Thiesend You can use AppLocker to only allow the Store apps you want. You don't need the Enterprise edition of Windows to get AppLocker anymore. I've been doing this fairly successfully for years.
Watch out for the https://rcmtech.wordpress.com/2023/05/15/microsoft-store-integration-with-applocker/ though.
Also, Microsoft don't consistently sign stuff, and AppLocker wildcards are not great for modern apps, so allowing things like e.g. language packs can be a bit of a pain.
You also need to watch out if you're using Conditional Access Policies in Entra and wanting to use the Store - see https://rcmtech.wordpress.com/2022/11/15/managing-the-microsoft-store-and-apps-with-applocker/ on that too.
Tip: Use Windows Event Forwarding (or your existing SIEM) to collect the AppLocker event logs from endpoints and monitor them regularly for things getting blocked that you don't want to be blocked (e.g. language packs).
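
One way to do the monitoring described in the tip above, as an added example that is not part of the original post. The function name `Get-AppLockerPackagedAppBlocks` is made up for illustration; the two log channels and event IDs 8022 (packaged app blocked from running) and 8025 (packaged app installation blocked) are the ones Microsoft documents for AppLocker, and the sketch assumes events are read either locally or from a collector's `ForwardedEvents` log.

```powershell
# Added example: summarise AppLocker blocks of packaged (Store) apps so that
# unwanted blocks (e.g. language packs) stand out. Not code from the original post.
function Get-AppLockerPackagedAppBlocks {
    param(
        # Local AppLocker channels; on a WEF collector pass 'ForwardedEvents' instead.
        [string[]]$LogName = @(
            'Microsoft-Windows-AppLocker/Packaged app-Execution',
            'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        ),
        # How far back to look.
        [int]$Days = 7
    )

    $filter = @{
        LogName   = $LogName
        Id        = 8022, 8025   # 8022 = run blocked, 8025 = install blocked
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports an error when nothing matches; treat that as "no blocks".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.MachineName
            Action   = if ($_.Id -eq 8022) { 'RunBlocked' } else { 'InstallBlocked' }
            # First line of the rendered message, which carries the package name.
            Detail   = ($_.Message -split "`r?`n")[0]
            Time     = $_.TimeCreated
        }
    } | Group-Object Action, Detail | ForEach-Object {
        # One row per blocked package and action, with the machines affected.
        [pscustomobject]@{
            Count     = $_.Count
            Action    = $_.Group[0].Action
            Detail    = $_.Group[0].Detail
            Computers = ($_.Group.Computer | Sort-Object -Unique) -join ', '
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

Get-AppLockerPackagedAppBlocks -Days 7 | Format-Table -AutoSize -Wrap
```

If the `Detail` column comes back empty on a collector, the subscription is probably forwarding events without rendered message text, and the package name has to be read from the event's properties instead.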