Block the Microsoft store via Intune (Windows 11)

Today’s post is all about blocking the Microsoft store via Intune on Windows 11. To me personally i don’t mind having the store app open but most customers, decision maker, IT Managers are more comfortable with blocking the store on their endpoints. Lets see how we can do this!

I’ve seen multiple blogs about this topic. For example Andrew Taylor his blog (Restricting Microsoft Store via Intune for Pro and Enterprise) which you can find here. As you can see in the comments there are many different results. It somehow depends on the environment and OS version. The latest method i tried worked perfectly, store apps where being installed, built-in apps did update and the store was blocked in the user environment.

The environment we used for this implementation makes use of several store apps. Which is the Company Portal and the Azure VPN Client. These come from the new (winget) store. It is important to have these applications on the device after enrolling or when doing a fresh start for example. Both Apps are assigned to device groups.

First, I’ve figured out what available Policy CSP settings would lead to the desired result. I’ve tested the following settings. These all did not lead to the required result. So we tried something else.

  • AllowStore – More info here.
  • AllowAppStoreAutoUpdate – More info here.
  • RequirePrivateStoreOnly – More info here.

The complete Policy CSP can be found here: ApplicationManagement Policy CSP – Windows Client Management | Microsoft Learn

What did work!?

Create the following policy:

  1. Navigate to https://intune.microsoft.com
  2. Go to Devices -> Configuration profiles
  3. Click Create -> New policy
  4. Platform: Windows 10 and later -> Profile type: Settings catalog -> Click Create
  5. Fill in a common name. For example: Windows – Microsoft Store – Block
  6. Click Next -> Click Add Settings
  7. Navigate to Administrative Templates\Windows Components\Store
  8. Select Turn off the Store application (User) and set Enabled
  9. Scope tags are optional
  10. Assignment: Pick All Users or a specific user group. Make sure to test this first with a small amount of users.
  11. Finally, Create the policy.

Once the policy is deployed to the device (User) it will be blocked. Simple and straight forward.

Optionally you can prevent users from pinning the store app to the taskbar. This will also remove the pinned Store from the taskbar!

  1. Navigate to https://intune.microsoft.com
  2. Go to Devices -> Configuration profiles
  3. Click Create -> New policy
  4. Platform: Windows 10 and later -> Profile type: Settings catalog -> Click Create
  5. Fill in a common name. For example: Windows – Microsoft Store – Unpin
  6. Click Next -> Click Add Settings
  7. Navigate to Administrative Templates\Start Menu and Taskbar
  8. Select Do not allow pinning Store app to the Taskbar (User) and set Enabled
  9. Scope tags are optional
  10. Assignment: Pick All Users or a specific user group. Make sure to test this first with a small amount of users.
  11. Finally, Create the policy.

Once the policy is deployed to the device (User) they cannot PIN the Store App to the taskbar anymore.

I hope this setting helps you to block access to the store. Keep in mind that this setting might not be available on every operating system version. Verify that the policy successfully deployed to the devices via Intune and the store is block eventually.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

eleven − nine =