MS Store still available for users although blocked by policy
Hi James,
Thank you for this project; it has been the perfect intro into a solid Intune deployment for my customers migrating to a cloud-only future.
I noticed that the policy "Win - OIB - Microsoft Store - U - Configuration - v3.1.1" won't block the public MS Store for Windows 11 Pro -- that setting is only for Windows Enterprise (source). Windows 11 Pro is probably the most used edition for smaller SMBs, so is there another way to achieve the desired output?
- block public MS store
- allow automatic updates of already (pre-)installed MS store Apps
- limit user initiated app store download to MS private store (company portal)
Thanks for any insight, Denis
Hi @denisbrodbeck .
Thanks for your kind comments and I'm glad the project has helped!
This has actually been a long-standing gripe of mine and I try and bring it up at every opportunity I get. What's even worse is that some CSPs work on Pro, but not on Business, which if your org has M365 Business Premium will be an auto-upgrade. Just because a business has <300 people doesn't mean they don't deserve the same level of endpoint controls.
There is currently an additional complication that I noticed and flagged in April: https://x.com/SkipToEndpoint/status/1782521571774550064 Without Application Control in place such as AppLocker or WDAC, users can freely totally bypass those enterprise controls on the Store just by navigating to apps.microsoft.com.
In answer to your question, assuming those CSPs remain unavailable to the Pro/Business SKUs, there's really no other option you have without looking at native app controls in AppLocker/WDAC, or a third-party tool such as ThreatLocker.
I hope you don't mind if I cite this the next opportunity I get to bring this issue up?
Thanks James
@denisbrodbeck - regarding point 2, you should be able to use Winget to update any MS store App that is pre-installed. I use this fork of Romanitho's Winget-AutoUpdate: https://github.com/Weatherlights/Winget-AutoUpdate-Intune
It has ADMX backed policies that you can upload to Intune to set config profiles, you can also deploy the program using the new app store option in Intune.
Hey James, do you have a list of CSPs that work in Pro but not Business, and vice versa? Most of my endpoints use Bus Prem so they are on Win 11 Business, MS Store is blocked, AppLocker prevents the install of any apps downloaded from apps.microsoft.com.
That is crazy about the URL access but hopefully most people have AppLocker/WDAC; those who don't could use Defender web content filtering, filtering on their third-party Internet Security software or go old school with the HOSTS file.
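As an added example (not code from this thread or from the OpenIntuneBaseline project), the PowerShell audit below reports, for one endpoint, what the question at the top of the thread and the mitigations above turn on: the edition, whether the Store policy values actually landed, whether AppLocker packaged-app rules are enforced, and whether a hosts-file block for apps.microsoft.com exists. It assumes the Store policies are written to the Group Policy registry location `HKLM\SOFTWARE\Policies\Microsoft\WindowsStore` as `RemoveWindowsStore` / `RequirePrivateStoreOnly`, and that the AppLocker "Appx" collection is the one that covers installs started from apps.microsoft.com; the function name `Get-StoreLockdownReport` is made up for this example.

```powershell
# Added example, not from the thread or the OpenIntuneBaseline project.
# Audits one endpoint's Microsoft Store lockdown state so you can verify what
# the Intune policy actually did on this SKU instead of trusting the CSP docs.
# Assumptions: Store settings land in the Group Policy registry path below as
# RemoveWindowsStore / RequirePrivateStoreOnly, and the AppLocker "Appx"
# (packaged app) collection is what covers installs started from apps.microsoft.com.
# Run in an elevated PowerShell session.

function Get-StoreLockdownReport {
    [CmdletBinding()]
    param()

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # Policy-backed Store values: DWORD 1 = on; an absent value means "not configured".
    $storePol    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -ErrorAction SilentlyContinue
    $removeStore = ($null -ne $storePol) -and ($storePol.RemoveWindowsStore -eq 1)
    $privateOnly = ($null -ne $storePol) -and ($storePol.RequirePrivateStoreOnly -eq 1)

    # Is the Store app itself still registered for the current user?
    $storePresent = $null -ne (Get-AppxPackage -Name 'Microsoft.WindowsStore' -ErrorAction SilentlyContinue)

    # Effective AppLocker enforcement for packaged apps (the collection that would
    # stop a user installing a package fetched via apps.microsoft.com).
    $appxEnforcement = 'NotConfigured'
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        foreach ($rc in $policy.RuleCollections) {
            if ($rc.RuleCollectionType -eq 'Appx') { $appxEnforcement = [string]$rc.EnforcementMode }
        }
    } catch {
        $appxEnforcement = "Unavailable ($($_.Exception.Message))"
    }

    # Old-school fallback mentioned in the thread: a hosts-file entry for apps.microsoft.com.
    $hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hostsBlocked = [bool](Select-String -Path $hostsPath -Pattern 'apps\.microsoft\.com' -Quiet -ErrorAction SilentlyContinue)

    # Findings a defender would act on.
    $findings       = New-Object System.Collections.Generic.List[string]
    $enterpriseLike = $editionId -match 'Enterprise|Education'
    if (($removeStore -or $privateOnly) -and -not $enterpriseLike) {
        $findings.Add("Store policy is present in the registry but edition '$editionId' may not honour it; confirm by opening the Store.")
    }
    if ($appxEnforcement -ne 'Enabled' -and -not $hostsBlocked) {
        $findings.Add('No enforced AppLocker packaged-app rules and no hosts-file block: installs from apps.microsoft.com are not covered.')
    }
    if (-not ($removeStore -or $privateOnly)) {
        $findings.Add('Neither RemoveWindowsStore nor RequirePrivateStoreOnly is set; the public Store is not restricted by policy.')
    }

    [pscustomobject]@{
        Caption                 = $os.Caption
        EditionID               = $editionId
        RemoveWindowsStore      = $removeStore
        RequirePrivateStoreOnly = $privateOnly
        StoreAppPresent         = $storePresent
        AppLockerAppxEnforce    = $appxEnforcement
        HostsFileBlocksStoreWeb = $hostsBlocked
        Findings                = $findings
    }
}

Get-StoreLockdownReport | Format-List
```

Run it on a Pro or Business device after the Intune policy has synced: if `RequirePrivateStoreOnly` shows `True` but the public Store still opens, the registry value arrived and the SKU ignored it, which is the behaviour this thread is about; if `AppLockerAppxEnforce` is anything other than `Enabled`, the apps.microsoft.com path is still open regardless of the Store setting.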
I can tell you that a significant number of people are not using application control. I also tried to use MDE and it's not nearly as easy as you think.
As for the CSPs that don't work on non-Ent SKUs, no, you'd have to validate against the CSP documentation, but the difficulty with that is even they're incorrect in places. For example desktop/lockscreen images say they work on Pro when they don't.