The Windows Store on Windows 10 and 11 can be a bit tricky, because you can't delete it (or apps like Camera and Calculator won't update), and if it is activated, everyone can install apps like Candy Crush.
But luckily, we have the ability to restrict the Microsoft Store so that it only displays apps from the Private Store (Microsoft Store for Business). In this blog post, we will dive into this Windows policy and explore how it can be implemented to enhance security and streamline app management.

Understanding the Windows Policy

The Windows policy that allows you to display only the Private Store within the Microsoft Store is a feature designed for organizations seeking to exercise strict control over the apps their users can access. By configuring this policy, you ensure that users within your organization can only discover and install apps from your organization's Private Store, effectively locking down the store's content to your curated selection.

Benefits of Restricting the Microsoft Store

Before we dive into the implementation details, it's crucial to understand why an organization might choose to enforce this policy:

  1. Enhanced Security: By limiting access to apps from the Private Store, you reduce the risk of users downloading potentially harmful or unauthorized software.
  2. Customization: The policy enables organizations to create a tailored set of apps that align with their specific needs, ensuring that users have access to the right tools for their roles.
  3. Simplified App Management: Managing a centralized Private Store allows administrators to control updates, licenses, and distribution more efficiently, guaranteeing that users always have access to the latest versions of approved apps.

Implementing the Policy with Intune and Settings Catalog

To configure Windows to display only the Private Store within the Microsoft Store, follow these steps:

1. Login to Microsoft Intune

  • Go to Devices > Configuration profiles
  • Click on + Create Profile
  • Select Platform as Windows 10 and later
  • Profile type: Settings Catalog

2. Basics Tab

Set a suitable Name and optionally a Description.

  • Name – WIN-PrivatMSStoreOnly
  • Description – Only allow Private app store

3. Configuration settings

  • Click on + Add settings 
  • Search for Require Private Store Only
  • And Enable it.
Intune Policy: Require Private Store Only

4. Apply and Save

Save your policy and ensure that the policy is applied to the right group.

5. Test the Configuration

It's advisable to test the configuration on a subset of devices or a pilot group before rolling it out organization-wide to ensure that it works as expected.

By implementing this Windows policy, you've effectively restricted the Microsoft Store to only displaying apps from the Private Store, achieving greater control, customization, and security in your organization's app management.

Implementing the Policy with Intune and Registry / PowerShell

Unfortunately, this setting won't work with a Windows Pro or Business license (Microsoft 365 Business Premium). In this case, you can create a registry key to achieve the same result.

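Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore
Key: RequirePrivateStoreOnly
Value: 1

$Path = "HKLM:\Software\Policies\Microsoft\WindowsStore"
$Key = "RequirePrivateStoreOnly"
$KeyFormat = "DWord"
$Value = 1

# Create the policy key only if it does not exist yet, so values already stored under it are left untouched
if (-not (Test-Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}
# Create or overwrite the DWORD value that restricts the Store to the Private Store
New-ItemProperty -Path $Path -Name $Key -Value $Value -PropertyType $KeyFormat -Force | Out-Null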

Just save the script above, upload it to Intune, and distribute it in the System context to the devices where you wish to restrict the Microsoft Store.

1. Login to Microsoft Intune

  • Go to Devices > Windows > Scripts
  • Select the tab: Platform Scripts
  • Click on + Add

2. Basics Tab

Set a suitable Name and optionally a Description.

  • Name – WIN-PrivatMSStoreOnly
  • Description – Only allow Private app store

3. Script settings

  • Click on Script location 
  • Upload the saved script from your computer
  • Select:
    • Run this script using the logged on credentials: No
    • Enforce script signature check: No
    • Run script in 64 bit PowerShell Host: Yes
Intune script settings for Require Private Store Only

4. Apply and Save

Save your script and ensure it is applied to the devices within your organization.
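
To confirm on a pilot device that the registry value is actually in place, a check like the one below can be run in an elevated PowerShell session. This is an added example, not part of the original post: the function name Test-PrivateStoreOnly is hypothetical, and the exit codes follow the convention of Intune Remediations detection scripts (exit 1 means not compliant).

```powershell
# Added example: verifies the registry policy written by the script above.
# Test-PrivateStoreOnly is a hypothetical helper name, not an Intune or Windows cmdlet.
function Test-PrivateStoreOnly {
    param(
        [string]$Path = 'HKLM:\Software\Policies\Microsoft\WindowsStore',
        [string]$Name = 'RequirePrivateStoreOnly'
    )

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Key missing: $Path" }
    }

    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey
    $key = Get-Item -Path $Path

    # GetValue returns the supplied default ($null) when the value does not exist
    $value = $key.GetValue($Name, $null)
    if ($null -eq $value) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Value missing: $Name" }
    }

    # The script above writes a DWORD; flag any other type (for example a REG_SZ "1")
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Wrong type: $kind" }
    }

    if ($value -ne 1) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Unexpected data: $value" }
    }

    [pscustomobject]@{ Compliant = $true; Reason = "$Name = 1 (DWord)" }
}

$result = Test-PrivateStoreOnly
Write-Output $result.Reason
if ($result.Compliant) { exit 0 } else { exit 1 }
```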

Conclusion

Configuring Windows to display only the Private Store and to block all "consumer" apps within the Microsoft Store is a powerful strategy for organizations looking to enhance security, streamline app management, and ensure that users have access to the right tools. This policy, when correctly implemented, allows for a more controlled and customized app ecosystem tailored to your organization's unique needs and requirements.