If you’re managing a fleet of computers in a business, you may not want users being able to access everything in the Microsoft Store. Having users a few clicks away from installing ‘Slotomainia’ or ‘Ninja World’ might not be what you want readily available on a business computer. You may also not want other services that can contribute to data leakage, or shadow IT type solutions that users decide to adopt.
As long as you are running Windows 10 Enterprise or Education, you could completely disable the Microsoft Store functionality by either using Applocker to maintain a whitelist of allowed packaged apps, or using Group Policy to enable the “Turn off Store application” under Computer Configuration > Administrative Templates > Windows Components.
For Windows 10 Pro and Home users, this won’t work so you’ll have to try other methods such as uninstalling Windows Store on each PC with the PowerShell command Get-AppxPackage *windowsstore* | Remove-AppxPackage
Disabling the Microsoft Store entirelybut you may find that there is a requirement to use a few of the Microsoft Store apps by your users. For this option (again just for Enterprise and Education, and you’ll need Office 365 or Azure AD), you can instead have a Private Store. This is enabled again in Group Policy, using the setting “Only display the private store within the Microsoft Store app” again under Computer Configuration > Administrative Templates > Windows Components.
The Microsoft Store will look pretty bare at this stage (I see the 5 apps in the screenshot below by default), so you’ll want to add or remove some apps. This is done online, Enterprise customers go to https://businessstore.microsoft.com and education customers go to https://educationstore.microsoft.com. You’ll need to sign in with an account that’s an Azure AD or Office 365 Global Administrator, but can then grant access to others.
To add an app, under ‘Shop for my group’ you can search or click through options to find the app you’re after – I’ve chosen Microsoft To-Do for this example. Going onto the app’s page will give you a button that says ‘Get the app’. Once you click that, you’ll see the message “Microsoft To-Do has been purchased and added to your inventory.” After you’ve done that, go to the “Manage” tab and then the “Products and Services” option on the right hand side. Find the app, click the ellipsis (…) and choose “Add to private store”
You will finally see a message saying that the app has been added to your store, but may take up to 36 hours* to show.
There’s also the option to assign an app to a user, this is only needed if it’s a licensed or paid for app that you want to give only to certain users – you may have bought 10 copies of a particular Windows Store app and need to control who has access to it.
It’s worth having a look through the other options on this page as you can control settings such as letting users make purchases, what your organisation will be called in the Microsoft Store app and if you get invoices for the store via email.
Overall the Private Microsoft Store is rather easy to set up, lets you give users self-service access to apps that you allow, and gives you an easy way of letting someone install a Microsoft Store app in the future without having to enable the entire store.
*Update 2nd August 2018
There’s been a great improvement to the 36 hour wait, it’s now within 15 minutes! More details here
4 thoughts on “Controlling Microsoft Store Access”
IMO, one of the most bizarre decisions made by the Store team right now is not having a means of filtering/restricting the store by category. As an admin, I may want to allow my users to install apps from the “Productivity” category. Let’s face it, the biggest ones we want to block are probably Games and Social Media apps, so why not let us filter by those categories?
If the company has turned off access to the Windows Store, is this the only way of giving some people access while keeping it shut down for others?
I second the filter by category. I would love to allow our users to download themes or productivity apps but block social/video streaming/games.
Come on guys… don’t be so naive. You think that an app dev properly categorizing their app as to limit themselves to how users they can reach is going to be something they do? If that is the only thing that preventing my app from getting installed on many business computers, then of course I am going to lie. Then it becomes a mess for some team at Microsoft to manage.
Which is why they probably created the whole private store.