You can use Microsoft Store to download and Install applications, games etc. which could be published by Microsoft or third party developers. Microsoft Store also updates the app automatically when a new version of the app is available.
As Microsoft store provides useful business applications, it also contains applications which may not be relevant to the organization. For Example: Apps like NetFlix, Spotify, Whatsapp etc. This could be a security risk for the organization where users can download any third party app which could allow upload of Internal classified documents.
One solution is to block Microsoft store completely and manage the applications from Microsoft Intune or SCCM. However, when Microsoft Store is blocked, the apps installed from the store won’t receive automatic updates.
If you would like to block installation of random applications from the Store application by the end user without blocking the Intune and Windows Package Manager store integration, Just enable ApplicationManagement/RequirePrivateStoreOnly
Create Device Configuration Profile
For disabling Microsoft store using Intune, Please follow below steps:
- Login on Microsoft Intune admin center
- Go to Devices > Configuration profiles
- Click on + Create Profile
- Select Platform as Windows 10 and later
- Profile type: Settings Catalog
Basics
In basics tab, we will provide information about the device configuration profile like Name and Description.
- Name – Disable Microsoft Public App store
- Description – This device configuration profile will disable Microsoft Public App store and enable only Private app store.
Configuration settings
Click on + Add settings and then search for Microsoft App store. This should list all settings related to Microsoft App store. Check Require Private Store Only and toggle the setting to Enable.
Assignments
In the assignments tab, you can click on + Add all users or + Add all devices to target all users or all devices. However, if you want to target this profile only to specific group of users / devices, then you have to create an Azure AD security group and then target that group.
Review + Create
On Review + Create tab, review the profile and click on Create. This will create the deployment profile and disable Microsoft public app store.
Intune Policy Refresh Cycle
The Device will Sync / Check in to start deployment of this profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on the device which will speed up the download and installation process. You can also use Powershell to force initiate Intune refresh cycle.
Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing the deployment on a test device then this can speed up your testing and can save some time.
End User Experience
Let’s check the end user Experience when the policy is applied successfully. Go to Start > search for Microsoft Store and click on it to open. You may get any of the below error messages:
- Microsoft Store is blocked, Check with your IT or system administrator. Code 0x800704EC.
- Try that again. Page could not be loaded. Please try that again. Refresh the page. Code 0x80131500
- This place is off-limits, Not sure how you got here, but there’s nothing for you here. Report this problem. Refresh this Page.
What is the OMA-URI setting to block Microsoft Store
Its easier to use Settings Catalog to block Microsoft store via Intune Device configuration profile. However, you can also create a custom device configuration profile and use below OMA-URI setting to block Microsoft public app store and only allow private store on windows devices.
- Name: Disable MS Store
- OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly
- Data Type: Integer
- Value: 1
Where to locate RequirePrivateStoreOnly registry entry
As you have seen in previous sections, there are two ways to block Microsoft store using Intune. First one is by using settings catalog and second one is by using OMA-URI settings. Whichever way you select, it’s going to create a registry entry on the target device to disable Microsoft store.
To locate RequirePrivateStoreOnly registry entry, please follow below steps:
- Go to Start > search for Registry Editor. Click on it to open.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore registry key
- On right hand side you will find a DWORD registry entry called “RequirePrivateStoreOnly“
The value of RequirePrivateStoreOnly will be either 0 or 1 depending upon if its disabled or enabled. If it’s set to 0 then its not enabled and If it’s set to 1 that means the setting is enabled.
All available Microsoft App Store Settings in Intune
| Setting Name | Detailed Information about the Policy |
|---|---|
| Allow All Trusted Apps | If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). |
| Allow apps from the Microsoft app store to auto update | Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. |
| Allow Developer Unlock | If you enable this setting and enable the “Allow all trusted apps to install” Policy, you can develop Microsoft Store apps and install them directly from an IDE. |
| Allow Game DVR | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording won’t be allowed. |
| Allow Shared User App Data | If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API. |
| Block Non Admin User Install | If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. |
| Disable Store Originated Apps | Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps won’t be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows. |
| Launch App After Log On | List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. |
| MSI Allow User Control Over Install | If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. |
| MSI Always Install With Elevated Privileges | If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. |
| MSI Always Install With Elevated Privileges (User) | This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. |
| Require Private Store Only | If you enable this setting, users won’t be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. |
Conclusion
You should consider blocking Microsoft store in your company as it provides access to a lot of non-productive apps. Also, It makes it difficult for an IT admin to manage all the apps downloaded via MS Store. All the apps should be managed from a central place like Microsoft Intune or SCCM. Microsoft has also released a new App type in Microsoft Intune.
You can select Microsoft Store app (new) which connects with Microsoft store to search the apps and publish it directly via Intune. As Microsoft store for business is getting retired, Its recommended to switch to this method of app deployment which is much easier and faster then other app deployment methods in Intune.
One of my bloatware script removes Microsoft.Store from the appx with the other bloatware. This removes the actual app from the device.
I did start pushing Microsoft stock apps (Photos, Paint3d) via Intune. Will these apps auto update? Or do I need to remove the store app from the bloatware removal script and make sure its installed on the device?
Thanks for the help!
Hello CE,
The Microsoft Store is the primary source for installing and updating important system apps and drivers. If you remove the Microsoft Store, you’ll lose the ability update existing apps.
Some apps might rely on the Microsoft Store framework for updates and licensing. If you remove the Microsoft Store, these apps might not work properly or might not update correctly.
Windows updates can sometimes be distributed through the Microsoft Store. Removing it might complicate the update process or prevent you from accessing certain updates.