Easily removing access to the Microsoft Store

by

This week is all about access to the Microsoft Store. And more specifically, about a single policy setting to potentially turn of access to the Microsoft Store. Many organizations struggle with the Microsoft Store on Windows devices, because the Microsoft Store enables users to install apps in their profile that aren’t necessarily work related. That brings organization on a crossroad. When an organization decides to block access to the Microsoft Store, there were already different options available. So far, the most effective methods were to either configure Windows to show the private store only, or to use AppLocker. None of those methods, however, would be complete and simple. Often it was still possible to use winget to still install apps, or the configuration would get more complex. That now has changed, as Microsoft has (re)introduced a policy setting that will block access to Microsoft Store application and to Microsoft Store apps via winget. This post will provide more information about that setting, the configuration of that setting, and the user experience after applying the configuration.

Note: The intention of this post is not to discuss providing access to the Microsoft Store, or not. This post is purely focussed on providing a technical capability to address an often heard question.

Configuring the access to the Microsoft Store application

When looking at configuring access to the Microsoft Store, Microsoft recently (re)introduced the Turn off the Store application policy setting. In name that policy setting already existed for a while. In functionality that setting now does more than just blocking access to the Microsoft Store application. That setting now also blocks access to the Microsoft Store via winget. And on top of all that, this setting still allows the built-in Windows apps to update and still allows Microsoft Intune to install Microsoft Store apps, by using the Microsoft Store app (new) type. That uses the Intune Management Extension for the installation.

When being familiar with the functionalities of the policy setting, it’s time to have a look at the configuration options. The most important and useful configuration option is by using the Settings Catalog profile in Microsoft Intune. The Settings Catalog contains the settings that are available via the WindowsStore.admx. That means that those settings are ADMX-backed and directly available for use. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to block the Microsoft Store application, by using the mentioned policy setting.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
  • Profile: Select Settings catalog to select the required setting from the catalog
  1. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: (Greyed out) Windows 10 and later
  1. On the Configuration settings page, as shown below in Figure 1, perform the following actions
  • Click Add settings and perform the following in Settings picker
    • Select Administrative Templates as category
    • Select Windows Components > Store as subcategory
    • Select Turn off the Store application as setting
  • Switch the slider with Turn off the Store application to Enabled and click Next
Figure 1: Overview of configuring turning off the Store
  1. On the Scope tags page, configure the required scope tags and click Next
  2. On the Assignments page, configure the assignment and click Next
  3. On the Review + create page, verify the configuration and click Create

Note: This configuration is just an example for this specific policy setting. This policy setting can also be part of any Settings Catalog profile that’s already in use within the tenant.

Experiencing the access to the Microsoft Store

After the configuration is applied, it’s really easy to experience the behavior as a standard user. When the user starts the Microsoft Store application, the user will receive the message Microsoft Store is blocked (as shown below in Figure 2). When the user now starts any shell to use winget, the user will still be able to search for apps but won’t be able to actually install the apps (as shown below in Figure 2). Besides that, there is also a nice addition for newly installed devices. On those devices, the Microsoft Store application will automatically be removed from the Taskbar.

Figure 2: Overview of the user experience with access to the Store turned off

Note: To configure the other applications that can be installed via winget, please refer to this post: Configuring Windows Package Manager – All about Microsoft Intune (petervanderwoude.nl)

More information

For more information about managing the Microsoft Store, refer to the following docs.

21 thoughts on “Easily removing access to the Microsoft Store”

  1. Hi Peter, Hi Folks!
    “..intention .. is not to discuss providing access to the Microsoft Store, or not.”
    But let me please ask a quick question: Back in the days i didn’t advice >most< customers to block the store without thinking about the downsides, e.g. how to handle updates of the built-in apps or installing languages via store. Is this behavior still current today?

    Reply

    • Hi Patrick,
      This does enable you to update the built-in apps. However, that something is possible is not a reason to do it. So, the behavior changed, but that doesn’t mean that the discussion should change.
      Regards, Peter

      Reply
  2. Pingback: Microsoft Roadmap, messagecenter en blogs updates van 13-09-2023 - KbWorks

  3. The policy states “Access to the Store is required for installing app updates”.

    Ok, built-in apps will be updated, I guess apps distributed with Intune will be updated as well when enabling this configuration?

    Reply
  4. Pingback: The latest technology news Week 37-2023 - ivobeerens.nl
  7. Pingback: Intune Newsletter - 15th September 2023 - Andrew Taylor

  8. Is this only for Windows Enterprise or does it apply to Windows 10/11 Professional as well? It’s unfortunately not that clear on websites.

    Thank you for your guide!

    Reply

  9. Okay nevermind: The MS Docs is not that good.
    In the table they say: Supported on all OS, in the text box they say: Only on Enterprise.. 😀

    And:Below the setting they say: “Access to the Store is required for installing app updates.”
    Strange…

    Reply

      • Thank you very much for making this a bit clearer.
        But can you explain the logic behind the ms docs CSP?
        In this example the setting “RemoveWindowsStore_2” from the ADMX_WindowsStore states (in the table) that all Editions are marked with a green checkmark. I thought, that this means, this setting should be made throught device scope and is applicable for all marked OS versions.
        (In the lilac textbox they say it is only supported on enterprise and education)

        Very confusing. 🙁

        Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.