Blocking the Microsoft Store (App) with AppLocker

If you want to stop users from installing apps from the Microsoft Store and apps.microsoft.com, while still letting built-in Store apps like Photos, Paint, and Snipping Tool run and update automatically in the background, this post will show you how I pulled it off using AppLocker deployed through a Custom OMA-URI policy in Microsoft Intune.


Why AppLocker instead of the built-in Store policy?

Intune’s Settings Catalog includes a setting called “Turn off the Store application”, which sets the RemoveWindowsStore registry key.

While this blocks the Store, it also prevents automatic background updates for preinstalled Store apps like Photos, Paint, and Snipping Tool — which is not what we want.

AppLocker gives more granular control: it blocks the Store app itself while allowing every other installed Store app to run and update normally.


Prerequisites

  • Windows 11 managed devices enrolled in Intune (tested on 25H2 enterprise)
  • The Application Identity service (AppIDSvc) must be running on target devices (verify with Get-Service -Name AppIDSvc)

Create a Custom Configuration Profile in Intune

Go to the Microsoft Intune admin center (intune.microsoft.com)

Navigate to Devices → Configuration → Create → New Policy

Set the following:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Select: Custom

Click Create

Give the profile a name, for example: AppLocker - Block Microsoft Store and enter a description.

Click Next.


Add the OMA-URI Setting

Under Configuration settings, click Add

Fill in the following:

Save the XML below as an .xml file, then browse to the file and select it.

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="b9e18c21-ff8f-43cf-b9fc-db40eed693ba"
                    Name="Allow all Store apps except Windows Store"
                    Description="Staat alles toe, behalve de Store zelf"
                    UserOrGroupSid="S-1-1-0"
                    Action="Allow">
    <!-- The broad allow: any publisher, any product, any binary, any version -->
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
    <!-- The hard exception built into the Allow rule: the Store package itself -->
    <Exceptions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
                              ProductName="Microsoft.WindowsStore"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePublisherRule>
</RuleCollection>

Click Save and Next.


Assign the Policy

Under Assignments, select the device group(s) you want to target

It is recommended to first assign to a test group containing only a few devices

Click Next, Next and then Create


Test the Result

After syncing the device (either via Intune portal or by going to Settings → Accounts → Access work or school → Sync), verify the policy has been applied by starting the Microsoft Store app.

Test 1 — Store is blocked: Open the Microsoft Store app. You should see the message:

Test 2 — Other Store apps still work and will update: Open Photos, Paint, and Snipping Tool. These should open without any issues and should be at their newest versions.


How it works

The AppLocker rule collection does two things:

It allows everyone (S-1-1-0 = “Everyone”) to run any Store app from any publisher, any product, any binary — the wildcards on PublisherName, ProductName, and BinaryName make it as broad as possible.

But there is one explicit exception carved out: the Microsoft Store app itself (Microsoft.WindowsStore, signed by Microsoft Corporation). That exception blocks users from launching the Store, regardless of the broad Allow above.

Because RemoveWindowsStore is not set, the Store engine continues to run in the background, allowing automatic updates for preinstalled apps to download and install silently — without user intervention.
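To verify on a device what the two manual tests above check by hand, here is an added PowerShell script (not from the original post): it confirms AppIDSvc is running, checks that the Appx collection with the Microsoft.WindowsStore exception actually arrived, and asks AppLocker for its decision on the Store and on Photos. It assumes an elevated session on a target device and that the Photos package (Microsoft.Windows.Photos) is installed.

```powershell
# Added verification script; run elevated on a device that received the policy.

# 1. AppLocker only enforces while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is '$($svc.Status)'; AppLocker rules are not being enforced."
}

# 2. Export the effective policy and look for the Appx collection and the
#    Microsoft.WindowsStore exception that the Intune profile should deliver.
$policyXml = Get-AppLockerPolicy -Effective -Xml
[xml]$effective = $policyXml
$appx = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if (-not $appx) {
    Write-Warning "No Appx rule collection found; the Intune policy has not applied yet."
} else {
    "Appx collection enforcement mode: $($appx.EnforcementMode)"
    $storeException = $appx.FilePublisherRule.Exceptions.FilePublisherCondition |
        Where-Object { $_.ProductName -eq 'Microsoft.WindowsStore' }
    "Store exception present: $($null -ne $storeException)"
}

# 3. Ask AppLocker what it would decide for the Store package and for Photos,
#    the same two checks the manual tests perform by launching the apps.
$policyFile = Join-Path $env:TEMP 'effective-applocker.xml'
Set-Content -Path $policyFile -Value $policyXml
$packages = @('Microsoft.WindowsStore', 'Microsoft.Windows.Photos') |
    ForEach-Object { Get-AppxPackage -Name $_ }
Test-AppLockerPolicy -XmlPolicy $policyFile -Packages $packages -User Everyone
```

The Store package should come back as Denied (matching the exception) and Photos as Allowed; any other result means the policy has not applied or AppIDSvc is stopped.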

If you also want to block access to apps.microsoft.com, this article has a good solution using the browsers' block-URL policy settings:

Blocking Store App Downloads on Windows 11 – The Browser Trick – headsinthecloud.blog

I added the block URL for apps.microsoft.com for Chrome, Edge and Firefox and it works great:

The only downside of this blocking policy is that when signing into the Edge browser with your personal account (if allowed), it doesn’t apply these policy settings, so apps.microsoft.com is still allowed to be visited. If you want to prevent this, then blocking personal accounts from signing in to managed browsers would be a good idea I guess.

Or use an Intune remediation script to add an entry for apps.microsoft.com to the hosts file:

Detection script:

# Detect - exit 0 (compliant) if the hosts file already contains the entry, else exit 1
$hosts = Get-Content "C:\Windows\System32\drivers\etc\hosts"
if ($hosts | Select-String -SimpleMatch "apps.microsoft.com") {
    exit 0
} else {
    exit 1
}

Remediation script:

# Remediate - add apps.microsoft.com to hosts
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$entry = "0.0.0.0 apps.microsoft.com"

# Start on a fresh line if the file does not already end with a newline,
# otherwise Add-Content would glue the entry onto the last existing line
$raw = [System.IO.File]::ReadAllText($hostsPath)
if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { $entry = "`r`n" + $entry }
Add-Content -Path $hostsPath -Value $entry

Published on iamsysadmin.eu — Remy | Endpoint Management @ Radboud University