Public store apps can still be installed although only private store is allowed


On Windows 1803 we are blocking the public store by only allowing the private store in the Windows Store app.

This works perfectly, until one point.

If you go to "myLibrary" in the store app, you don't see additional apps, and only the private store apps.

BUT: when another Microsoft account is added to the client, for the mail for example, and you click on the drop down menu, you suddenly have access to all apps you installed with that Microsoft account on other devices, and you are able to install them...

Now, my question: How to block access to those apps as well?

Is it by design that this is possible?

What we also noticed, even without adding anything, by default Candy Crush and Twitter are available in "MyLibrary"....

4 Replies

Today, it seems like the above scenario is a "bit" fixed... But, you still see the apps, but you can't install them anymore.

However....

If you go to store.microsoft.com, search for an app you had installed with another account which is added on your machine, you still can install it... BAM WHAT :D

Now I can still install a Network Port scanner, Kali Linux, Metasploit within a corporate environment where only the PrivateStore should be allowed... Seems a security flaw to me...

I would generally recommend blocking users from adding Microsoft accounts in addition to enabling the Private store restriction, due to the exact reasons you've mentioned. I imagine there are some scenarios where it's not possible to block users from adding Microsoft accounts, but if you can do it then it can make life easier. There's a handy policy in the Policy CSP specifically for this called "AllowMicrosoftAccountConnection" (Policy CSP - Accounts), but I imagine there's a group policy equivalent as well.

Hi Grant,

Thanks for your reply, but we are blocking users from adding private Microsoft Accounts. The problem is, they can still add the account to for example the Mail app on Windows 10. From that moment, the user has access to install all apps he installed with his personal Microsoft account, even if only the private store is open. This is since the 1803 release, since this build now has the "my library" navigation option in the store app.

Just wondering if you found any answers to your initial question @Matthias Vandenberghe?

I'm trying to figure out if this is happening on our machines too.
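
One way to check a device for the situation described in this thread, as an added example that is not part of any reply above: it reads the two policy settings mentioned (private-store-only and AllowMicrosoftAccountConnection) and lists Store-signed packages that are not on an allowlist. The allowlist entries, the helper name `Get-PolicyValue` and the registry locations are assumptions to confirm against your own build and management tooling.

```powershell
# Added example (not from the thread). Run in an elevated session:
# Get-AppxPackage -AllUsers requires administrator rights.

# Hypothetical allowlist: package names your private store publishes or that
# you accept as inbox apps. Both entries are constructed samples.
$AllowedNames = @(
    'Microsoft.CompanyPortal',
    'Contoso.LineOfBusinessApp'
)

# Hypothetical helper: returns $null when the key or value is absent,
# which means the policy is not configured on this device.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Registry locations are assumptions: the Group Policy key for the Store and
# the PolicyManager hive where MDM (Policy CSP) values are normally mirrored.
$policy = [pscustomobject]@{
    Computer                        = $env:COMPUTERNAME
    RequirePrivateStoreOnly         = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' 'RequirePrivateStoreOnly'
    AllowMicrosoftAccountConnection = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts' 'AllowMicrosoftAccountConnection'
}
$policy | Format-List

# Store-signed, non-framework packages registered for any user that are not
# allowlisted. Inbox apps are Store-signed too, so expect to extend the
# allowlist before the remaining rows are meaningful.
$unexpected = Get-AppxPackage -AllUsers |
    Where-Object {
        $_.SignatureKind -eq 'Store' -and
        -not $_.IsFramework -and
        $_.Name -notin $AllowedNames
    } |
    Sort-Object Name |
    Select-Object Name, Version, Publisher, PackageUserInformation

if ($unexpected) {
    Write-Warning ("{0} Store-signed package(s) outside the allowlist" -f @($unexpected).Count)
    $unexpected | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Store-signed packages outside the allowlist.'
}
```

An empty policy value means that setting is not being enforced through the location checked, and the `PackageUserInformation` column shows which user profiles each package is registered for.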