Microsoft Tech Community

Enable Microsoft Store Auto Update Apps through Group Policy


Dear Community

 

PC fleet: Approx 1.000 - Windows 10 and 11

Microsoft Environment: On Premise primary - however Intune is being configured at the moment

Access to downloading apps through MS Store (Not MS Store for Business): No

MS Store for Business configured: No

 

Our company has a policy which does not allow Microsoft Store downloads to be available (it can open the store but not download). This is configured with Group Policy (the same policy which disables Windows Update, as we use WSUS for this). However, we do have a Test Group Policy which we can assign a PC to, and it gets access to MS Store (updating and downloading).

 

But I am looking for a better configuration for this. The MS Store should automatically download all updates to the apps which are a part of Windows, like Calendar, Sticky Notes, etc. - but the user should not be able to download any other apps.

 

Is this possible with Group Policy? If it is, how?

 

Thanks!

 

/J.T.

8 Replies
Unfortunately, you have limited management capability when it comes to Microsoft Store.
You won't be able to manage updates and manage or control applications.
However, you may file feedback in the Feedback Hub app or upvote existing ones.

Thanks for your reply.

Okay I see. So there is no way to manage both updates of apps which are installed and block downloading new apps?

What is best practice when it comes to the MS Store? We want the standard modern apps which are being installed in WIN 10 and 11 to be updated all the time and at the same time we want to block users from downloading new apps.

Thanks.

Updates will be done automatically, so when they connect to the internet they get the latest update, but you couldn't manage it. The only option you have is to disable access to Microsoft Store. You could use AppLocker to restrict applications; for example, you may create an allow list and deny other applications, or allow all and deny the ones you want to restrict, depending on your requirements.
Have a look at:
https://learn.microsoft.com/en-us/windows/configuration/stop-employees-from-using-microsoft-store

Hi @IT-supporter007!

Your question was answered during the May 23rd episode of Unpacking Endpoint Management. Please see the panel's answer at around 35:15. You can also catch future episodes of Unpacking Endpoint Management at https://aka.ms/UEM.

@Char_Cheesman I just stumbled upon this post as I am wanting to accomplish the same as OP. The question was asked in your linked video but it wasn't answered. Did Aria provide a follow-up?

Reza answered correctly above. Currently we still have limited controls available for Store. You can find some of the configurations available here: https://learn.microsoft.com/en-us/windows/configuration/stop-employees-from-using-microsoft-store

@Aria Carley 

When can we expect a fix for this? As someone responsible for vulnerability management, not being able to update UWP apps without proper controls is making it difficult to keep up with remediation.

I've followed the guidance on this URL as well as here (https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft#what-you-need-to-know) and I do not see that native UWP apps are updating automatically. Do we know if there's a restriction on when those updates might occur like if we have Active Hours set via an Update Ring? If these policy settings do allow for updates, but they're not running, is there a method in which to invoke them that we could push with a Remediation Script?
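
A detection-style check for the policy values that commonly stop built-in Store apps from updating, followed by an on-demand update scan, added here as an example for the remediation-script question above; it is not code from any poster or from Microsoft. The function names and the pass/fail rules are assumptions, and the scan assumes the MDM Bridge WMI provider is available and the script runs elevated.

```powershell
# Added example (not from the thread). Run elevated; as an Intune remediation it runs as SYSTEM.
# Value names are those written by the Store and Windows Update administrative templates;
# treating each listed value as a blocker is this example's assumption.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
       Name = 'AutoDownload'; Bad = 2
       Why  = 'Automatic download and install of Store app updates is turned off' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Bad = 1
       Why  = 'Windows Update internet locations are blocked, which can affect the Store' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DisableWindowsUpdateAccess'; Bad = 1
       Why  = 'Access to all Windows Update features is removed' }
)

function Get-StoreUpdateBlocker {      # hypothetical helper name
    foreach ($c in $checks) {
        # A missing key or value means the policy is not configured, so it is not a blocker.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -eq $c.Bad) {
            [pscustomobject]@{ Value = $c.Name; Data = $c.Bad; Reason = $c.Why }
        }
    }
}

function Start-StoreAppUpdateScan {    # hypothetical helper name
    # MDM Bridge WMI provider: asks the app management stack to scan for app updates.
    $target = @{
        Namespace = 'root\cimv2\mdm\dmmap'
        ClassName = 'MDM_EnterpriseModernAppManagement_AppManagement01'
    }
    Get-CimInstance @target -ErrorAction Stop |
        Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null
}

$blockers = @(Get-StoreUpdateBlocker)
if ($blockers.Count -gt 0) {
    $blockers | Format-Table -AutoSize | Out-String | Write-Output
    exit 1    # non-compliant: resolve the policy conflict before requesting a scan
}
Start-StoreAppUpdateScan
Write-Output 'No blocking policy values found; update scan requested.'
exit 0
```

The exit codes follow the Intune Remediations convention, where a detection script returning 1 marks the device as needing remediation.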