Lilys Dad

.. But the Microsoft Store is still accessible.

You implement the Group Policy to block access to the Microsoft Store via the installed app, but your users can still go and access the Microsoft Web Store…

As an enterprise, we all want to be able to control what applications are installed and to limit the various install locations that can be used. The obvious choice here is to block access to the Microsoft app store via Intune or Group Policy. You then go one step further and block access to the Office store to control the addins that can be used with M365 Apps for Enterprise (aka Office).

Imagine our shock when we have one of our users post about how to get Microsoft Powertoys installed using the Microsoft Web Store… Our first reaction – really??!?

After a chat with a few Microsoft bods, yup its been a thing since late 2024.

So any user can access the Microsoft Store online, and download any application from there. Now, if it app requires admin privilages then this will get blocked if you have removed admin rights from the device, otherwise yup its installing. So we tested with Spotify and yup it downloaded and installed, Microsoft’s answer to control the wild west of applications?

Use AppLocker or App Control for Business to whitelist/blacklist those applications. I’ll hold judgement as its been a while since I last looked at those features and they were pretty awful from a sysadmin / administration point of view.

Of course, there are other alternatives for application control such as Sophos, Tanium, CrowdStrike plugin Airlock and then there is ThreatLocker.

So thats another project into the order books for 2025! Happy days.

I’ll add some more posts on our journey.