Manage Client Access to the Windows Store
Applies To: Windows 8
Windows Store is available in Windows® 8. IT Administrators can control the availability and functionality of Windows Store to client computers based on the business policies of their enterprise environment. The following covers frequently asked questions by IT Pros about managing aspects of client access to the Windows Store in an enterprise environment.
Overview
What is a Windows app?
What is LOB?
What is sideloading? Does the Windows Store allow it?
Can I use Group Policy to control the Windows Store in my enterprise environment?
Are there any special considerations while configuring access permissions on system resources through Group Policy?
Are any Windows Store privacy settings controlled by Group Policy?
Windows Store Availability
Can I turn access to the Windows Store on or off?
Am I required to go through the Windows Store to deploy Windows apps?
What about devices that move between work and home? Is it possible to manage availability of the Windows Store on these devices?
Managing Apps
How much control does an IT Administrator have over the Windows apps that can be installed in their environment?
Do I have any control over which third-party apps can be installed from the Windows Store?
What about devices that move between work and home? Is it possible to manage apps and updates available from the Windows Store on these devices?
Managing Updates
Can I control which third-party app updates are available from the Windows Store?
Is it possible to configure the Windows Store to perform automatic updates?
Overview
What is a Windows app?
Windows apps are designed to be sleek, quick, and modern, with groups of common tasks consolidated to speed up usage. The core design concepts of a Windows app are good typography and large, eye-catching text, with the content as the main focus. Windows apps are delivered as signed app packages and run in a restricted process (an AppContainer), which is what the access-permission considerations later in this topic refer to.
For more information about the concept of Windows apps, see What are Windows apps? on MSDN.
What is LOB?
LOB stands for line-of-business. A line-of-business app is one that requires users to authenticate with corporate credentials, accesses internal information, or is designed specifically for internal use; for example, an expense report app that the IT department provides to employees.
What is sideloading? Does the Windows Store allow it?
Sideloading, which is available in both Windows 8 and Windows Server 2012, refers to installing an app package directly on a device without going through the Windows Store. Sideloaded LOB apps do not need to be certified by Microsoft and are not distributed through the Windows Store, but they must be signed with a certificate that chains to a root certificate trusted by the device, and the device must have sideloading enabled through the Allow all trusted apps to install Group Policy setting (domain-joined Windows 8 Enterprise and Windows Server 2012 need only the policy; other editions also need a sideloading product key). We recommend that IT administrators run the same technical certification tests on LOB apps that the Windows Store runs on submitted apps.
For more information about sideloading, see How to Add and Remove Apps.
For more information about running the technical certification tests, see How to test your app with the Windows App Certification Kit.
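The following PowerShell is an added example, not code from the original article or from Microsoft. It gates sideloading on two things the text above requires: that the device has the Allow all trusted apps to install policy set, and that the package signature verifies against a root the device trusts (optionally pinned to your own LOB signing certificate by thumbprint). The package path, the thumbprint, and the function names are placeholders.

```powershell
# Added example (not from the original article): verify that sideloading is enabled and that an
# LOB package is signed by a trusted (and, optionally, expected) certificate before installing it.
# $PackagePath and $ExpectedThumbprint are placeholders supplied by the caller.

function Test-SideloadingEnabled {
    # The "Allow all trusted apps to install" Group Policy setting writes this value when enabled.
    # Domain-joined Windows 8 Enterprise and Windows Server 2012 need only the policy; other editions
    # also need a sideloading product key, which this check does not cover.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $item = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.AllowAllTrustedApps -eq 1)
}

function Test-LobPackageSignature {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$ExpectedThumbprint      # optional: pin the signer to your LOB signing certificate
    )
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    # 'Valid' means the signature verifies and the certificate chains to a root the device trusts,
    # the same requirement Add-AppxPackage enforces; checking first gives a clearer failure.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ('Signature of {0} is {1}: {2}' -f $PackagePath, $sig.Status, $sig.StatusMessage)
        return $false
    }
    if ($ExpectedThumbprint -and $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        Write-Warning ('{0} is signed by "{1}", not by the expected LOB certificate' -f $PackagePath, $sig.SignerCertificate.Subject)
        return $false
    }
    return $true
}

function Install-LobPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$ExpectedThumbprint
    )
    if (-not (Test-SideloadingEnabled)) {
        throw 'Sideloading is not enabled: "Allow all trusted apps to install" is not set on this device.'
    }
    if (-not (Test-LobPackageSignature -PackagePath $PackagePath -ExpectedThumbprint $ExpectedThumbprint)) {
        throw "Refusing to sideload $PackagePath because its signature did not pass verification."
    }
    $before = @(Get-AppxPackage | ForEach-Object { $_.PackageFullName })
    Add-AppxPackage -Path $PackagePath            # installs for the current user only
    # Return the package(s) that appeared, so the caller can confirm what was installed.
    return Get-AppxPackage | Where-Object { $before -notcontains $_.PackageFullName }
}

# Usage (placeholder path and thumbprint):
# Install-LobPackage -PackagePath 'C:\Deploy\ExpenseReport.appx' -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Add-AppxPackage installs the package only for the user running it. To stage an LOB app for every user who signs on to a managed computer, use Add-AppxProvisionedPackage from the DISM PowerShell module (or DISM /Add-ProvisionedAppxPackage) instead; the signature and policy checks above apply equally before that step.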
Can I use Group Policy to control the Windows Store in my enterprise environment?
Yes. IT Administrators can use Group Policy to allow or prohibit their users from accessing the Windows Store, to control the automatic download (and, in Windows 8.1, installation) of updates for apps obtained from the Windows Store, and to allow or prevent the sideloading of apps (Computer Configuration/Administrative Templates/Windows Components/App Package Deployment/Allow all trusted apps to install).
Windows 8.1 and Windows Server 2012 R2 Group Policy settings for Windows Store
Windows 8.1 and Windows Server 2012 R2 allow you to automatically install app updates in addition to downloading them. The Turn off Automatic Download of updates on Win8 machines policy setting has no effect on computers that are running Windows 8.1 or Windows Server 2012 R2; it has been replaced by the following policy: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download and Install of updates. If this policy setting is enabled, app automatic updates are turned off; if it is disabled or not configured, app automatic updates are turned on.
Customizing Windows Store usage with Group Policy settings in Windows 8.1 and Windows Server 2012 R2
You can apply combinations of Windows Store Group Policy settings in Windows 8.1 and Windows Server 2012 R2 to customize your enterprise's Windows Store usage. The following table summarizes your options: rows are the desired state of Windows Store access (new app purchases and manual app updates), and columns are the desired state of app automatic updates.

| Windows Store access for new app purchases, manual app updates | App automatic updates: Enable | App automatic updates: Disable |
|---|---|---|
| Enable | Disable this policy: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download and Install of updates | Enable this policy: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download and Install of updates |
| Disable | Disable this policy: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download and Install of updates. Enable this policy: User Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application | Enable both of these policies: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download and Install of updates, and User Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application |

The table uses the User Configuration version of Turn off the Store application because the Computer Configuration version also prevents the computer from connecting to the Windows Store service, which would stop automatic app updates as well.
Windows 8 and Windows Server 2012 Group Policy settings for Windows Store
The following Group Policy settings that control access to Windows Store are available in Windows 8 and Windows Server 2012.
| Group Policy setting | Description |
|---|---|
| Computer Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application | Disables access to the Windows Store for the computer, and prevents the computer from connecting to the Windows Store service at all. |
| User Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application | Disables access to the Windows Store for individual users, but still allows the computer to connect to the Windows Store service to detect new updates. |
Windows Store cannot automatically install app updates in Windows 8 and Windows Server 2012, but by default it automatically downloads them, which makes the manual installation of app updates faster. To turn off this automatic download, enable the following policy setting: Computer Configuration/Administrative Templates/Windows Components/Store/Turn off Automatic Download of updates on Win8 machines.
Are there any special considerations while configuring access permissions on system resources through Group Policy?
Yes. Windows apps run with far more limited rights than desktop applications, which run with standard user rights by default. Each Windows app runs in an AppContainer and can access only those resources (files, folders, registry keys, and DCOM interfaces) to which it has been explicitly granted access, either to all Windows apps through the ALL APPLICATION PACKAGES group or to that app's own package identity. For example, if a new folder is created at C:\Personal Docs and files are copied into it, no Windows app can access those files, because no app has been granted explicit access to them. However, the access permissions (ACLs) on critical system resources such as the Windows\System32 folder contain a special entry (ACE) that grants all Windows apps the permissions any app needs in order to run.
The figure below highlights the default permissions on the Windows\System32 folder that grant read and execute permissions to all Windows apps:
The default permissions (ACLs) on system resources can be modified using different methods. For example:
The access and launch permissions on DCOM interfaces can be modified through the following Group Policy settings under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax, and DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
For more information, see DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax on TechNet.
Access permissions on file system and registry objects can be changed through Security Templates.
For more information, see Administer Security Policy Settings on TechNet.
While configuring the access permissions on any of these resources, identify which entries grant access to all Windows apps and make sure that the new effective permissions do not remove that access; a Deny entry for the group, or a replaced ACL that simply omits it, has the same effect as deleting it. When supplying the permissions in SDDL form, the security identifier (SID) for ALL APPLICATION PACKAGES is S-1-15-2-1, abbreviated AC in SDDL strings.
Warning
Incorrectly configured access permissions will cause all Windows apps to fail.
An example of an SDDL ACE that grants generic read and execute permissions to all Windows apps is (A;OICIIO;GXGR;;;AC), where A marks an access-allowed ACE; OICIIO means the entry is inherited by child files and subfolders but is inherit-only, so it does not apply to the folder itself; GXGR is GENERIC_EXECUTE plus GENERIC_READ; and AC is the SDDL alias for ALL APPLICATION PACKAGES (S-1-15-2-1).
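The following PowerShell is an added example, not code from the original article or from Microsoft. It checks whether a path still grants ALL APPLICATION PACKAGES read and execute access after an ACL change, decodes an SDDL DACL such as the ACE above into its fields, and grants the missing access to a folder like the C:\Personal Docs example. The function names are placeholders; the SID, the SDDL aliases, and the generic-right bit values are the standard Windows ones.

```powershell
# Added example (not from the original article): check that a path still grants ALL APPLICATION
# PACKAGES (S-1-15-2-1) read and execute access, decode an SDDL ACE such as (A;OICIIO;GXGR;;;AC),
# and grant that access to a folder. 'C:\Personal Docs' is the article's example folder.

$AllApplicationPackagesSid = 'S-1-15-2-1'

# Generic rights are not members of the FileSystemRights enumeration, so an inherit-only ACE such
# as (A;OICIIO;GXGR;;;AC) shows up as raw bits; they are masked explicitly below.
$GENERIC_READ     = 0x80000000
$GENERIC_EXECUTE  = 0x20000000
$GENERIC_ALL      = 0x10000000
$READ_AND_EXECUTE = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # 0x200A9

function Get-AccessMask {
    # Reinterpret the signed FileSystemRights value as a 32-bit unsigned access mask.
    param([Parameter(Mandatory)][int]$Rights)
    return [Convert]::ToUInt32(('{0:X8}' -f $Rights), 16)
}

function Get-AppContainerAces {
    # Return the ACEs on $Path whose trustee is ALL APPLICATION PACKAGES, whether Get-Acl shows the
    # trustee as a resolved name or as a raw SID.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $AllApplicationPackagesSid }
        catch { $false }
    }
}

function Test-AppContainerReadExecute {
    # True when an Allow ACE gives all Windows apps read and execute on $Path itself and no Deny ACE
    # takes any of it away. Inherit-only ACEs are skipped because they apply only to children.
    param([Parameter(Mandatory)][string]$Path)
    $allow = $false
    $deny  = $false
    $rx    = $GENERIC_READ -bor $GENERIC_EXECUTE
    foreach ($ace in Get-AppContainerAces -Path $Path) {
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $mask = Get-AccessMask -Rights ([int]$ace.FileSystemRights)
        $grantsRx  = (($mask -band $READ_AND_EXECUTE) -eq $READ_AND_EXECUTE) -or
                     (($mask -band $rx) -eq $rx) -or
                     (($mask -band $GENERIC_ALL) -ne 0)
        $touchesRx = ($mask -band ($READ_AND_EXECUTE -bor $rx -bor $GENERIC_ALL)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRx)  { $allow = $true }
        if ($ace.AccessControlType -eq 'Deny'  -and $touchesRx) { $deny  = $true }
    }
    return ($allow -and -not $deny)
}

function ConvertFrom-SddlDacl {
    # Decode an SDDL DACL string, e.g. 'D:(A;OICIIO;GXGR;;;AC)', into its ACEs.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            AceType    = $ace.AceType
            AceFlags   = $ace.AceFlags
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
            Sid        = $ace.SecurityIdentifier.Value
        }
    }
}

function Grant-AppContainerReadExecute {
    # Add an inheritable Allow ACE for ALL APPLICATION PACKAGES, the counterpart of the System32 entry.
    param([Parameter(Mandatory)][string]$Path)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $AllApplicationPackagesSid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl  = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage:
ConvertFrom-SddlDacl -Sddl 'D:(A;OICIIO;GXGR;;;AC)' | Format-List
Test-AppContainerReadExecute -Path "$env:windir\System32"
# Grant-AppContainerReadExecute -Path 'C:\Personal Docs'   # needs rights to change that folder's ACL
```

Decoding the sample ACE shows the alias AC resolving to S-1-15-2-1 and GXGR to the mask 0xA0000000 (GENERIC_READ 0x80000000 plus GENERIC_EXECUTE 0x20000000), with ObjectInherit, ContainerInherit and InheritOnly set. On a default installation the System32 check returns True; running Test-AppContainerReadExecute against each path touched by a security template before and after applying it is a practical way to catch the failure mode in the warning above.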
Are any Windows Store privacy settings controlled by Group Policy?
Yes. The following policy registry value controls the Windows Store privacy setting that uses SmartScreen Filter to check web content (URLs) that Windows Store apps use; it can be deployed through Group Policy like any other policy registry value:
<registryKey keyName="HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\AppHost">
<registryValue
name="EnableWebContentEvaluation"
value="0x00000001"
valueType="REG_DWORD"
/>
</registryKey>
A value of 1 turns the check on (URLs used by Windows Store apps are sent to the SmartScreen service), and a value of 0 turns it off. The policy value overrides the per-user choice made on the Privacy page of PC settings.
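The following PowerShell is an added example, not code from the original article or from Microsoft. It reports which of the Windows Store policies discussed in this section are in effect on a computer by reading the registry values that the Group Policy settings write: the two Turn off the Store application settings, the automatic-update setting, the sideloading setting, and the AppHost privacy value just shown. The value names and their enabled/disabled meanings are taken from the WindowsStore.admx and AppxPackageManager.admx templates as I know them; treat them as an assumption and confirm against the templates in your environment. The function names are placeholders.

```powershell
# Added example (not from the original article): report which Windows Store policies are in effect
# on the local computer by reading the registry values the Group Policy settings above write.
# Value names and meanings follow the WindowsStore.admx and AppxPackageManager.admx templates
# shipped with Windows 8 and 8.1 (assumed here; confirm against your copy of the templates).

function Get-PolicyDword {
    # Return the DWORD at $Path\$Name, or $null when the key or value is absent (policy not configured).
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-PolicyStateName {
    # Map a policy DWORD to the state shown in the Group Policy editor.
    param($Value, [Parameter(Mandatory)][int]$EnabledValue, [Parameter(Mandatory)][int]$DisabledValue)
    if ($null -eq $Value)          { return 'Not configured' }
    if ($Value -eq $EnabledValue)  { return 'Enabled' }
    if ($Value -eq $DisabledValue) { return 'Disabled' }
    return "Unexpected value $Value"
}

function Get-WindowsStorePolicyState {
    $storeMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $storeUser    = 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'    # User Configuration policies land here
    $appxPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $appHost      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost'

    [pscustomobject]@{
        # Computer Configuration/.../Store/Turn off the Store application
        StoreTurnedOffForComputer = Get-PolicyStateName (Get-PolicyDword $storeMachine 'RemoveWindowsStore') 1 0
        # User Configuration/.../Store/Turn off the Store application, for the user running the script
        StoreTurnedOffForUser     = Get-PolicyStateName (Get-PolicyDword $storeUser 'RemoveWindowsStore') 1 0
        # Turn off Automatic Download of updates on Win8 machines / Turn off Automatic Download and Install of updates
        AutoUpdatesTurnedOff      = Get-PolicyStateName (Get-PolicyDword $storeMachine 'AutoDownload') 2 4
        # App Package Deployment/Allow all trusted apps to install
        SideloadingAllowed        = Get-PolicyStateName (Get-PolicyDword $appxPolicy 'AllowAllTrustedApps') 1 0
        # AppHost EnableWebContentEvaluation: SmartScreen check of URLs used by Windows Store apps
        StoreAppSmartScreen       = Get-PolicyStateName (Get-PolicyDword $appHost 'EnableWebContentEvaluation') 1 0
    }
}

# Usage: run as the user whose effective policy you want to see, because the HKCU values are per user.
Get-WindowsStorePolicyState | Format-List
```

"Not configured" means the operating-system default applies: Windows Store access is on, updates are downloaded automatically (Windows 8) or downloaded and installed automatically (Windows 8.1), and sideloading is off. Because this reads the policy hive, it reflects what Group Policy has written, not what a user may have changed in PC settings.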
Windows Store Availability
Can I turn access to the Windows Store on or off?
Yes. IT Administrators can turn access to the Windows Store on or off in the following ways:
For specific computers, with the Computer Configuration version of the Turn off the Store application policy setting
For specific users and groups, with the User Configuration version of the Turn off the Store application policy setting, scoped to the intended users or groups through normal Group Policy filtering
Am I required to go through the Windows Store to deploy Windows apps?
No. Enterprises that want direct control over the deployment of LOB apps can sideload them directly onto the computers they manage without going through the Windows Store infrastructure (see What is sideloading? above).
What about devices that move between work and home? Is it possible to manage availability of the Windows Store on these devices?
No. An IT Administrator can manage access to the Windows Store only through Group Policy settings, and those apply only to domain-joined devices; a device that is not domain joined is outside that control whether it is at work or at home.
Managing Apps
How much control does an IT Administrator have over the Windows apps that can be installed in their environment?
By default, the only Windows apps that can be installed on Windows 8 are ones that are installed from the Windows Store; sideloaded LOB apps can be added only when sideloading has been enabled (see What is sideloading? above).
An IT Administrator can control which Windows apps can be installed and run by using AppLocker packaged app rules. These rules apply both to apps installed from the Windows Store and to LOB apps that the IT Administrator has sideloaded.
For more information about using AppLocker to manage Windows apps, see the AppLocker Overview.
Do I have any control over which third-party apps can be installed from the Windows Store?
Yes. Using AppLocker, IT Administrators have complete control of which, if any, third-party apps can be installed from the Windows Store.
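The following PowerShell is an added example, not code from the original article or from Microsoft. It builds an AppLocker packaged app (Appx) rule collection that allows only packages signed by one publisher, evaluates it against the packages installed for the current user so you can see what would be blocked before enforcing, and then applies it. The publisher string in the usage lines, the temporary file path, and the function names are placeholders; the policy XML follows the schema of AppLocker's own default packaged app rule.

```powershell
# Added example (not from the original article): build an AppLocker packaged-app (Appx) rule
# collection that allows only packages signed by a given publisher, evaluate it against the
# packages installed for the current user, and enforce it. Publisher strings are placeholders.

function New-PackagedAppAllowPolicyXml {
    param(
        [Parameter(Mandatory)][string]$PublisherName,   # Subject of the package signing certificate
        [string]$UserOrGroupSid = 'S-1-1-0'             # Everyone
    )
    $id  = [guid]::NewGuid().ToString()
    $pub = [System.Security.SecurityElement]::Escape($PublisherName)   # keep '&' etc. from breaking the XML
    # ProductName="*" and BinaryName="*" match every package and binary from the publisher;
    # narrow ProductName to a package name to allow a single LOB app.
    return @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$id" Name="Allow packaged apps from $pub" Description="" UserOrGroupSid="$UserOrGroupSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$pub" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Test-PackagedAppPolicy {
    # Evaluate every package installed for the current user. In an enforced Appx collection anything
    # not matched by an Allow rule is DeniedByDefault, and that includes Microsoft's inbox apps.
    param([Parameter(Mandatory)][string]$PolicyPath)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Packages (Get-AppxPackage)
}

function Enable-PackagedAppPolicy {
    param([Parameter(Mandatory)][string]$PolicyPath)
    # AppLocker enforcement depends on the Application Identity service.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    # -Merge adds the Appx collection without discarding rules already set for other collections.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
}

# Usage: allow only packages from one publisher (the inbox-app publisher is used here as a placeholder),
# preview the decisions, then enforce.
$publisher  = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$policyPath = Join-Path $env:TEMP 'appx-allow-policy.xml'
New-PackagedAppAllowPolicyXml -PublisherName $publisher | Set-Content -Path $policyPath -Encoding UTF8
Test-PackagedAppPolicy -PolicyPath $policyPath | Format-Table -AutoSize
# Enable-PackagedAppPolicy -PolicyPath $policyPath    # applies the local policy; use Set-AppLockerPolicy -Ldap to target a GPO
```

Review the Test-PackagedAppPolicy output before enforcing: every package listed as denied will stop launching as soon as the policy applies, so a real deployment normally carries an Allow rule for the Microsoft inbox apps alongside the rule for your LOB publisher. AppLocker rules are enforced only on Windows 8 Enterprise and Windows Server 2012; on other editions the cmdlets author the policy but nothing enforces it.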
What about devices that move between work and home? Is it possible to manage apps and updates available from the Windows Store on these devices?
No. AppLocker policies are delivered through Group Policy, so they apply only to domain-joined devices.
Managing Updates
Can I control which third-party app updates are available from the Windows Store?
No, app updates from the Windows Store cannot be managed by the IT Administrator.
Is it possible to configure the Windows Store to perform automatic updates?
Yes, starting in Windows 8.1 (see the Group Policy settings above). In Windows 8, updates to apps from the Windows Store are downloaded automatically by default, but their installation must be initiated by the user.