Me and Earl and the Microsoft Store Apps

Last Updated on September 14, 2022 by rudyooms

This blog is about securing the forgotten Microsoft Store. On a company-owned device the Microsoft Store is an ideal place to download Spotify, Netflix or games, so of course you want to block or at least limit access to it.

In my opinion, you need to start using all the features of the Company Portal and distribute your apps through it instead.

Are you going to block access to the Microsoft Store? Are you going to restrict which apps can be installed? Or are you only going to show the private company store? And what about App packages that are installed manually, without the Store: how are you going to deal with those?

I am going to divide this blog into multiple parts

  1. Requiring a Private store
  2. Limiting which apps that can be installed
  3. Preventing access to the Microsoft Store
  4. Turning off the Microsoft Store???
  5. Removing all Access to the Microsoft Store and installed Apps
  6. Blocking App Store packages only
  7. Conclusion

1. Requiring a Private Store

We will begin with the option to show only the private store and nothing more. Short of blocking the Store altogether, it is the most restrictive option you have.

It only requires one Policy CSP setting, ApplicationManagement/RequirePrivateStoreOnly, set to 1. As a custom OMA-URI that is ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly (or ./User/... for user scope), data type Integer, value 1.


Or, if you prefer the Settings Catalog (of course you do), just search for Require Private Store Only and enable it.

But beware of the licensing requirements: RequirePrivateStoreOnly only works on Windows 10 Education or Enterprise editions. On Pro the setting is accepted by the device but not honoured by the Store, so always check the edition before you trust the policy report.

Testing it!

When you take a look at the Microsoft Store, you will notice only your Private/Store Company Microsoft Store apps are available.

2. Limit Applications

If you don’t have the proper licensing but you still want to restrict what can be installed from the Microsoft Store, you can configure AppLocker instead.

To set up AppLocker you still need to create a custom OMA-URI policy; configuring AppLocker through the Settings Catalog isn’t supported. The XML below goes into the String value of ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/StoreApps/Policy, where <Grouping> is any name you choose for the rule set.



Content of the XML (the Dutch rule names from the exported policy are translated, and the closing tags and the <Conditions> wrappers that the AppLocker schema requires are restored; LowSection="*" means "any version")

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="617edd5b-3360-4281-9724-21e453587fce" Name="All signed app packages" Description="Allows members of the Everyone group to run signed app packages." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="617edd5b-3360-4281-9724-21e443587fce" Name="Whitelist Microsoft Windows app" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=MICROSOFT Windows, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Looking at the XML above, you will notice I am using FilePublisherRules so that only packages signed by Microsoft may be installed. Once a rule collection is enforced, AppLocker denies everything that is not matched by an Allow rule, so all other apps will fail to install.
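If you need to allow more than Microsoft’s own packages (say Netflix or Facebook on top of the two rules above), you can let AppLocker derive publisher rules from the signatures of packages that are already installed on a test device, and append them to the same RuleCollection. The following PowerShell is an added example and not code from the original post: it assumes the RuleCollection above was saved locally as C:\Temp\StoreApps-Policy.xml (an assumed path), that the apps are installed on the test device, and the package-name patterns are assumptions as well.

```powershell
# Added example, not from the original post. Derives AppLocker publisher rules
# for extra Store apps from their package signatures and appends them to the
# Appx RuleCollection that the AppLocker CSP expects. Run on a test device
# where the apps are installed; the path and package-name patterns are assumptions.

$existingCollectionFile = 'C:\Temp\StoreApps-Policy.xml'   # assumed: the RuleCollection from this post, saved locally
$extraAppPatterns       = @('*Netflix*', '*Facebook*')       # assumed package-name patterns to allow

$packages = foreach ($pattern in $extraAppPatterns) { Get-AppxPackage -Name $pattern }
if (-not $packages) { throw 'None of the extra packages are installed; install them on this test device first.' }

# Publisher rules match on the signing certificate, product and package name, so they
# keep working across app updates (a hash rule would break on the next version).
[xml]$generated = $packages |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Allowed Store app' -Optimize -Xml

# New-AppLockerPolicy wraps the rules in a full <AppLockerPolicy>; we only want the Appx collection.
$generatedAppx = $generated.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }

# Merge into the existing collection so the Microsoft rules (and EnforcementMode="Enabled") stay in place.
[xml]$collection = Get-Content -Path $existingCollectionFile -Raw
foreach ($rule in $generatedAppx.ChildNodes) {
    $null = $collection.RuleCollection.AppendChild($collection.ImportNode($rule, $true))
}

# Sanity check before shipping it: every rule should be an Allow rule for Everyone (S-1-1-0).
$collection.RuleCollection.ChildNodes |
    Select-Object @{ n = 'Rule';      e = { $_.GetAttribute('Name') } },
                  @{ n = 'Action';    e = { $_.GetAttribute('Action') } },
                  @{ n = 'Sid';       e = { $_.GetAttribute('UserOrGroupSid') } },
                  @{ n = 'Publisher'; e = { $_.Conditions.FilePublisherCondition.PublisherName } } |
    Format-Table -AutoSize

# The resulting string is what goes into the custom OMA-URI
# ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/StoreApps/Policy (data type String).
$collection.RuleCollection.OuterXml | Set-Content -Path 'C:\Temp\StoreApps-Policy.merged.xml' -Encoding UTF8
```

Publisher rules are preferred over hash rules here on purpose: a Store app gets updated without you noticing, and a hash rule would start blocking it at the first update.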

When deploying this AppLocker policy to all devices, you can check whether the policy has actually been delivered by looking at the AppLocker MDM folder on the device, C:\Windows\System32\AppLocker\MDM\, which holds the rule sets received through the AppLocker CSP.

Testing it!

After you are sure the AppLocker policy is applied, try to download Spotify from the Microsoft Store. It will not even download, let alone install!

Also take a look at the Store event log. The (translated) message reads: “Package deployment is blocked by policy”.

Downloading and installing the App package manually is blocked as well; you will be prompted with error code 0x800704EC, which is the HRESULT for Win32 error 1260, ERROR_ACCESS_DISABLED_BY_POLICY (“This program is blocked by group policy”).
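To check all of that from a PowerShell prompt instead of clicking through Event Viewer, here is an added example (not from the original post) that looks at the MDM folder, reads the effective policy, dry-runs the installed packages against it, pulls the blocked-install events and decodes the error code. It assumes nothing beyond the built-in AppLocker module and an elevated prompt on the device.

```powershell
# Added example, not from the original post: verify that the Intune-delivered
# AppLocker Appx collection is in effect and see what it has blocked. Run elevated.

# 1. Rule sets delivered through the AppLocker CSP land under this folder.
$mdmFolder = 'C:\Windows\System32\AppLocker\MDM'
$delivered = Get-ChildItem -Path $mdmFolder -Recurse -File -ErrorAction SilentlyContinue
if ($delivered) { $delivered | Select-Object FullName, LastWriteTime | Format-Table -AutoSize }
else            { "Nothing under $mdmFolder yet: the policy has not been delivered." }

# 2. The effective policy merges MDM and GPO rules; the Appx collection must be Enabled.
$effective = Get-AppLockerPolicy -Effective
[xml]$effectiveXml = Get-AppLockerPolicy -Effective -Xml
$appx = $effectiveXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if ($appx) { 'Appx collection: EnforcementMode={0}, rules={1}' -f $appx.EnforcementMode, $appx.ChildNodes.Count }
else       { 'No Appx rule collection in effect: Store apps are not restricted.' }

# 3. Dry-run: ask AppLocker what it would decide for every installed package.
#    Anything that is not "Allowed" here is blocked once the collection is enforced.
Get-AppxPackage -AllUsers |
    Test-AppLockerPolicy -PolicyObject $effective |
    Group-Object PolicyDecision |
    Select-Object Name, Count

# 4. Blocked installs are written to the Packaged app-Deployment log;
#    event 8025 = packaged app installation blocked by policy
#    (launch decisions, 8020-8022, live in the Packaged app-Execution log instead).
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Deployment'; Id = 8025
} -MaxEvents 10 -ErrorAction SilentlyContinue
if ($blocked) { $blocked | Select-Object TimeCreated, Id, Message | Format-List }
else          { 'No blocked package installs logged yet.' }

# 5. The 0x800704EC that a manual Add-AppxPackage returns is an HRESULT wrapping a Win32 error:
#    the low 16 bits are 1260 = ERROR_ACCESS_DISABLED_BY_POLICY.
$win32Code = 0x800704EC -band 0xFFFF
'0x800704EC -> Win32 {0}: {1}' -f $win32Code, ([System.ComponentModel.Win32Exception]::new($win32Code).Message)
```

Step 3 is the useful one before you roll the policy out: run it on a device that already has the apps your users rely on and you see up front which of them the new collection would block.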

3. Preventing access to the whole Microsoft Store

When you don’t want to go down the road of limiting the Store, you can also block access to the Microsoft Store altogether. But you have to ask yourself one question first: do you really want to block the Microsoft Store?


When you prevent access to the Microsoft Store for the whole device rather than for specific users, none of your Modern (Store) apps will be updated anymore, because they can only be updated through the Store itself or through Windows Update for Business, not through your existing software management solution or WSUS. Does that sound like a security/vulnerability problem to me? Yes, it does!


The policy writes one of these two values, depending on whether you target the device or the user:

Device scope: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore (REG_DWORD) = 1

User scope: HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore (REG_DWORD) = 1

If you enable this setting, access to the Store application is denied. As mentioned earlier, access to the Store is required for installing app updates.

Still reading? You can configure this setting with the Administrative Template “Turn off the Store application”. Beware! This policy does not work on a Windows 10 Pro license; you need Enterprise (or Education) for it to take effect!

Testing it!

4. Turning off access to the Microsoft Store??

When preventing access to the Microsoft Store is not enough, can we also remove the possibility to search the whole Microsoft Store? Let’s look at the administrative template “Turn off access to the Store” and what Microsoft has to say about it.

Reading the description, we learn that when this option is configured, the end user no longer gets the option to look for an app in the Store from the “Open with” dialog when opening a file with an unhandled file type. HUH? So “turning off access to the Microsoft Store” only removes the option to search the Store when you open a file with an unknown file type?

To test it, I created a simple file with the made-up extension .ubk

As shown above, no Microsoft Store option for the unknown extension, but renaming it back to .txt brings back the possibility to “search the Microsoft Store”.

So please skip this one! The name Microsoft has given it doesn’t do what you would expect when you read the title “Turn off access to the Microsoft Store”. But I needed to mention this policy because I think it’s a weird one.

5. Removing all Access to the Microsoft Store and installed Apps

If you want to step it up a notch, you could also remove all access to the Microsoft Store and all installed applications.

Unfortunately, there is no GUI method to configure this setting. Luckily there is a Policy CSP available (beware of the Enterprise requirement!), deployed as a custom OMA-URI with these values:



Data type: Integer
Value: 1

When the CSP is deployed to your device, try to open the Microsoft Store. It will give you a nice error message.

BEWARE: it also blocks the Company Portal app, because that is a Store app as well! Check out this blog to read the whole story behind it!

6. Blocking App Store packages only

Now that we have made sure the Microsoft Store is limited or blocked, we need to look at preventing manual Appx installations, because those don’t need the Store at all. Of course, when you have configured AppLocker, the AppLocker rules also apply when you install the appx files manually.

If you enable this policy, non-administrators will be unable to initiate the installation of Windows app packages.

But beware: all users will still be able to install Windows app packages through the Microsoft Store itself!

You can also configure this setting through the Settings Catalog: Block Non Admin User Install.

Okay, it looks kind of weird that you need to flip the switch to Allow, but reading the policy description tells you which option to choose:

“If you enable this policy, non-administrators will be unable to initiate the installation of Windows app packages.”

“If you disable or do not configure this policy, all users will be able to initiate the installation of Windows app packages”
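Before moving on, here is a way to see which of the settings from sections 1, 3, 5 and 6 are actually in effect on a device, and whether the edition even honours them. This is an added example, not from the original post. The registry locations are the ones the Administrative Template and Policy CSP versions of these settings write to; the name DisableStoreOriginatedApps for the section 5 CSP is an assumption that matches the behaviour described, and only the device-scope PolicyManager key is inspected for CSP-delivered values.

```powershell
# Added example, not from the original post. Audits the Store-related policies from
# sections 1, 3, 5 and 6 as they land in the registry on a device, and flags the
# Enterprise/Education-only ones when this edition will ignore them. Run elevated.
# Assumptions: the section 5 CSP is ApplicationManagement/DisableStoreOriginatedApps,
# and only the device-scope PolicyManager key is checked for CSP-delivered values.

$edition    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$isEntOrEdu = $edition -match '^(Enterprise|Education)'   # also matches EnterpriseS/N and EducationN
$policyMgr  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ApplicationManagement'

$policies = @(
    @{ Name = 'RequirePrivateStoreOnly';    Section = '1 (private store only)';       EnterpriseOnly = $true
       Paths = @('HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore', 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore', $policyMgr) },
    @{ Name = 'RemoveWindowsStore';         Section = '3 (turn off the Store app)';   EnterpriseOnly = $true
       Paths = @('HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore', 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore') },
    @{ Name = 'DisableStoreOriginatedApps'; Section = '5 (block Store apps, assumed CSP name)'; EnterpriseOnly = $true
       Paths = @($policyMgr) },
    @{ Name = 'BlockNonAdminUserInstall';   Section = '6 (non-admin Appx install)';   EnterpriseOnly = $false
       Paths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx', $policyMgr) }
)

"Edition: $edition (Enterprise/Education-only policies honoured: $isEntOrEdu)"
foreach ($p in $policies) {
    # Take the first location where the value exists; GPO/ADMX-backed keys are listed before PolicyManager.
    $value = $null; $foundAt = $null
    foreach ($path in $p.Paths) {
        $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($p.Name); $foundAt = $path; break }
    }

    if ($null -eq $value)  { $state = 'not configured' }
    elseif ($value -eq 1)  { $state = 'ENABLED' }
    else                   { $state = "set to $value" }

    # The trap from the post: the value is present, the Intune report says "Succeeded",
    # but a Pro device simply does not act on it.
    $warning = ''
    if ($value -eq 1 -and $p.EnterpriseOnly -and -not $isEntOrEdu) {
        $warning = "  <- configured but ignored on $edition (needs Enterprise/Education)"
    }

    '{0,-27} section {1,-42} {2}{3}' -f $p.Name, $p.Section, $state, $warning
    if ($foundAt) { "    found at $foundAt" }
}
```

Run it on one Pro and one Enterprise device after assigning the same profiles and the difference between “policy delivered” and “policy effective” becomes obvious.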


Download an Appx Package


7. Conclusion

Why block access to the Microsoft Store when you can manage it? Blocking access to the Microsoft Store is not the way to go, in my opinion!


11 thoughts on “Me and Earl and the Microsoft Store Apps”

  1. this is a great article – thanks.
    I have a question. Using the XML to restrict MS apps is part of a solution I have implemented. How can that XML be extended to allow for a list of apps that can be installed, i.e. all MS apps plus Facebook and Netflix? Is that easy?

    1. Normally, when you are not blocking the Microsoft Store apps with AppLocker, you can turn on audit mode. The name just says it all. When you have a test device you can open AppLocker on it and create a new publisher or file hash rule with the information you got from the audit events. Another possibility would be to download the appx packages offline so you can create a publisher rule by selecting them. When you have all your AppLocker Store rules configured you can export them and import them into Intune.

  2. Yes, great article. Question about

    Can I prevent a user from logging off from the private store and logging on with an account from another company to see their private store apps?

    1. Hi,

      First, thanks! 🙂 That’s a good question indeed. I am not sure if that’s possible to prevent. I will take a look at what I can find out tomorrow.

  3. Hi – great article. I have been trying some of the various options, as we use Pro licences I tried option 2 – it worked! I’d now like to revert to the previous state – how can I do that? I have deleted the policy from Endpoint, and removed the file from the AppLocker folder and restarted – still blocked in the MS Store.

      1. Hey – thanks for coming back to me – I ended up clearing the entire folder under AppLocker, restarted and I’m working again! I should probably have left the MDM folder, but figured that would be recreated as necessary.

  4. Block Non Admin user Install => Allow

    Does it mean the policy is ON, or does it allow non-admin users to install? If you turn it off it says Disable.

    That’s confusing.

  5. Can I safely disable the Microsoft Store if I am installing the apps through MEM or making Microsoft Store apps available through the Company Portal or does it still need to be enabled for updates?

    1. Hi, it depends on which option you chose, because the Microsoft Store could be needed to update those apps, as I also explain in this blog.
