Managing Client Access to the Windows Store
Published: February 29, 2012
Updated: August 22, 2012
Applies To: Windows 8
Windows Store is available in Windows® 8. IT Administrators can control the availability and functionality of Windows Store to client computers based on the business policies of their enterprise environment. The following covers frequently asked questions by IT Pros about managing aspects of client access to the Windows Store in an enterprise environment.
What is a Windows app?
What is LOB?
What is sideloading? Does the Windows Store allow it?
Can I use Group Policy to control the Windows Store in my enterprise environment?
Are there any special considerations while configuring access permissions on system resources through Group Policy?
Are any Windows Store privacy settings controlled by Group Policy?
How much control does an IT Administrator have over the Windows apps that can be installed in their environment?
Do I have any control over which third-party apps can be installed from the Windows Store?
What about devices that move between work and home? Is it possible to manage apps and updates available from the Windows Store on these devices?
Windows apps are designed to be sleek, quick, and modern, with groups of common tasks consolidated to speed up usage. The core design concepts of a Windows app include good typography and large, eye-catching text, with the content as the main focus.
For more information about the concept of Windows apps, see What are Windows apps? on MSDN.
LOB stands for line-of-business. Line-of-business apps are apps that require users to authenticate with corporate credentials, that access internal information, or that are designed specifically for internal use. An example is an expense report app that the IT department provides for employees.
Sideloading, which is available in both Windows 8 and Windows Server 2012, refers to installing apps directly to a device without going through the Windows Store. LOB apps do not need to be certified by Microsoft and cannot be installed through the Windows Store, but they must be signed with a certificate chained to a trusted root certificate. We recommend that IT administrators run LOB apps through the same technical certification tests that the Windows Store applies to the apps it distributes.
For more information about sideloading, see How to Add and Remove Apps.
For more information about running the technical certification tests, see How to test your app with the Windows App Certification Kit.
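The following PowerShell script is an example added here; it is not part of the original article or of any Microsoft tooling. It performs the pre-sideloading checks the paragraph above implies: the .appx must carry a valid Authenticode signature that chains to a root the machine trusts, and the certificate subject must match the Publisher declared in the package's AppxManifest.xml (Add-AppxPackage rejects a package where these differ). The function name, its parameters and the sample path are this example's own assumptions; it requires Windows 8 (PowerShell 3.0, the Appx module and .NET 4.5 for ZipFile).

```powershell
# Example added here, not from the article. Checks an LOB .appx before it is sideloaded:
#   1. Authenticode signature present and chained to a trusted root on this machine
#   2. AppxManifest.xml Publisher equals the signing certificate subject
# Function name and parameters are this example's own; needs PowerShell 3.0 / .NET 4.5.

function Test-LobPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$PackagePath,   # path to the .appx file
        [switch]$Install                                      # sideload only if every check passes
    )

    # 1. "Valid" means the file is signed AND the chain ends at a root this machine trusts.
    #    NotSigned / UnknownError / NotTrusted all mean the package must not be deployed.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status {1} ({2})" -f $PackagePath, $sig.Status, $sig.StatusMessage)
        return $false
    }

    # 2. An .appx is a zip container; read the manifest without extracting the package.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if ($null -eq $entry) { Write-Warning "$PackagePath has no AppxManifest.xml"; return $false }
        $reader = New-Object System.IO.StreamReader ($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }

    # 3. Publisher in the manifest must equal the certificate subject. Normalise the
    #    whitespace around commas so "CN=Contoso, O=Contoso" and "CN=Contoso,O=Contoso" compare equal.
    $manifestPublisher = $manifest.Package.Identity.Publisher -replace '\s*,\s*', ','
    $certSubject       = $sig.SignerCertificate.Subject      -replace '\s*,\s*', ','
    if ($manifestPublisher -ne $certSubject) {
        Write-Warning ("Publisher mismatch: manifest '{0}' vs certificate '{1}'" -f $manifestPublisher, $certSubject)
        return $false
    }

    Write-Verbose ("{0} {1} is signed by {2}" -f $manifest.Package.Identity.Name,
                                                  $manifest.Package.Identity.Version, $certSubject)
    if ($Install) { Add-AppxPackage -Path $PackagePath }   # installs for the current user
    return $true
}

# Usage (the path is a placeholder constructed for this example):
# Test-LobPackage -PackagePath 'C:\Deploy\ExpenseReport.appx' -Verbose
```

The signature check is deliberately done with Get-AuthenticodeSignature rather than by inspecting the certificate alone: the Status field reflects the full chain build against the machine's trusted roots, which is exactly the "chained to a trusted root certificate" requirement the article states. Run the script on a machine configured like the deployment targets, since a root that is trusted on an administrator's workstation may not be trusted on the clients.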
Yes. IT Administrators can use Group Policy to allow or prohibit their users from accessing the Windows Store, to control whether updates for apps acquired from the Windows Store are downloaded automatically, and to manage whether sideloaded app installations are permitted.
Yes. Windows apps run with very limited user rights compared to their non-Windows 8 counterparts, which run with standard user rights by default. Windows apps can access only those resources (files, folders, registry keys, and DCOM interfaces) to which they have been explicitly granted access. For example, if a new folder is created in C:\Personal Docs and files are copied into that folder, no Windows app can access those files, because the apps have not been granted explicit access. However, the access permissions (ACLs) on critical system resources such as the Windows\System32 folder contain a special rule (ACE) that grants all Windows apps the permissions necessary for any app to run.
The figure below highlights the default permissions on the Windows\System32 folder that grant read and execute permissions to all Windows apps:
The default permissions (ACLs) on system resources can be modified using different methods. For example:
The access and launch permissions on DCOM interfaces can be modified through the following Group Policy setting: Local Policies, Security Options, DCOM: Machine Access/Launch Restrictions in SDDL Syntax.
For more information, see DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax on TechNet.
Access permissions on file system and registry objects can be changed through Security Templates.
For more information, see Administer Security Policy Settings on TechNet.
While configuring the access permissions on any of these resources, it is important to identify which of these resources grant access to all Windows apps and to ensure that the new effective permissions do not remove that access. When supplying the permissions in SDDL form, the security identifier (SID) for ALL APPLICATION PACKAGES is S-1-15-2-1.
Incorrectly configured access permissions will cause all Windows apps to fail.
An example of an SDDL representation of an ACE that grants generic read (GR) and generic execute (GX) permissions to all Windows apps is (A;OICIIO;GXGR;;;AC), where AC refers to ALL APPLICATION PACKAGES.
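The following PowerShell script is an example added here, not code from the article or from Microsoft. It implements the check the preceding paragraphs call for: before a security template or a modified ACL is deployed, confirm that the DACL still contains an allow ACE for ALL APPLICATION PACKAGES (S-1-15-2-1) carrying read and execute rights, and that no deny ACE for that SID takes those rights away. It accepts either a raw SDDL string (the form used in templates) or the path of a live file, folder or registry key. The function names and the sample SDDL strings are this example's own; it requires PowerShell 3.0 or later on Windows 8, where the SDDL alias AC is recognised.

```powershell
# Example added here, not from the article. Verifies that a DACL still grants
# ALL APPLICATION PACKAGES (S-1-15-2-1) read and execute, and carries no deny ACE
# for that SID. Function names are this example's own; requires PowerShell 3.0+.

$AllAppPackagesSid = 'S-1-15-2-1'   # the SID behind the SDDL alias "AC"
$GENERIC_READ      = 0x80000000     # SDDL right "GR"
$GENERIC_EXECUTE   = 0x20000000     # SDDL right "GX"
$FILE_READ_EXECUTE = 0x000200A9     # FileSystemRights.ReadAndExecute (specific file rights)
$KEY_READ          = 0x00020019     # RegistryRights.ReadKey (specific registry rights)

function Test-AppPackageSddl {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # RawSecurityDescriptor parses SDDL with the same Win32 routine the policy engine uses
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    if ($null -eq $sd.DiscretionaryAcl) { return $false }   # no DACL: AC is granted nothing

    $generic  = $GENERIC_READ -bor $GENERIC_EXECUTE
    $anyRead  = $generic -bor $FILE_READ_EXECUTE -bor $KEY_READ
    $granted  = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only standard ACEs for the ALL APPLICATION PACKAGES SID are of interest
        if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
        if ($ace.SecurityIdentifier.Value -ne $AllAppPackagesSid) { continue }

        # AccessMask is a signed Int32; widen it so the GENERIC_READ bit can be tested
        $mask       = ([int64]$ace.AccessMask) -band 0xFFFFFFFF
        $hasGeneric = ($mask -band $generic) -eq $generic
        $hasFile    = ($mask -band $FILE_READ_EXECUTE) -eq $FILE_READ_EXECUTE
        $hasKey     = ($mask -band $KEY_READ) -eq $KEY_READ

        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            if (($mask -band $anyRead) -ne 0) {
                Write-Warning ("Deny ACE for ALL APPLICATION PACKAGES removes read/execute (mask 0x{0:X8}); Windows apps will fail" -f $mask)
                return $false
            }
            continue   # a deny that does not touch read/execute does not break apps
        }
        if ($hasGeneric -or $hasFile -or $hasKey) {
            Write-Verbose ("Allow ACE for AC, mask 0x{0:X8}, flags {1}" -f $mask, $ace.AceFlags)
            $granted = $true
        }
    }
    return $granted
}

function Test-AppPackageAccess {
    # Same check against a live object: a file, a folder, or a registry key such as HKLM:\SOFTWARE
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)
    return Test-AppPackageSddl -Sddl (Get-Acl -Path $Path).Sddl
}

# The ACE quoted in the article, wrapped in a minimal DACL (constructed for this example)
Test-AppPackageSddl -Sddl 'D:(A;OICIIO;GXGR;;;AC)'
# A template that kept SYSTEM, Administrators and Users but dropped the AC entry (constructed)
Test-AppPackageSddl -Sddl 'D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)'
# Live check on the folder the article uses as its example
Test-AppPackageAccess -Path "$env:SystemRoot\System32" -Verbose
```

The comparison is done on the SID rather than on the account name so that it does not depend on the display language of the machine, and the access mask is tested for both the generic rights the article's ACE uses (GR and GX) and the specific file or registry rights that tools such as icacls write, since either form satisfies the requirement. Run it on a test machine against every object a template touches, not only System32, because the failure mode the article warns about (all Windows apps failing) appears as soon as any resource the apps need loses the entry.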
Yes. The following registry key controls Windows Store privacy settings:
Key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\AppHost
Value name: EnableWebContentEvaluation
Value type: REG_DWORD
Value data: 0x00000001
A value of 1 indicates that telemetry is enabled, and a value of 0 indicates that it is disabled.
Yes. IT Administrators can turn access to the Windows Store on or off in the following ways:
For specific machines
For specific users and groups
We offer support for enterprises that want direct control over the deployment of LOB apps. Enterprises can choose to deploy LOB apps directly to the computers they manage without going through the Windows Store infrastructure.
No, an IT Administrator can only manage access to the Windows Store by using Group Policy settings deployed to a domain-joined device.
By default, the only Windows apps that can be installed on Windows 8 are ones that are installed from the Windows Store.
An IT Administrator can control which Windows apps can be installed by using AppLocker. These policies can be enabled on apps from the Windows Store or on LOB apps that have been sideloaded by the IT Administrator.
For more information about using AppLocker to manage Windows apps, see the AppLocker Overview.
Yes. Using AppLocker, IT Administrators have complete control of which, if any, third-party apps can be installed from the Windows Store.
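The following PowerShell script is an example added here; it is not part of the article or of Microsoft's AppLocker documentation. It shows the control the two preceding answers describe in working form: it builds an AppLocker packaged-app rule collection that allows only the Windows apps (Store or sideloaded LOB) already installed on a reference machine, writes it in AuditOnly mode so the effect can be reviewed in the event log before anything is blocked, and reports whether the machine's effective policy contains any packaged-app rules at all. The function names and output path are this example's own; it requires the Appx and AppLocker PowerShell modules (Windows 8 / Windows Server 2012) in an elevated session.

```powershell
# Example added here, not from the article. Builds an allow list of the packaged apps on a
# reference machine as AppLocker publisher rules (AuditOnly), and counts the packaged-app
# rules in the effective policy. Function names and the output path are this example's own.

function New-PackagedAppAllowList {
    [CmdletBinding()]
    param(
        [string]$OutFile = "$env:ProgramData\AppLocker-Appx.xml",   # placeholder location
        [string]$User    = 'Everyone'
    )
    # One FileInformation entry per installed package: publisher, package name, version
    $fileInfo = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation

    # Publisher rules key on the signing certificate subject and package name, so they keep
    # matching when the Store updates the app; -Optimize merges rules for the same publisher
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                       -RuleNamePrefix 'Installed' -User $User -Optimize -Xml

    # Start in audit mode: decisions are written to the
    # Microsoft-Windows-AppLocker/Packaged app-Execution log without blocking anything,
    # which is how a new rule set should be validated before enforcement.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    $policy.Save($OutFile)
    return $OutFile
}

function Get-PackagedAppRuleCount {
    # With zero rules in the Appx collection every packaged app is allowed; as soon as one
    # rule exists, packaged apps without a matching allow rule are blocked. Which of the two
    # states a machine is in is the first thing to establish.
    [CmdletBinding()]
    param()
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml
    $appx = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
    if ($null -eq $appx) { return 0 }
    return @($appx.ChildNodes).Count
}

# Usage:
# $xml = New-PackagedAppAllowList              # review the XML, then...
# Set-AppLockerPolicy -XmlPolicy $xml -Merge   # apply locally, or use -Ldap to write it to a GPO
# Get-PackagedAppRuleCount                     # confirm the Appx collection now has rules
```

AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running, so a deployment that sets the policy without starting that service enforces nothing; the same applies to the audit events the AuditOnly mode relies on. The reference machine should carry exactly the apps the enterprise intends to permit, since every package found on it becomes an allow rule.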
No, AppLocker is only available for managing domain-joined machines.
No, app updates from the Windows Store cannot be managed by the IT Administrator.
No. All updates to apps that come from the Windows Store must be initiated by the user.
Yes, an IT administrator can configure the ability of the Windows Store to auto download (but not install) available updates by using Group Policy.