Disable Microsoft Store Apps in Windows using Intune

In this blog post, I will show you how to disable the Microsoft Store application on Windows 10/11 devices using Intune. To achieve this, you can use the “Turn off the Store application” setting from the Intune settings catalog. This setting effectively prevents direct access to Store apps.

When you configure this policy setting “Turn off the Store application” to disable Store apps, Users will still be able to access and Install Store apps from the Company Portal app and via Intune app management.

After you have disabled the MS Store via Intune, you can still use Microsoft Store apps (new) deployment to deploy store apps from the Intune admin center.

There are several other ways to disable or block Microsoft Store apps on Windows devices; I have discussed all the alternative methods in the blog post titled Disable/Block Microsoft Store in Windows: 7 Ways.

Important points about “Turn off the Store application” setting:

  • Prevents users from directly accessing the store using Windows package manager winget APIs.
  • Blocks random unmanaged Store app Installations by users on their devices.

If you use “Require Private Store Only” policy setting to disable Microsoft store, Store app will be blocked, but users can still utilize Winget APIs to Install apps on their devices. Therefore, don’t use Only display the private store policy setting to disable/block Microsoft Store on user’s devices.

Disable/Block Microsoft Store in Windows: 7 Ways

A Comprehensive guide

Steps to disable Microsoft Store apps using Intune

To disable the Microsoft Store application on your end user’s devices, you must set up a Device Configuration Profile in the Intune admin center. Here are the steps to do it:

  • Login on Microsoft Intune admin center
  • Go to Devices > Configuration profiles
  • Click on + Create Profile
  • Select Platform as Windows 10 and later
  • Profile type: Settings Catalog

Basics

In the Basics tab, you’ll enter details about the device configuration profile, such as its Name and Description.

  • Name – Disable Microsoft Store apps
  • Description – Turn off Store apps for all users, including Winget Installs

Configuration settings

Click on + Add settings and search for “Turn off store application.” Select the category “Administrative Templates\Windows Components\Store.” Select the setting “Turn off the Store application” to add it to the Configuration settings page.

Use the toggle next to the setting “Turn off the Store application” to enable this policy. If you hover your mouse over the (i) icon next to the setting name, you will find details about this setting below.

Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don’t configure this setting, access to the Store application is allowed.

Turn off the Store application

I would also recommend configuring an additional setting for Allowing apps from Microsoft app store to auto-update. Click on + Add settings again and search “Microsoft app store“. In the list of settings, Select “Allow apps from the Microsoft app store to auto update“.

Use the drop-down menu next to the setting. Select Allowed. This will allow Microsoft Store apps deployed via Intune to be updated automatically (If the app supports it).

Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0.

Allow apps from the Microsoft app store to auto update

Assignments

You can assign this profile to an Entra security group, including users or devices. For a controlled deployment, it’s recommended to add devices to the group and target it. Once testing is successful and you want to apply the setting to all managed devices, you can also choose to + Add all devices.

Review + Create

On the “Review + Create” tab, review the device configuration profile settings, and then click “Create.”

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End-user Experience

Once this policy has been successfully applied to the end-user’s devices, any user attempting to launch the Microsoft Store application will encounter an error message stating “Microsoft Store is blocked.” Additionally, the error code “0x800704EC” will be displayed at the bottom of the window.

Failed to Install or Upgrade Microsoft Store package

After applying the ‘Turn off the Store application‘ policy to the target devices, the use of Winget will also be blocked. If you attempt to install any application using winget, you will receive the following error message:

Failed to install or upgrade Microsoft Store package because Microsoft Store client is blocked by policy

Failed to install or upgrade Microsoft Store package because Microsoft Store client is blocked by policy
Failed to install or upgrade Microsoft Store package because Microsoft Store client is blocked by policy

FAQs

What’s the OMA-URI setting to block the Microsoft Store?

Two OMA-URI settings can be used to block the Microsoft Store. One targets User Configuration, and the second one targets Computer configuration. Please find the settings below:

RemoveWindowsStore_1 [User-based configuration]
./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_1

– RemoveWindowsStore_2 [Machine-based configuration]
./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2

How do you Disable Microsoft Store apps using Registry?

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore and create a DWORD registry entry called RemoveWindowsStore and set its value to 1 to disable it.

To enable it again, set the DWORD registry entry RemoveWindowsStore value to 0.

How do you find logs related to Intune Device configuration profile deployment?

To find the logs related to your Intune deployment, Open Event Viewer > Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin folder.

Search for Event ID 813 or 814 and go through the logs to find the one related to this deployment.

How do you block the Microsoft Store using Group Policy?

You can also easily block Microsoft Store using Group policy using below steps:

1. Press Windows + R to open Run dialog box.
2. Type gpmc.msc and press Enter to open the Group policy management console.
3. Go to Computer Configuration > Administrative templates > Windows Components > Store
4. Select “Turn off the Store application” and Edit this setting.
5. Select Enabled to enable this setting and press OK.

When you Enable “Turn off the store application,” it also disables app updates from Microsoft Store. Ensure you disable the policy setting ” Turn off automatic download and install” as well. This will allow store apps to update, keeping access to Microsoft Store blocked.

Conclusion

Consider blocking access to the Microsoft Store in your company because it offers a wide range of non-productive apps. Additionally, using the Microsoft Store can complicate app management for your IT administrators.

Instead, it’s advisable to centralize app management through a platform like Microsoft Intune, which provides greater control. Furthermore, Microsoft has introduced a new app type in Microsoft Intune for improved app management, which is the Microsoft Store app (new).

Microsoft App store Publish App Intune New method

4 thoughts on “Disable Microsoft Store Apps in Windows using Intune”

  1. Thanks to creating this article.

    One question: When Windows default apps like calculator, camera, Photos app not deployed via Intune; will they still be able to pull their updates from MS Store?

    Reply
  2. Hi,

    I’ve applyed this procedure, which seems to work because I can see :
    – the register entry is OK (RemoveWindowsStore = 1)
    – and the event viewer is showing me the good event :
    PolicyManager MDM : définir chaîne de stratégie. Stratégie : (RemoveWindowsStore_1). Zone : (ADMX_WindowsStore). EnrollmentID demandant la fusion : (72E0ECC1-EFE8-4087-9178-D51D4DBAD273). Utilisateur actuel : (S-1-5-21-1046232930-3145662814-1742998727-88664). Chaîne : (). Type d’inscription : (0x6). Étendue : (0x1).

    But I can still access the store and the winget installation is still working.
    What can I do to troubleshoot this issue ?

    Thanks in advance

    Best regards

    Reply
  3. Hello Jatin,
    Thanks for this article. I’ve followed your steps and created configuration policy via Intune.
    I too have the same problem reported above. Registry value showing “RemoveWindowsStore=1”.
    But still Microsoft Store is opening as normal and able to install apps. Would you like to share further troubleshooting steps?

    Reply

Leave a Comment