Today’s post is all about blocking the Microsoft store via Intune on Windows 11. To me personally i don’t mind having the store app open but most customers, decision maker, IT Managers are more comfortable with blocking the store on their endpoints. Lets see how we can do this!
I’ve seen multiple blogs about this topic. For example Andrew Taylor his blog (Restricting Microsoft Store via Intune for Pro and Enterprise) which you can find here. As you can see in the comments there are many different results. It somehow depends on the environment and OS version. The latest method i tried worked perfectly, store apps where being installed, built-in apps did update and the store was blocked in the user environment.
The environment we used for this implementation makes use of several store apps. Which is the Company Portal and the Azure VPN Client. These come from the new (winget) store. It is important to have these applications on the device after enrolling or when doing a fresh start for example. Both Apps are assigned to device groups.

First, I’ve figured out what available Policy CSP settings would lead to the desired result. I’ve tested the following settings. These all did not lead to the required result. So we tried something else.
- AllowStore – More info here.
- AllowAppStoreAutoUpdate – More info here.
- RequirePrivateStoreOnly – More info here.
The complete Policy CSP can be found here: ApplicationManagement Policy CSP – Windows Client Management | Microsoft Learn
What did work!?
Create the following policy:
- Navigate to https://intune.microsoft.com
- Go to Devices -> Configuration profiles
- Click Create -> New policy
- Platform: Windows 10 and later -> Profile type: Settings catalog -> Click Create
- Fill in a common name. For example: Windows – Microsoft Store – Block
- Click Next -> Click Add Settings
- Navigate to Administrative Templates\Windows Components\Store
- Select Turn off the Store application (User) and set Enabled
- Scope tags are optional
- Assignment: Pick All Users or a specific user group. Make sure to test this first with a small amount of users.
- Finally, Create the policy.
Once the policy is deployed to the device (User) it will be blocked. Simple and straight forward.

Optionally you can prevent users from pinning the store app to the taskbar. This will also remove the pinned Store from the taskbar!
- Navigate to https://intune.microsoft.com
- Go to Devices -> Configuration profiles
- Click Create -> New policy
- Platform: Windows 10 and later -> Profile type: Settings catalog -> Click Create
- Fill in a common name. For example: Windows – Microsoft Store – Unpin
- Click Next -> Click Add Settings
- Navigate to Administrative Templates\Start Menu and Taskbar
- Select Do not allow pinning Store app to the Taskbar (User) and set Enabled
- Scope tags are optional
- Assignment: Pick All Users or a specific user group. Make sure to test this first with a small amount of users.
- Finally, Create the policy.
Once the policy is deployed to the device (User) they cannot PIN the Store App to the taskbar anymore.

I hope this setting helps you to block access to the store. Keep in mind that this setting might not be available on every operating system version. Verify that the policy successfully deployed to the devices via Intune and the store is block eventually.
Nice Article, but I have q trick question: Does these changes works with Windows 11 Professional?
Thank you,
I’ve seen it working with BP and Enterprise. Not tested Pro.
It works only for enterprise and education not for Pro. WTF!
Any solution to block on pro devices as well?
Try this: https://andrewstaylor.com/2023/07/24/restricting-microsoft-store-via-intune-for-pro-and-enterprise/
Thank you. Is there any option to blocked installed Store Apps, for example user installed Whatsapp before we blocked Microsoft Store can we block these apps?
If you have Defender for Cloud Apps you can unsanction Whatsapp. That might help..
do you know if even with this policy applied, it seem that whatspps is till able to be downloaded and install by user?
Might be installed via a different method? If the store is blocked it can’t be done via the store app for sure. Have you tried via the browser in the store? If you have Defender for Cloud Apps you might unsanction whatsapp there.
Store App Deployment
Could you please confirm what combination is working? Deploy Azure VPN Client – Install behaviour System or User? Assignment to Device Group or User Group?
Policy Deployment by selecting “Store app to the Taskbar (User)” and assign policy to the User group or Device group?
Hi Sam,
That’s up to you.. If every device needs the VPN client i would suggest System. Had no issues with this in the past. Also, no issues with user in the past. Can’t remember if their are functional differences.
if the ms store is blocked, apps still can download and install from here. https://apps.microsoft.com/detail/9ntxr16hnw1t?hl=en-us&gl=US
do you have the same behavior
Hi Jeff,
That is true. You can still download and install it in the user’s profile. You should use WDAC/Applocker to prevent installations like this. Simple method would be a block indicator in Defender for Endpoint but that won’t prevent users from installing the applications if they have the setup files.
I tried the policy and it did block store app. However if you go to apps.microsoft.com and download and double click, it will install the store app
Hi Jeff,
That is true. You can still download and install it in the user’s profile. You should use WDAC/Applocker to prevent installations like this. Simple method would be a block indicator in Defender for Endpoint but that won’t prevent users from installing the applications if they have the setup files.
You can download but non install. For example you download NEtflix and when you try to install it it still on Download screen. Probably cause of we don’t give to users administrative access
Apologies for the necro posting.
While the above does block the store app, it does not block somebody going to say https://apps.microsoft.com/detail/9nksqgp7f2nh?hl=en-us&gl=GB clicking the Download button and then running the downloaded .exe (original filename StoreInstaller.exe) which then installs WhatsApp from the store.
This is on W11 Enterprise and “Block Non Admin User Install” is also set, but still the store can install the app…