Disable Microsoft Store Apps In Windows Using Intune

Q: How to Disable Microsoft Store apps using Registry?

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore and create a DWORD registry entry called RemoveWindowsStore and set its value to 1 to disable it. To enable it again, set the DWORD registry entry RemoveWindowsStore value to 0.

Q: How to find logs related to Intune Device configuration profile deployment?

To find the logs related to your Intune deployment, Open Event Viewer > Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin folder. Search for Event ID 813 or 814 and go through the logs to find the one related to this deployment.

This blog post will show you how to disable the Microsoft Store application on Windows 10/11 devices using Intune. To achieve this, you can use the Turn off the Store application option in the Intune settings catalog. This setting effectively prevents direct access to Store apps.

When configuring this policy setting, Turn off the Store application to disable Store apps. Users can still access and Install Store apps from the Company Portal app and via Intune app management.

After you have disabled the MS Store via Intune, you can still deploy store apps from the Intune admin center using Microsoft Store apps (new) deployment.

There are several other ways to disable or block Microsoft Store apps on Windows devices; I have discussed all the alternative methods in the blog post titled Disable/Block Microsoft Store in Windows: 7 Ways.

Essential points about Turn off the Store application setting:

Prevents users from directly accessing the store using the Windows package manager winget APIs.
Blocks random unmanaged Store app Installations by users on their devices.

If you use the Require Private Store Only policy setting to disable the Microsoft Store, the Store app will be blocked, but users can still use Winget APIs to Install apps on their devices. Therefore, don’t use the Only display the private store policy setting to disable/block the Microsoft Store on users devices.

Disable/Block Microsoft Store in Windows: 7 Ways
A Comprehensive guide

Steps to disable Microsoft Store apps using Intune

To disable the Microsoft Store application on your end user’s devices, you must set up a Device Configuration Profile in the Intune admin center. Here are the steps to do it:

Sign in to the Intune admin center.
Go to Devices > Configuration > Create > New Policy.
Select Platform as Windows 10 and later.
Profile type: Settings Catalog.

Basics

In the Basics tab, you’ll enter details about the device configuration profile, such as its Name and Description.

Name – Disable Microsoft Store apps
Description – Turn off Store apps for all users, including Winget Installs

Configuration settings

Click on + Add settings and search for Turn off store application. Select the category Administrative Templates\Windows Components\Store. Select the setting Turn off the Store application to add it to the Configuration settings page.

To enable this policy, use the toggle next to the Turn off the Store application setting. If you hover your mouse over the (i) icon next to the setting name, you will find details about this setting below.

Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don’t configure this setting, access to the Store application is allowed.
Turn off the Store application

I recommend configuring an additional setting to allow auto-update apps from the Microsoft app store. Click on + Add settings again and search Microsoft app store. Select Allow apps from the Microsoft app store to auto-update in the list of settings.

Use the drop-down menu next to the setting. Select Allowed. This will allow Microsoft Store apps deployed via Intune to be updated automatically (If the app supports it).

Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0.
Allow apps from the Microsoft app store to auto update

Assignments

You can assign this profile to an Entra security group, including users or devices. For a controlled deployment, adding devices to the group and targeting it is recommended. Once testing is successful and you want to apply the setting to all managed devices, you can also choose to + Add all devices.

Review + Create

Review the device configuration profile settings on the Review + Create tab, then click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End-user Experience

Once this policy has been successfully applied to the end-user’s devices, any user attempting to launch the Microsoft Store application will encounter an error message stating that the Microsoft Store is blocked. The error code 0x800704EC will also be displayed at the bottom of the window.

Failed to Install or Upgrade Microsoft Store package

After applying the Turn off the Store application policy to the target devices, Winget will also be blocked. If you attempt to install any application using winget, you will receive the following error message:

Failed to install or upgrade Microsoft Store package because Microsoft Store client is blocked by policy

FAQs

What’s the OMA-URI setting to block the Microsoft Store?

Two OMA-URI settings can be used to block the Microsoft Store. One targets User Configuration, and the second one targets Computer configuration. Please find the settings below:

– RemoveWindowsStore_1 [User-based configuration]
./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_1

– RemoveWindowsStore_2 [Machine-based configuration]
./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2

How to Disable Microsoft Store apps using Registry?

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore and create a DWORD registry entry called RemoveWindowsStore and set its value to 1 to disable it.

To enable it again, set the DWORD registry entry RemoveWindowsStore value to 0.

How to find logs related to Intune Device configuration profile deployment?

To find the logs related to your Intune deployment, Open Event Viewer > Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin folder.

Search for Event ID 813 or 814 and go through the logs to find the one related to this deployment.

How to block the Microsoft Store using Group Policy?

You can also easily block Microsoft Store using Group policy using below steps:

1. Press Windows + R to open the Run dialog box.
2. Type gpmc.msc and press Enter to open the Group policy management console.
3. Go to Computer Configuration > Administrative templates > Windows Components > Store
4. Select “Turn off the Store application” and Edit this setting.
5. Select Enabled to enable this setting and press OK.

When you Enable “Turn off the store application,” it also disables app updates from Microsoft Store. Ensure you disable the policy setting ” Turn off automatic download and install” as well. This will allow store apps to update, keeping access to Microsoft Store blocked.

Conclusion

Consider blocking access to the Microsoft Store in your company because it offers a wide range of non-productive apps. Additionally, using the Microsoft Store can complicate app management for your IT administrators.

Instead, it’s advisable to centralize app management through a platform like Microsoft Intune, which provides greater control. Furthermore, Microsoft has introduced a new app type in Microsoft Intune for improved app management: Microsoft Store app (new).

Microsoft App store Publish App Intune New method

5 thoughts on “Disable Microsoft Store Apps in Windows using Intune”

veer

January 8, 2024 at 10:21 am

Thanks to creating this article.

One question: When Windows default apps like calculator, camera, Photos app not deployed via Intune; will they still be able to pull their updates from MS Store?
- Star
  
  February 2, 2024 at 12:17 pm
  
  Hi,
  
  I’m asking myself exactly the same question. Do you have the answer?
  
  Thanks
- David Henderson
  
  March 21, 2024 at 1:20 pm
  
  lso have the same query… will this kill updates to calculator camera notepat etc…
thieumasan

February 7, 2024 at 10:50 am

Hi,

I’ve applyed this procedure, which seems to work because I can see :
– the register entry is OK (RemoveWindowsStore = 1)
– and the event viewer is showing me the good event :
PolicyManager MDM : définir chaîne de stratégie. Stratégie : (RemoveWindowsStore_1). Zone : (ADMX_WindowsStore). EnrollmentID demandant la fusion : (72E0ECC1-EFE8-4087-9178-D51D4DBAD273). Utilisateur actuel : (S-1-5-21-1046232930-3145662814-1742998727-88664). Chaîne : (). Type d’inscription : (0x6). Étendue : (0x1).

But I can still access the store and the winget installation is still working.
What can I do to troubleshoot this issue ?

Thanks in advance

Best regards
Ajithpal

February 26, 2024 at 2:17 pm

Hello Jatin,
Thanks for this article. I’ve followed your steps and created configuration policy via Intune.
I too have the same problem reported above. Registry value showing “RemoveWindowsStore=1”.
But still Microsoft Store is opening as normal and able to install apps. Would you like to share further troubleshooting steps?

Disable Microsoft Store Apps in Windows using Intune

Table of Contents