A new Group Policy setting (Only display the private store within the Windows Store app) in the Anniversary Update (Windows 10 1607) allows admins to disable the public store and restrict users to the private store in the Windows Store for Business.
Windows 10 1511 introduced the Windows Store for Business, allowing you to create a private store through which you can offer volume-purchased apps to users in addition to the free apps of the public store. You can also register a mobile device management (MDM) client or a client management tool (for instance, Configuration Manager or Intune) to synchronize the apps you have licensed.

If you log on to the store using an Azure AD account, you will see a new tab with the name of your organization.

Private store in Windows 10

In Windows 10 1511, it was possible to restrict the store to only show apps to the end user that had been published in the business store, thereby restricting access to all apps available in the public store. However, you could only do this through the MDM channel using an Open Mobile Alliance (OMA) Device Management (DM) policy. In Windows 10 1607, we now have a new Group Policy setting: Only display the private store within the Windows Store app. You can find the new policy under Computer Configuration > Administrative Templates > Windows Components > Store.

The new Group Policy setting - Only display the private store within the Windows Store app

If we enable this setting and don’t log in with an Azure AD account (for instance, with a Microsoft account), the Store app will not show any apps.

Store without apps after login with Microsoft account

Only if you use an Azure AD account will you see the apps that are published for users in the business store.

Only the private store is available

This is a very useful feature for many organizations because you can restrict the apps available to users in the store. Users can install apps through the store, but admins maintain some level of control over the available apps.
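To confirm that the setting described above has actually reached a machine, you can read the policy value back. The following is an added example, not code from the original article; it assumes the policy is backed by the `RequirePrivateStoreOnly` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\WindowsStore`, and the function name `Get-PrivateStorePolicyState` is hypothetical.

```powershell
# Added example, not from the article: report the private-store policy state.
# Assumption: the policy is backed by the DWORD RequirePrivateStoreOnly under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsStore (not stated on the page).
function Get-PrivateStorePolicyState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
        $name  = 'RequirePrivateStoreOnly'
        $build = [Environment]::OSVersion.Version.Build
        $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }

        if ($build -lt 14393) {
            $state = 'PolicyNotSupported'      # older than Windows 10 1607
        } elseif ($null -eq $value) {
            $state = 'NotConfigured'
        } elseif ($value -eq 1) {
            $state = 'PrivateStoreOnly'
        } else {
            $state = 'PublicStoreVisible'
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Build       = $build
            PolicyValue = $value
            State       = $state
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check
            continue
        }
        try {
            Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop |
                Select-Object Computer, Build, PolicyValue, State
        } catch {
            [pscustomobject]@{ Computer = $computer; Build = $null; PolicyValue = $null; State = 'Unreachable' }
        }
    }
}

Get-PrivateStorePolicyState | Format-Table -AutoSize
```

Passing names to `-ComputerName` requires PowerShell remoting to be enabled on the target machines.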

The first time you launch the Store app and log in using an Azure AD account, unregistered computers will be registered automatically. Devices can also be registered in Azure AD with other methods such as Group Policy, Azure AD Join, and Intune.

It is important to note that when working with Intune, devices are always registered in Azure AD (the setting "Users may register their devices with Azure AD" is turned on for all users and cannot be changed).

Devices managed with Intune are always registered in Azure AD

This can be helpful because users can log in with their Azure AD accounts on any computer running Windows 10 1511 or later without the need to prepare the device for Azure AD.

I have been asked a couple of times if this new Group Policy setting also allows us to restrict the Edge extensions users can install.

No, this setting does not affect Edge extensions. Users can still install all extensions that are available in the public store. In the screenshot below, you can see that only the tab for the private store is available but all Edge extensions are available.

Microsoft Edge extensions in the store

6 Comments
  1. Andrey Oliveira 7 years ago

    Perfect, except for the requirement of an Azure AD account.

    In a company, the app store can be a gateway for applications that can not be of interest to the company or do employees waste time.

    Despite the removal of the group policy that disabled the access to the app store, many administrators will block it completely in firewall or proxy. Since the only way to manage that can be installed is with an Azure AD account.

    It’s a shame, because with these requirements, things will continue to be made in the old way as could benefit from the application store.

    Particularly I prefer a store app to a desktop application. But unfortunately we blocked the store here in the company.

     

  2. Padraig Rocks 7 years ago

    Is this a way to block the Store entirely on Win10 Pro as the article seems to say that the store will show blank if the GPO is configured but the company does not have an Azure account?

    • Andrey Oliveira 7 years ago

      You’re right. I initially thought that just do not appear managed apps, since the first image of the app store, they appear as a tab aside, the end of the other tabs. But when reviewing the image, I saw that the entire store is blank.

  3. Günther 7 years ago

    How can you enable this GPO for mobile devices? We don’t use Intune, only the O365 onboard MDM.

    Thanks in advance for any answer.

  4. Scott 5 years ago

    So we ran into an issue if you log off of the store and it shows the blank store, you can still search and install apps from the public store even though the GPO is set to restrict that. Seems like a bug possibly. Anyone experience that?

  5. Ali 4 years ago

    "So we ran into an issue if you log off of the store and it shows the blank store, you can still search and install apps from the public store even though the GPO is set to restrict that. Seems like a bug possibly. Anyone experience that?"

     

    Yes, we do experience that. Does anyone know a workaround? Thanks
