguish it from other similar profiles
  - Description: (Optional) Provide a description for the profile to further differentiate profiles
  - Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
  - Click Add settings and perform the following in Settings picker
    - Select Administrative Templates as category
    - Select Windows Components > Store as subcategory
    - Select Turn off the Store application as setting
  - Switch the slider with Turn off the Store application to Enabled and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: This configuration is just an example for this specific policy setting. This policy setting can also be part of any Settings Catalog profile that’s already in use within the tenant.
Experiencing the access to the Microsoft Store
After the configuration is applied, it’s really easy to experience the behavior as a standard user. When the user starts the Microsoft Store application, the user will receive the message Microsoft Store is blocked (as shown below in Figure 2). When the user now starts any shell to use winget, the user will still be able to search for apps but won’t be able to actually install the apps (as shown below in Figure 2). Besides that, there is also a nice addition for newly installed devices. On those devices, the Microsoft Store application will automatically be removed from the Taskbar.
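Besides the user experience, the result can also be checked on the device itself. The following script is an added example, not part of the original post. It assumes that the setting is reflected in the registry value RemoveWindowsStore under the WindowsStore policy key, as defined by the Group Policy template in WindowsStore.admx; the function name Get-StorePolicyState is made up for this example.

```powershell
# Added example: check whether "Turn off the Store application" has landed on this device.
# Assumption: key path and value name come from WindowsStore.admx, not from the post.
$ValueName = 'RemoveWindowsStore'
$Scopes = [ordered]@{
    Device = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    # The User scope is only meaningful when the script runs in the user's context.
    User   = 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'
}

function Get-StorePolicyState {
    param(
        [System.Collections.IDictionary]$Paths,
        [string]$Name
    )
    foreach ($scope in $Paths.Keys) {
        $raw = $null
        # A missing key means the policy was never written for this scope.
        $key = Get-Item -LiteralPath $Paths[$scope] -ErrorAction SilentlyContinue
        if ($key) { $raw = $key.GetValue($Name, $null) }
        [pscustomobject]@{
            Scope   = $scope
            Path    = $Paths[$scope]
            Value   = $raw
            Blocked = ($raw -eq 1)   # 1 = policy enabled
        }
    }
}

$state = Get-StorePolicyState -Paths $Scopes -Name $ValueName
$state | Format-Table -AutoSize | Out-String | Write-Output

# Exit 0 when the block is in place for at least one scope, 1 otherwise,
# so the script can double as a detection script.
if ($state.Blocked -contains $true) {
    Write-Output 'Turn off the Store application: applied'
    exit 0
}
Write-Output 'Turn off the Store application: NOT applied'
exit 1
```

A missing key or a value other than 1 is reported as not applied, which also catches devices where the profile is assigned but has not synchronized yet.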
Note: To configure the other applications that can be installed via winget, please refer to this post: Configuring Windows Package Manager – All about Microsoft Intune (petervanderwoude.nl)
For more information about managing the Microsoft Store, refer to the following docs.