How to block Windows Store or any other application with GPO
Last updated: Jul 6, 2024
As a responsible system administrator in a company, you don't want to let your users install or run any unauthorized programs on their computers (yes, they are often poorly educated about security). The Windows Store is an open door to this type of behavior, so it may be worthwhile to prevent it from running on the company's computers.
And that's exactly what I'm going to talk about in the following article (how lucky you are…). In fact, this method can be used to block any application you want.
We will see how to do this using Software Restriction Policies (Windows 10 only) or with Application Control Policies/AppLocker (available on both Windows 10 and Windows 11).
Creating the Group Policy Object
From our Active Directory server we will create a new GPO.
Open Group Policy Manager console:
Create a new GPO and link it to OU where you have your computers objects:
Give a name to the new GPO:
Using Software Restriction Policies (SRP) (Windows 10)
Edit the GPO:
Go to “Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies”. Right-click and select New Software Restriction Policies:
Then from “Software Restriction Policies > Additional Rules”:
Add “%programfiles%\WindowsApps\Microsoft.WindowsStore*” in Path and select “Disallowed” as Security level:
Using AppLocker (Windows 11)
In the latest edition of Windows 11, Microsoft has completely disabled Software Restriction Policies functionality. In fact, it has been deprecated starting with Windows 10 build 1803. We can still prevent users from launching specific applications using AppLocker, which is the evolution of Software Restriction Policies.
XML rules file
To create our rules, we need to connect to a Windows 11 computer in order to create default rules which will be imported later into our GPO.
Open the local policy manager:
Go to “Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules”. Right-click on Packaged app Rules and select Automatically Generate Rules…
Leave the default values and click Next:
Uncheck the box "Reduce the number of rules" and click Next:
After the analysis is complete, click Create to populate the rules:
Once the rules have been created, export the AppLocker policy to an XML file and copy it to the Active Directory server:
The problem with the raw exported file is that it specifies a specific version for each application:
However, we want the rules to match all possible versions, that is, to have the following configuration:
To avoid manually modifying the hundreds of rules, you can generate a new modified XML file with the following PowerShell command:
Or you can download my modified xml file here: AppLocker.xml.
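As an added example (not the article's own command or its downloadable file), the following script does the rewrite the text describes: it opens the exported policy, sets every BinaryVersionRange to match any version, and, going one step further than the export fix, also switches the Microsoft.WindowsStore rule to Deny so the GUI edit described later is already done. The two file paths are assumptions; point `$InPath` at the file you exported from the Windows 11 computer.

```powershell
# Added example, not the article's own command. Rewrites an exported AppLocker policy so
# every publisher rule matches any version, then flips the Windows Store rule to Deny.
# Assumed paths: adjust $InPath to the file exported from the Windows 11 machine.
$InPath  = 'C:\Temp\AppLocker-export.xml'
$OutPath = 'C:\Temp\AppLocker-allversions.xml'

[xml]$policy = Get-Content -Path $InPath -Raw

# Auto-generated rules carry <BinaryVersionRange LowSection="x.y.z.w" HighSection="*" />.
# An asterisk in both sections is what the console writes when you type * for the version.
$ranges = $policy.SelectNodes('//BinaryVersionRange')
foreach ($range in $ranges) {
    $range.SetAttribute('LowSection',  '*')
    $range.SetAttribute('HighSection', '*')
}

# Same effect as editing the Microsoft.WindowsStore rule in the GPO and selecting Deny.
# Packaged app rules live in the Appx collection; ProductName is the package name
# (-like is case-insensitive, so the upper-cased name in the export still matches).
$storeRules = @(
    $policy.SelectNodes('//RuleCollection[@Type="Appx"]/FilePublisherRule') |
        Where-Object { $_.Conditions.FilePublisherCondition.ProductName -like 'Microsoft.WindowsStore' }
)
foreach ($rule in $storeRules) { $rule.SetAttribute('Action', 'Deny') }

$policy.Save($OutPath)
"$($ranges.Count) version ranges rewritten, $($storeRules.Count) Store rule(s) set to Deny -> $OutPath"
```

Import `$OutPath` with Import Policy… as described in the next section; if you prefer to keep the Deny step in the GUI, delete the `$storeRules` part and the rest still works.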
Block WindowsApp
Edit the previously created GPO:
Go to “Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies”. Right-click on AppLocker and select Import Policy… to add the previously generated XML file:
Once imported, go to Packaged app Rules and edit the Microsoft.WindowsStore rule (note that you can block any Windows App listed, such as games, Xbox, Zune, etc.):
Select Deny and then go to the Publisher tab:
In the Publisher tab, replace the version with * and select And above. Finally, click OK:
AppLocker works with the Application Identity service, so we need this service to be running to make it work. To do so, we will force the service to run by editing “Computer Configuration > Policies > Windows Settings > Security Settings > System Services” from the same GPO:
Finally, check the Configured box and select Enforce rules to enable the Lock:
Block Any Other App
⚠️ Note: Even if the application to be blocked is not a Windows App, you still need to import (via the XML file) and activate the Packaged app Rules as explained above. Otherwise, you might experience malfunctions when activating AppLocker's Executable Rules: you won't be able to open the Windows Start menu or run any application that depends on WindowsApps. The other option is to create a publisher rule that authorizes all Microsoft applications. ⚠️
As an example, we'll look at how to block the Chrome Browser, aka the mole.
First, Create Default Rules to avoid blocking everything:
Then, Create New Rule…:
Click Next on the first window:
Select Deny for the action to use:
Here, we can choose between different types of conditions to specify the application to be blocked. The path method is quite easy to bypass, while the hash method can be cumbersome to manage if the application to be blocked evolves frequently or if several versions coexist. Publisher is the most precise and flexible method:
Click Browse to specify the Executable of the application we want to block:
Move the cursor up to the file name to match all versions of the software:
We don't need to add exceptions, so just click Next:
Last step, click Create:
Finally, check the Configured box and select Enforce rules to enable the Lock:
Debug, Unblock a Legitimate Application
Depending on the configuration and the applications used, you may find yourself in situations where legitimate applications are blocked, for example when an application runs from a folder outside of Program Files. Here we will see how to unblock this kind of situation.
Trace Blocked Applications
From the computer where an application is blocked, open the Windows Event Viewer:
From the event log, go to the Applications and Services Logs > Microsoft > AppLocker folder and browse the various logs to get information about the blocked application:
All that remains here is to add a rule allowing the application.
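The same information can be collected from the command line. The following script is an added example (not part of the article): it reads the four AppLocker event logs for enforced block events and prints, per event, the user, the file path and the publisher chain, which is exactly what a publisher allow rule needs. The field names under `UserData` are taken from the EXE and DLL log and are assumed to be the same in the other logs; packaged app events may leave `FilePath` empty.

```powershell
# Added example, not from the article: list AppLocker block events from the four AppLocker
# logs with what you need to write an allow rule (path, publisher chain, rule that fired).
# Assumption: the UserData field names below (EXE and DLL log) also apply to the other logs.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script',
        'Microsoft-Windows-AppLocker/Packaged app-Execution',
        'Microsoft-Windows-AppLocker/Packaged app-Deployment'
# Enforced blocks only. 8003/8006/8021/8024 are the audit-mode "would have been blocked" twins.
$blockIds = 8004, 8007, 8022, 8025

function Convert-SidToName([string]$sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    }
    catch { $sid }   # unresolvable (e.g. no domain reachable): keep the raw SID
}

Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = $blockIds } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            User = Convert-SidToName $data.TargetUser
            File = $data.FilePath   # %OSDRIVE%\... form, as AppLocker stores it
            Fqbn = $data.Fqbn       # publisher\product\binary\version: feeds a publisher rule
            Rule = $data.RuleName   # rule that matched, if any
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell on the affected computer; an empty result means no enforced block was logged, so check the audit IDs if the policy is in Audit only mode.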
Allow All Executables Inside a Folder
Even if it is not recommended, you may need to allow all executables inside a folder.
Here, we want to allow the execution of all executables inside the folder C:\ALLOWED_EXE\. To do this, our rule should look like this. Note the presence of the “*” character, which matches the exe files in the folder and its subfolders. Without it, only the exe files in the specified folder would have been allowed:
Open Windows Store
Once the policy has been applied, users will see this window appear if they try to run the Windows Store: