deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update Microsoft Store link and fix formatting in Remote Credential Guard

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-03-12 15:27:56 -04:00
parent 1c105c3096
commit eb0d32226b
4 changed files with 58 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
windows/configuration/store/index.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Configure access to the Microsoft Store
description: Learn how to configure access to the Microsoft Store.
ms.topic: how-to
ms.date: 03/12/2024
---
# Configure access to the Microsoft Store
Microsoft Store is a digital distribution platform that provides a way for the users to install applications on Windows devices. Organizations that manage Windows devices can configure access to Microsoft Store for devices in their organization. For some organizations, business policies require blocking access to Microsoft Store.
This article describes how to configure access to the Microsoft Store app in your organization.
## Prevent access to the Microsoft Store
You can use configuration service provider (CSP) or group policy (GPO) settings to configure access to Microsoft Store. The CSP configuration is available to Windows Enterprise and Education editions only.
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Administrative Templates > Windows Components > Store** | Turn off the Store application| Select **Enabled**|
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2].
| Setting |
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2`<br>- **Data type:** string<br>- **Value:** `<enabled/>`|
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Store** | Turn off the Store application| **Enabled**|
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
---
## User experience
When you prevent access to the Microsoft Store, users can't access the Store app. Here's a screenshot of the Store app when access is blocked:
<!--links-->
[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp
[INT-3]: /mem/intune/configuration/settings-catalog

107
windows/configuration/store/stop-employees-from-using-microsoft-store.md
View File

@ -1,107 +0,0 @@
---
title: Configure access to Microsoft Store
description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
ms.topic: conceptual
ms.date: 11/29/2022
---
# Configure access to Microsoft Store
IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
> [!IMPORTANT]
> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
## Options to configure access to Microsoft Store
You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
## Block Microsoft Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education
AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
**To block Microsoft Store using AppLocker:**
1. Enter **`secpol`** in the search bar to find and start AppLocker.
1. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
1. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
1. On **Before You Begin**, select **Next**.
1. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
1. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
1. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
[Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
1. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
## Block Microsoft Store using configuration service provider
Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs):
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
> [!IMPORTANT]
> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
## Block Microsoft Store using Group Policy
Applies to: Windows 10 Enterprise, Windows 10 Education
> [!NOTE]
> Not supported on Windows 10 Pro, starting with version 151. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
You can also use Group Policy to manage access to Microsoft Store.
**To block Microsoft Store using Group Policy:**
1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
1. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
1. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
1. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
> [!IMPORTANT]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, Windows 10 Education
If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Microsoft Store app:**
1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
1. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
1. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
The **Only display the private store within the Microsoft Store app** policy settings will open.
1. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
## Related articles
[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
[Manage access to private store](/microsoft-store/manage-access-to-private-store)

2
windows/configuration/toc.yml
View File

@ -14,7 +14,7 @@ items:
- name: Microsoft Store - name: Microsoft Store
items: items:
- name: Configure access to the Microsoft Store - name: Configure access to the Microsoft Store
href: store/stop-employees-from-using-microsoft-store.md href: store/index.md
- name: Find the AUMID of an installed app - name: Find the AUMID of an installed app
href: store/find-aumid.md href: store/find-aumid.md
- name: Manage Microsoft Store tips, "fun facts", and suggestions - name: Manage Microsoft Store tips, "fun facts", and suggestions

2
windows/security/identity-protection/remote-credential-guard.md
View File

@ -169,7 +169,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the
| Setting | | Setting |
|--| |--|
|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`<br>- **Data type:** string<br>- **Value:** `<enabled/><data id=\"RestrictedRemoteAdministrationDrop\" value=\"2\"/>`<br><br>Possible values for `RestrictedRemoteAdministrationDrop` are:<br>- `0`: Disabled<br>- `1`: Require Restricted Admin<br>- `2`: Require Remote Credential Guard<br>- `3`: Restrict credential delegation | |- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`<br>- **Data type:** string<br>- **Value:** `<enabled/><data id="RestrictedRemoteAdministrationDrop" value="2"/>`<br><br>Possible values for `RestrictedRemoteAdministrationDrop` are:<br>- `0`: Disabled<br>- `1`: Require Restricted Admin<br>- `2`: Require Remote Credential Guard<br>- `3`: Restrict credential delegation |
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) #### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)