MS Store - An easy way to block user installations

In this post we will discuss how to block app installations from MS Store and an alternative way to install them using Intune.

When managing Windows devices in an enterprise, controlling where users install applications from is a key security and compliance measure. The Microsoft Store is a great source for apps, but unrestricted access can lead to unauthorized or unapproved apps being installed.

The best way to handle this? Block direct app installations from the Microsoft Store and allow only managed installations through the Company Portal. This ensures users can still get business-approved apps while keeping your environment secure.

Benefits of blocking installation from Microsoft Store

Implementing a policy that blocks direct installations from the Microsoft Store while allowing installations only through Intune and the Company Portal provides several key benefits for IT administrators and organizations. First and foremost, it enhances security and compliance by ensuring that only approved, business-critical applications are installed on company-managed devices. By restricting access to the public Microsoft Store, you reduce the risk of shadow IT, where users install unapproved or potentially malicious applications that could introduce security vulnerabilities, data leakage risks, or software conflicts.

Additionally, this approach simplifies application management and support. Since all approved apps are deployed and maintained through Intune, IT teams have better visibility and control over the software landscape, making troubleshooting and updates more efficient. Users can still access the applications they need, but within a controlled, managed environment that aligns with company policies.

It’s important to note that while blocking the Microsoft Store prevents users from installing apps directly from it, they can still download and install applications from external sources, such as web browsers. However, this can be further restricted using tools like AppLocker or Windows Defender Application Control (WDAC), which allow IT admins to define strict rules about which applications are permitted to run. By combining Microsoft Store restrictions with additional application control policies, organizations can achieve a more comprehensive application security strategy, ensuring that only trusted software is installed on company devices.

Block direct app installations from the Microsoft Store

To block direct app installations from the Microsoft Store, we’ll use an Intune configuration profile that prevents users from installing apps directly from the Store.

Below are the steps to create the policy.

First we have to sign in to our Intune Portal and create a new configuration profile.

Let’s give a proper name to our profile.

Just a reminder here: The Microsoft Store does not natively support business accounts. It’s best to deploy the app via Intune and assign it only to the users who need access. More details here.

As a next step, we have to search for the Store settings in Settings picker and select the appropriate ones. The image below shows exactly what we should select.

Basically, what we do here is turn off the Store application completely. More details can also be found here.

After that, we just assign the policy to the desired device or user group (depending on the scope of the setting chosen above).
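To verify on a device that the setting actually landed, here is an added example (not part of the original post) of a PowerShell detection script written in the style of an Intune remediation detection script: exit code 0 means compliant (Store turned off), 1 means non-compliant. It assumes that the “Turn off the Store application” setting writes the same registry value as the equivalent Group Policy, RemoveWindowsStore = 1 under HKLM for the device-scoped setting or HKCU for the user-scoped one; the function name Test-StoreBlocked is my own.

```powershell
# Added example (not from the original post): Intune-style detection script.
# Exit 0 = Store is turned off by policy, exit 1 = it is not.
# Assumption: the "Turn off the Store application" setting writes
# RemoveWindowsStore = 1 under one of these two policy keys.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore',   # device-scoped setting
    'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'    # user-scoped setting
)

function Test-StoreBlocked {
    param([string[]]$Paths = $PolicyPaths)

    foreach ($path in $Paths) {
        # Missing key or value is not an error here; it simply means "not set"
        $item = Get-ItemProperty -Path $path -Name 'RemoveWindowsStore' -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.RemoveWindowsStore -eq 1) {
            return [pscustomobject]@{ Blocked = $true; Source = $path }
        }
    }
    return [pscustomobject]@{ Blocked = $false; Source = $null }
}

$result = Test-StoreBlocked
if ($result.Blocked) {
    Write-Output "Compliant: Microsoft Store is turned off by policy ($($result.Source))"
    exit 0
}
Write-Output "Non-compliant: no RemoveWindowsStore = 1 policy value found"
exit 1
```

If the profile was assigned to a user group, run the detection with the logged-on user's credentials; otherwise the script runs as SYSTEM and HKCU is the wrong hive, so a correctly applied user-scoped policy would be reported as non-compliant.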

Wait… I have a question here

At this point, you might be wondering how Store apps will update or how you can deploy them now that the Microsoft Store app is disabled.

Microsoft has addressed this as well, as mentioned here.

By default, Microsoft Store applications continue to update automatically. Plus, even if you block access to the Microsoft Store app, devices managed by Microsoft Intune can still install apps sourced from the Microsoft Store.

Allow only installations via the Company Portal

Now that we have disabled access to the Store app, we need a way to deploy Store apps to our managed devices, or to make them available for end users to download.

The way to do this is via Intune of course.

We have to open the Intune Portal and create a new Store app there, as shown in the following images.

For this example let’s choose Microsoft Copilot as the application that we want to deploy.

After selecting the application, change any descriptions you want, choose whether it will be deployed in the system or user context, and assign it as “Available for enrolled devices” to the desired user group (since we selected this option).

Let’s not forget that “Available” assignments are only valid for user groups, not device groups.

Choose to show the application as a featured app in the Company Portal if it is important or should be easily accessible to end users.

Great! The application is ready! It’s time to see what the end-user experience looks like.

Are we forgetting something maybe?

It is imperative to mention here that even with the Microsoft Store app blocked, users can still access the web version of the Microsoft Store and download apps directly from there. To fully enforce application control, you can implement additional restrictions to block access to this site and prevent installations from external sources.

One effective method is using Microsoft Defender for Endpoint’s Web Content Filtering or Network Protection, which allows you to block specific URLs or entire categories of websites.

Additionally, you can leverage Microsoft Edge policies (or policies for other browsers via ADMX files) via Intune to prevent users from accessing the web store entirely.

Last but not least, AppLocker or Windows Defender Application Control (WDAC) can also be utilized to prevent unauthorized apps from running, even if they are downloaded from the web.

By combining these measures, you can create a robust security framework that ensures users can only install apps through managed and approved channels.
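As an added example (not from the original post) of the Edge route above, this PowerShell audit reads the URLBlocklist policy that an Intune Edge profile (or GPO) delivers and checks that the Store web site is covered. It assumes the policy is stored as numbered string values under HKLM\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist; the host list in $RequiredHosts is a constructed expectation (apps.microsoft.com is the Store web site), so adjust it to whatever URLs you chose to block. Function names are my own.

```powershell
# Added example, not from the original post: Edge URLBlocklist audit.
# Assumption: the Edge "URLBlocklist" policy is stored as string values
# named "1", "2", ... under this key.
$EdgeBlocklistKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'

# Constructed expectation: hosts that must appear on the blocklist.
$RequiredHosts = @('apps.microsoft.com')

function Get-EdgeUrlBlocklist {
    param([string]$Key = $EdgeBlocklistKey)

    if (-not (Test-Path -Path $Key)) { return @() }
    $props = (Get-ItemProperty -Path $Key).PSObject.Properties
    # Keep only the numbered policy entries; skip PSPath, PSParentPath, etc.
    @($props | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [string]$_.Value })
}

function Test-WebStoreBlocked {
    param(
        [string[]]$Entries,
        [string[]]$Required = $RequiredHosts
    )

    $missing = @()
    foreach ($site in $Required) {
        # A pattern such as "apps.microsoft.com" covers every scheme and path on that host
        $covered = $Entries | Where-Object { $_ -like "*$site*" }
        if (-not $covered) { $missing += $site }
    }
    [pscustomobject]@{
        Blocked = ($missing.Count -eq 0)
        Missing = $missing
        Entries = $Entries
    }
}

$result = Test-WebStoreBlocked -Entries (Get-EdgeUrlBlocklist)
if ($result.Blocked) {
    Write-Output "Compliant: Edge blocks $($RequiredHosts -join ', ')"
    exit 0
}
Write-Output "Non-compliant: no blocklist entry for $($result.Missing -join ', ')"
exit 1
```

This only proves the policy reached the device, not that other browsers are covered; for those, the corresponding ADMX-backed policy keys would need the same check, and network-level blocking via Defender for Endpoint remains the backstop.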

End-user experience

Now let’s see the user experience before and after applying the above policies.

Before

Before we create and apply the policies, the user can freely search the Store and download whatever app they want.

After

After the policies are applied, the user cannot access the MS Store and should use the Company Portal to install the desired applications.

Microsoft Store is blocked

Obviously, we could have added an image of the application shown in the Company Portal here, but since this is a demonstration I skipped that part.

Conclusion

Managing application installations is a crucial part of maintaining security and compliance in a corporate environment. By blocking direct installations from the Microsoft Store and allowing only managed installations through the Company Portal, you ensure that users have access to only approved applications while keeping your devices secure.

With Intune, enforcing these policies is straightforward, and users still have a seamless way to install business-approved apps without needing full access to the public Microsoft Store. Plus, Microsoft Store apps will continue to update automatically, ensuring they stay current without manual intervention.

In a future post, I’ll explore an interesting way to control application installations more broadly using Intune and AppLocker—stay tuned!
