locked
W2016 TP5 - Disabling Store app for RDSH users. RRS feed

  • Question

  • I tried to disable Store app through GPO, but it has no effect.

    Gpresult says that User Details/Policies/Administrative Templates/Windows Components/Store/Turn Off the store application is enabled.

    Yet the store App is still there and running in the user Start Menu.


    I tried also the GPO : User configuration\ Start Menu and TaskBarShow Windows Store apps on the taskbar: Disabled

    The Windows Store app icon is still there....


      

    • Edited by lolix2 Friday, July 8, 2016 1:41 PM
    Friday, July 8, 2016 7:40 AM

All replies

  • Hi,

    Thanks for your post.

    If so, I suggest you run GPresult /h C:\gpresult.html and post it to us for further research.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 11, 2016 9:09 AM
  • I don't see any option to upload a file here (except pasting the entire file in here).

    A screen capture is too heavy for that forum. So, please believe my initial post :  gpresult says that both GPO have been applied but the Store icon is still here and running like charm.

    Monday, July 11, 2016 9:34 AM
  • Note that my goal is to prevent regular user from installing apps on a *server*.

    This is absolutely flabbergasting that a regular user can write, by way of Windows Store installer If I get it correctly,  in C:\Program Files\WindowsApps !

    How can I be sure that the Windows Store installer won't update some core Windows dlls, .Net xx or whatever related to html5 support in c:\windows ? This is not fair.

    Playing the role of a regular user, I've been allowed to instal Candycrush. The folder C:\Program Files\WindowsApps\king.com.CandyCrushJellySaga_1.20.5.0_x86__kgqvnymyfvs32 is full of dlls. This is a security risk.

    My W2008 Software Restriction Policy was "disallowed" (everything) and a few exceptions. C:\program files among them. This will be a bit more tedious to add all c:\Program files\xxx except c:\Program files\WindowsApps. Hopefully there will be no "Windows Store Special" to circumvent this GPO  and allowing the App to run anyway.

    • Edited by lolix2 Monday, July 11, 2016 2:49 PM
    Monday, July 11, 2016 2:28 PM
  • Hi,

    Note that my goal is to prevent regular user from installing apps on a *server*.

    >>>The regular user cannot install applications on the server if the user is not a member of the local administrators group.

    If a user wants to install applications on server, the user need local administrative permission.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 15, 2016 8:43 AM
  • Hi,

    That was what I believed also.... Until W2016 and Store Apps (maybe W2012 as well. I stayed away from it).

    Using a regular user account I could install some apps from the store. Those apps are (apparently) not available to all users though.

    Monday, July 18, 2016 8:42 AM
  • Hi,

    Try to configure AppLocker to block it.

    To block Windows Store using AppLocker

    1. Type secpol in the search bar to find and start AppLocker.

    2. In the console tree of the snap-in, click Application Control Policies, click AppLocker, and then click Packaged app Rules.

    3. On the Action menu, or by right-clicking on Packaged app Rules, click Create New Rule.

    4. On Before You Begin, click Next.

    5. On Permissions, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.

    6. On Publisher, you can select Use an installed app package as a reference, and then click Select.

    7. On Select applications, find and click Store under Applications column, and then click OK. Click Next.

    8. Optional: On Exceptions, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click Next.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 21, 2016 6:53 AM
  • Hi, this sounds great... ! but fails miserably. ;-(

    (And... well... this is not great at all that an "Application" is not considered as "Software" and that there is a need for a specific section beside "Software restriction policy")

    Anyway, this is not working on W2016 TP5.

    I tried to denied everything by creating a new "Deny" rule applying to Publisher (*), Package name (*), Package version (*) and applying to regular users.

    I deleted my test profile (regular user),  and logged again. And, guess what, I'm still allowed to run the Store app and install some app.

    Anyway, Thanks for the information on that new policy that should do the job in the final release, hopefully.

    Best regards

    • Edited by lolix2 Thursday, July 21, 2016 10:32 AM
    Thursday, July 21, 2016 8:22 AM