Windows 10 Pro Edition Loses Group Policy Store-Blocking Capability
Microsoft has limited the ability of IT pros to control Windows Store access with the Windows 10 Pro edition, according to a report.
They can no longer block user access to the Windows Store using Group Policy controls, according to a story this week by veteran Microsoft reporter Mary Jo Foley, citing a Twitter post by SwiftOnSecurity. Apparently, IT pros once did have Group Policy control over Windows Store access with the Windows 10 Pro edition, but that capability ended last month.
The change in policy happened because Microsoft's initial release of Windows 10 (known as version "1511" for the November 2015 release) transitioned from a current branch release to a current branch for business release. Foley said the change was timed with that transition. That current branch for business transition happened on April 12.
It's not clear why a current branch for business milestone might trigger such a policy change. Foley described it as a "retroactive" move by Microsoft. However, Microsoft's Knowledge Base article on the topic indicates that the behavior happened "by design" for Windows 10 Pro version 1511. Only the Enterprise and Education editions of Windows 10 can block Windows Store access using Group Policy, according to that article.
Microsoft's TechNet article on the matter is a bit more nuanced. It notes that Microsoft's AppLocker solution can be used to block Windows Store access, and apparently that's true for the Windows 10 Pro edition as well. AppLocker is Microsoft's solution for imposing restriction policies on software applications.
Microsoft also recommends using AppLocker to block Windows Store access by Windows 10 Mobile users. Mobile device management tools also may work for the purpose, but that's an involved scenario, according to the TechNet article.
It would seem that blocking Windows Store access might be a concern for all businesses, large and small. The Windows Store seems designed more for consumer use. However, in Microsoft's conception, the ability to block access to it is dependent on using the Enterprise edition of Windows 10, or the use of AppLocker.
It's still possible for IT pros using the Windows 10 Pro edition to customize the Start Menu, which shows the Windows Store tile. Customizing the Start Menu is considered to be a "core experience" of Windows 10. However, removing the Windows Store menu icon wouldn't necessarily block end users from accessing the Windows Store and downloading programs.
Using Group Policy to remove Windows Store access when using the Windows 10 Enterprise edition doesn't automatically remove the Windows Store icon, according to this 4sysops article. It takes another separate step to accomplish that action. It's possible to uninstall the Windows Store app. It's also possible to exclude the Windows Store app from the very beginning by excluding it from the Windows 10 operating system image, the article explained.
Microsoft also has something called the Windows Store for Business. It's a feature for all editions of Windows 10 except for the Home edition. It lets organizations house their line-of-business apps in the Windows Store. IT pros have control over access to the Windows Store for Business because they have to set it up to enable user access.
Update: There's an alternative way to use Group Policy to block the Windows Store using Windows 10 Pro edition, as explained by Jeremy Moskowitz, a Group Policy Microsoft MVP and founder of PolicyPak Software. He explained the technique in this video. However, Microsoft typically changes the string involved, so IT pros making this modification may have to do it again. Microsoft MVP Susan Bradley kindly spotted this post.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.