Choosing the right Windows 10 app store configuration

There are several options to configure the Windows 10 app store behaviour. In this post, I’d like to compare the different configurations with their implications. The following questions may come up in your Windows 10 project:

How to keep universal apps updated?
How to avoid un-managed download and installation of apps?
How to prevent the use of Microsoft accounts?

Computer configuration group policy for Windows 10 app store

In Computer Configuration – Administrative Templates – Windows Components – Store you can find the policy setting Turn off the Store application. If you set this one to enable, your users just see a notification that the app store is disabled on their system. The second important setting here is Turn off automatic Download and Install of updates.

Disadvantage
Your Windows Store apps will never get any updates. Besides the general problems with outdated software, here are just two examples where this could lead to issues:

After installing language packs and Features on Demand and after correctly applying all localization settings, all universal apps on a fully localized Windows installation are still in English, because apps can not be updated when the store is disabled by computer policy.

The version of the OneNote universal app which is included in the Windows 1511 image only supports Microsoft accounts for login at the first app start (Azure AD accounts can only be added later). Presumably, since Windows 8 you don’t want your users to authenticate with Microsoft accounts 😉 Be aware, that even if you are installing the full OneNote 2016 application with Office 2016, you’ll need the OneNote universal app in order to use modern features of the Edge browser like making web notes, drawing on websites and stuff like that. Newer updated versions of the OneNote universal app support Azure AD accounts at first login.

User configuration group policy for Windows 10 appstore

In User Configuration – Administrative Templates – Windows Components – Store you can also find the policy setting Turn off the Store application. If you enable this setting, users still get a notification when opening the store application:

The store app is blocked

But compared to the computer configuration policy, you are now able to apply updates to universal apps on your Windows 10.

Disadvantage
If you do not configure the computer policy Turn off automatic Download and Install of updates all of your Windows clients will download app updates from Microsoft directly. Especially in branch offices with bad WAN links this may impact your bandwidth dramatically. Just a few examples regarding app sizes: Calculator app – 6,1 MB, News app – 10MB, Mail and Calendar app – 148,9 MB. To avoid these downloads but keep your apps up-to-date, you can enable the computer policy and use Windows Store for Business to download an offline copy of the updated apps and deploy them via your ConfigMgr infrastructure or install them during your image creation process (your company needs an Azure tenant for the Windows Store for Business and app sideloading needs to be enabled in Windows).

MDM policy for app store

Unlike in Windows 10 Mobile, the Application Management/AllowStore setting in the Policy configuration service provider is not supported on desktops. You need no configure the AppLocker configuration service provider if you want to block the app store on desktops with MDM: https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019.aspx

Group policy and MDM policy for private store

In Windows 10 Insider Preview Build 14295, Microsoft added a new group policy setting both for computer and user in Administrative Templates – Windows Components – Store: Only display the private store within the Windows store app. If you plan to use Windows store for Business you should choose this one, and users do not longer get the The app store is blocked notification:

2016-04-28 17_45_08-Store

The MDM setting ApplicationManagement/RequirePrivateStoreOnly is documented here: https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly

Instead of using Group policy or MDM policy, you can disable the public store via registry, which works also on previous Windows 10 builds. In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\RequirePrivateStoreOnly set value to 1:

2016-04-28 17_44_45-Registry Editor

Disadvantage
Although the public store can not be accessed any longer, users are still able to enter a Microsoft account:

2016-04-28 17_45_24-

When they sign up with a Microsoft account, this error message comes up:

2016-04-28 17_50_02-

The most annoying issue here is that the added Microsoft account is visible in the store regardless of the error message. And when a users clicks on e.g. My Library, the store application crashes without any further error message:

2016-04-28 17_46_03-Store

Disable Microsoft accounts in Windows 10 app store with MDM policy and/or WMI

The group policy Accounts: Block Microsoft accounts in Computer configuration – Windows Settings – Security Settings – Local Policies – Security options which is already known from Windows 8 does not disable the usage of Microsoft accounts in the store application. You can configure this with the settings for Accounts/AllowMicrosoftAccountConnection and Accounts/AllowAddingNonMicrosoftAccountsManually in the Policy configuration service provider, which is documented here: https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Accounts_AllowMicrosoftAccountConnection

Fortunately, you don’t need a MDM solution but can enable these settings also via WMI. Here is the powershell code to create a new WMI instance for this:

$namespaceName = "root\cimv2\mdm\dmmap" 
$className = "MDM_Policy_Config01_Accounts02" 
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config"; InstanceID="Accounts"; AllowMicrosoftAccountConnection=0; AllowAddingNonMicrosoftAccountsManually=0} 

With this setting, users see still the option to add a Microsoft account to the store. But the error message is slightly different and most important: the Microsoft account does not appear in the store:

2016-04-28 17_58_17-

Combining the private store setting and blocking Microsoft accounts, users cannot browse the public app store and are not able to authenticate with any other account than their company Azure account.

Disadvantage
Using this setting, Microsoft accounts are not only blocked in the store application. For example, the photos application also allows to enter a Microsoft account in order to sync all photos to a private OneDrive. You may decide on your own, if preventing this is a disadvantage or an advantage 😉

Users will see this message in the photos app:

2016-04-28 18_00_56-Photos_2

But keep in mind, that now it’s also impossible to add an (personal) email account to the built in Mail universal app.

Credit for the powershell script goes to Scott Breen, who published this on his blog in February 2016: http://blog.scottbreen.tech/2016/02/24/block-microsoft-accounts-windows-10/

Conclusion

Group Policy, Registry, MDM and WMI offer completely different options to configure the Windows 10 app store. Each of them leads to a different result. Choose wisely 😉

Leave a Reply