With the recent changes to the store, both the Intune integration and the new Windows 11 store, you may want to restrict what your users can install.
Blocking the store completely is an option, but that will stop your Windows apps from updating (including the likes of calculator and notepad) and also block any apps deployed in Intune using the Store integration.
All scripts used here can be found on GitHub
Settings Catalog
This option is only available if you have Windows Enterprise licensing:

Simply create a new Settings Catalog policy, select Microsoft App Store and slide the option to require private store only:

If you are on Windows Pro, however, that won't work and you need other options. Bring on the PowerShell!
The magic key is HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore, with RequirePrivateStoreOnly set to 1.

Script
The WindowsStore reg key probably doesn't exist, so the script checks for it and creates it if needed:
Write-Host "Requiring Private Store Only"
$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
# Create the policy key if it does not exist yet
If (!(Test-Path $store)) {
    New-Item -Path $store -Force | Out-Null
}
# Write the value as an explicit DWORD rather than relying on type inference
Set-ItemProperty -Path $store -Name RequirePrivateStoreOnly -Value 1 -Type DWord
Remediation
As this also needs Enterprise licensing, using a remediation isn’t a great option here, but I will include it anyway.
First, we need to detect if the key exists and is set correctly:
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
$Name = "RequirePrivateStoreOnly"
$Value = 1
Try {
    # Throws if the key or the value is missing, which lands in the Catch block
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value) {
        Write-Output "Compliant"
        Exit 0
    }
    # Value exists but holds something other than 1
    Write-Warning "Not Compliant"
    Exit 1
}
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}
Then remediate it:
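Write-Host "Requiring Private Store Only"
$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
# Create the policy key if it does not exist yet
If (!(Test-Path $store)) {
    New-Item -Path $store -Force | Out-Null
}
# Write the value as an explicit DWORD rather than relying on type inference
Set-ItemProperty -Path $store -Name RequirePrivateStoreOnly -Value 1 -Type DWord
Setting that key should give users a Store blocked message when they try to open it, while still allowing you to deploy and update apps centrally.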
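An added example, not from the original post or its GitHub scripts: an audit function that classifies a device's Store policy state, so the setting used above can be told apart from a complete Store block or a value written with the wrong type. The state names and function names are made up for this example, and RemoveWindowsStore (the value behind the "Turn off the Store application" policy) is not mentioned in the article.

```powershell
# Added example. State and function names are hypothetical; RemoveWindowsStore is
# the "Turn off the Store application" policy value and is not from the article.

function Read-StorePolicyValues {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore')
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        # Copy every value under the key into a name -> data hashtable
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Get-StorePolicyState {
    param([hashtable]$Values = @{})
    $removed = $Values['RemoveWindowsStore']
    $private = $Values['RequirePrivateStoreOnly']
    # A REG_DWORD is returned as [int]. A REG_SZ "1" would pass a loose -eq 1 test,
    # so check the type as well as the data.
    if (($removed -is [int]) -and ($removed -eq 1)) { return 'StoreDisabled' }
    if (($private -is [int]) -and ($private -eq 1)) { return 'PrivateStoreOnly' }
    # Value exists but is not DWORD 1 (wrong type or wrong data)
    if ($Values.ContainsKey('RequirePrivateStoreOnly')) { return 'NotEnforced' }
    return 'Open'
}

# Constructed samples, not taken from a real device
$samples = [ordered]@{
    'no policy key'       = @{}
    'article setting'     = @{ RequirePrivateStoreOnly = 1 }
    'written as REG_SZ'   = @{ RequirePrivateStoreOnly = '1' }
    'explicitly set to 0' = @{ RequirePrivateStoreOnly = 0 }
    'store turned off'    = @{ RequirePrivateStoreOnly = 1; RemoveWindowsStore = 1 }
}
foreach ($name in $samples.Keys) {
    '{0,-20} -> {1}' -f $name, (Get-StorePolicyState -Values $samples[$name])
}

# On a Windows device, classify the live registry as well
if (Test-Path 'HKLM:\') {
    "This device -> $(Get-StorePolicyState -Values (Read-StorePolicyValues))"
}
```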

Hope this was useful!
Doesn’t this work only because MS has ceased the support for Private Store completely? So, if you had this setting, cos you hosted your apps in the Microsoft Business Store, you only had access to that store. But now, since the private store has been discontinued for like 1-2 months now, if this setting is still there – or if you add it, it literally blocks access to the store.
Doesn’t seem the best practice though… :S
This is to stop your users from accessing the store and installing whatever they want from it. You then deploy apps via the new Intune store integration.
This is absolutely best practice and the recommended approach
As ever, Andrew on the ball. Cheers for this, came across the same issue only a couple of weeks ago.
Glad it’s useful 🙂
There are some apps that only appear to install via the Store app and won’t deploy from Company Portal. How do you resolve those?
Do you have any examples? I will do some testing
Thank you Andrew, will look into this. We now block it with AppLocker – this also allows Intune Company Portal apps to work just fine, but if this is better, I am more than happy to switch to this approach. Much appreciated.
Glad you’ve found it useful!