Organizations block Microsoft Store to stop users from installing apps that could be security risks, consume too much bandwidth, or violate software licensing rules. Without a policy, users can install apps the IT team never sees, which leads to compliance issues and a larger attack surface. This guide explains three GPO-based ways to block Store access for Windows Pro, Enterprise, and Education. It includes verification steps, troubleshooting tips, and commonly overlooked bypass methods.

Which method applies to your environment?

The right approach depends on the Windows edition in your domain. The built-in GPO policy for blocking the Store is not enforced on Windows Pro. Microsoft documents this as by-design behavior in KB3135657. Applying it to Pro machines and expecting it to work is the most common mistake with this configuration.

Windows edition                          Recommended method
---------------------------------------  ------------------------------------------------------------------------
Windows 10/11 Enterprise                 Method 1: Turn off the Store application (GPO administrative templates)
Windows 10/11 Education                  Method 1: Turn off the Store application (GPO administrative templates)
Windows 10/11 Pro                        Method 2: Software Restriction Policies
Mixed environment (Pro and Enterprise)   Method 2 for Pro machines; Method 1 or 3 for Enterprise and Education, in separate GPOs per OU

If your environment has a mix of editions in the same OU, create separate GPOs with security group filtering to ensure the correct method reaches each machine type.

Prerequisites

  • Domain Administrator privileges to create and link GPOs
  • The Group Policy Management Console (GPMC) installed, available via Remote Server Administration Tools (RSAT) on Windows 10 and Windows 11, or installed by default on Windows Server with the Group Policy Management feature
  • Confirmation of which Windows edition is running on your target machines; run winver or check Settings > System > About
  • A test OU with representative machines to validate before deploying domain-wide
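Confirming the edition one machine at a time with winver does not scale. The script below is an added example, not part of the original guide: it reads the EditionID from each target over PowerShell remoting and maps it to the method recommended above. The host names are constructed placeholders, WinRM access to the targets is assumed, and the mapping of Pro-derived editions (ProfessionalWorkstation, ProfessionalEducation) to Method 2 is an assumption consistent with the KB3135657 behaviour.

```powershell
# Added example, not part of the original guide: inventory the Windows edition of
# candidate machines and map each one to the method the table above recommends.
# Assumes PowerShell remoting (WinRM) to the targets; the host names are placeholders.
$computers = @('WS-ENT-01', 'WS-PRO-01', 'WS-EDU-01')   # constructed placeholder names

function Get-StoreBlockMethod {
    # Maps the EditionID string from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    # to the recommended method. Pro-derived editions (ProfessionalWorkstation,
    # ProfessionalEducation) are treated as Pro here; that is an assumption.
    param([Parameter(Mandatory)][string]$EditionId)
    switch -Regex ($EditionId) {
        '^Enterprise'   { return 'Method 1 (Turn off the Store application) or Method 3 (AppLocker)' }
        '^Education'    { return 'Method 1 (Turn off the Store application) or Method 3 (AppLocker)' }
        '^Professional' { return 'Method 2 (Software Restriction Policies)' }
        '^Core'         { return 'Home edition: gpedit/GPO not available for these methods' }
        default         { return "Unmapped edition '$EditionId': check manually" }
    }
}

$report = foreach ($c in $computers) {
    try {
        $info = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            # ProductName still reads "Windows 10 ..." on Windows 11; CurrentBuild >= 22000 is Windows 11.
            [pscustomobject]@{
                ProductName = $cv.ProductName
                EditionID   = $cv.EditionID
                Build       = [int]$cv.CurrentBuild
            }
        }
        [pscustomobject]@{
            Computer  = $c
            Product   = $info.ProductName
            Build     = $info.Build
            Windows   = if ($info.Build -ge 22000) { '11' } else { '10' }
            EditionID = $info.EditionID
            Method    = Get-StoreBlockMethod -EditionId $info.EditionID
        }
    } catch {
        [pscustomobject]@{
            Computer = $c; Product = 'unreachable'; Build = ''; Windows = ''
            EditionID = ''; Method = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```

Group the resulting machines by the Method column to decide which OUs or security groups each GPO should target before you create anything in the GPMC.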

Method 1: Turn off the Store application (Enterprise and Education only)

This is the officially supported GPO method. It displays a blocked access message when users open the Store and prevents them from browsing or installing apps. It works on Windows 10 and Windows 11 Enterprise and Education editions. It does not work on Pro.

Step 1: Open the GPMC and create a new GPO

  1. Press Win + R, type gpmc.msc, and press Enter.
  2. In the left pane, expand the forest and domain tree. Right-click the OU containing your Enterprise or Education machines and select Create a GPO in this domain, and Link it here.
  3. Name the GPO, for example, Block Microsoft Store - Enterprise.
  4. Click OK.

Step 2: Enable the policy

  1. Right-click the new GPO and select Edit.
  2. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Store.
  3. In the right pane, locate Turn off the Store application.
  4. Double-click Turn off the Store application.
  5. Set the policy to Enabled.
  6. Click Apply, then OK.
  7. Close the Group Policy Management Editor.

When this policy applies, users who open Microsoft Store see the message Microsoft Store is blocked. Contact your system administrator for more information. The Store app remains installed on the machine but is inaccessible.

Note: This policy does not stop the Store from performing background app updates. Apps already installed on the machine continue to receive updates automatically. If you also need to prevent app updates, consider using AppLocker to block the Store process entirely, as covered in Method 3 below.
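The same GPO can be built from PowerShell with the GroupPolicy module that ships with the GPMC. The script below is an added example, not part of the original guide. It creates the GPO, sets the registry value that the Turn off the Store application template writes, applies the security group filtering recommended above for mixed OUs, and links the GPO once. The GPO name, OU distinguished name and computer group name are placeholders.

```powershell
# Added example, not part of the original guide: build the Method 1 GPO from
# PowerShell with the GroupPolicy module (installed with the GPMC / RSAT).
# Requires Domain Admin rights. Names and the OU DN below are placeholders.
Import-Module GroupPolicy

$gpoName  = 'Block Microsoft Store - Enterprise'
$targetOu = 'OU=Enterprise Workstations,DC=corp,DC=example'   # placeholder OU DN
$applyGrp = 'GG-StoreBlock-Enterprise'                         # placeholder group of Enterprise/Education computers

# 1. Create the GPO if it does not already exist (re-runs are safe).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Turn off the Store application (Enterprise/Education only)'
}

# 2. "Turn off the Store application" = Enabled. The administrative template writes this
#    value; setting it here is equivalent to choosing Enabled in the Group Policy editor.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsStore' `
    -ValueName 'RemoveWindowsStore' -Type DWord -Value 1 | Out-Null

# 3. Security group filtering for a mixed OU: only members of $applyGrp apply the GPO.
#    Authenticated Users keep Read (not Apply). Since MS16-072, computer policy processing
#    fails if the computer account cannot read the GPO, so do not remove Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO to the OU, skipping the link if it is already there.
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 5. Read back the setting the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsStore' |
    Select-Object ValueName, Type, Value
```

Step 3 is what makes the mixed-environment advice work: a Pro machine in the same OU that is not a member of the filtering group reads the GPO but does not apply it, while the Enterprise and Education machines in the group do.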

Method 2: Software Restriction Policies (Windows Pro)

Method 3: AppLocker (Enterprise and Education only)

What blocking the Store does not prevent

Two gaps apply regardless of which method you use.

Background app updates can continue: blocking Store access stops users from browsing and installing new apps, but the Store's update machinery can still check for and apply updates to already installed apps in the background. The direct control for that is the separate policy Turn off Automatic Download and Install of updates in the same Windows Components > Store node. If you need updates stopped regardless of Store settings, use AppLocker to block WinStore.App.exe and the Store background service, or manage app update policies through Intune directly.

Windows Package Manager (winget) can bypass Store UI restrictions: winget is a command-line package manager built into Windows 11 and available on Windows 10 through the App Installer package (Microsoft.DesktopAppInstaller). Users with access to Command Prompt or PowerShell can install Store-sourced packages with winget install --source msstore without ever opening the Store UI. To close this gap, either restrict Command Prompt and PowerShell access for standard users or block winget with AppLocker. Because App Installer is a packaged app, installed under %programfiles%\WindowsApps\Microsoft.DesktopAppInstaller*, it is governed by AppLocker Packaged app Rules: create a Deny rule on publisher Microsoft Corporation and package name Microsoft.DesktopAppInstaller rather than an executable path rule, which does not apply to packaged apps. Windows Package Manager also ships its own ADMX template (DesktopAppInstaller.admx, surfaced under Windows Components > Desktop App Installer) with policies to disable App Installer entirely or only its Microsoft Store source; that is the cleanest fix where the template is available in your central store.

How to verify the policy applied

Check 1: Confirm the GPO is in the applied list

On a target machine, run the following from an elevated Command Prompt:

gpresult /r /scope computer

Your GPO name should appear under Applied Group Policy Objects. If it does not, check the OU membership of the machine and confirm the GPO is linked to the correct container.

Check 2: Confirm the Store is blocked

Open Microsoft Store on the target machine.

  • For Method 1 (Enterprise or Education), the Store should display the blocked access message immediately.
  • For Method 2 (Pro SRP), the Store window should open briefly and then close with a system administrator restriction message.
  • For Method 3 (AppLocker), the Store should fail to launch entirely.

Check 3: Confirm the SRP rule is applied (Method 2 only)

On a target Pro machine, open an elevated Command Prompt and run:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v DefaultLevel

A result of 0x40000 confirms that SRP is active with a default security level of Unrestricted (0x20000 would be Basic User and 0 would be Disallowed), with your Disallowed path rule layered on top. DefaultLevel alone does not prove the rule arrived: each path rule is stored as a subkey of CodeIdentifiers\<level>\Paths, so a Disallowed rule for the Store appears under CodeIdentifiers\0\Paths with the path in its ItemData value. If no such subkey exists, the rule never reached the machine.

Check 4: Confirm the AppLocker service is running (Method 3 only)

From an elevated PowerShell prompt on the target machine, run:

Get-Service AppIDSvc | Select-Object Status, StartType

Status should be Running and StartType should be Automatic. If the service is stopped, AppLocker rules are not enforced regardless of what the GPO shows.
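The four checks above, plus the winget gap, can be gathered in one pass. The function below is an added example, not part of the original guide: run it elevated on a target machine and it reports the applied computer GPOs from gpresult's XML export, the Method 1 registry value, the SRP default level and any Disallowed path rule naming the Store, the Application Identity service state, the Deny packaged-app rules in the effective AppLocker policy, and whether App Installer is present and covered by one of those rules. It reads only what Windows already exposes; no new policy is written.

```powershell
# Added example, not part of the original guide: one elevated run on a target machine
# gathers the evidence behind Checks 1-4 and the winget gap. Run as Administrator.
function Test-StoreBlockState {
    $r = [ordered]@{}

    # Check 1: GPOs the computer actually applied (gpresult XML export, then parse).
    $tmp = Join-Path $env:TEMP 'rsop-computer.xml'
    gpresult /scope computer /x $tmp /f | Out-Null
    [xml]$rsop = Get-Content -Path $tmp -Raw
    $r.AppliedComputerGPOs = @($rsop.Rsop.ComputerResults.GPO |
        Where-Object { $_.FilterAllowed -eq 'true' -and $_.AccessDenied -eq 'false' } |
        ForEach-Object { $_.Name })

    # Method 1 evidence: the value "Turn off the Store application" writes when Enabled.
    $m1 = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
          -Name RemoveWindowsStore -ErrorAction SilentlyContinue
    $r.Method1_RemoveWindowsStore = if ($m1) { $m1.RemoveWindowsStore } else { 'not set' }

    # Method 2 evidence: SRP default level, and Disallowed (level 0) path rules naming the Store.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $lvl = (Get-ItemProperty $safer -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $r.Method2_DefaultLevel =
        if ($null -eq $lvl)       { 'SRP not configured' }
        elseif ($lvl -eq 0x40000) { 'Unrestricted (0x40000)' }
        elseif ($lvl -eq 0x20000) { 'Basic User (0x20000)' }
        elseif ($lvl -eq 0)       { 'Disallowed (0)' }
        else                      { 'Unknown (0x{0:X})' -f $lvl }
    $r.Method2_StoreDenyPaths = @(Get-ChildItem "$safer\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData } |
        Where-Object { $_ -like '*Microsoft.WindowsStore*' })

    # Method 3 evidence: Application Identity service, plus Deny packaged-app rules in the
    # effective AppLocker policy (ProductName is the package name, e.g. Microsoft.WindowsStore).
    $svc = Get-Service AppIDSvc -ErrorAction SilentlyContinue
    $r.Method3_AppIDSvc = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service missing' }
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    $appxDeny = @($pol.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Appx' } |
        ForEach-Object { $_.FilePublisherRule } |
        Where-Object { $_.Action -eq 'Deny' } |
        ForEach-Object { $_.Conditions.FilePublisherCondition.ProductName })
    $r.Method3_AppxDenyPackages = $appxDeny

    # winget gap: is App Installer present, and does a packaged-app Deny rule cover it?
    $r.Winget_AppInstallerInstalled =
        [bool](Get-AppxPackage -AllUsers Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue)
    $r.Winget_CoveredByAppxDeny =
        [bool]($appxDeny | Where-Object { $_ -like '*DesktopAppInstaller*' })

    [pscustomobject]$r
}

Test-StoreBlockState | Format-List
```

A machine on which every method field reads not set, SRP not configured and an empty Deny list, while AppliedComputerGPOs still lists your GPO, points at a processing problem (wrong edition for Method 1, or a reboot still pending for SRP) rather than at linking or scope.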

Troubleshooting common issues

1. The Turn off the Store application policy is enabled, but the Store still opens

This machine is running Windows Pro. The policy is ignored by design on Pro editions, as documented in Microsoft KB3135657. Switch to Method 2 (Software Restriction Policies) for Pro machines, or use security group filtering to ensure Method 1 only reaches Enterprise and Education machines.

2. The SRP path rule is applied, but the Store opens normally

The most common cause is that gpupdate /force applied the policy but the machine has not rebooted. Reboot and test again. If the Store still opens after a reboot, confirm that the path is entered exactly as %programfiles%\WindowsApps\Microsoft.WindowsStore* with no trailing slash or additional characters. A second possible cause is a conflicting rule with Allow precedence. Check Additional Rules for any Allow rules that match the same path.

3. AppLocker rules are not being enforced

Confirm that the Application Identity service is running with Get-Service AppIDSvc. If it is stopped, the GPO setting from step one of Method 3 has not applied or was overridden. Run gpupdate /force, then start the service manually with Start-Service AppIDSvc to test whether rules are enforced when the service is active. If rules enforce with the service running manually but not after reboot, the startup type setting in the GPO is being overridden by another policy.

4. The Store is blocked, but users are installing apps via winget

See the winget bypass section above. Block winget through AppLocker, or restrict Command Prompt and PowerShell for standard users with User Configuration > Policies > Administrative Templates > System > Don't run specified Windows applications (this is a per-user setting; it does not exist under Computer Configuration). Treat that policy as a nuisance barrier only: it matches on file name for programs started through Explorer and is defeated by copying or renaming the executable, so AppLocker remains the enforceable control.

Frequently asked questions

1. How do I block specific Microsoft Store apps rather than the entire Store?

Use AppLocker Packaged App Rules (Method 3) with a Deny rule that targets a specific publisher and app name rather than just the publisher. In step six of Method 3, instead of selecting the Store itself as the reference app, select the specific app you want to block from the installed packages list, then set the rule scope to match on Publisher and Package name. This leaves the Store accessible but prevents that specific app from launching.

2. How do I block Microsoft Store on a non-domain machine?

On a stand-alone machine, open the Local Group Policy Editor by pressing Win + R and typing gpedit.msc. The same paths apply: Administrative Templates for Enterprise and Education, and Software Restriction Policies for Pro. Note that gpedit.msc is not available on Windows Home edition.

Go beyond the GPMC with ADManager Plus

Confirming that your Store-blocking GPO applied to every machine in scope and that no competing policy re-enabled access on a subset of machines takes time to track across a large domain. ManageEngine ADManager Plus provides a centralized GPO management console where you can handle that follow-up work without opening the GPMC on individual servers.

  • Bulk GPO linking: Link your Store-blocking GPO to multiple OUs simultaneously rather than repeating each link manually in the GPMC. This is useful when separate GPOs need to reach Enterprise and Pro machines in different containers.
  • Link order management: Adjust GPO precedence from the web console when a competing policy is re-enabling Store access, so the intended configuration wins without opening the GPMC on each domain controller.
  • On-demand policy refresh: Push an immediate GPO refresh to selected computers without logging in to each machine individually. This is useful for confirming that the Store policy has propagated after adjusting a link or scope.
  • Application visibility: Run GPO reports to confirm that your Store-blocking policies are configured consistently across all GPOs in the domain, and verify that the correct settings applied to specific machines after deployment.
  • Delegation oversight: Scope GPO refresh and reporting tasks to help desk technicians through role-based delegation, so staff can investigate GPO application issues without needing Domain Admin rights or RSAT installed on their workstations.
