18.9.72.1 Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

This setting configures the launch of all apps from the Microsoft Store that came pre-installed or were downloaded.

The recommended state for this setting is: Disabled.

Note: This policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions.

Note #2: The name of this setting and the Enabled/Disabled values are incorrectly worded - logically, the title implies that configuring it to Enabled will disable all apps from the Microsoft Store, and configuring it to Disabled will enable all apps from the Microsoft Store. The opposite is true (and is consistent with the GPME help text). This is a logical wording mistake by Microsoft in the Administrative Template.

Rationale:

The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise-managed environment, the IT department should manage the installation of all applications to reduce the risk of vulnerable software being installed.

Impact:

All apps from the Microsoft Store that came pre-installed or were downloaded are prevented from launching. Existing Microsoft Store apps will not be updated. Microsoft Store is disabled.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to 'Disabled':

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Custom)

Click Create

Enter a Name

Click Next

Configure the following setting:

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps
Data type: Integer
Value: 1

Select OK

Continue through the wizard to complete the creation of the profile (profile assignments, applicability, etc.)

Note: More than one configuration setting from each of the Configuration profiles (e.g., Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.
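To confirm the profile was created as specified, the following added example (not part of the benchmark or of any Microsoft tooling) checks an exported list of device configuration profiles for the OMA-URI, data type and value given above. It assumes the export is the JSON returned by Microsoft Graph when listing deviceManagement/deviceConfigurations; the function name audit_export and the sample data are hypothetical.

```python
import json

# Values from the Solution steps above.
OMA_URI = "./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps"
INT_TYPE = "#microsoft.graph.omaSettingInteger"  # Graph type behind "Data type: Integer"
CUSTOM_PROFILE = "#microsoft.graph.windows10CustomConfiguration"
EXPECTED_VALUE = 1

def audit_export(export_json):
    """Return (status, details) where status is PASS, FAIL or MISSING."""
    details = []
    for profile in json.loads(export_json).get("value", []):
        if profile.get("@odata.type") != CUSTOM_PROFILE:
            continue  # only Custom profiles carry omaSettings
        name = profile.get("displayName", "<unnamed>")
        for setting in profile.get("omaSettings") or []:
            # Assumption: match the OMA-URI case-insensitively.
            if setting.get("omaUri", "").strip().lower() != OMA_URI.lower():
                continue
            if setting.get("@odata.type") != INT_TYPE:
                details.append(("FAIL", name, "data type is not Integer"))
            elif setting.get("value") != EXPECTED_VALUE:
                details.append(("FAIL", name, f"value is {setting.get('value')!r}, expected 1"))
            else:
                details.append(("PASS", name, "value is 1"))
    if not details:
        return "MISSING", details
    # Any non-conforming profile fails the audit: a second profile with a
    # different value would conflict with the compliant one.
    status = "FAIL" if any(d[0] == "FAIL" for d in details) else "PASS"
    return status, details

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"@odata.type": CUSTOM_PROFILE, "displayName": "CIS - Store apps",
     "omaSettings": [{"@odata.type": INT_TYPE, "displayName": "DisableStoreOriginatedApps",
                      "omaUri": OMA_URI, "value": 1}]},
    {"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "displayName": "Baseline restrictions"},
]})

if __name__ == "__main__":
    status, details = audit_export(SAMPLE_EXPORT)
    print(status)
    for row in details:
        print(" ", *row)
```

A MISSING result also covers a profile that sets the policy under a different OMA-URI than the ./Device path above.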

Default Value:

Enabled. (Microsoft Store apps are permitted to be launched and updated. Microsoft Store is enabled.)

See Also

https://workbench.cisecurity.org/files/3358