Skip to content
Naked Security Naked Security

Microsoft says no more blocking Windows Store on Pro edition

You're going to have to get the Enterprise or Education edition if you really want to block employees from downloading apps.

Want to block your employees from downloading software from the Windows Store?

No problem! Just pony up for the pricier versions of Windows 10 and you’ll be good to go.

That’s right, the plain old vanilla professional version of the operating system no longer allows Windows Store blockage.

Stop me if you’ve heard this one before: That’s no flaw. It’s a feature!

Microsoft said that the lack of support for Windows 10 Pro users to block the Windows Store is designed into version 1511.

The only users now allowed to block access to the app store are users of the Enterprise or Education editions.

From a statement Microsoft sent to the BBC:

Windows 10 Enterprise is our offering that provides IT pros with the most granular control over company devices.

Windows 10 Pro offers a subset of those capabilities and is recommended for small and mid-size businesses looking for some management controls, but not the full suite necessary for IT pros at larger enterprises.

Well, that’s unfortunate. Looks like Microsoft has decided that the small fry are no longer worthy of blocking employees from downloading software that could gum up whatever other software they’re running. Nor do they get to stop productivity drainage as employees play Flappy Bird or Swing Copters or whatever addictive game is current.

Then too, some of those small to mid-size businesses might have wanted to block company Windows phones from picking up malware, dodgy websites, adware and other potentially unwanted apps.

We hear about malware in Google’s Play store or Apple’s iTunes, but Microsoft has a few app skeletons in its own closet.

Back in 2014, it was scampering to sweep out the store, which had become littered with scam apps deceptively labeled with logos and names of legitimate apps.

What to do?

If you can’t block ’em, you can always try educating employees about ’em.

John Harrison, owner of Harrison IT services, told the BBC that the change could cause problems for small businesses that they’ll have to try to educate themselves out of:

Users like to change settings or try to install software by themselves. If they don’t know what they’re doing or don’t have the appropriate experience, they can cause all kinds of issues.

You are going to have to educate staff, tell them not to use the Windows Store unless it really is relevant to the business.

11 Comments

I’m waiting for third party software to fill the gap Microsoft has left.

Will Sophos do this?

Can’t you just block store’s IP the router? (and do the same with built-in spying software)

MS keeps pushing it’s customers away. Fortunately it’s getting easier to leave them every year.

Does this also mean that you won’t be able to block Microsoft user accounts on Windows 10 Pro anymore? What a bait and switch if they are going to roll out Windows 10 Pro for free, then say “Oh, sorry. You can’t have that feature anymore unless you pay up..”

What other “Sorry, want this feature… then pay up” surprises are in store?

We’ll see, but I’m doing it on all Pro 10’s now (30 of them, my test base)…will assume that MS updates will work a work that resets the Group Edit Policy and the Registry. The group I’m testing is supposed to have no Social Media access either regarding workplace supplied devices.
Why am I not shocked (frustrated yes) at this present MS generation of programers and their leadership?
We knew it was all about the $$…but why leave a hole for vulnerabilities…or why not offer a tiered version of Windows Pro?

The easiest way to block them is to put the IP in the hosts list and address it as 127.0.0.1.
How are they going to stop anyone from doing that either on the PC or on a firewall?

The should also remove Active Directory integration and convert all local user accounts administrators and make it all Enterprise only feature.

The app store is delivered via the MS cloud and thus is unfortunately resilient against IP or DNS blocking. But you can do other things. Prevent account sign in and linking with domain account – all this is in GPO (I have no idea how long for though), remove the windows store app using powershell. I think it stinks that MS did this – smaller organisations don’t always have the expertise to deal with the headache that this will cause. And I find it even more irritating that so many articles report this on the web, yet they don’t offer the basic advice for us to deal with it. But I do find it hilarious that all those that took up the ‘free’ Windows 10 upgrade are now finding out ‘why’ MS gave it for free. And I hope that Sophos will enhance their ‘application blocking’ to prevent this, like they did with the GWX – thanks for that :D
I see no use of the Windows Store for my organisation

Want to try an interesting experiment? Use Winreducer and remove Windows Store, then install Windows on a VM. As soon as you boot up you suddenly find yourself incapable of going online. Well it turns out Windows Store is not just a feature, its practically part of the Windows networking.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?