The Windows 8 App store provides access to tens of thousands of paid and free apps. However, administrators may be concerned because standard employees who are not local administrators can use the Windows 8 app store to install new applications. This is a change from previous versions of Windows when a user would normally need to be a member of the local administrators group in order to install software on a workstation.
An app that a user installs from the Windows 8 App store might conflict and cause problems with an essential line of business application already on the workstation, thereby affecting productivity. In this post we will look at how to prevent this problem by disabling the Windows 8 App store in an Active Directory domain environment by using group policy.
How do I configure the group policy settings?
Create a new Group Policy called “disable Windows 8 app store” and then open it for editing. Within the editor navigate to the following location:
Computer Configuration => Policies => Administrative Templates => Windows Components => Store
Note that you’ll need to be editing the Group Policy on a Windows 8 computer or a server with the Windows 8 administrative template installed to see the “store” option. Under “store” you will see three options on the right pane; you should choose the option for “Turn off the Store application” and set it to “Enabled” as shown in the screen shot below:

Once the Group Policy is applied to a workstation, then a user will see the following message if they try to access the App store:

Note that disabling the App store will also disable the updating of any Apps that had already been installed from the App store. However, in an enterprise environment you would most likely have an alternative method and strategy for keeping applications updated (see below).
As with any Group Policy changes you’ll want to try out the above settings in a test environment before you deploy them to users’ workstations.
What about other software installation routes?
If, as well as disabling the Windows 8 app store, you also need to exert further control over what applications users can run on a workstation then you might benefit from Microsoft AppLocker which comes as part of the Windows 8 Enterprise edition. Here are some of our recent blog posts on how to get the most out of Microsoft AppLocker:
- Microsoft Applocker – Strategies for implementation:
- http://www.newsignature.com/blog/2013/01/03/microsoft-applocker-strategies-for-implementation/
- Extending AppLocker beyond the workstation:
- http://www.newsignature.com/blog/2013/01/09/extending-applocker-beyond-the-workstation/
What about software that I need to install as network administrator?
When you disable the Windows 8 App store it applies to all users of the computer, so you will need an alternative method for installing applications. For networks that are too small to use Microsoft System Center products, Microsoft has a very versatile and useful cloud-based service called Microsoft Intune. As well as providing excellent anti-malware protection to workstations and allowing you to generate inventories and reports, Microsoft Intune also always you to package software and deploy it to workstations. Because Intune is cloud-based, the workstations it manages do not need to always be attached to the corporate network to receive software that you allocate to them.
What if I have more questions?
New Signature has solid, in-depth experience with Microsoft Intune and with configuring Windows 8, so do please give us a call if you would like to discuss how we can help make the technology work for you.