Windows 10 Pro Edition Loses Group Policy Store-Blocking Capability

Microsoft has limited the ability of IT pros to control Windows Store access with the Windows 10 Pro edition, according to a report.

They can no longer block user access to the Windows Store using Group Policy controls, according to a story this week by veteran Microsoft reporter Mary Jo Foley, citing a Twitter post by SwiftOnSecurity. Apparently, IT pros once did have Group Policy control over Windows Store access with the Windows 10 Pro edition, but that capability ended last month.

The change in policy happened because Microsoft's initial release of Windows 10 (known as version "1511" for the November 2015 release) transitioned from a current branch release to a current branch for business release. Foley said the change was timed with that transition. That current branch for business transition happened on April 12.

It's not clear why a current branch for business milestone might trigger such a policy change. Foley described it as a "retroactive" move by Microsoft. However, Microsoft's Knowledge Base article on the topic indicates that the behavior happened "by design" for Windows 10 Pro version 1511. Only the Enterprise and Education editions of Windows 10 can block Windows Store access using Group Policy, according to that article.

Microsoft's TechNet article on the matter is a bit more nuanced. It notes that Microsoft's AppLocker solution can be used to block Windows Store access, and apparently that's true for the Windows 10 Pro edition as well. AppLocker is Microsoft's solution for imposing restriction policies on software applications.

Microsoft also recommends using AppLocker to block Windows Store access by Windows 10 Mobile users. Mobile device management tools also may work for the purpose, but that's an involved scenario, according to the TechNet article.

It would seem that blocking Windows Store access might be a concern for all businesses, large and small. The Windows Store seems designed more for consumer use. However, in Microsoft's conception, the ability to block access to it is dependent on using the Enterprise edition of Windows 10, or the use of AppLocker.

It's still possible for IT pros using the Windows 10 Pro edition to customize the Start Menu, which shows the Windows Store tile. Customizing the Start Menu is considered to be a "core experience" of Windows 10. However, removing the Windows Store menu icon wouldn't necessarily block end users from accessing the Windows Store and downloading programs.

Using Group Policy to remove Windows Store access when using the Windows 10 Enterprise edition doesn't automatically remove the Windows Store icon, according to this 4sysops article. It takes another separate step to accomplish that action. It's possible to uninstall the Windows Store app. It's also possible to exclude the Windows Store app from the very beginning by excluding it from the Windows 10 operating system image, the article explained.

Microsoft also has something called the Windows Store for Business. It's a feature for all editions of Windows 10 except for the Home edition. It lets organizations house their line-of-business apps in the Windows Store. IT pros have control over access to the Windows Store for Business because they have to set it up to enable user access.

Update: There's an alternative way to use Group Policy to block the Windows Store using Windows 10 Pro edition, as explained by Jeremy Moskowitz, a Group Policy Microsoft MVP and founder of PolicyPak Software. He explained the technique in this video. However, Microsoft typically changes the string involved, so IT pros making this modification may have to do it again. Microsoft MVP Susan Bradley kindly spotted this post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.