
How to block Windows Store or any other application with GPO


As a responsible system administrator in a company, you don't want to let your users install or run any unauthorized programs on their computers (yes, they are often poorly educated about security). The Windows Store is an open door to this type of behavior, so it may be worthwhile to prevent it from running on the company's computers.

And that's exactly what I'm going to talk about in the following article (how lucky you are…). In fact, this method can be used to block any application you want.

We will see how to do this using Software Restriction Policies (Windows 10 only) or with Application Control Policies/AppLocker (available on both Windows 10 and Windows 11).

Creating the Group Policy Object

From our Active Directory server, we create a new GPO.

  • Open the Group Policy Management console:
Launch Group Policy Management Console from Run window
  • Create a new GPO and link it to the OU that contains your computer objects:
Create a new GPO from Group Policy Management
  • Give the new GPO a name:
New GPO name

Using Software Restriction Policies (SRP) (Windows 10)

  • Edit the GPO:
Edit a GPO
  • Go to “Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies”. Right-click and choose New Software Restriction Policies:
Add a New Software Restriction Policies from Group Policy Management Console
  • Then from “Software Restriction Policies > Additional Rules”:
Add a new path rule from New Software Restriction Policies
  • Enter “%programfiles%\WindowsApps\Microsoft.WindowsStore*” in Path and select “Disallowed” as the Security level:
New Path Rule Windows in Software Restriction Policies GPO

Using AppLocker (Windows 11)

In the latest edition of Windows 11, Microsoft has completely disabled the Software Restriction Policies functionality; in fact, it has been deprecated since Windows 10 build 1803. We can still prevent users from launching specific applications with AppLocker, the successor to Software Restriction Policies.

Enable Application Identity service

AppLocker relies on the Application Identity service, so that service must be running for the rules to be enforced. The same GPO can be used to force it to start.

  • To do so, we will force the service to run by editing “Computer Configuration > Policies > Windows Settings > Security Settings > System Services” from the same GPO:
Screenshot showing the Group Policy Management Editor with Application Identity under System Services selected. The context menu option 'Properties' is highlighted. An arrow points to the Application Identity Properties dialog, where 'Define this policy setting' is checked and 'Automatic' is selected for the service startup mode. The OK button is highlighted.

XML rules file

To create our rules, we need to log on to a Windows 11 computer and generate the default rules there; they will be imported into our GPO later.

  • Open the local policy manager:
Screenshot of the Windows Run dialog box with 'gpedit.msc' typed in, indicating administrative privileges will be used to open the Group Policy Editor.
  • Go to “Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules”. Right-click on Packaged app Rules and select Automatically Generate Rules…:
Screenshot of the Local Group Policy Editor in Windows, showing the AppLocker settings under Computer Configuration. The context menu for Packaged app Rules is open with options to Create New Rule, Automatically Generate Rules, Create Default Rules, View, Export List, and Help.
  • Leave the default values and click Next:
Screenshot of the Automatically Generate Packaged app Rules wizard.
  • Uncheck the box "Reduce the number of rules" and click Next:
Screenshot of the Automatically Generate Packaged app Rules wizard. Rule preference step.
  • After the analysis is complete, click Create to populate the rules:
Screenshot of the Automatically Generate Packaged app Rules wizard. Review rules step.
  • Once the rules have been created, export the AppLocker policy to an XML file and copy it to the Active Directory server:
Screenshot showing the Local Group Policy Editor with AppLocker settings selected and the context menu option 'Export Policy' highlighted. An arrow points to the file save dialog on the right side of the screen, where the policy is being saved as 'applocker.xml' to the Desktop.
  • The problem with the raw exported file is that every rule is pinned to the specific version installed on the reference computer:
  • We want the rules to match all possible versions instead, that is, to have the following configuration:
  • To avoid editing hundreds of rules by hand, you can generate a modified XML file with the following PowerShell command:
PS C:\> $(Get-Content .\AppLocker.xml -Raw -Encoding UTF8) -replace ".*BinaryVersionRange LowSection.*",' <BinaryVersionRange LowSection="*" HighSection="*" />' | Out-File -FilePath .\AppLocker_modifie.xml

Or you can download my modified xml file here: AppLocker.xml.

Block the Windows Store App

  • Edit the previously created GPO:
Edit a GPO
  • Go to “Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies”. Right-click on AppLocker and select Import Policy… to add the previously generated XML file:
Screenshot showing the Group Policy Management Editor with AppLocker settings selected and the context menu option 'Import Policy' highlighted. An arrow points to the file open dialog on the right, where 'applocker.xml' is selected, and another arrow points to a confirmation dialog asking 'Do you want to import the policy now?' with the 'Yes' button highlighted.
  • Once imported, go to Packaged app Rules and edit the Microsoft.WindowsStore rule (note that you can block any Windows App listed there, such as games, Xbox, Zune, etc.):
Screenshot showing the Group Policy Management Editor with Packaged app Rules under AppLocker selected. A specific rule for 'Microsoft.WindowsStore' is highlighted, and an arrow points to the context menu where 'Properties' is selected.
  • Select Deny and then go to the Publisher tab:
Screenshot of the Allow Properties dialog in the Group Policy Management Editor. The dialog shows properties for 'Microsoft.WindowsStore' with the Action set to 'Deny'. The dialog includes fields for Name, Description, User or group, and buttons for OK, Cancel, and Apply.
  • In the Publisher tab, replace the version with * and select And above. Finally, click OK:
Screenshot of the Deny Properties dialog in the Group Policy Management Editor. The dialog is for 'Microsoft.WindowsStore' with fields for Publisher, Package name, and Package version. The Package version is set to '*' with 'And above' selected. Buttons for OK, Cancel, and Apply are at the bottom.
  • Finally, check the Configured box and select Enforce rules to enable the block:
Screenshot showing the Group Policy Management Editor with AppLocker under Application Control Policies selected and the context menu option 'Properties' highlighted. An arrow points to the AppLocker Properties dialog where 'Configured' is checked for Packaged app Rules and 'Enforce rules' is selected. The OK button is highlighted.
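The version widening done with the one-liner above and the Allow-to-Deny switch done in the Properties dialog can both be applied to the exported policy as XML. The PowerShell below is an added example, not the article's command: $sample is a constructed stand-in for the export (made-up rule Ids and versions, in the shape AppLocker writes), and the function and output file names are my own.

```powershell
# Added example, not the article's one-liner: treat the exported policy as XML, widen every
# packaged-app rule to any version, then flip the Store rule from Allow to Deny. $sample is a
# constructed stand-in (made-up Ids and versions) for the export; for the real file use
#   $sample = [xml](Get-Content .\AppLocker.xml -Raw)
$sample = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Microsoft.WindowsStore" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
          <BinaryVersionRange LowSection="22304.1401.1.0" HighSection="22304.1401.1.0" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Microsoft.WindowsCalculator" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*">
          <BinaryVersionRange LowSection="11.2307.4.0" HighSection="11.2307.4.0" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Set-AppxRuleVersionsAndDeny {
    param([xml]$Policy, [string[]]$DenyProducts = @('Microsoft.WindowsStore'))
    # The export pins LowSection/HighSection to the build installed on the reference PC.
    foreach ($range in $Policy.SelectNodes('//BinaryVersionRange')) {
        $range.SetAttribute('LowSection', '*'); $range.SetAttribute('HighSection', '*')
    }
    # Deny only the listed packages; the other rules stay Allow, which is what keeps the
    # Start menu and the rest of WindowsApps launching once enforcement is on.
    foreach ($rule in $Policy.SelectNodes('//RuleCollection[@Type="Appx"]/FilePublisherRule')) {
        $product = $rule.SelectSingleNode('Conditions/FilePublisherCondition').GetAttribute('ProductName')
        if ($DenyProducts -contains $product) { $rule.SetAttribute('Action', 'Deny') }
    }
    return $Policy
}

$policy = Set-AppxRuleVersionsAndDeny -Policy $sample
foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
    $v = $rule.SelectSingleNode('.//BinaryVersionRange')
    '{0,-28} {1,-5} {2}..{3}' -f $rule.GetAttribute('Name'), $rule.GetAttribute('Action'), $v.GetAttribute('LowSection'), $v.GetAttribute('HighSection')
}
$policy.Save("$PWD\AppLocker_modified.xml")   # then Import Policy… in the GPO, as in the steps above
```

With the sample input, the Store rule comes out as Deny and Calculator stays Allow, both with the range *..*.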

Block Any Other App

⚠️ Note: even if the application to be blocked is not a Windows App, you still need to import (via the XML file) and enable the Packaged app Rules as explained above. Otherwise you may run into malfunctions when enabling AppLocker's Executable Rules: the Windows Start menu and any application that depends on WindowsApps will no longer run. The other option is to create a publisher rule that allows all Microsoft applications. ⚠️

As an example, we'll look at how to block the Chrome browser, aka the mole.

  • First, choose Create Default Rules so that everything else is not blocked:
Screenshot showing the Group Policy Management Editor with Executable Rules under AppLocker selected and the context menu option 'Create Default Rules' highlighted.
  • Then, Create New Rule…:
Screenshot showing the Group Policy Management Editor with Executable Rules under AppLocker selected and the context menu option 'Create New Rule' highlighted. The default rules for executable files are displayed in the right pane.
  • Click Next on the first window:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Before You Begin' page is shown with instructions to install applications, back up existing rules, and review AppLocker documentation before proceeding. The 'Next' button is highlighted.
  • Select Deny for the action to use:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Permissions' page is shown with the action set to 'Deny' for everyone. The 'Next' button is highlighted.
  • Here we can choose between several types of condition to identify the application to block. The path method is quite easy to bypass, while the hash method is cumbersome to manage if the application is updated frequently or several versions coexist. Publisher is the most precise and flexible method:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Conditions' page is shown with the 'Publisher' option selected, indicating the rule will be created based on the software publisher. The 'Next' button is highlighted.
  • Click Browse to select the executable of the application we want to block:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Publisher' page is shown with a prompt to browse for a reference file. An arrow points to the file open dialog where 'chrome.exe' is selected and the 'Open' button is highlighted.
  • Move the slider up to the file name level so that the rule matches all versions of the software:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Publisher' page is shown with the reference file set to 'chrome.exe'. The slider is set to include the publisher, product name, file name, and any file version. The 'Next' button is highlighted.
  • We don't need to add exceptions, so just click Next:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Exceptions' page is shown with no exceptions added. The primary condition is for 'chrome.exe' in 'Google Chrome' from 'Google LLC'. The 'Next' button is highlighted.
  • Last step, click Create:
Screenshot of the 'Create Executable Rules' wizard in the AppLocker section of the Group Policy Management Editor. The 'Name and Description' page is shown with the name field filled with 'CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'. The 'Create' button is highlighted.
  • Finally, check the Configured box and select Enforce rules to enable the block:
Screenshot showing the Group Policy Management Editor with AppLocker under Application Control Policies selected and the context menu option 'Properties' highlighted. An arrow points to the AppLocker Properties dialog where 'Configured' is checked for Executable rules with 'Enforce rules' selected, and the same for Packaged app Rules. The OK button is highlighted.

Debug, Unblock a Legitimate Application

Depending on the configuration and the applications in use, you may run into situations where legitimate applications are blocked, for example an application that runs from a folder outside Program Files. Here we will see how to resolve this kind of situation.

Trace Blocked Applications

  • On the computer where the application is blocked, open the Windows Event Viewer:
  • In the event log, go to the Applications and Services Logs > Microsoft > AppLocker folder and browse the various logs for information about the blocked application:
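As an added example (not from the article), the PowerShell below reads those AppLocker logs for recent block events and drafts a publisher Allow rule for each blocked signed file. The channel names, the block event IDs (8004, 8007, 8022, 8025) and the UserData field names (TargetUser, FullFilePath, Fqbn) are my assumptions about the AppLocker event schema; it queries the live event log, so it is meant to run on the affected computer.

```powershell
# Added example, not from the article: list what AppLocker blocked and draft an Allow rule
# for each blocked signed file. Channel names, block event IDs and the UserData field names
# are assumptions about the AppLocker event schema (check one event's Details > XML view).
$channels = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'             = 8004   # blocked EXE/DLL
    'Microsoft-Windows-AppLocker/MSI and Script'          = 8007   # blocked MSI/script
    'Microsoft-Windows-AppLocker/Packaged app-Deployment' = 8022   # blocked app install
    'Microsoft-Windows-AppLocker/Packaged app-Execution'  = 8025   # blocked app launch
}

function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $channels.Keys) {
        $filter = @{ LogName = $log; Id = $channels[$log]; StartTime = $since }
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            # UserData carries the decision details; a field a channel lacks simply comes back $null
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{ Time = $e.TimeCreated; Log = $log.Split('/')[-1]
                               User = $d.TargetUser; Path = $d.FullFilePath; Fqbn = $d.Fqbn }
        }
    }
}

# Fqbn is "publisher\product\binary\version"; build a publisher rule that allows any version,
# the same shape the wizard produces when the slider sits at the file name level.
function New-AllowRuleXml {
    param([string]$Fqbn, [string]$Sid = 'S-1-1-0')   # S-1-1-0 = Everyone
    $publisher, $product, $binary, $version = $Fqbn -split '\\', 4
    if (-not $binary) { Write-Warning "No publisher data (unsigned file?): $Fqbn"; return }
    @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow $binary" Description="" UserOrGroupSid="$Sid" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="$binary">
      <BinaryVersionRange LowSection="*" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
}

$blocks = Get-AppLockerBlocks -Hours 72
$blocks | Sort-Object Time | Format-Table Time, Log, User, Path, Fqbn -AutoSize
$blocks | Where-Object Fqbn | Select-Object -ExpandProperty Fqbn -Unique | ForEach-Object { New-AllowRuleXml -Fqbn $_ }
```

The generated fragments go inside the Exe RuleCollection of the policy XML (or are recreated in the wizard); review each one before importing, since a publisher rule allows every file of that product from that vendor.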

All that remains here is to add a rule allowing the application.

Allow All Executables Inside a Folder

Even if it is not recommended, you may need to allow all executables inside a folder.

  • Here we want to allow the execution of all executables inside the folder C:\ALLOWED_EXE\. To do this, our rule should look like this. Note the trailing “*” character, which matches the exe files in the folder and its subfolders; without it, only the exe files directly in the specified folder would be allowed:

Open Windows Store

  • Once the policy is in place, users will see this window appear when they try to run the Windows Store:
This app can't run on your PC window
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
