Windows 8 was the first of Microsoft’s OSes to debut the Microsoft Store – Microsoft’s very own app store that allows users to locate and install applications from within their walled-garden, free from malware and always updated, while accounting for software purchases through the user’s account.
However, Windows 10 was the first to implement security features, delivered through Group Policy extensions, that manage how devices can access, interface with, and install apps from the Microsoft Store, in an effort to secure devices against unauthorized apps and their use.
Since needs vary from one organization to the next, there are multiple avenues available: block native apps from being launched, restrict access to Microsoft Store apps, or point the Store at a private store that is managed by IT and provides access only to apps that the organization has made available to users.
Just a quick note about managing the Microsoft Store through Group Policy: this requires Windows 10 Education or Enterprise, build 1607 or newer, as those versions use the updated ADMX templates.
Prevent users from launching Microsoft Store apps
- Launch Group Policy Management Console (GPMC).
- Navigate to the Computer Configuration | Administrative Templates | Windows Components | Store node.
- Locate the “Disable all apps from the Windows Store” policy and double-click to open it. Select the radio-button next to Enabled, then click the OK button to enable the policy. This will disable any application(s) installed from the Microsoft Store and will not allow them to run, though it will not remove them from the system.
Disable the Microsoft Store
- In the same GPMC node above in step #2, locate the “Turn off the Store application” policy and double-click to open it. Select the radio-button next to Enabled, then click the OK button to enable the policy. This will disable the Microsoft Store completely, making it inaccessible to users.
Allow only the private store to be accessed
- To restrict user access to a private store managed by IT, the organization must first have established an account with the Microsoft Store for Business or Education and have published applications to the store.
- In the same GPMC node above in step #2, locate the “Only display the private store within the Windows Store app” policy and double-click to open it. Select the radio-button next to Enabled, then click the OK button to enable the policy. This will direct users to the private store instead of the publicly available catalog, allowing them to only download private store apps.
Disable specified applications using AppLocker
- Launch GPMC and navigate to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker.
- Right-click on Packaged App Rules and click on Create New Rule.
- The wizard will open; click the Next button.
- In the Permissions section, use the Select… button to locate the name of a user or security group you wish to apply the permission to and select the radio-button next to Allow or Deny to set the correct action that should be applied. Click the Next button to continue.
- In the Publisher section, you can use the Browse… button to locate the app to configure by using the Select… button to Use an installed packaged app as a reference, or template for the rule. Click the Next button to proceed.
- The next section, Exceptions, is optional to configure. It allows IT to set up any exception(s) to the rule by using the Add… button to stipulate certain versions of applications, or to further restrict them by a setting, such as Publisher, Version, or Package Name. Click Next to continue.
- In the Name section, enter a Name and optional Description of the newly configured rule, then press the Create button to add it to AppLocker for enforcement.
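One way to confirm on a client that the settings above actually took effect, added here as an example and not part of the original article. It assumes an elevated PowerShell 5.1 session on a machine that has already refreshed Group Policy; the registry value names are the ones the Store administrative template writes.

```powershell
# Added example: audit the three Store policies and the AppLocker packaged app rules.
# Assumption: run elevated on a Windows 10 Enterprise/Education client after gpupdate.
$storeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$storePolicies = [ordered]@{
    DisableStoreApps        = 'Disable all apps from the Windows Store'
    RemoveWindowsStore      = 'Turn off the Store application'
    RequirePrivateStoreOnly = 'Only display the private store within the Windows Store app'
}

# A missing key or value means the GPO never reached this machine.
$values = Get-ItemProperty -Path $storeKey -ErrorAction SilentlyContinue
$storeReport = foreach ($name in $storePolicies.Keys) {
    $prop  = if ($values) { $values.PSObject.Properties[$name] }
    $state = if (-not $prop) { 'Not configured' } elseif ($prop.Value -eq 1) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{ Policy = $storePolicies[$name]; RegistryValue = $name; State = $state }
}
$storeReport | Format-Table -AutoSize

# Packaged App Rules are stored as the 'Appx' rule collection of the effective policy.
[xml]$applocker = Get-AppLockerPolicy -Effective -Xml
$appx = $applocker.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Appx']")
if (-not $appx) {
    'No packaged app rule collection in the effective AppLocker policy.'
} else {
    "Packaged app rules enforcement mode: $($appx.GetAttribute('EnforcementMode'))"
    $appx.SelectNodes('FilePublisherRule') | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.GetAttribute('Name')
            Action  = $_.GetAttribute('Action')
            Sid     = $_.GetAttribute('UserOrGroupSid')
            Package = $_.SelectSingleNode('Conditions/FilePublisherCondition/@ProductName').Value
        }
    } | Format-Table -AutoSize
}

# AppLocker only enforces rules while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

An enforcement mode of AuditOnly means the packaged app rules are being logged rather than blocking anything, and a stopped AppIDSvc means no AppLocker rule is enforced at all.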