If you’re managing a fleet of computers in a business, you may not want users to be able to access everything in the Microsoft Store. Having users a few clicks away from installing ‘Slotomainia’ or ‘Ninja World’ might not be what you want readily available on a business computer. You may also not want other services that can contribute to data leakage, or shadow-IT-type solutions that users decide to adopt on their own.
As long as you are running Windows 10 Enterprise or Education, you can completely disable the Microsoft Store functionality either by using AppLocker to maintain a whitelist of allowed packaged apps, or by using Group Policy to enable the “Turn off Store application” setting under Computer Configuration > Administrative Templates > Windows Components.
AppLocker has been with us for quite some time now, reaching all the way back to good old Windows 7. Although it is not the best solution from a technical point of view (there is Windows Defender Application Control, including TPM-enforced policy signing), it is still a good way to build a quick solution that stops users from installing software.
For Windows 10 Pro and Home users this won’t work, so you’ll have to try other methods, such as uninstalling the Windows Store on each PC with the PowerShell command `Get-AppxPackage *windowsstore* | Remove-AppxPackage`.
Disabling the Microsoft Store entirely is one option, but you may find that your users are required to use a few of the Microsoft Store apps. For this case (again only for Enterprise and Education, and you’ll need Office 365 or Azure AD), you can instead have a Private Store. This is also enabled in Group Policy, using the setting “Only display the private store within the Microsoft Store app”, again under Computer Configuration > Administrative Templates > Windows Components.
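The AppLocker route mentioned above (a whitelist of allowed packaged apps) can be scripted rather than clicked through. The following is an added example, not code from the original article: it takes the Store apps already installed on a reference machine, turns them into publisher rules, and deploys the packaged-app rule collection in audit mode so that any other Store app is logged now and would be blocked once the collection is switched to enforced. It assumes Windows 10 Enterprise or Education, an elevated PowerShell session and a running Application Identity service; the output path is this example’s own choice.

```powershell
# Added example (not code from the original article): build an AppLocker packaged-app
# allow list from the Store apps already installed and deploy it in audit mode, so any
# other Store app is logged now and blocked once the rule collection is enforced.
# Assumptions: Windows 10 Enterprise or Education, an elevated PowerShell session, and the
# Application Identity service (AppIDSvc) running. The output path is this example's choice.
$PolicyXml = Join-Path $env:TEMP 'AppLocker-PackagedApps-Audit.xml'

# Publisher, package name and version for every installed packaged app, across all user profiles.
$pkgInfo = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation

# One publisher rule per app for Everyone. A publisher rule survives app updates,
# whereas a hash rule would break on the next Store update.
$policyText = New-AppLockerPolicy -FileInformation $pkgInfo -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Installed' -Xml

# The generated collection has EnforcementMode="NotConfigured"; set it to AuditOnly for the pilot.
[xml]$doc = $policyText
foreach ($collection in @($doc.AppLockerPolicy.RuleCollection)) {
    if ($collection.Type -eq 'Appx') { $collection.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$doc.Save($PolicyXml)

# Apply locally, keeping any rules that are already present.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# In audit mode, event 8021 records a packaged app that would have been blocked; 8022 is an actual block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8021, 8022 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Review the 8021 events for a while before changing the collection’s EnforcementMode to Enabled; the Store app itself ends up on the list because it is installed, so remove its rule if the goal is to block the Store entirely rather than to keep a few apps.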
The Microsoft Store will look pretty bare at this stage (I see the 5 apps in the screenshot below by default), so you’ll want to add or remove some apps. This is done online, Enterprise customers go to https://businessstore.microsoft.com and education customers go to https://educationstore.microsoft.com. You’ll need to sign in with an account that’s an Azure AD or Office 365 Global Administrator, but can then grant access to others.
To add an app, under ‘Shop for my group’ you can search or click through the options to find the app you’re after; I’ve chosen Microsoft To-Do for this example. Going to the app’s page will give you a button that says ‘Get the app’. Once you click that, you’ll see the message “Microsoft To-Do has been purchased and added to your inventory.” After you’ve done that, go to the “Manage” tab and then the “Products and Services” option on the right-hand side. Find the app, click the ellipsis (…) and choose “Add to private store”.
You will finally see a message saying that the app has been added to your store, but may take up to 36 hours* to show.
There’s also the option to assign an app to a user. This is only needed if it’s a licensed or paid-for app that you want to give only to certain users; you may have bought 10 copies of a particular Windows Store app and need to control who has access to it.
It’s worth having a look through the other options on this page as you can control settings such as letting users make purchases, what your organisation will be called in the Microsoft Store app and if you get invoices for the store via email.
Overall the Private Microsoft Store is rather easy to set up, lets you give users self-service access to apps that you allow, and gives you an easy way of letting someone install a Microsoft Store app in the future without having to enable the entire store.
*Update 2nd August 2018
There’s been a great improvement to the 36 hour wait, it’s now within 15 minutes! More details here
AppLocker on Windows 10 is an often-underrated security layer that addresses what is now coming to the forefront of enterprise security: threats from ransomware and other malware. First introduced with Windows 7/Server 2008 R2 as the successor to the Software Restriction Policies feature (XP/2003), it allows non-admins to be restricted to a certain set of applications.
How Can AppLocker Protect Networks from Ransomware Attacks?
AppLocker can be used to predefine what types of apps can be run by which users. Specifically, it controls apps such as executable .exe and .com files, .js, .ps1, .vbs, .cmd, and .bat scripts, .msi and .msp Windows Installer files and DLL files like .dll and .ocx.
When the threat of unwanted software is high, AppLocker can be used to reduce that threat to a great degree.
Specific to ransomware, the job of AppLocker is to prevent software in a non-admin’s writable workspace from being executed. The reason that’s required is that the Windows file system, NTFS, grants read/write permission to all non-admin users in parts of the disk, and some “authenticated users” (also non-admins) even get read/write permissions to %WinDir%\Temp.
AppLocker doesn’t change NTFS permissions; what it does is ensure that a file a non-admin can write to disk cannot also be executed from there. In doing this, AppLocker reduces the surface area for potential malware attacks, including ransomware.
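The following is an added example, not code from the original article, that shows the mechanism just described in practice: it creates the three default executable rules (the same ones the AppLocker console generates), deploys them in audit mode, and asks AppLocker how the same binary is treated under %WINDIR% versus in the user’s own temp folder, which is exactly the writable workspace the paragraph talks about. It assumes an elevated PowerShell session on Windows 10 Enterprise or Education with the Application Identity service running; the file paths and rule names are this example’s own choices.

```powershell
# Added example (not code from the original article): create the three default executable
# rules by hand, deploy them in audit mode, and check how the same binary is treated in an
# allowed location versus a non-admin-writable one. Assumptions: elevated PowerShell on
# Windows 10 Enterprise or Education with the Application Identity service (AppIDSvc) running;
# file paths and rule names below are this example's choices.
$PolicyXml = Join-Path $env:TEMP 'AppLocker-Exe-Audit.xml'

# %WINDIR% and %PROGRAMFILES% are AppLocker path variables. S-1-1-0 is Everyone,
# S-1-5-32-544 is BUILTIN\Administrators. These mirror the console's "Create Default Rules".
$rules = @(
    @{ Name = 'Allow Windows folder';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' }
    @{ Name = 'Allow Program Files folder'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' }
    @{ Name = 'Allow Administrators';       Sid = 'S-1-5-32-544'; Path = '*' }
)
$ruleXml = foreach ($r in $rules) {
    $id = [guid]::NewGuid().ToString()
    '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow"><Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>' -f $id, $r.Name, $r.Sid, $r.Path
}
$policyText = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($ruleXml -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
[xml]$doc = $policyText          # parsing here catches malformed XML before deployment
$doc.Save($PolicyXml)

# Apply locally. Without -Merge this replaces the local policy's Exe collection.
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# Same binary, two locations: under %WINDIR% a default rule matches (Allowed); in the user's
# temp folder no rule matches, so the decision is DeniedByDefault.
$sample = Join-Path $env:TEMP 'appidtest.exe'
Copy-Item -LiteralPath "$env:SystemRoot\System32\notepad.exe" -Destination $sample -Force
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path "$env:SystemRoot\System32\notepad.exe", $sample |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -LiteralPath $sample -Force

# While the collection is in audit mode, event 8003 records what enforcement would have
# blocked and 8004 an actual block; review these before switching EnforcementMode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The DeniedByDefault result for the temp-folder copy is the whole point: nothing in the rule set needs to name the user’s profile, because anything that no allow rule covers is refused. The weak spot, covered by the planning advice further down, is any folder under %WINDIR% or Program Files that a non-admin can also write to, since the default path rules would allow execution from there.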
Earlier this month, the United States Computer Emergency Readiness Team, or US-CERT, issued Alert (TA17-163A), which recommends application whitelisting (AWL) in order to “detect and prevent attempted execution of malware uploaded by adversaries.”
The alert specifically mentions AWL tools such as AppLocker to implement application or application directory whitelisting.
One important thing to remember is that the default rules in AppLocker are only the starting point. To be truly effective, admins need to know which folders non-admins have both execute and write permissions on.
This is why the initial planning stage for rolling out AppLocker is critical. New applications will naturally create new folders and files, and admins have to stay on top of these changes.
One way to do this is by creating scripts that read the system folders to identify which locations non-admins can both write to and execute from. The rule set in AppLocker should depend on where these writable and executable folders are. There are also other tools created by independent security researchers that you can use, such as AppLocker Bypass Checker. You can also use accesschk from Windows Sysinternals to find user-writable folders.
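Here is one such script, added as an example and not taken from the original article: it walks the folders the AppLocker default rules allow (%WINDIR% and both Program Files trees) and reports every folder where a non-admin principal holds an Allow ACE with write rights, which is the list an admin needs before trusting the default path rules. It assumes an elevated PowerShell session on Windows 10; the principal list and root folders are this example’s own choices, and the accesschk line at the end is the equivalent question asked with the Sysinternals tool the paragraph mentions.

```powershell
# Added example (not code from the original article): list folders under the locations the
# AppLocker default rules allow (%WINDIR% and Program Files) where a non-admin principal
# also holds write permission. Those are the folders the default rules leave exposed, and
# each needs its own treatment in the rule set. Assumptions: elevated PowerShell on
# Windows 10; the principal list and roots below are this example's choices.
function Find-NonAdminWritableFolders {
    param(
        [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string[]]$NonAdminPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                          'Everyone', 'NT AUTHORITY\INTERACTIVE')
    )

    # Rights that let a principal place a file in a folder. Modify and FullControl contain
    # these bits, so they are caught by the same mask.
    $writeMask   = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData')
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) ACEs show up as raw numbers
    # rather than named rights; treat them as write access as well.
    $genericMask = 0x40000000 -bor 0x10000000

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($NonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeMask) -ne 0 -or ($rights -band $genericMask) -ne 0) {
                    [pscustomobject]@{
                        Folder    = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights.ToString()
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Typical use: review the list, then give each folder a deny rule or tighten the path allow
# rule that currently covers it.
Find-NonAdminWritableFolders | Sort-Object Folder, Principal | Format-Table -AutoSize

# The same question asked with Sysinternals accesschk (-w: write access only, -s: recurse,
# -u: suppress errors, -q: no banner), run from the folder that contains accesschk.exe:
#   .\accesschk.exe -w -s -u -q "Users" "C:\Windows"
```

Run it on a reference build before the first deployment and again after each application rollout, since, as the paragraph above notes, new software creates new folders and the list changes.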
The point is, the tools are there, but they need to be used effectively.
AppLocker is merely one layer in a series that protects your systems, but it is a critical one that needs to be addressed sooner rather than later. Too many admins merely use the default rules and assume that everything is taken care of, and that’s where the real danger lies.
Windows 10 may be far more resilient to attacks from ransomware and malware, but assuming that Microsoft is going to do all the work is possibly the biggest mistake a SysAdmin can make.
Note: Windows 10 is not the only version where AppLocker can be configured and enforced, but other versions may have some restrictions. Please see the table below, and the additional resource link below that:
Version | Can be configured | Can be enforced | Available rules | Notes |
---|---|---|---|---|
Windows 10 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | |
Windows 8.1 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | Only the Enterprise edition supports AppLocker. |
Windows RT 8.1 | No | No | N/A | |
Windows 8 Pro | No | No | N/A | |
Windows 8 Enterprise | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | |
Windows RT | No | No | N/A | |
Windows Server 2008 R2 Standard | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows Server 2008 R2 Enterprise | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows Server 2008 R2 Datacenter | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows 7 Ultimate | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows 7 Enterprise | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
Windows 7 Professional | Yes | No | Executable, Windows Installer, Script, DLL | No AppLocker rules are enforced. |
Additional Resource: Requirements to Use AppLocker