Windows 10 1511 introduced the Windows Store for Business, allowing you to create a private store through which you can offer volume-purchased apps to users in addition to the free apps of the public store. You can also register a mobile device management (MDM) client or a client management tool (for instance, Configuration Manager or Intune) to synchronize the apps you have licensed.
If you log on to the store using an Azure AD account, you will see a new tab with the name of your organization.
In Windows 10 1511, it was possible to restrict the store to only show apps to the end user that had been published in the business store, thereby restricting access to all apps available in the public store. However, you could only do this through the MDM channel using an Open Mobile Alliance (OMA) Device Management (DM) policy. In Windows 10 1607, we now have a new Group Policy setting: Only display the private store within the Windows Store app. You can find the new policy under Computer Configuration > Administrative Templates > Windows Components > Store.
If we enable this setting and don’t log in with an Azure AD account (for instance, with a Microsoft account), the Store app will not show any apps.
Only if you use an Azure AD account will you see the apps that are published for users in the business store.
This is a very useful feature for many organizations because you can restrict the apps available to users in the store. Users can install apps through the store, but admins maintain some level of control over the available apps.
The first time you launch the Store app and log in using an Azure AD account, unregistered computers will be registered automatically. Devices can also be registered in Azure AD with other methods such as Group Policy, Azure AD Join, and Intune.
It is important to note that when working with Intune, devices are always registered in Azure AD (the setting "Users may register their devices with Azure AD" is turned on for all users and cannot be changed).
This can be helpful because users can log in with their Azure AD accounts on any computer running Windows 10 1511 or later without the need to prepare the device for Azure AD.
I have been asked a couple of times if this new Group Policy setting also allows us to restrict the Edge extensions users can install.
No, this setting does not affect Edge extensions. Users can still install all extensions that are available in the public store. In the screenshot below, you can see that only the tab for the private store is available, but all Edge extensions are still available.
Perfect, except for the requirement of an Azure AD account.
In a company, the app store can be a gateway for applications that may not be of interest to the company or that make employees waste time.
Despite the removal of the group policy that disabled access to the app store, many administrators will block it completely in the firewall or proxy, since the only way to manage what can be installed is with an Azure AD account.
It’s a shame, because with these requirements, things will continue to be done the old way when we could benefit from the application store.
Particularly I prefer a store app to a desktop application. But unfortunately we blocked the store here in the company.
Is this a way to block the Store entirely on Win10 Pro, as the article seems to say that the store will show blank if the GPO is configured but the company does not have an Azure account?
You’re right. I initially thought that just do not appear managed apps, since the first image of the app store, they appear as a tab aside, the end of the other tabs. But when reviewing the image, I saw that the entire store is blank.
How can you enable this GPO for mobile devices? We don’t use Intune, only the O365 onboard MDM.
Thanks in advance for any answer.
So we ran into an issue if you log off of the store and it shows the blank store, you can still search and install apps from the public store even though the GPO is set to restrict that. Seems like a bug possibly. Anyone experience that?
"So we ran into an issue if you log off of the store and it shows the blank store, you can still search and install apps from the public store even though the GPO is set to restrict that. Seems like a bug possibly. Anyone experience that?"
Yes, we do experience that. Does anyone know a workaround? Thanks