How to Restrict Users to Private Store with Group Policy in Windows 10

A new Group Policy setting, Only display the private store within the Windows Store app, introduced with the Anniversary Update (Windows 10 1607) lets admins hide the public store and restrict users to the private store of the Windows Store for Business.

Windows 10 1511 introduced the Windows Store for Business, allowing you to create a private store through which you can offer volume-purchased apps to users in addition to the free apps of the public store. You can also register a mobile device management (MDM) client or a client management tool (for instance, Configuration Manager or Intune) to synchronize the apps you have licensed.

If you log on to the store using an Azure AD account, you will see a new tab with the name of your organization.

Private store in Windows 10

In Windows 10 1511, it was already possible to restrict the Store to show end users only the apps that had been published in the business store, thereby blocking access to the apps in the public store. However, this was only possible through the MDM channel, using an Open Mobile Alliance Device Management (OMA-DM) policy.

In Windows 10 1607, we now have a new Group Policy setting: Only display the private store within the Windows Store app. You can find the new policy under Computer Configuration > Administrative Templates > Windows Components > Store.


The new Group Policy setting – Only display the private store within the Windows Store app

If we enable this setting and the user signs in with something other than an Azure AD account (for instance, a Microsoft account), the Store app will not show any apps at all.

Store without apps after login with Microsoft account

Only if you use an Azure AD account will you see the apps that are published for users in the business store.

Only the private store is available

This is a very useful feature for many organizations because it limits the apps available to users in the Store: users can still install apps themselves through the Store, but admins control which apps are offered.

The first time the Store app is launched and signed in to with an Azure AD account, an unregistered computer is registered in Azure AD automatically. Devices can also be registered in Azure AD by other means, such as Group Policy, Azure AD Join, and Intune.

It is important to note that with Intune, devices are always registered in Azure AD (the setting "Users may register their devices with Azure AD" is turned on for all users and cannot be changed).

Devices managed with Intune are always registered in Azure AD

This can be helpful because users can sign in with their Azure AD accounts on any computer running Windows 10 1511 or later without preparing the device for Azure AD beforehand.
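The following PowerShell script is an added example and is not part of the original post. It ties together the two points above: the policy setting itself and the Azure AD registration that decides whether a user sees the private store or an empty Store. It assumes that the Group Policy setting is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly (DWORD, 1 = enabled), which is also what the MDM policy ApplicationManagement/RequirePrivateStoreOnly writes, and that dsregcmd.exe /status prints the device state as "Key : YES/NO" lines. The function names (Get-PrivateStorePolicy, Get-AzureAdState, Test-PrivateStoreOutcome, Enable-PrivateStoreOnly) are my own.

```powershell
# Added example, not code from the original post.
# Audit whether "Only display the private store within the Windows Store app"
# is enforced on this machine and whether the device is registered in Azure AD,
# so an admin can predict what the Store app will show before enabling the policy.
#
# Assumption: the GPO writes the documented registry value
#   HKLM\SOFTWARE\Policies\Microsoft\WindowsStore\RequirePrivateStoreOnly = 1 (DWORD)
# and the OMA-DM policy ApplicationManagement/RequirePrivateStoreOnly sets the same value.

$script:StorePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Get-PrivateStorePolicy {
    # Returns whether the value exists at all and whether it is set to 1.
    $value = (Get-ItemProperty -Path $script:StorePolicyKey `
                -Name 'RequirePrivateStoreOnly' -ErrorAction SilentlyContinue).RequirePrivateStoreOnly
    [pscustomobject]@{
        Configured = ($null -ne $value)
        Enabled    = ($value -eq 1)
    }
}

function Get-AzureAdState {
    # Assumption: dsregcmd /status prints lines such as "AzureAdJoined : YES".
    # AzureAdJoined = Azure AD joined, WorkplaceJoined = Azure AD registered
    # (the state the Store sign-in with an Azure AD account produces automatically).
    $lines  = & dsregcmd.exe /status 2>$null
    $wanted = 'AzureAdJoined', 'WorkplaceJoined', 'DomainJoined'
    $state  = @{ AzureAdJoined = $false; WorkplaceJoined = $false; DomainJoined = $false }
    foreach ($line in $lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]$state
}

function Test-PrivateStoreOutcome {
    # Combines both checks into a one-line prediction of Store behaviour.
    $policy = Get-PrivateStorePolicy
    $aad    = Get-AzureAdState
    if (-not $policy.Enabled) {
        return 'Policy not enforced: public and private store are both visible.'
    }
    if ($aad.AzureAdJoined -or $aad.WorkplaceJoined) {
        return 'Policy enforced and device registered in Azure AD: Azure AD users see only the private store.'
    }
    return 'Policy enforced but device not yet registered in Azure AD: users must sign in to the Store ' +
           'with an Azure AD account (which registers the device); a Microsoft account will see an empty Store.'
}

function Enable-PrivateStoreOnly {
    # Writes the same value the GPO sets, for a standalone or lab machine. Run elevated.
    if (-not (Test-Path $script:StorePolicyKey)) {
        New-Item -Path $script:StorePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $script:StorePolicyKey -Name 'RequirePrivateStoreOnly' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage:
#   Get-PrivateStorePolicy
#   Get-AzureAdState
#   Test-PrivateStoreOutcome
```

Enable-PrivateStoreOnly is only meaningful on a machine that does not receive the domain GPO; on a domain member the next Group Policy refresh will reassert whatever the linked GPO says, so use the GPO path from the screenshot above for managed devices and keep the script for auditing.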

I have been asked a couple of times if this new Group Policy setting also allows us to restrict the Edge extensions users can install.

No, this setting does not affect Edge extensions. Users can still install all extensions that are available in the public store. In the screenshot below, you can see that only the tab for the private store is available but all Edge extensions are available.

Microsoft Edge extensions in the store
