Block Microsoft Store apps using Intune except winget

In my recent blog post, I outlined the steps to completely disable Microsoft Store apps, including Winget. However, some situations may require you to block Store apps while still being able to use Winget APIs for downloading and installing applications on Windows 10/11 devices.

In this blog post, I’ll guide you through the process of blocking Store apps without affecting Winget on Windows devices. We’ll achieve this by utilizing the “Require Private Store Only” policy setting, which effectively restricts access to the Microsoft store.

If you use the “Require Private Store Only” policy setting to disable the Microsoft Store, the Store app will be blocked, but users can still use the winget APIs to install arbitrary apps from the Store.

Require Private Store Only

If your goal is to prevent end-users from installing random applications from the Store without interfering with the Windows Package Manager, all you need to do is enable the “ApplicationManagement/RequirePrivateStoreOnly” setting.

RequirePrivateStoreOnly

Steps to disable Microsoft Store using Intune except Winget

To disable the Microsoft Store using Intune, please follow these steps:

  • Sign in to the Microsoft Intune admin center
  • Go to Devices > Configuration profiles
  • Click on + Create Profile
  • Select Platform as Windows 10 and later
  • Profile type: Settings Catalog

Basics

On the Basics tab, provide information about the device configuration profile, such as its Name and Description.

  • Name – Disable Microsoft Public App store
  • Description – Disable MS Store excluding Winget API

Configuration settings

Click on + Add settings and then search for Microsoft App store. This should list all settings related to Microsoft App store. Check Require Private Store Only and toggle the setting to Enable.

Require Private Store Only setting on Intune admin center

Assignments

You can assign this profile to an Azure AD group, which can include users or devices. For a controlled deployment, it’s recommended to add devices to the group and target it. Once testing is successful and you want to apply the setting to all managed devices, you can also choose to + Add all devices.

Review + Create

On the “Review + Create” tab, review the device configuration profile settings, and then click “Create.”

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End-User Experience

Let’s see what happens from the end user’s perspective when the policy is successfully applied. Follow these steps:

  1. Click on the “Start” button.
  2. In the search bar, type “Microsoft Store” and press Enter.
  3. When you open Microsoft Store, you may encounter one of the following error messages:
    • “Microsoft Store is blocked. Please check with your IT or system administrator. Code: 0x800704EC.”
    • “Try that again. The page could not be loaded. Please try again and refresh the page. Code: 0x80131500.”
    • “This place is off-limits. Not sure how you got here, but there’s nothing for you here. Report this problem. Refresh this Page.”

FAQs

What is the OMA-URI setting to block Microsoft Private Store?

The OMA-URI setting to block Microsoft Private store is given below:

Name: Disable MS Store
OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly
Data Type: Integer
Value: 1

OMA-URI setting to block Microsoft Store

Where to find RequirePrivateStoreOnly registry entry?

To locate the RequirePrivateStoreOnly registry entry, follow the steps below:

1. Go to Start and search for Registry Editor. Click on it to open.
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore registry key.
3. On the right-hand side you will find a DWORD registry entry called “RequirePrivateStoreOnly”.

The value of RequirePrivateStoreOnly will be either 0 or 1, depending on whether the setting is disabled or enabled. If it’s set to 0, the setting is not enabled; if it’s set to 1, the setting is enabled.

How to find logs related to Intune Device configuration profile deployment?

To find the logs related to your Intune deployment, open Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
Search for Event ID 813 or 814 and go through the events to find the ones related to this deployment.
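
The two checks above (the registry value and Event IDs 813/814) can be run together from PowerShell on a test device. This is an added example, not part of the original post: the function names are hypothetical, the registry path, value name and event IDs are the ones given in this post, and it assumes an elevated PowerShell session.

```powershell
# Added example: verify the RequirePrivateStoreOnly policy on a managed device.
# Registry path, value name and event IDs are taken from this post; function names are hypothetical.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$valueName = 'RequirePrivateStoreOnly'
$logName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-PrivateStoreOnlyState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' based on the policy registry value.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([int]$item.$valueName) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value: $($item.$valueName)" }
    }
}

function Get-PrivateStoreOnlyEvents {
    param([int]$MaxEvents = 20)
    # Read Event IDs 813/814 from the MDM Admin log and keep only those naming this policy.
    $filter = @{ LogName = $logName; Id = 813, 814 }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -like "*$valueName*" } |
            Select-Object -First $MaxEvents TimeCreated, Id, Message
    }
    catch {
        # Get-WinEvent throws when nothing matches or the log cannot be read.
        Write-Warning "No matching events read from ${logName}: $($_.Exception.Message)"
    }
}

# Summary: policy state plus whether winget is still reachable for this session.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    PolicyState  = Get-PrivateStoreOnlyState
    WingetOnPath = [bool](Get-Command winget -ErrorAction SilentlyContinue)
} | Format-List

Get-PrivateStoreOnlyEvents | Format-List
```

A `PolicyState` of `Enabled` together with `WingetOnPath` set to `True` matches the outcome this post aims for: the Store app is blocked while the Windows Package Manager remains available.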

How to block Microsoft Store using Group Policy?

You can also block the Microsoft Store with Group Policy using the steps below:

1. Press Windows + R to open Run dialog box.
2. Type gpmc.msc and press Enter to open Group policy management console.
3. Go to User Configuration or Computer Configuration > Administrative templates > Windows Components > Store
4. Select “Only display the private store within the Microsoft Store app” and Edit this setting.
5. Select Enabled to enable this setting and press OK.

Other Microsoft App Store Settings available on Intune admin center

| Setting Name | Detailed Information about the Policy setting |
| --- | --- |
| Allow All Trusted Apps | If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). |
| Allow apps from the Microsoft app store to auto update | Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. |
| Allow Developer Unlock | If you enable this setting and enable the “Allow all trusted apps to install” Policy, you can develop Microsoft Store apps and install them directly from an IDE. |
| Allow Game DVR | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording won’t be allowed. |
| Allow Shared User App Data | If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. |
| Block Non Admin User Install | If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. |
| Disable Store Originated Apps | Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps won’t be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows. |
| Launch App After Log On | List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. |
| MSI Allow User Control Over Install | If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. |
| MSI Always Install With Elevated Privileges | If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. |
| MSI Always Install With Elevated Privileges (User) | This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. |
| Require Private Store Only | If you enable this setting, users won’t be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. |

Conclusion

Consider blocking access to the Microsoft Store in your company because it offers a wide range of non-productive apps. Additionally, using the Microsoft Store can complicate app management for your IT administrators.

Instead, it’s advisable to centralize app management through a platform like Microsoft Intune, which provides greater control. Furthermore, Microsoft has introduced a new app type in Microsoft Intune for improved app management which is Microsoft Store app (new).

You can select Microsoft Store app (new) which connects with Microsoft Store to search the apps and publish them directly via Intune. As Microsoft Store for Business is getting retired, it is recommended to switch to this method of app deployment which is much easier and faster than other app deployment methods in Intune.

Microsoft App store Publish App Intune New method

2 thoughts on “Block Microsoft Store apps using Intune except winget”

  1. One of my bloatware scripts removes Microsoft.Store from the appx with the other bloatware. This removes the actual app from the device.

    I did start pushing Microsoft stock apps (Photos, Paint3d) via Intune. Will these apps auto update? Or do I need to remove the store app from the bloatware removal script and make sure it’s installed on the device?

    Thanks for the help!

    • Hello CE,

      The Microsoft Store is the primary source for installing and updating important system apps and drivers. If you remove the Microsoft Store, you’ll lose the ability to update existing apps.

      Some apps might rely on the Microsoft Store framework for updates and licensing. If you remove the Microsoft Store, these apps might not work properly or might not update correctly.

      Windows updates can sometimes be distributed through the Microsoft Store. Removing it might complicate the update process or prevent you from accessing certain updates.
