This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 38%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIB%3C/text%3E%3C/svg%3E)
Hi,
What is the purpose of having different types of accounts if normal user can install .exe application from apps.microsoft.com?
How to administer Microsoft OS if you have done this?
This is a huge security issue because normal users can install games, kali linux, social media etc.
How did we come to this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 17%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZH%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
If you want to prohibit standard users from installing applications through group policies, you can try these steps, provided that your system can invoke group policies (there are no group policies in the Home Edition)
I hope the information above is helpful.
Best regards
Zunhui
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
How is this a security issue? Users have always been able to install applications on their own accounts unless you block them from installing apps via GP. For years a user has been able to install per-user applications without admin privileges.
A per-user app runs in the context of the user and therefore has no more privileges to the system then the user normally would have. For example any user can install the per-user instance of Chrome or per-user instance of Azure Data Studio. This is no different than the user downloading a ZIP file with an EXE inside it and then running the EXE. The EXE has no rights that the user couldn't already do and therefore is not a security vulnerability.
Apps downloaded from the MS Store are even more locked down. In general they run in a sandbox and only have the rights that are granted to them by the user, who themselves are limited by their user account rights. Again, not a security vulnerability at all.
From a vulnerability point of view, a user doing something manually, such as creating a file or replacing something on their desktop, or a program doing it for them has the same security risks.
As Zunhui Han mentioned, if you don't want user to be able to install anything and/or only run apps that you approve then there are GP policies for that. Additionally you can configure Windows to only allow apps to be installed via the MS Store using the Apps \ Advanced app settings UI.
To disable access to the store follow the instructions given here. Note that this is an extreme step and will potentially prevent users from being able to use even apps that ship with Windows that are provided by the MS Store. Of course they can still install apps using other means so you'd also need to block installers. But if the app doesn't need an installer then nothing short of a whitelist of apps would work around that.
"Additionally you can configure Windows to only allow apps to be installed via the MS Store using the Apps \ Advanced app settings UI."
This actually works through GPO and with 1 more GPO can disable installing from store, without removing it but will probably block store apps update.
For standard user the default should be that he can't install directly from store or website and there should be GPO option to allow 1 or both options.
Anyway, thanks for this solution
Turn off the Store application doesn't work for Windows Pro(OEM/Retail) with on-prem AD and the only way to disable it is:
And to completely disable install from apps.microsoft.com you can use gpo like you said configuring Windows Defender SmartScreen/Explorer/Configure App Install Control.
I already have so much problems with removing store(applied by gpo in 2020) and now getting it back for standard users because there is no MS fix repair that runs without admin rights(sometimes it works with local administrator account but most of the times not)
Problematical is vclibs and Permission rights for WindowsApps folders and subfolders and its painfull to address all different kind of errors
That GPO is not working with .exe application from apps.microsoft.com which are store apps.
Installing kali linux on machine that has enabled "Windows Subsystem for Linux" is security issue.
Standard users installing games, linux, social media apps is security issue no matter if pc is used in business or at home.
What's the point of standard user in Windows Pro edition if it doesn't mean a thing? Standard users that can install something that you don't want them install is possible.
Removing MS Store doesn't help, getting back MS Store for standard user is painfull and easiest way is to give the user local admin rights untill it's back.
Microsoft standard apps calc, notepad, snipping tools etc. stops working after upgrade when MS Store is been removed.
I fell sorry for you guys that have to work for these new M$ management, hope you'll resist this kind of politics someday
I've finally found a way to get back store that was removed for standard users with GPO:
GPO to disallow user to open store and install from apps.microsoft.com:
And if you have errors with opening store Apps and nothing helps:
