The private store is a feature of Microsoft Store for Business that you can configure during your sign up process. The private store allows your users to view and download Windows 10 apps that your administrator has added to it. Your organization’s private store is displayed as a tab within the Microsoft Store and is usually named after your company or organization. While the private store sounds like a great idea for businesses that need to quickly and easily provision line-of-business (LoB) apps to their employees and contractors, it does have some limitations. For example, as Microsoft indicates only apps that have online licenses can be added to your private store. In addition, if your organization is using Windows Server Update Services (WSUS) to manage the distribution of software updates to your managed PCs, it’s a bit tricky to get your private store to play nice with Windows Update and with the WSUS servers you have deployed in your environment.
So tricky in fact that a colleague in the IT profession who works as the administrator for a midsized company with several hundred seats had to spend a fair amount of time figuring out how to make this work. He even tried opening a ticket with Microsoft Support on this matter, but unfortunately, they were unable to help so they ended up refunding his support ticket through the Enterprise Agreement his company has with Microsoft. So to help other Windows administrators who might be facing a similar challenge, I decided to share a few tips I’ve gleaned from him on how to implement this scenario so that everything works properly — more or less.
The network this colleague administers uses WSUS, and he needed to allow the users access their company store (private store) but not allow them access to the larger Microsoft Store or allow upgrades to new versions of Windows. To start off, he took away from users the ability to use the Windows Update GUI on their Windows 10 PCs. In the Group Policy Management Console (GPMC) he updated the WSUS policy for his company’s PCs in Group Policy under both User Configuration and Computer Configuration by enabling the following policy setting:
Administrative Templates/Windows Components/Windows Update/Remove access to use all Windows Update Settings
Within the above policy setting is an option called “Configure notifications” and he set that to “1 – Show restart required notifications,” which shows notifications about restarts that are required to complete an installation.
He then enabled the following policy under Computer Configuration for PCs used by staff that traveled in the field:
Administrative Templates/Windows Components/Windows Update/Do not allow update deferral policies to cause scans against Windows Update
The reason he configured this setting is so that staff in the field wouldn’t get updates from WU or have Windows 10 upgraded to a newer version when they were out of touch with the company’s WSUS server. Enabling this policy prevents update deferral policies from causing scans against Windows Update. Disabling it or leaving it not configured means the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.
Afterward, he also decided it was a good idea to implement this policy even for in-house staff that didn’t go on the road. He explained this by telling me, “Previously, because people were upgrading to new versions of Windows 10 before we were ready to support them, we had turned off user and computer access to Windows Update entirely. But it turns out that installing anything from the Microsoft Store (or a private store) requires access to Windows update, so I had to turn on again to provide access to it.”
As a final step in the process, to allow staff at his company to access their company store, he enabled the following two policy settings under both User Configuration and Computer Configuration:
Administrative Templates/Windows Components/Store/Turn off the offer to update to the latest version of Windows
Administrative Templates/Windows Components/Store/Only display the private store within the Windows Store app
The first of the above two policies enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. And if you disable or do not configure this setting the Store application will offer updates to the latest version of Windows.
The second policy setting denies access to the retail catalog in the Windows Store app but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Windows Store app, but they will be able to view apps in the private store. And if you disable or don´t configure this setting, users can access the retail catalog in the Windows Store app.
As a side effect to configuring the above two policies, this seemed to deny staff at his company the ability to do Windows Updates that are approved in WSUS before the deadline. This concerned him a bit, and he commented to me by saying, “Not sure yet how I feel about that. But I always set the deadline on WSUS for Saturdays at 06:00, so if they leave their machines on over the weekend, they pick up the updates by Monday.”
That seemed like an acceptable workaround to me, I replied. I also told him I appreciated him sharing with me what he had learned from this situation as navigating the ins and outs of Group Policy can be challenging for many of us who administer Active Directory environments. The Administrative Templates/Windows Components/Store/ policy itself has more than two dozen different policy settings spread between Computer Configuration and User Configuration, so figuring out which policies to configure to achieve the specific business need you have for your environment is often a game of trial and error. If you’re reading this article and you have any further suggestions or insights into configuring policy for similar scenarios, feel free to use the commenting feature below to share your thoughts with other readers.
Featured image: Shutterstock
Good Article.Is there any improvement in the way we manage Private store app update and windows update.I want to enable Private store update but users are getting pop up saying your machine is not up date and able to check for updates manually and install.If we disable the check for updates feature will it affect any scanning and installing updates configured to WSUS