Managing Apps in the Microsoft Store.


The Microsoft Store: an ideal place to download Spotify or Netflix on a company-owned device. Of course, you want to block this.

There are several ways to block the Microsoft Store so it can’t be accessed at all. But why not allow only certain apps, so that only Microsoft apps or company apps can be installed or opened?

The best option is to make sure only your private store is available. It only requires a CSP to do so:

./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly

But looking at the requirements, it needs a Windows 10 Education or Enterprise license. What to do when you don’t have a license like this? Use AppLocker instead!

To set up AppLocker, you need to create a custom CSP rule:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy

The content of the XML:


<RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="617edd5b-3360-4281-9724-21e453587fce" Name="Alle ondertekende toepassingspakketten" Description="Hiermee kunnen leden van de groep Iedereen ondertekende toepassingspakketten uitvoeren." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="617edd5b-3360-4281-9724-21e443587fce" Name="Whitelist Microsoft Windows app" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=MICROSOFT Windows, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
</RuleCollection>
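
A pre-upload check for the XML above, as an added example that is not part of the original post: it catches typographic quotes picked up by copy-paste, a non-enforcing mode, reused rule Ids, and an Allow rule with a wildcard publisher. The function name `Test-AppxRuleCollection` and the sample policy are constructed for illustration.

```powershell
# Added example, not from the original post; function name and checks are illustrative.
function Test-AppxRuleCollection {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $issues  = [System.Collections.Generic.List[string]]::new()
    $allowed = [System.Collections.Generic.List[string]]::new()
    $result  = [pscustomobject]@{ Issues = $issues; AllowedPublishers = $allowed }
    # Typographic quotes picked up when copying from a web page make the XML unparseable.
    if ($PolicyXml -match '[\u201C\u201D\u2033]') {
        $issues.Add('Typographic quotes found; replace them with plain double quotes.')
        return $result
    }
    try { $root = ([xml]$PolicyXml).DocumentElement }
    catch { $issues.Add("Not well-formed XML: $($_.Exception.Message)"); return $result }
    if ($root.LocalName -ne 'RuleCollection' -or $root.GetAttribute('Type') -ne 'Appx') {
        $issues.Add('Root element must be <RuleCollection Type="Appx">.')
        return $result
    }
    if ($root.GetAttribute('EnforcementMode') -ne 'Enabled') {
        $issues.Add('EnforcementMode is not "Enabled"; the rules will not block anything.')
    }
    $seen = @{}   # hashtable keys are case-insensitive, which suits GUID comparison
    foreach ($rule in $root.SelectNodes('FilePublisherRule')) {
        $id = $rule.GetAttribute('Id')
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$guid)) { $issues.Add("Rule Id '$id' is not a GUID.") }
        if ($seen.ContainsKey($id)) { $issues.Add("Rule Id '$id' is used more than once.") }
        $seen[$id] = $true
        foreach ($cond in $rule.SelectNodes('Conditions/FilePublisherCondition')) {
            $publisher = $cond.GetAttribute('PublisherName')
            if ($rule.GetAttribute('Action') -ne 'Allow') { continue }
            $allowed.Add($publisher)
            # A wildcard publisher allows every signed package and defeats the allow-list.
            if ($publisher -eq '*') { $issues.Add("Rule '$id' allows any publisher.") }
        }
    }
    return $result
}
# Constructed sample: a Microsoft publisher rule plus a wildcard rule that reuses the same Id.
$sample = @'
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Everything" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
  </FilePublisherRule>
</RuleCollection>
'@
(Test-AppxRuleCollection -PolicyXml $sample).Issues
```

The `AllowedPublishers` property of the result lists every publisher an Allow rule lets through, which is a quick way to review the effective allow-list before assigning the profile.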


If you want to make sure the AppLocker policy is applied, check whether a policy file has been created in the AppLocker folder c:\Windows\System32\AppLocker\MDM\

After the AppLocker policy is applied, you can try to download Spotify from the Microsoft Store. It will not even download or install!

Also, take a look at the “Store Event log”. To translate it: “Packet distribution is blocked by a policy”.

Conclusion: why block access to the Microsoft Store when you can manage it?
