18.10.65.1 (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'

Information

This setting configures the launch of all apps from the Microsoft Store that came pre-installed or were downloaded.

The recommended state for this setting is: Disabled

Note: This policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions.

Note #2: The name of this setting and the Enabled/Disabled values are incorrectly worded - logically, the title implies that configuring it to Enabled will disable all apps from the Microsoft Store, and configuring it to Disabled will enable all apps from the Microsoft Store. The opposite is true (and is consistent with the GPME help text). This is a logical wording mistake by Microsoft in the Administrative Template.

The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Store\Disable all apps from Microsoft Store

Note: This Group Policy path is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named

Disable all apps from Windows Store

, but it was renamed starting with the Windows 10 Release 1803 Administrative Templates.

Impact:

All apps from the Microsoft Store that came pre-installed or were downloaded are prevented from launching. Existing Microsoft Store apps will not be updated. Microsoft Store is disabled.

See Also

https://workbench.cisecurity.org/benchmarks/17129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), 800-53|CM-10, CSCv7|9.2

Plugin: Windows

Control ID: ceb2bd82d276e7011818eb79bf788160636e5e7b678d6c03161fda65c3d5a7d7