Windows 10 1511 introduced the Windows Store for Business, allowing you to create a private store through which you can offer volume-purchased apps to users in addition to the free apps of the public store. You can also register a mobile device management (MDM) client or a client management tool (for instance, Configuration Manager or Intune) to synchronize the apps you have licensed.
If you log on to the store using an Azure AD account, you will see a new tab with the name of your organization.
In Windows 10 1511, it was possible to restrict the store to only show apps to the end user that had been published in the business store, thereby restricting access to all apps available in the public store. However, you could only do this through the MDM channel using an Open Mobile Alliance (OMA) Device Management (DM) policy. In Windows 10 1607, we now have a new Group Policy setting: Only display the private store within the Windows Store app. You can find the new policy under Computer Configuration > Administrative Templates > Windows Components > Store.
If we enable this setting and don’t log in with an Azure AD account (for instance, with a Microsoft account), the Store app will not show any apps.
Only if you use an Azure AD account will you see the apps that are published for users in the business store.
This is a very useful feature for many organizations because you can restrict the apps available to users in the store. Users can install apps through the store, but admins maintain some level of control over the available apps.
The first time you launch the Store app and log in using an Azure AD account, unregistered computers will be registered automatically. Devices can also be registered in Azure AD with other methods such as Group Policy, Azure AD Join, and Intune.
It is important to note that when working with Intune, devices are always registered in Azure AD (the setting "Users may register their devices with Azure AD" is turned on for all users and cannot be changed).
This can be helpful because users can log in with their Azure AD accounts on any computer running Windows 10 1511 or later without the need to prepare the device for Azure AD.
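To confirm on a client that the private-store restriction has applied and whether the device is registered in Azure AD, the following PowerShell audit can be used. It is an added example, not part of the original article; it assumes the policy is backed by the `RequirePrivateStoreOnly` registry value under `Software\Policies\Microsoft\WindowsStore` and that `dsregcmd /status` reports the `AzureAdJoined` and `WorkplaceJoined` fields. The function names are hypothetical.

```powershell
# Added example. Assumption: the Group Policy setting is backed by the DWORD
# RequirePrivateStoreOnly under Software\Policies\Microsoft\WindowsStore.
function Get-PrivateStoreOnlyState {
    param(
        [string[]]$PolicyPath = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore',  # Computer Configuration
            'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'   # User Configuration
        )
    )
    foreach ($path in $PolicyPath) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # A missing value returns nothing instead of raising an error.
            $item = Get-ItemProperty -LiteralPath $path -Name 'RequirePrivateStoreOnly' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.RequirePrivateStoreOnly }
        }
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 1)  { $state = 'Enabled' }
        elseif ($value -eq 0)  { $state = 'Disabled' }
        else                   { $state = 'Unexpected' }
        [pscustomobject]@{ Path = $path; RawValue = $value; State = $state }
    }
}

# Parse the "Name : Value" lines of dsregcmd /status into a lookup table.
function Get-DeviceRegistrationState {
    param([string[]]$StatusText = (& dsregcmd.exe /status))
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined   = ($fields['AzureAdJoined'] -eq 'YES')
        WorkplaceJoined = ($fields['WorkplaceJoined'] -eq 'YES')
    }
}

$policy = Get-PrivateStoreOnlyState
$device = Get-DeviceRegistrationState
$policy | Format-Table -AutoSize
$device | Format-List
if (($policy.State -contains 'Enabled') -and -not ($device.AzureAdJoined -or $device.WorkplaceJoined)) {
    # Per the article: without an Azure AD sign-in the Store app shows no apps.
    Write-Warning 'Private store only is enforced and the device is not yet registered in Azure AD; the Store stays empty until a user signs in with an Azure AD account.'
}
```

An `Enabled` result here says nothing about Edge extensions, which the setting does not cover.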
I have been asked a couple of times if this new Group Policy setting also allows us to restrict the Edge extensions users can install.
No, this setting does not affect Edge extensions. Users can still install all extensions that are available in the public store. In the screenshot below, you can see that only the tab for the private store is available, but all Edge extensions are available.