Many companies would like to turn off the Microsoft Store so that not everyone installs “Netflix” or “Age of Empires” on their corporate device. There are many ways to do this, and which one is right depends on the goal. If the store is deactivated incorrectly, there is a risk that the integrated apps (for example the calculator or the photo app) will no longer receive updates. A few basics need to be clarified before you can get started.
Microsoft Store vs. Store4Business
Microsoft actually has two stores, and both use the same app. The normal store is intended for private individuals. Here you can find all apps and games, and the licenses are attached to a private Microsoft account (Live-ID). The “Store 4 Business” is intended for companies. To use it, the employee must be logged in with their company account. Company account in this context means an Azure-AD ID, no matter whether it is synchronized with AD-Sync or is a pure online ID. This also means that without Azure-AD there is no company store.
Why a corporate store
There are a few reasons that speak for a corporate store. The most important are:
- Control of applications
- License management
- Easier administration
License management is especially important. In the normal store, the licenses are linked to the personal accounts of the employees. If they leave the company, they take the licenses with them. With a company store, the license is linked to the company identity and can be reassigned by the administrator.
Application control is also important for IT. Not every company wants games or software that is not necessary for corporate purposes installed on the devices.
Problems if the store is disabled incorrectly
On the web, you will find various instructions for deactivating the store, ranging from removing the store app from the WIM or OS with PowerShell commands to blocking the store application with AppLocker or the Windows Firewall. There are many other variations, but why not just block the store?
The problem is that the Modern Apps can only be updated via the Store or Windows Update for Business, not via existing software management solutions or WSUS. There is therefore a danger that security vulnerabilities will not be fixed.
Variants of disabling the Microsoft Store
But how can you disable the store now? There are different variations, depending on what the target is.
Use Store 4 Business only
This is the right setting for companies that want to use Store 4 Business. However, if no SSO is configured, there is a risk that employees will log on with a different organizational ID. Students in particular may log in with a university ID: faculties that use Azure-AD, for example for Office 365, issue IDs that are compatible with the company ID.
This method does not prevent the apps from being updated via the store.
Settings via group policy
Computer Configuration > Policies > Administrative templates > Windows Components > Store > View Private Store Only in Microsoft Store
Alternatively, this can also be done in the user context
User Configuration > Policies > Administrative Templates > Windows Components > Store > View Private Store Only in Microsoft Store
Settings via registry
Computer:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly REG_DWORD 1
User:
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly REG_DWORD 1
Deactivating the store
The general shutdown of the store is a bit more complicated. The apps can only be updated if this setting is configured user-based. If the policy is enabled in the computer configuration, no application updates can be done.
SETTING VIA GROUP POLICY
Computer Configuration > Policies > Administrative templates > Windows Components > Store > Disable Store application
Alternatively, this can also be done in the user context. This is my recommendation if you want to disable the store.
User Configuration > Policies > Administrative templates > Windows Components > Store > Disable Store application
Setting via registry
Computer:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore REG_DWORD 1
User:
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore REG_DWORD 1
Further settings around the Microsoft Store
Disable automatic download and installation of updates
Normally, the user can control if apps are updated automatically. If Central IT wants to make the decision, then this is the right setting.
SETTING VIA GROUP POLICY
Computer Configuration > Policies > Administrative Templates > Windows Components > Store > Disable automatic download and installation of updates
SETTINGS VIA REGISTRY
Disable:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload REG_DWORD 2
Enable:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload REG_DWORD 4
Disable access to the store
A setting that looks very promising at first glance. Unfortunately, this changes when you read the description.
“This policy setting determines whether to use the Store service to find an application for opening a file with an unknown file association.”
Source: Microsoft Group Policy
SETTING VIA GROUP POLICY
Computer Configuration > Policies > Administrative Templates > System > Internet Communications Management > Internet Communications Settings > Accessing the Store
SETTINGS VIA REGISTRY
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith REG_DWORD 1
Disable all apps from Microsoft Store (Enterprise Edition required)
“If you disable this setting, all pre-installed or downloaded Microsoft Store apps will be prevented from starting. The apps will not update and the store will be disabled. When you enable the setting, all options are enabled again. This setting applies only to the Enterprise and Education editions of Windows”.
Source: Microsoft Group Policy
The policy must be set to Disabled for the block to become active.
It is also important to note that this also applies to the pre-installed applications such as the calculator, maps and the photo app. The Microsoft Edge Browser is not affected.
SETTING VIA GROUP POLICY
Computer Configuration > Policies > Administrative templates > Windows Components > Store > Disable All Apps from the Microsoft Store
SETTINGS VIA REGISTRY
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\DisableStoreApps REG_DWORD 1
Important notes
- Test the settings. Especially if you have handled the Microsoft Store differently before. Also, test whether the settings still work after a release change.
- Check if the updates are really applied.
- Keep in mind that some settings are only effective with the Enterprise Edition. Even if they appear to work on a Professional release, they may not work at all. This has happened before. Please read our article: “Choosing the right Windows 10 Edition”.
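To support the testing steps above, the following read-only PowerShell audit is an added example and not part of the original article. It checks only the registry values listed in this article and rates them by what the article says about app updates; the function name `Get-StorePolicyFinding`, the severity labels and the two package names used for the version snapshot are assumptions of this example.

```powershell
# Added example: audit the Store policy values named in this article (read-only).
# Run as the user to be checked, because HKCU is evaluated per user.
$store = 'Software\Policies\Microsoft\WindowsStore'
$rules = @(
    @{ Path = "HKLM:\$store"; Name = 'RemoveWindowsStore'; Value = 1; Severity = '1-High'
       Note = 'Store disabled per computer: app updates are blocked' }
    @{ Path = "HKLM:\$store"; Name = 'DisableStoreApps'; Value = 1; Severity = '1-High'
       Note = 'All Store apps blocked, apps will not update' }
    @{ Path = "HKLM:\$store"; Name = 'AutoDownload'; Value = 2; Severity = '2-Warn'
       Note = 'Automatic app updates disabled' }
    @{ Path = "HKCU:\$store"; Name = 'RemoveWindowsStore'; Value = 1; Severity = '3-Info'
       Note = 'Store disabled per user: app updates still possible' }
    @{ Path = "HKLM:\$store"; Name = 'AutoDownload'; Value = 4; Severity = '3-Info'
       Note = 'Automatic app updates enabled' }
    @{ Path = "HKLM:\$store"; Name = 'RequirePrivateStoreOnly'; Value = 1; Severity = '3-Info'
       Note = 'Private store only (computer)' }
    @{ Path = "HKCU:\$store"; Name = 'RequirePrivateStoreOnly'; Value = 1; Severity = '3-Info'
       Note = 'Private store only (user)' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; Name = 'NoUseStoreOpenWith'
       Value = 1; Severity = '3-Info'; Note = 'Affects "Open with" lookup only, Store stays enabled' }
)

function Get-StorePolicyFinding {
    param([hashtable[]]$Rules = $rules)
    foreach ($r in $Rules) {
        # A missing key or value means the policy is not configured; skip it quietly.
        $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($r.Name) -eq $r.Value) {
            [pscustomobject]@{
                Severity = $r.Severity
                Setting  = "$($r.Path)\$($r.Name) = $($r.Value)"
                Note     = $r.Note
            }
        }
    }
}

$findings = @(Get-StorePolicyFinding)
if ($findings.Count -eq 0) { 'None of the Store policy values from this article are set.' }
else { $findings | Sort-Object Severity | Format-Table -AutoSize -Wrap }

# Version snapshot of two built-in apps (package names are assumptions of this example).
# Compare the output after the next release change to see whether updates still arrive.
foreach ($name in 'Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos') {
    Get-AppxPackage -Name $name | Select-Object Name, Version
}
```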
This article first appeared on Infrastrukturhelden.de in German.
This article is a translation of the Infrastrukturhelden.de article “Windows 10 und der Microsoft Store” (Published – 2019-04-16). Links may refer to other Infrastrukturhelden.de articles; these may also be available in English.
It is also possible that I still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.