2 ways to disable access to public Microsoft Store and deploy apps using "Microsoft Store online (new)" deployment in Intune - NOT using MSfB or Private Store

The Microsoft Store

The Microsoft Store, while generally considered a useful platform for accessing various applications, should be blocked on enterprise machines to maintain security and productivity. By restricting access to the Microsoft Store, organizations can minimize the risk of unauthorized or potentially malicious applications being installed on company devices. This proactive measure ensures that employees focus solely on approved software, fostering a controlled and secure computing environment within the enterprise.

Ways to block Microsoft Store using Intune

1. Block the Microsoft Store using Configuration Policy.

For blocking the store using configuration policy, we need to follow the below steps:
  • Go to intune.microsoft.com
  • Go to Devices > Windows > Configuration profiles > Create Profile
  • Choose Platform - "Windows 10 or later"
  • Choose Profile Type - "Templates" > "Administrative Templates" - Create
  • Give this policy a name and description and hit next.
  • Search for "Turn off the Store application" and enable it.
  • On the next page, assign the policy to a group of devices/users or all devices/users and create it.

Behavior of blocking the Microsoft Store using Configuration Policy

When the user tries to open the Microsoft Store, it will open but the user will see a message "Microsoft Store is blocked. Check with your IT or System Administrator."

Here's a quick five second video for your reference:



Pros and Cons of this configuration policy

Pros: The Microsoft Store will be blocked and the users can only install the apps which are managed and approved from the Company Portal application.

Cons: When we block the Microsoft Store using this policy, the "Microsoft Store app (new)" type of deployment will not work as expected. Win32 apps still install, both as required and as available (available ones can be installed from the Company Portal). UWP apps, however, fail, because their installation depends on the functionality of the actual Microsoft Store.

Here's a screenshot from my testing with the Microsoft Store blocked using this configuration policy versus the Microsoft Store unblocked:



2. Block the Microsoft Store using AppLocker XML

For blocking the store using AppLocker XML, we need to follow the below steps:
  • Go to intune.microsoft.com
  • Go to Devices > Windows > Configuration profiles > Create Profile
  • Choose Platform - "Windows 10 or later"
  • Choose Profile Type - "Templates" > "Custom" - Create
  • Give this policy a name and description and hit next.
  • Click on "Add" button in the "Configuration settings" page and enter the following values:

    Name: MSFT Block using Applocker
    Description: anything
    OMA URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy
    Data type: String (XML file)

  • After you choose the Data type as "String (XML file)", you can upload the XML file which is present at my GitHub here:
    https://github.com/skoul27/msftblock
  • On the next page, assign the policy to a group of devices/users or all devices/users.
  • You can skip the applicability rules or define it as you want and create it.

Note: For AppLocker to be enforced, make sure the Application Identity service is running on the machine. If it's not running, you can make it run by pushing a PowerShell script from Devices > Windows > PowerShell scripts > Create New.

Name it anything and upload the PowerShell script present at my GitHub:
https://github.com/skoul27/msftblock/blob/main/RunAppIDSvc.ps1
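As an added example (not the file from the author's GitHub repository), here is what an AppLocker "Appx" rule collection for that OMA-URI can look like. The rule Ids are constructed GUIDs; the publisher and package name are those of the Store app itself.

```xml
<!-- Added example, not the author's msftblock XML. This is the payload for
     ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy:
     the AppLocker CSP expects a bare RuleCollection element, not a full
     AppLockerPolicy document. Rule Ids below are constructed GUIDs. -->
<RuleCollection Type="Appx" EnforcementMode="Enabled">

  <!-- 1. Allow every signed packaged app for Everyone (S-1-1-0). Without an
          allow rule, enabling enforcement on the Appx collection blocks all
          packaged apps that are not explicitly allowed, not just the Store. -->
  <FilePublisherRule Id="11111111-2222-3333-4444-555555555555"
                     Name="Allow all signed packaged apps"
                     Description="Allows members of the Everyone group to run packaged apps that are signed."
                     UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>

  <!-- 2. Deny only the Store front-end package (Microsoft.WindowsStore).
          Deny rules win over allow rules, so this overrides rule 1 for the
          Store app while the Store's underlying services stay available,
          which is why Intune's "Microsoft Store app (new)" deployments
          keep working. -->
  <FilePublisherRule Id="66666666-7777-8888-9999-aaaaaaaaaaaa"
                     Name="Block Microsoft Store app"
                     Description="Prevents users from launching the Microsoft Store app."
                     UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition
          PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
          ProductName="Microsoft.WindowsStore" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>

</RuleCollection>
```

On a test device, `Get-AppLockerPolicy -Effective -Xml` in PowerShell shows whether the rule collection has arrived, and blocked launches are logged under Applications and Services Logs > Microsoft > Windows > AppLocker > Packaged app-Execution.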

Behavior of blocking the Microsoft Store using AppLocker XML

When the user tries to open the Microsoft Store, it will show a pop-up which will say "This app has been blocked by your system administrator."

Here's a quick 5 second video for your reference:



Pros and Cons of the AppLocker XML

Pros: The Microsoft Store will be blocked and the users can only install the apps which are managed and approved from the Company Portal application. EVEN the "Microsoft Store app (new)" type of deployment will work for both Win32 and UWP apps, since we're not turning the Store off, just locking users out of the Store app itself.

Cons: Can't find any, let me know in the comments if you have anything 😉
