With the recent changes to the store, both the Intune integration and the new Windows 11 store, you may want to restrict what your users can install.
Blocking the store completely is an option, but that will stop your Windows apps from updating (including the likes of calculator and notepad) and also block any apps deployed in Intune using the Store integration.
All scripts used here can be found on GitHub
Settings Catalog
This option is only available if you have Windows Enterprise licensing:
Simply create a new Settings Catalog policy, select Microsoft App Store and slide the option to require private store only:
If you are on Windows Pro however, that won’t work, for that you need other options. Bring on the PowerShell!
The magic key is:
Script
The WindowsStore reg key probably doesn’t exist so in the script we will check for its existence and create accordingly:
Write-Host "Requiring Private Store Only"
$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
If (!(Test-Path $store)) {
New-Item $store
}
Set-ItemProperty $store RequirePrivateStoreOnly -Value 1 Remediation
As this also needs Enterprise licensing, using a remediation isn’t a great option here, but I will include it anyway.
First, we need to detect if the key exists and is set correctly:
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
$Name = "RequirePrivateStoreOnly"
$Value = 1
Try {
$Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
If ($Registry -eq $Value){
Write-Output "Compliant"
Exit 0
}
Write-Warning "Not Compliant"
Exit 1
}
Catch {
Write-Warning "Not Compliant"
Exit 1
}Then remediate it:
Write-Host "Requiring Private Store Only"
$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
If (!(Test-Path $store)) {
New-Item $store
}
Set-ItemProperty $store RequirePrivateStoreOnly -Value 1 Setting that key should give you a store blocked message when users try and access, but will still allow you to deploy and update apps centrally.
Hope this was useful!
Isn’t this work only because MS has ceased the support for Private Store completely? So, if you had this setting, cos you hosted your apps in the Microsoft Business Store, you had only access to that store. But now, since the private store has been discontinued for like 1-2 months now, if this setting is still there – or if you add it, it literally blocks access to the store.
Doesn’t seem the best practice though… :S
This is to stop your users from accessing the store and installing whatever they want from it. You then deploy apps via the new Intune store integration.
This is absolutely best practice and the recommended approach
Are you sure that Intune apps auto update? This does not seem to be the case for us. We use the private store setting as I do not want users using the store. However, intune did not auto update an installed application (note, I *can* script winget to update via the packageID but that is a separate thing).
I needed to removed and reinstall a new package in intune to auto update. Further testing revealed that removing the private store restriction AND running a WSRESET yielded automatic updates but users can now use the store.
Not ideal as this seems I will need to either look at a WINGET scripting scheduled task solution (I have the bare bones of this working as a SYSTEM context), maintaining an APPLOCKER or WDAC solution, manually removing and adding new store installations within intune (this isnt going to happen!).
It certainly used to, the behaviour may have changed since the new policy was introduced:
https://www.petervanderwoude.nl/post/easily-removing-access-to-the-microsoft-store/
I’ll do some testing with the script as well this end, which OS are you running?
As ever Andrew on the ball. Cheers for this, Came across the same issue only a couple of weeks ago.
Glad it’s useful ๐
There are some apps that only appear to install via the Store app and won’t deploy from Company Portal. How do you resolve those?
Do you have any examples? I will do some testing
Thank you Andrew, will look into this. We now block it with Applocker – this also allows Intune Company Portal apps to work just fine, but if this is better, I am more than happy to switch to this approach. Much appreciated.
Glad you’ve found it useful!
Hi ,
Thanks for help and appreciated!
Its working with Win10,11.
Excellent, glad it’s working
Will this work with Windows 10 Professional?
Yes, it should do
Hi,
We tested it with a Windows 11 Pro 23H2, and we never managed to disable or block the store, even with the registry key (when we launch the test script, we are “compliant”).
Is this workaround disable with a recent Windows Update ? Or do we miss something ?
We have 500 computers in windows Pro, and we want to avoid upgrading our all company only to disable the store …
If anyone has an idea : we are interested !
Benjamin
Hi,
Can you see if this works?
https://www.joeyverlinden.com/block-the-microsoft-store-via-intune-windows-11/
It seems some versions of Windows don’t acknowledge the reg key
Thank you for your quick answer !
We donโt have intune in this particular environnement, we are using the old way : on premise AD with GPO. We have 1200 endpoints, Iโm scared of the pricing when we talk about intune ๐
It seems we have strange behaviors with the reg key : it works on our test computer, but fail on others (same version).
You could turn off the store, but allow app updates via GPO
At the user level turn it off:
User Policies\Admin Templates\Windows Components\Store\Turn Off The Store Application=Enabled
Then at the computer level in the same place, allow updates.
So how do you block the public store now that this policy is deprecated?
AllowStore
“This policy is deprecated and may be removed in a future release.”
For enterprise, use the private store settings catalog option
For machines running Pro, setting the reg key should work