Block Microsoft Store apps using Intune except winget

In my recent blog post, I outlined the steps to disable Microsoft Store apps, including Winget. However, some situations may require you to block Store apps while still being able to use Winget APIs for downloading and installing applications on Windows 10/11 devices.

In this blog post, I’ll guide you through blocking Store apps without affecting Winget on Windows devices. We’ll achieve this by utilizing the Require Private Store Only policy setting, which restricts access to the Microsoft store.

With Require Private Store Only enabled, the Store app itself is blocked, but winget is untouched: users (and your own deployment scripts) can still use winget to install packages, including Store packages via the msstore source. Treat this policy as a way to hide the retail catalog from end users, not as a control on what winget can fetch; closing that path needs a separate Windows Package Manager policy, which this post does not cover.

Require Private Store Only

If your goal is to prevent end users from installing arbitrary applications from the Store without interfering with the Windows Package Manager, all you need to do is enable the ApplicationManagement/RequirePrivateStoreOnly setting of the Policy CSP.

RequirePrivateStoreOnly

Steps to disable Microsoft Store using Intune Except Winget

To disable the Microsoft Store using Intune, please follow these steps:

  • Sign in to the Intune admin center.
  • Go to Devices > Configuration > Create > New Policy.
  • Select Platform as Windows 10 and later.
  • Profile type: Settings Catalog.

Basics

The basics tab will provide information about the device configuration profile, such as name and description.

  • Name – Disable Microsoft Public App Store.
  • Description – Disable MS Store, excluding Winget API.

Configuration settings

Click on + Add settings and then search for Microsoft App Store. This should list all settings related to the Microsoft App Store. Check Require Private Store Only and toggle the setting to Enable.

Require Private Store Only setting on Intune admin center

Assignments

Click Add groups and select the Entra security group containing Windows 10/11 test devices. Once testing proves successful, you can expand the deployment by including additional devices in the group.

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
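The following script is an added example, not code from the original post: it forces an Intune check-in on an enrolled test device and then waits for the RequirePrivateStoreOnly value to land in the registry, so you can confirm the assignment without opening the Store. It assumes the enrollment client's sync task is named PushLaunch or "Schedule #3 created by enrollment client" under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\, that a device-scoped assignment writes HKLM and a user-scoped (./User) one writes HKCU, and that you run it elevated in the signed-in user's context (as SYSTEM, HKCU is SYSTEM's own hive).

```powershell
# Added example (not from the original post). Run elevated on an Intune-enrolled
# test device in the signed-in user's context.

function Start-IntuneSync {
    # The enrollment client registers its sync tasks under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ (assumed task names below).
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
        ($_.TaskName -eq 'PushLaunch' -or $_.TaskName -like 'Schedule #3 created by enrollment client*')
    }
    if (-not $tasks) { throw 'No MDM enrollment sync task found. Is this device enrolled?' }
    $tasks | Start-ScheduledTask
    return @($tasks).Count
}

function Get-RequirePrivateStoreOnly {
    # Returns the hive and value where the policy is set, or $null if absent.
    # HKLM = device-scoped assignment, HKCU = user-scoped (./User) assignment.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\WindowsStore"
        $item = Get-ItemProperty -Path $key -Name RequirePrivateStoreOnly -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $hive; Value = [int]$item.RequirePrivateStoreOnly }
        }
    }
    return $null
}

function Wait-RequirePrivateStoreOnly {
    param([int]$TimeoutSeconds = 300, [int]$PollSeconds = 15)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $state = Get-RequirePrivateStoreOnly
        if ($state -and $state.Value -eq 1) { return $state }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $null
}

Start-IntuneSync | Out-Null
$state = Wait-RequirePrivateStoreOnly
if ($state) {
    "RequirePrivateStoreOnly = 1 applied in $($state.Hive)."
} else {
    'Policy has not applied yet; check the device status in Intune or the DeviceManagement event log.'
}

# The policy does not touch winget: its sources, including msstore, are still
# configured, so scripted installs keep working after the Store app is blocked.
winget source list
```

If the value shows up under HKCU only, the profile was assigned to users rather than devices; that is fine for the Store, but remember that a different user on the same device will not be covered until the profile applies to them too.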

End-User Experience

Let’s see what happens from the end user’s perspective once the policy has applied:

  1. Click the Start button.
  2. In the search bar, type Microsoft Store and press Enter.
  3. When the Store opens, you will see one of the following messages:
    • Microsoft Store is blocked. Please check with your IT or system administrator. Code: 0x800704EC.
    • Try that again. The page could not be loaded. Please try again and refresh the page. Code: 0x80131500.
    • This place is off-limits. Not sure how you got here, but there’s nothing for you here. Report this problem. Refresh this page.

Only 0x800704EC (ERROR_ACCESS_DISABLED_BY_POLICY) explicitly means the Store was blocked by policy; the other two are generic Store load errors that also appear on connectivity problems, so confirm the deployment from the registry value or the event log rather than from the error text alone.

FAQs

What is the OMA-URI setting for Require Private Store Only?

If you prefer a custom profile over the Settings Catalog, use:

Name: Disable MS Store
OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly
Data Type: Integer
Value: 1

The Policy CSP supports this setting in both scopes: use ./User/... to apply it per user or ./Device/... to apply it to every user of the device.

OMA-URI setting to block Microsoft Store

Where to find the RequirePrivateStoreOnly registry entry?

To locate the RequirePrivateStoreOnly registry entry, follow these steps:

  • Go to Start, search for Registry Editor and open it.
  • Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore registry key.
  • On the right-hand side, you will find a DWORD registry entry called RequirePrivateStoreOnly.

The value of RequirePrivateStoreOnly is either 0 or 1: 0 means the setting is not enabled, 1 means it is enabled. If you assigned the policy in the user scope (./User in the OMA-URI), look for the same key under HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE.

How do you find logs related to Intune device configuration profile deployment?

To find the logs related to your Intune deployment, open Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
Look for Event ID 813 (an integer policy value was set, which is what RequirePrivateStoreOnly is) or 814 (a string policy value was set) and find the entry that names RequirePrivateStoreOnly; a Result of 0 in the message means the value was written successfully.
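As an added example (not code from the original post), the function below pulls the PolicyManager events for one policy name out of that log and extracts the result code from each message, so you can check a batch of test devices without clicking through Event Viewer. It assumes the message text carries a "Result:(n)" token, as these events do; the log name and event IDs are the ones from the answer above.

```powershell
# Added example (not from the original post). Lists the 813/814 PolicyManager
# events for a given policy name, newest first, with the Result code parsed out.

function Get-PolicyManagerEvents {
    param(
        [string]$PolicyName = 'RequirePrivateStoreOnly',
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 813, 814   # 813 = integer policy set, 814 = string policy set
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*($PolicyName)*" } |
        ForEach-Object {
            # Assumed message format: "... Result:(0)" on success, an error code otherwise.
            $result = if ($_.Message -match 'Result:\((0x[0-9A-Fa-f]+|\d+)\)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Result      = $result
                Message     = $_.Message
            }
        }
}

# A Result of 0 on an 813 event confirms RequirePrivateStoreOnly was written.
Get-PolicyManagerEvents | Select-Object TimeCreated, EventId, Result | Format-Table -AutoSize
```

If nothing comes back, either the profile has not reached the device yet (force a sync first) or the policy was written under a different name; drop the -like filter to see every policy the enrollment client has processed.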

How do you block the Microsoft Store using Group Policy?

You can also block the public Store catalog with Group Policy:

1. Press Windows + R to open the Run dialog box.
2. Type gpmc.msc and press Enter to open the Group Policy Management console, then create or edit the GPO you want to use (for a single machine, use gpedit.msc instead).
3. Go to User Configuration or Computer Configuration > Administrative Templates > Windows Components > Store.
4. Open “Only display the private store within the Microsoft Store app”.
5. Select Enabled and press OK.

This writes the same RequirePrivateStoreOnly registry value as the Intune setting, so the verification steps above apply unchanged.

Other Microsoft App Store settings available in the Intune admin center

Setting name – what the policy does

Allow All Trusted Apps – Controls sideloading: when enabled, line-of-business apps that are not from the Store can be installed as long as they are signed with a certificate the device trusts.
Allow apps from the Microsoft app store to auto update – Specifies whether apps from the Microsoft Store may update automatically.
Allow Developer Unlock – If you enable this setting together with “Allow all trusted apps to install”, you can develop Microsoft Store apps and install them directly from an IDE.
Allow Game DVR – Enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording won’t be allowed.
Allow Shared User App Data – If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder, which is available through the Windows storage API.
Block Non Admin User Install – If you enable this policy, non-administrators cannot initiate installation of Windows app packages. Administrators who wish to install an app must do so from an administrator context (for example, an administrator PowerShell window). All users can still install Windows app packages via the Microsoft Store if permitted by other policies.
Disable Store Originated Apps – Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps won’t be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Windows Enterprise and Education editions.
Launch App After Log On – A semicolon-delimited list of package family names of Windows apps that are launched after logon.
MSI Allow User Control Over Install – If you enable this policy setting, some of Windows Installer’s security features are bypassed. It permits installations to complete that would otherwise be halted due to a security violation.
MSI Always Install With Elevated Privileges – If you enable this policy setting, elevated privileges are extended to all programs. These privileges are usually reserved for programs assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in the Control Panel. It lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. This policy setting appears in both the Computer Configuration and User Configuration folders; to make it effective, you must enable it in both. Because it lets any user run an arbitrary MSI with SYSTEM privileges, it is a well-known local privilege escalation vector and should stay disabled.
MSI Always Install With Elevated Privileges (User) – The user-scope half of the setting above; it only takes effect when enabled together with the device-scope setting.
Require Private Store Only – If you enable this setting, users won’t be able to view the retail catalog in the Microsoft Store but can still view apps in the private store.

Conclusion

Consider blocking access to the Microsoft Store in your company: it offers a wide range of apps unrelated to work, and uncontrolled Store installs complicate app management for your IT administrators.

Instead, it’s advisable to centralize app management through a platform like Microsoft Intune, which provides greater control. Furthermore, Microsoft has introduced a new app type in Microsoft Intune for improved app management: the Microsoft Store app (new).

You can select a Microsoft Store app (new) that connects with the Microsoft Store to search for apps and publish them directly via Intune. As Microsoft Store for Business is retiring, it is recommended that this app deployment method be switched to, which is much easier and faster than other app deployment methods in Intune.


2 thoughts on “Block Microsoft Store apps using Intune except winget”

  1. One of my bloatware scripts removes Microsoft.Store from the appx packages along with the other bloatware. This removes the actual app from the device.

    I did start pushing Microsoft stock apps (Photos, Paint 3D) via Intune. Will these apps auto update? Or do I need to remove the Store app from the bloatware removal script and make sure it’s installed on the device?

    Thanks for the help!

    • Hello CE,

      The Microsoft Store is the primary source for installing and updating important system apps and drivers. If you remove the Microsoft Store, you’ll lose the ability to update existing apps.

      Some apps might rely on the Microsoft Store framework for updates and licensing. If you remove the Microsoft Store, these apps might not work properly or might not update correctly.

      Windows updates can sometimes be distributed through the Microsoft Store. Removing it might complicate the update process or prevent you from accessing certain updates.
