Windows 10 and the Microsoft Store

A screenshot of a video game

Many companies would like to turn off the Microsoft Store so that not everyone installs “Netflix” or “Ages of Empires” on their corporate device. There are many ways, but which one is the right one, that depends. The risk exists that if the store is deactivated incorrectly, the integrated apps (for example the calculator or the photo app) will not receive any updates. However, there are a few basics that need to be clarified before you can get started.

Microsoft Store vs. Store4Business

Actually there are two stores at Microsoft, both use the same app. The normal store is intended for private individuals. Here you can find all apps and games and the licenses are attached to a private Microsoft account (Live-ID). The “store 4 business” is intended for companies. For this, the employee must be logged in with his company account. Company account in this context means an Azure-AD ID, no matter if it is with AD-Sync or a pure online ID. But this also means that without Azure-AD there is no company store.

Advertisements

Why a corporate store

There are a few reasons that speak for a corporate store. The most important are subjects like:

  • Control of applications
  • license management
  • Easier administration

Especially the topic of license management is important. For the Normal Store, the licenses are linked to the personal accounts of the employees. If they leave the company, they take the licenses with them. With a company store, the license is linked to company identity and can be reassigned by the administrator.

Application control is also important for IT. Not every company wants games or software that is not necessary for corporate purposes installed on the devices.

Problems if the store is disabled incorrectly

In the web, you will find various instructions for deactivating the store. From removing the store app from the WIM or OS with PowerShell commands, or blocking the store application with AppLocker or the Windows Firewall. There are many other variations, but why not just block the store?

The problem is that the Modern Apps can only be updated via the Store or Windows Updates for Business, not via existing software management solutions or WSUS. Therefore there is a danger that security vulnerabilities will not be fixed.

Variants of disabling the Microsoft Store

But how can you disable the store now? There are different variations, depending on what the target is.

Use Store 4 Business only

This is the right attitude for companies that want to use Store 4 Business. However, if no SSO is configured, there is a risk that employees will log on with another company ID. Especially for students there is the danger that they will log in with a university ID. The faculties that use Azure-AD, for example for Office365, have a compatible ID to the company ID.

This method does not prevent the apps from being updated via the store.

Window Store at startup with "Show only private store in Microsoft Store" policy enabled
Window Store at startup with “Show only private store in Microsoft Store” policy enabled
Window Store after logon with "Show only private store in Microsoft Store" policy enabled
Window Store after logon with “Show only private store in Microsoft Store” policy enabled

Settings over group policy

Computer Configuration > Policies > Administrative templates > Windows Components > Store > View Private Store Only in Microsoft Store

Alternatively, this can also be done in the user context

User Configuration > Policies > Administrative Templates > Windows Components > Store > View Private Store Only in Microsoft Store

Settings over registry

Computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly REG_DWORD 1

User:

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly REG_DWORD 1

Deactivating the store

The general shutdown of the store is a bit more complicated. The apps can only be updated if this setting is configured user-based. If the policy is enabled in the computer configuration, no application updates can be done.

SETTING VIA GROUP POLICY

Computer Configuration > Policies > Administrative templates > Windows Components > Store > Disable Store application

Alternatively, this can also be done in the user context. This is my recommendation if you want to disable the store.

User Configuration > Policies > Administrative templates > Windows Components > Store > Disable Store application

Setting over Registry

Computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore REG_DWORD 1

User:

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore REG_DWORD 1

Further settings around the Microsoft Store

Disable automatic download and installation of updates

Normally, the user can control if apps are updated automatically. If Central IT wants to make the decision, then this is the right setting.

View the Microsoft Store after disabling automatic app updates with the policy "Disable automatic download and installation of updates".
View the Microsoft Store after disabling automatic app updates with the policy “Disable automatic download and installation of updates”.
View the Microsoft Store after enabling automatic app updates with the policy "Disable automatic download and installation of updates".
View the Microsoft Store after enabling automatic app updates with the policy “Disable automatic download and installation of updates”.

SETTING VIA GROUP POLICY

Computer Configuration > Policies > Administrative Templates > Windows Components > Store > Disable automatic download and installation of updates

SETTINGS VIA REGISTRY

Disable:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload REG_DWORD 2

Enable:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload REG_DWORD 4

Disable access to the store

An attitude that is very promising at first view. Unfortunately, this changes when you read the description.

“This policy setting determines whether to use the Store service to find an application for opening a file with an unknown file association.

Source: Microsoft Group Policy
Screenshot when opening unknown file extensions before activating the policy "Disable access to the store".
Screenshot when opening unknown file extensions before activating the policy “Disable access to the store”.
Screenshot when opening unknown file extensions after activating the policy "Disable access to the store".
Screenshot when opening unknown file extensions after activating the policy “Disable access to the store”.

SETTING VIA GROUP POLICY

Computer Configuration > Policies > Administrative Templates > System > Internet Communications Management > Internet Communications Settings > Accessing the Store

SETTINGS VIA REGISTRY

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith REG_DWORD 1

Disable all apps from Microsoft Store (Enterprise Edition required)

“If you disable this setting, all pre-installed or downloaded Microsoft Store apps will be prevented from starting. The apps will not update and the store will be disabled. When you enable the setting, all options are enabled again. This setting applies only to the Enterprise and Education editions of Windows”.

Source: Microsoft Group Policy

The policy must be deactivated so that the setting becomes active.

It is also important to note that this also applies to the pre-installed applications such as the calculator, maps and the photo app. The Microsoft Edge Browser is not affected.

Screenshot when starting apps after activating the policy "Disable all apps from Microsoft Store".
Screenshot when starting apps after activating the policy “Disable all apps from Microsoft Store”.

SETTING VIA GROUP POLICY

Computer Configuration > Policies > Administrative templates > Windows Components > Store > Disable All Apps from the Microsoft Store

SETTINGS VIA REGISTRY

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\DisableStoreApps REG_DWORD 1

Important notes

  • Test the settings. Especially if you have handled the Microsoft Store differently before. Also, test whether the settings still work after a release change.
  • Check if the updates are really applied.
  • Keep in mind that some settings are only effective with the Enterprise Edition. Even though they may work with a Professional release, they may not work at all. It’s been done before. Please read our article: “Choosing the right Windows 10 Edition“.

This article first appeared on Infrastrukturhelden.de in German.

This article is a translation of the Infrastrukturhelden.de article “Windows 10 und der Microsoft Store” (Published – 2019-04-16). Links may refer to other Infrastrukturhelden.de articles, these may also be available in English language.

Also it can be, that I still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.

Advertisements

Author: Fabian Niesen

Fabian Niesen has been working as an IT consultant for years. Here he writes privately and independently of his employer. Among others he is certified as MCSA Windows Server 2008 / 2012, MCSA Office 365, MCSA Windows 10, MCSE Messaging, MCT and Novell Certified Linux Administrator. Since 2016 he is also MCT Regional Lead for Germany. His hobbies are social media, blogging, medieval markets, historical songs and house building.

Leave a Reply

Your email address will not be published. Required fields are marked *