
Manage Client Access to the Windows Store

Published: February 29, 2012

Updated: March 24, 2014

Applies To: Windows 8

Windows Store is available in Windows® 8. IT Administrators can control the availability and functionality of Windows Store to client computers based on the business policies of their enterprise environment. The following sections answer questions frequently asked by IT pros about managing client access to the Windows Store in an enterprise environment.

Windows apps are designed to be sleek, quick, and modern, with groups of common tasks consolidated to speed up usage. The core concepts of a Windows app include good typography and large, eye-catching text, with the content as the main focus.

For more information about the concept of Windows apps, see What are Windows apps? on MSDN.

LOB stands for line-of-business. Line-of-business apps require users to authenticate using corporate credentials, access internal information, or are designed specifically for internal use. An example is an expense report app that the IT department provides for employees.

Sideloading, which is available in both Windows 8 and Windows Server 2012, refers to installing apps directly to a device without going through the Windows Store. LOB apps do not need to be certified by Microsoft and cannot be installed through the Windows Store, but they must be signed with a certificate chained to a trusted root certificate. We recommend that IT administrators use the same technical certification that is done by the Windows Store on LOB apps.

For more information about sideloading, see How to Add and Remove Apps.

For more information about running the technical certification tests, see How to test your app with the Windows App Certification Kit.

Yes. IT Administrators can use Group Policy to allow or prohibit their users from accessing the Windows Store, control the automatic download of updates for apps obtained from Windows Store, and allow or prevent the sideloading of apps.

Windows 8.1 and Windows Server 2012 R2 allow you to automatically install app updates in addition to downloading them. The Turn off Automatic Download of updates on Win8 machines policy setting does not have any effect on computers that are running Windows 8.1 or Windows Server 2012 R2, and has been replaced with the following policy: Computer Configuration/Administrative Templates/Store/Turn off Automatic Download and install updates. If this policy setting is enabled, app automatic updates are turned off; if the policy setting is disabled, app automatic updates are turned on.

You can apply combinations of Windows Store Group Policy settings in Windows 8.1 and Windows Server 2012 R2 to customize your enterprise’s Windows Store usage. The following table summarizes your options.

 

Windows Store access for new app purchases, manual app updates: Enable

  • App automatic updates: Enable. Disable this policy: Computer Configuration/Windows Components/Store/Turn off Automatic Download and Install of updates

  • App automatic updates: Disable. Enable this policy: Computer Configuration/Windows Components/Store/Turn off Automatic Download and Install of updates

Windows Store access for new app purchases, manual app updates: Disable

  • App automatic updates: Enable. Disable this policy: Computer Configuration/Windows Components/Store/Turn off Automatic Download and Install of updates. Enable this policy (for all users): User Configuration/Windows Components/Store/Turn off the Store application

  • App automatic updates: Disable. Enable both of these policies: Computer Configuration/Windows Components/Store/Turn off Automatic Download and Install of updates, and Computer Configuration/Windows Components/Store/Turn off the Store application

The following Group Policy settings that control access to Windows Store are available in Windows 8 and Windows Server 2012.

 

  • Group Policy setting: Computer Configuration/Administrative Templates/Store/Turn off the Store application
    Description: Disables access to the Windows Store for the computer, and prevents the computer from accessing the Windows Store.

  • Group Policy setting: User Configuration/Administrative Templates/Store/Turn off the Store application
    Description: Disables access to the Windows Store for individual users, but enables the computer to connect to the Windows Store service to detect new updates.

Windows Store cannot automatically install app updates in Windows 8 and Windows Server 2012; but by default, it automatically downloads updates, which can make manual installation of app updates faster. To turn off this behavior, enable the following policy setting: Computer Configuration/Administrative Templates/Store/Turn off Automatic Download of updates on Windows 8 machines.

Yes. Windows apps run with very limited user rights compared to their non-Windows 8 counterparts that run with standard user rights by default. Windows apps can access only those resources (files, folders, registry keys, and DCOM interfaces) to which they have been explicitly granted access. For example, if a new folder is created in C:\Personal Docs and files are copied into that folder, none of the Windows apps can access those files because the apps have not been granted explicit access. However, the access permissions (ACLs) on critical system resources such as the Windows\System32 folder contain a special rule (ACE) that grants all Windows apps the permissions necessary for any app to run.

The figure below highlights the default permissions on the Windows\System32 folder that grant read and execute permissions to all Windows apps:

Figure: Default permissions for all application packages

The default permissions (ACLs) on system resources can be modified using different methods. For example:

While configuring the access permissions on any of these resources, it is important to identify which of these resources grants access to all Windows apps and ensure that the new effective permissions do not remove that access. When supplying the permissions in SDDL form, the security identifier (SID) for ALL APPLICATION PACKAGES is S-1-15-2-1.

Warning
Incorrectly configured access permissions will cause all Windows apps to fail.

An example of an SDDL representation of an ACE that grants generic read and execute permissions to all Windows apps is (A;OICIIO;GXGR;;;AC), where AC refers to ALL APPLICATION PACKAGES.
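
An added example (not part of the original article or any Microsoft tooling): a PowerShell check to run before and after changing permissions on a resource, which parses a security descriptor in SDDL form and reports whether it still grants read and execute to ALL APPLICATION PACKAGES (S-1-15-2-1). The function name Test-AppPackageAccess and the two sample SDDL strings are constructed for illustration; the access-mask constants are the standard Windows generic and file rights.

```powershell
# Added example, not from the original page. Function name is hypothetical.
$AllAppPackagesSid = 'S-1-15-2-1'                    # SID quoted on the page
$GenericRX = [int]0x20000000 -bor [int]::MinValue   # GX | GR, as kept in inherit-only ACEs
$FileRX    = 0x1200A9                                # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE

function Test-AppPackageAccess {
    param([Parameter(Mandatory)][string]$Sddl)

    $flags = [System.Security.AccessControl.AceFlags]
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $onObject = $false; $toChildren = $false

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow ACEs for ALL APPLICATION PACKAGES are of interest.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if ($ace.SecurityIdentifier.Value -ne $AllAppPackagesSid) { continue }

        # Accept either the generic bits (GXGR) or their file-specific mapping.
        $mask = $ace.AccessMask
        $grantsRX = (($mask -band $GenericRX) -eq $GenericRX) -or
                    (($mask -band $FileRX) -eq $FileRX)
        if (-not $grantsRX) { continue }

        # An inherit-only ACE (IO) covers children but not the object itself.
        $f = [int]$ace.AceFlags
        if (($f -band [int]$flags::InheritOnly) -eq 0) { $onObject = $true }
        if (($f -band [int]($flags::ContainerInherit -bor $flags::ObjectInherit)) -ne 0) {
            $toChildren = $true
        }
    }
    [pscustomobject]@{ GrantsOnObject = $onObject; GrantsToChildren = $toChildren }
}

# Constructed SDDL strings (not taken from a real system).
$intact   = 'D:PAI(A;OICI;FA;;;SY)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)'
$stripped = 'D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
Test-AppPackageAccess -Sddl $intact
Test-AppPackageAccess -Sddl $stripped

# Live check of the folder the page discusses.
Test-AppPackageAccess -Sddl (Get-Acl "$env:windir\System32").Sddl
```

A result with either property false after a permissions change means the new ACL has dropped the access that the warning above refers to.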

Yes. The following registry key controls Windows Store privacy settings:

<registryKey keyName="HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\AppHost">
      <registryValue
          name="EnableWebContentEvaluation"
          value="0x00000001"
          valueType="REG_DWORD"
          />
</registryKey>

Figure: Telemetry settings UI

A value of 1 indicates that telemetry is enabled, and a value of 0 indicates that it is disabled.

Yes. IT Administrators can turn access to the Windows Store on or off in the following ways:

  • For specific machines

  • For specific users and groups

We offer support for enterprises that want direct control over the deployment of LOB apps. Enterprises can choose to deploy LOB apps directly to the computers they manage without going through the Windows Store infrastructure.

No, an IT Administrator can only manage access to the Windows Store by using Group Policy settings deployed to a domain-joined device.

By default, the only Windows apps that can be installed on Windows 8 are ones that are installed from the Windows Store.

An IT Administrator can control which Windows apps can be installed by using AppLocker. These policies can be enabled on apps from the Windows Store or LOB apps that have been sideloaded by the IT Administrator.

For more information about using AppLocker to manage Windows apps, see the AppLocker Overview.

Yes. Using AppLocker, IT Administrators have complete control of which, if any, third-party apps can be installed from the Windows Store.

No, app updates from the Windows Store cannot be managed by the IT Administrator.

Yes, starting in Windows 8.1. In Windows 8, updates to apps from the Windows Store can be downloaded manually, but their installation must be initiated by the user.

© 2014 Microsoft. All rights reserved.