The Microsoft Store for Business is being replaced by the new Store, which is integrated with Microsoft Intune. How are you managing your devices right now?
How are companies curating the Windows Store?
We spend a lot of resources ensuring that only approved software is installed on computers. The Windows Store for Business allowed for a controlled way to curate what was shown in the Store. Now that it's gone, we have to turn it off completely or create AppLocker rules to whitelist every install. How is everyone else handling random software installations?
Using AppLocker is not ideal for these reasons.
- Customers see the whole Store, select an app they want, and only then find out it's blocked. The Store for Business showed only apps that were approved, resulting in a better experience.
- AppLocker rules are primarily made by scanning existing packages to whitelist them. This means we have to configure a separate policy for the one computer with an unrestricted Store which also has access to Group Policy to create new rules. Installing appx packages on a server just to make a rule is not ideal. Even using Endpoint.Microsoft.com, you first have to make the rule in GP, then export it to Intune. Our firewall rules block access to Group Policy RSAT tools from workstations as part of recommended security policy.
I suspect that this functionality isn't being overlooked; it's more that Microsoft wants everyone to have unrestricted access to the Store, so it is not providing controls.
We currently have the Store disabled altogether, but we are finding more apps that are only published to it. MS recently required all Office add-ons to be put into the O365 Store so I wouldn't be surprised if they are putting pressure on vendors to use Store distribution only.
2 answers
Pavel yannara Mirochnitchenko 12,691 Reputation points MVP
2023-07-03T06:22:57.0433333+00:00

First, never uninstall the Store app from Windows clients.
You should limit users so that they are not able to install software from the Store, but at the same time distribute needed apps from the Intune new Store integration.
Other random app installations will require admin rights, so don't give admin rights to users. Also, AppLocker is useless if your users have admin rights.