This week is all about access to the Microsoft Store. And more specifically, about a single policy setting to potentially turn off access to the Microsoft Store. Many organizations struggle with the Microsoft Store on Windows devices, because the Microsoft Store enables users to install apps in their profile that aren’t necessarily work related. That brings organizations to a crossroads. When an organization decides to block access to the Microsoft Store, there were already different options available. So far, the most effective methods were to either configure Windows to show the private store only, or to use AppLocker. None of those methods, however, would be complete and simple. Often it was still possible to use winget to install apps, or the configuration would get more complex. That has now changed, as Microsoft has (re)introduced a policy setting that will block access to the Microsoft Store application and to Microsoft Store apps via winget. This post will provide more information about that setting, the configuration of that setting, and the user experience after applying the configuration.
Note: The intention of this post is not to discuss providing access to the Microsoft Store, or not. This post is purely focused on providing a technical capability to address an often-heard question.
Configuring the access to the Microsoft Store application
When looking at configuring access to the Microsoft Store, Microsoft recently (re)introduced the Turn off the Store application policy setting. In name, that policy setting has already existed for a while. In functionality, that setting now does more than just block access to the Microsoft Store application. That setting now also blocks access to the Microsoft Store via winget. And on top of all that, this setting still allows the built-in Windows apps to update and still allows Microsoft Intune to install Microsoft Store apps, by using the Microsoft Store app (new) type. That uses the Intune Management Extension for the installation.
With the functionality of the policy setting covered, it’s time to have a look at the configuration options. The most important and useful configuration option is the Settings Catalog profile in Microsoft Intune. The Settings Catalog contains the settings that are available via the WindowsStore.admx. That means that those settings are ADMX-backed and directly available for use. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to block the Microsoft Store application, by using the mentioned policy setting.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
  - Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
  - Name: Provide a name for the profile to distinguish it from other similar profiles
  - Description: (Optional) Provide a description for the profile to further differentiate profiles
  - Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
  - Click Add settings and perform the following in Settings picker
    - Select Administrative Templates as category
    - Select Windows Components > Store as subcategory
    - Select Turn off the Store application as setting
  - Switch the slider with Turn off the Store application to Enabled and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: This configuration is just an example for this specific policy setting. This policy setting can also be part of any Settings Catalog profile that’s already in use within the tenant.
Experiencing the access to the Microsoft Store
After the configuration is applied, it’s really easy to experience the behavior as a standard user. When the user starts the Microsoft Store application, the user will receive the message Microsoft Store is blocked (as shown below in Figure 2). When the user now starts any shell to use winget, the user will still be able to search for apps but won’t be able to actually install the apps (as shown below in Figure 2). Besides that, there is also a nice addition for newly installed devices. On those devices, the Microsoft Store application will automatically be removed from the Taskbar.
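To confirm on a device that the setting has actually landed, rather than relying only on the user experience, the policy value can be read from the registry. The following is an added example and not part of the original post. It assumes that WindowsStore.admx maps Turn off the Store application to the RemoveWindowsStore value under SOFTWARE\Policies\Microsoft\WindowsStore, which the post itself does not state, and Get-StorePolicyState is a hypothetical function name.

```powershell
# Added example, not from the original post.
# Assumption: WindowsStore.admx maps "Turn off the Store application" to the
# RemoveWindowsStore DWORD under SOFTWARE\Policies\Microsoft\WindowsStore.
function Get-StorePolicyState {
    [CmdletBinding()]
    param()

    $subKey    = 'SOFTWARE\Policies\Microsoft\WindowsStore'
    $valueName = 'RemoveWindowsStore'

    # The Windows edition is included because edition support for this
    # setting is a recurring question in the comments on the post.
    $edition = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # Check both the device (HKLM) and the user (HKCU) policy location.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null

        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$valueName }
        }

        # A value of 1 means the setting is Enabled (Store turned off).
        # A missing value means the setting is not configured in this scope.
        if ($null -eq $value) {
            $state = 'Not configured'
        } elseif ($value -eq 1) {
            $state = 'Enabled'
        } else {
            $state = "Not enabled (value $value)"
        }

        [pscustomobject]@{
            Edition = $edition
            Scope   = if ($hive -eq 'HKLM') { 'Device' } else { 'User' }
            Path    = $path
            State   = $state
        }
    }
}

Get-StorePolicyState | Format-Table -AutoSize
```

A device that reports Not configured in both scopes after a sync has not received the profile, which is worth checking before troubleshooting the Store or winget behavior itself.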
Note: To configure the other applications that can be installed via winget, please refer to this post: Configuring Windows Package Manager – All about Microsoft Intune (petervanderwoude.nl)
More information
For more information about managing the Microsoft Store, refer to the following docs.
Hi Peter, Hi Folks!
“..intention .. is not to discuss providing access to the Microsoft Store, or not.”
But let me please ask a quick question: Back in the days I didn’t advise >most< customers to block the store without thinking about the downsides, e.g. how to handle updates of the built-in apps or installing languages via store. Is this behavior still current today?
Hi Patrick,
This does enable you to update the built-in apps. However, that something is possible is not a reason to do it. So, the behavior changed, but that doesn’t mean that the discussion should change.
Regards, Peter
The policy states “Access to the Store is required for installing app updates”.
Ok, built-in apps will be updated, I guess apps distributed with Intune will be updated as well when enabling this configuration?
Hi Skaggake,
True. The description with the policy setting is not yet updated. Apps distributed via Intune should also be updated via Intune.
Regards, Peter
So you mean, even if the store is blocked, built-in apps will be updated nevertheless?
Correct, the built-in apps will still update.
Regards, Peter
..so the built in apps originating from MS Store will still update after disabling the Store app?
Correct, Eirik. Built-in apps will still update.
Regards, Peter
Is this only for Windows Enterprise or does it apply to Windows 10/11 Professional as well? It’s unfortunately not that clear on websites.
Thank you for your guide!
Hi Marcus,
According to the docs, only for Enterprise. See also: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsstore?WT.mc_id=EM-MVP-5001447#removewindowsstore_2
Regards, Peter
Hi Peter, could it be that you overlooked something? 😉
It is possible for Pro, Enterprise, Education, SE, …
🙂
Hi Patrick,
No, I didn’t forget. I deliberately didn’t mention it, as it’s always really confusing depending on the configuration path. When using this path via Intune, Windows Pro is not an option. See also: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsstore?WT.mc_id=EM-MVP-5001447#removewindowsstore_2
Regards, Peter
Okay, never mind: The MS Docs is not that good.
In the table they say: Supported on all OS, in the text box they say: Only on Enterprise.. 😀
And: Below the setting they say: “Access to the Store is required for installing app updates.”
Strange…
That matches a bit with what I just replied to your previous comment. It’s always confusing, depending on the configuration path.
Regards, Peter
Thank you very much for making this a bit clearer.
But can you explain the logic behind the ms docs CSP?
In this example the setting “RemoveWindowsStore_2” from the ADMX_WindowsStore states (in the table) that all Editions are marked with a green checkmark. I thought that this means this setting should be made through device scope and is applicable for all marked OS versions.
(In the lilac textbox they say it is only supported on enterprise and education)
Very confusing. 🙁
I wish I could explain that logic. The best would be to ask Microsoft.
Regards, Peter
I just applied the setting, hoping it would also block WinGet, but it doesn’t do that. Am I missing something?
Hi Nas,
This doesn’t completely block winget. This only makes sure that users can’t install apps of the Store anymore. No matter the channel used. To block winget, look at configuring the Windows Package Manager: https://petervanderwoude.nl/post/configuring-windows-package-manager/
Regards, Peter