
MS Store still available for users although blocked by policy #24

Open
denisbrodbeck opened this issue Jul 16, 2024 · 4 comments

@denisbrodbeck

Hi James,

thank you for this project. It has been the perfect intro into a solid Intune deployment for my customers migrating to a cloud-only future.

I noticed that the policy "Win - OIB - Microsoft Store - U - Configuration - v3.1.1" won't block the public MS Store for Windows 11 Pro -- that setting is only for Windows Enterprise (source). Windows 11 Pro is probably the most used edition for smaller SMBs, so is there another way to achieve the desired outcome?

  • block public MS store
  • allow automatic updates of already (pre-)installed MS store Apps
  • limit user initiated app store download to MS private store (company portal)

Thanks for any insight
Denis

@SkipToTheEndpoint
Owner

Hi @denisbrodbeck .

Thanks for your kind comments and I'm glad the project has helped!

This has actually been a long-standing gripe of mine and I try and bring it up at every opportunity I get. What's even worse is that some CSPs work on Pro, but not on Business, which if your org has M365 Business Premium will be an auto-upgrade. Just because a business has <300 people doesn't mean they don't deserve the same level of endpoint controls.

There is currently an additional complication that I noticed and flagged in April:
https://x.com/SkipToEndpoint/status/1782521571774550064
Without Application Control in place such as AppLocker or WDAC, users can freely totally bypass those enterprise controls on the Store just by navigating to apps.microsoft.com.

In answer to your question, assuming those CSPs remain unavailable to the Pro/Business SKUs, there's really no other option you have without looking at native app controls in AppLocker/WDAC, or a third-party tool such as ThreatLocker.

I hope you don't mind if I cite this the next opportunity I get to bring this issue up?

Thanks
James
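An added audit script, not part of the OIB project or of this thread, that checks the two gaps James describes on a single device: it reads the Windows edition and the Store policy values, and reports whether any AppLocker packaged-app (Appx) rules are in effect. It assumes the standard Store policy registry key and the documented Group Policy value meanings noted in the comments.

```powershell
# Added audit script (not part of the OIB project): reports whether the Store
# controls discussed in this thread would actually take effect on this device.
# Assumptions: Store policy values live under the standard policy key
# HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore, and AppLocker "Appx" rules
# are the packaged-app rules that govern installs from apps.microsoft.com.

function Get-StoreControlAudit {
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    # Per the Microsoft docs cited in the thread, the Store CSP settings are
    # honoured only on Enterprise and Education SKUs, not Pro or Business.
    $enterpriseSku = $edition -match 'Enterprise|Education'

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $policy = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    $result = [ordered]@{
        Edition                 = $edition
        PolicyApplies           = $enterpriseSku
        RemoveWindowsStore      = $policy.RemoveWindowsStore      # 1 = Store app turned off
        RequirePrivateStoreOnly = $policy.RequirePrivateStoreOnly # 1 = private store only
        AutoDownload            = $policy.AutoDownload            # 4 = auto-update on, 2 = off
        AppxRulesPresent        = $false
    }

    # Without packaged-app rules, the web Store can still install anything.
    $applocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($applocker) {
        $appx = $applocker.RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Appx' }
        $ruleCount = ($appx | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
        $result.AppxRulesPresent = [bool]$ruleCount
    }

    if (-not $enterpriseSku -and
        ($policy.RemoveWindowsStore -eq 1 -or $policy.RequirePrivateStoreOnly -eq 1)) {
        Write-Warning "Store policy is configured but this is '$edition'; expect it to be ignored."
    }
    if (-not $result.AppxRulesPresent) {
        Write-Warning 'No AppLocker packaged-app rules found: installs from apps.microsoft.com are not controlled.'
    }
    [pscustomobject]$result
}

Get-StoreControlAudit
```

Run it elevated on a test device; a Pro/Business SKU with the policy values set but PolicyApplies false is exactly the case Denis hit.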

@ak47uk

ak47uk commented Jul 26, 2024

@denisbrodbeck - regarding point 2, you should be able to use Winget to update any MS store App that is pre-installed. I use this fork of Romanitho's Winget-AutoUpdate: https://github.com/Weatherlights/Winget-AutoUpdate-Intune

It has ADMX backed policies that you can upload to Intune to set config profiles, you can also deploy the program using the new app store option in Intune.

@ak47uk

ak47uk commented Jul 26, 2024

> Hi @denisbrodbeck .
>
> Thanks for your kind comments and I'm glad the project has helped!
>
> This has actually been a long-standing gripe of mine and I try and bring it up at every opportunity I get. What's even worse is that some CSPs work on Pro, but not on Business, which if your org has M365 Business Premium will be an auto-upgrade. Just because a business has <300 people doesn't mean they don't deserve the same level of endpoint controls.
>
> There is currently an additional complication that I noticed and flagged in April: https://x.com/SkipToEndpoint/status/1782521571774550064 Without Application Control in place such as AppLocker or WDAC, users can freely totally bypass those enterprise controls on the Store just by navigating to apps.microsoft.com.
>
> In answer to your question, assuming those CSPs remain unavailable to the Pro/Business SKUs, there's really no other option you have without looking at native app controls in AppLocker/WDAC, or a third-party tool such as ThreatLocker.
>
> I hope you don't mind if I cite this the next opportunity I get to bring this issue up?
>
> Thanks
> James

Hey James, do you have a list of CSPs that work in Pro but not Business, and vice versa? Most of my endpoints use Bus Prem so they are on Win 11 Business, MS Store is blocked, and AppLocker prevents the install of any apps downloaded from apps.microsoft.com.

That is crazy about the URL access, but hopefully most people have AppLocker/WDAC; those who don't could use Defender web content filtering, filtering on their third-party Internet Security software, or go old school with the HOSTS file.

@SkipToTheEndpoint
Owner

I can tell you that a significant number of people are not using application control. I also tried to use MDE and it's not nearly as easy as you think.

As for the CSPs that don't work on non-Ent SKUs, no, you'd have to validate against the CSP documentation, but the difficulty with that is even they're incorrect in places. For example, desktop/lockscreen images say they work on Pro when they don't.
