From 4c1e8b10d41effc6552ab71155d0bc0de5203d74 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 25 Jan 2017 16:19:37 -0800 Subject: [PATCH 01/10] fixed formatting of *Session --- ...o-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 032e04c1ad..c3595ae774 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -22,8 +22,8 @@ Credential Manager is a place where credentials in the OS are can be stored for For VPN, the VPN stack saves its credential as the session default. For WiFi, EAP does it. -The credentials are put in Credential Manager as a "`*Session`" credential. -A "`*Session`" credential implies that it is valid for the current user session. +The credentials are put in Credential Manager as a "\*Session" credential. +A "\*Session" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. From 4e9aa2b7d886b3e8c5f0aeb1670c25fec7d7890b Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 25 Jan 2017 17:29:19 -0800 Subject: [PATCH 02/10] Fixed fmt for Notes and an Important --- ...w-to-configure-security-policy-settings.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) 
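Review bot: In the `*Session` hunk of patch 01/10, dropping the backtick code span in favour of `"\*Session"` makes the credential name render as ordinary prose instead of code, so the reader loses the cue that `*Session` is a literal prefix on the entry stored in Credential Manager. If the code span was what broke rendering, say so in the commit message; otherwise prefer the code span without the surrounding double quotes, which needs no escaping at all. The unchanged context line two lines above has a typo worth fixing in the same pass: "credentials in the OS are can be stored" should read "credentials in the OS can be stored".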
diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 6a307acac3..2731ce37e8 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls 3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. 4. Modify the security policy setting, and then click **OK**. - **Note**   - - Some security policy settings require that the device be restarted before the setting takes effect. - - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + > [!NOTE] + > - Some security policy settings require that the device be restarted before the setting takes effect. + > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.   ## To configure a security policy setting using the Local Group Policy Editor console 
@@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag 4. In the details pane, double-click the security policy setting that you want to modify. - >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box. + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box.   5. Modify the security policy setting, and then click **OK**. ->**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. +> [!NOTE] +> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.   ## To configure a setting for a domain controller @@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. 3. In the details pane, double-click the security policy that you want to modify. - >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box. + + > [!NOTE] + > If this security policy has not yet been defined, select the **Define these policy settings** check box.   4. Modify the security policy setting, and then click **OK**. -**Important**   -- Always test a newly created policy in a test organizational unit before you apply it to your network. -- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. +> [!IMPORTANT]   +> - Always test a newly created policy in a test organizational unit before you apply it to your network. +> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.   ## Related topics 
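Review bot: In the last hunk of patch 02/10 (the `> [!IMPORTANT]` block under "To configure a setting for a domain controller"), the callout line carries trailing whitespace: the three characters after the tag are the no-break spaces that followed the old `**Important**` heading. Trim them, since invisible characters after the callout tag are exactly what the next "fixing formatting" commit will have to hunt for. The hunks also leave the standalone no-break-space spacer lines under each converted note in place; with the `> [!NOTE]` / `> [!IMPORTANT]` syntax a plain blank line is enough, so drop them so all four callouts in this file are spaced the same way.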
From d896b9f10749df38a4ecc28335042c2751289893 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 Jan 2017 09:08:16 -0800 Subject: [PATCH 03/10] adding localizationpriority YAML metadata tag --- windows/deploy/index.md | 1 + windows/index.md | 1 + windows/keep-secure/index.md | 1 + windows/manage/index.md | 1 + windows/plan/index.md | 1 + 5 files changed, 5 insertions(+) diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 6beda342c0..b2d4ab858c 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -5,6 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +localizationpriority: high author: greg-lindsay --- diff --git a/windows/index.md b/windows/index.md index d5e7f92b8a..31050c6bd6 100644 --- a/windows/index.md +++ b/windows/index.md @@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10) description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 ms.prod: w10 +localizationpriority: high author: brianlic-msft --- diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 1307bc7110..aee90f46a5 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- # Keep Windows 10 secure diff --git a/windows/manage/index.md b/windows/manage/index.md index e9e8ac3329..73e961d01d 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: high author: jdeckerMS --- diff --git a/windows/plan/index.md b/windows/plan/index.md index 8dd569303a..dfa19e4252 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md 
@@ -6,6 +6,7 @@ keywords: deploy, upgrade, update, configure ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library +localizationpriority: high author: TrudyHa --- From dee6c25a34ced005369590a3a3d882340b7d4235 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 26 Jan 2017 09:24:49 -0800 Subject: [PATCH 04/10] Removed text per product team --- windows/keep-secure/using-owa-with-wip.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index f4046b30a6..f99f10fb6f 100644 --- a/windows/keep-secure/using-owa-with-wip.md +++ b/windows/keep-secure/using-owa-with-wip.md @@ -23,7 +23,6 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your |-------|-------------| |Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. | |Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. | -|Do all of the following:
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • Add the following URLs to the Neutral Resources network element in your WIP policy:
    • outlook.office365.com
    • outlook.office.com
    • outlook-sdf.office.com
    • attachment.outlook.office.net
|Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. | |Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] From 4cc3c38eda4eb9bdc1eaca77b607ff7766b853c4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 26 Jan 2017 09:26:53 -0800 Subject: [PATCH 05/10] Fixing incorrect formatting --- windows/keep-secure/create-wip-policy-using-sccm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 350d5e1f54..49801ae337 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md 
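Review bot: Across the five hunks of patch 03/10 the new `localizationpriority: high` key is the only front-matter key without the `ms.` prefix that its neighbours (`ms.prod`, `ms.sitesec`, `ms.pagetype`) carry; confirm the build reads `localizationpriority` rather than `ms.localizationpriority`, because an unrecognized front-matter key is ignored silently and the change would have no effect without producing an error. In the `windows/manage/index.md` hunk the inserted key also sits beneath `ms.pagetype: security` on a manage-library index page, which looks like a copy-paste leftover worth a separate fix.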
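Review bot: The hunk in patch 04/10 removes the "Do all of the following" row but does not touch the `>[!NOTE]` that follows the table, so check whether that note still refers to the redirect-domain setup (mail.contoso.com, the Neutral Resources URLs such as attachment.outlook.office.net) that no longer appears above it; a note about a deleted option confuses more than the option did. The commit message only says "Removed text per product team"; record the reason (unsupported, inaccurate, or superseded), because the removed row was the only configuration in the table under which work and personal inboxes were classified differently, and readers left with three all-or-nothing options will wonder where it went.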
@@ -436,11 +436,11 @@ There are no default locations included with WIP, you must add each of your netw ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. 
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. From 437d9e3c5a5a7ce1324e479a905ee21b2639530a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 26 Jan 2017 10:26:21 -0800 Subject: [PATCH 06/10] urgent URL update --- ...re-arcsight-windows-defender-advanced-threat-protection.md | 4 ++-- ...gure-splunk-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index a682992574..a5cd3f4bf4 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md 
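Review bot: In the patch 05/10 hunk the removed and added lines for the three check-box descriptions are indistinguishable as rendered, so the change must be in invisible characters (trailing whitespace or no-break spaces in the list indentation). Say what was replaced in the commit message instead of "Fixing incorrect formatting", and reviewers can verify it with `git diff --word-diff-regex=.` or `git show | cat -A`; otherwise the next person bisecting a rendering problem cannot tell this hunk from a no-op.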
@@ -79,8 +79,8 @@ The following steps assume that you have completed all the required steps in [Be Type in the name of the client property file. It must match the client property file. Events URL - Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME -
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
**For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME Authentication Type OAuth 2 diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index ee6c76e9b7..8dc36252d3 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler Endpoint URL - Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.windows.com/api/alerts From 30c6007a1eb06278ab7a0281a095881578259434 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 26 Jan 2017 11:38:56 -0800 Subject: [PATCH 07/10] minor typo fixed --- windows/deploy/windows-10-poc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index d2d418cbda..30bfed2bcc 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md 
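Review bot: The ArcSight hunk in patch 06/10 moves the Events URL from `wdatp-alertexporter-eu.securitycenter.windows.com` to `wdatp-alertexporter-eu.windows.com` (and the US equivalent) without saying what happens to connectors already pointed at the old host. "urgent URL update" should state whether the old names redirect, stop resolving, or keep serving, because a connector with the stale URL keeps presenting its OAuth 2 token to whatever answers at that name, and an alert feed that fails quietly is a detection gap nobody is paged for. Add a short migration step to the page (re-enter the Events URL, confirm alerts resume) and search the rest of `windows/keep-secure/` for the old `securitycenter.windows.com` hostnames, since only the ArcSight and Splunk topics are touched here.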
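Review bot: In the Splunk hunk of patch 06/10 the two endpoint lines keep the inconsistent emphasis from before the change, `**For EU**:` with the colon outside the bold and `**For US:**` with it inside (the ArcSight hunk has the same pair); since both lines are being rewritten anyway, align them. The Splunk URL also lacks the `?sinceTimeUtc=$START_AT_TIME` query that the ArcSight page attaches to the same endpoint; if Splunk supplies the start time through its own input settings, one sentence saying so would stop readers from copying the ArcSight form across.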
@@ -865,7 +865,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. + >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. 
If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: From 407d708748db2addeb4f48b71aa34540acc18308 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 26 Jan 2017 12:00:21 -0800 Subject: [PATCH 08/10] added Failure event for 4774 --- windows/keep-secure/TOC.md | 2 +- windows/keep-secure/event-4774.md | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 7662302c08..d687114889 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
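Review bot: The patch 07/10 hunk splits the `>**Important**:` paragraph so that its second half ("If you wish to test migration of user data ...") now begins a new line without the `>` prefix; Markdown keeps it inside the callout only by lazy continuation, and a blank line or list inserted later will silently push that text out of the box. Either keep the paragraph on one line or prefix the continuation with `>`. The two wording fixes ("use accounts" to "user accounts", "other specific accounts" to "other specified accounts") are correct.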
@@ -197,7 +197,7 @@ ###### [Monitor claim types](monitor-claim-types.md) ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) ###### [Audit Credential Validation](audit-credential-validation.md) -####### [Event 4774 S: An account was mapped for logon.](event-4774.md) +####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md) ####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md) ####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md) ####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md) diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 2b626f9576..5d919fd37b 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -1,6 +1,6 @@ --- title: 4774(S) An account was mapped for logon. (Windows 10) -description: Describes security event 4774(S) An account was mapped for logon. +description: Describes security event 4774(S, F) An account was mapped for logon. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -8,14 +8,13 @@ ms.sitesec: library author: Mir0sh --- -# 4774(S): An account was mapped for logon. +# 4774(S, F): An account was mapped for logon. **Applies to** - Windows 10 - Windows Server 2016 - -It appears that this event never occurs. +Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). ***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) @@ -23,7 +22,7 @@ It appears that this event never occurs. *An account was mapped for logon.* -*Authentication Package:%1* +*Authentication Package:Schannel* *Account UPN:%2* From beaaaf877bed833c0d056644222d890bbbd22742 Mon Sep 17 00:00:00 2001 
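Review bot: In the first `event-4774.md` hunk of patch 08/10 the `description` is changed to `4774(S, F)` while the `title:` line directly above it stays `4774(S) An account was mapped for logon. (Windows 10)`, so the page title will disagree with the H1, the description and the updated TOC entry about whether a failure variant exists; update the title in the same hunk.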
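Review bot: In the third `event-4774.md` hunk of patch 08/10, replacing the `%1` placeholder with `*Authentication Package:Schannel*` while `*Account UPN:%2*` and the remaining fields stay as template placeholders mixes one observed value into what the page presents as the event template. If Schannel is simply the package seen in the single forum report the page now cites, keep `%1` in the template and state in the text that the reported failure came from Schannel. That forum thread, linked over plain http, is thin sourcing for a claim that the event fires at all, so hedge the failure sentence the way the same hunk already hedges the success case ("do not appear to occur"), and read "Failure event has been reported" as "A failure event has been reported".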
From: Greg Lindsay Date: Thu, 26 Jan 2017 12:11:18 -0800 Subject: [PATCH 09/10] changed guest service enable step --- windows/deploy/windows-10-poc.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 30bfed2bcc..74b8d0f352 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -844,17 +844,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ![ISE](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. -20. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services: +20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
+    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
     Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
     
- >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. You can also try running the following command from an elevated Windows PowerShell prompt on the Hyper-V host: - -
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+ >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. 21. On PC1, type the following commands at an elevated Windows PowerShell prompt: From 8842dcf99a5ad35c25a16f2ab3c690087d95e936 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 26 Jan 2017 13:47:41 -0800 Subject: [PATCH 10/10] updates for applies to --- .../stop-employees-from-using-the-windows-store.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
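Review bot: In the patch 09/10 hunk, `Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"` is a host-side setting on the VM configuration, yet the retained note still says the copy fails "if this service is not enabled in this step" and then talks about the guest's `vmicguestinterface` service; those are two different switches, and a reader whose VM lacks integration components will enable the host side, watch `Copy-VMFile` fail, and not know which end to fix. Say explicitly that the cmdlet runs on the Hyper-V host at the same elevated prompt, that the guest additionally needs the Hyper-V Guest Service Interface service running, and that mounting vmguest.iso (as the note already describes) is the remedy for the guest side. The unchanged context line `Copy-VMFile "PC1" –SourcePath ... –FileSource Host` uses en dashes before every parameter name; PowerShell tolerates them, but they break when a reader retypes the line or pastes it into a tool that does not, so normalize them to ASCII hyphens while this step is open. The note also mixes `Copy-VMFile`, `copy-VMFile` and `copy-vmfile`; pick one spelling.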
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index 8f2d26753c..d09e5ae2be 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -29,8 +29,8 @@ You can use these tools to configure access to Windows Store: AppLocker or Group ## Block Windows Store using AppLocker +Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile -Applies to: Windows 10 Enterprise, Windows 10 Mobile AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. @@ -59,7 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what- ## Block Windows Store using Group Policy -Applies to: Windows 10 Enterprise, version 1511 +Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education + +> [!Note] +> Not supported on Windows 10 Pro. You can also use Group Policy to manage access to Windows Store. @@ -89,7 +92,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). ## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607. +Applies to Windows 10 Enterprise, version 1607, Windows 10 Education If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
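Review bot: In the first hunk of patch 10/10 the new `Applies to:` line is inserted directly under `## Block Windows Store using AppLocker` while the old one is removed below the blank line, so this section ends up with the heading and the Applies-to line touching and two blank lines after it, unlike the Group Policy section in the next hunk where the Applies-to line keeps a blank line above; move the `+` line one position down. The new callout is written `> [!Note]` while the rest of the library (see patch 02/10 in this series) uses `> [!NOTE]`; the renderer may be case-insensitive, but pick one form. In the last hunk, "Applies to Windows 10 Enterprise, version 1607, Windows 10 Education" lost its terminating period and still lacks the colon after "Applies to" that the other two sections use, and in the second hunk "Windows 10 Enterprise, version 1511, Windows 10 Education" leaves it ambiguous whether the version qualifier also applies to Education.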