Restrict Access to the Windows Store in Windows 8 and Server 2012

How can I manage user access to the Windows Store?

Users who want to purchase or download an app from the Windows Store must use a Microsoft account, i.e. an account that is linked to a Microsoft identity, such as [email protected]. By default, if a domain user tries to download or purchase an app, they are able to link a Microsoft account to their domain logon.

Fortunately, if your organization decides that you want to prevent users from downloading apps from the Windows Store, there is a Group Policy setting that allows you to disable it across all PCs in the domain. By default, Group Policy settings for the Windows Store don’t appear if you create a policy from Windows Server 2012.

The best way to create the policy is using the Remote Server Administration Tools (RSAT) from a Windows 8 machine that is joined to your domain, or to install the Desktop Experience components on Windows Server 2012, although this is not recommended unless you actually have some use for desktop features on your server.

Disable the Windows Store

To switch off the Windows Store, open the Group Policy Management Console (GPMC) on Windows 8 (with RSAT installed), using a domain account that has permission to create new Group Policy Objects (GPOs).

  • In the left pane of GPMC, expand your AD forest and domain.
  • Right-click the Group Policy Objects folder and select New from the menu.
  • In the New GPO dialog, name the GPO Disable Windows Store and click OK.
  • Click the Group Policy Objects folder in the left pane.
  • Right-click the new GPO in the right pane of GPMC and select Edit from the menu.
  • In the Group Policy Management Editor window, expand Computer Configuration > Policies > Administrative Templates > Windows Components and click Store.

Managing User Access to the Windows Store

  • In the right pane of the editor window, double-click Turn off the Store application.
  • In the Turn off the Store application dialog, click Enable and then OK.
  • Close the Group Policy Management Editor window.
  • In the left pane of GPMC, right-click your AD domain or an Organizational Unit, and select Link an Existing GPO here from the menu.
  • In the Select GPO dialog, choose the Disable Windows Store GPO and click OK.

Wait for Group Policy to update on the affected machines and you’ll see an access denied message when trying to access the Windows Store. Any apps already installed will remain in place but not be updated.