Close

July 20, 2016

Windows Store User Experience in the Enterprise in Windows 10

Business Store in Windows 10 Enterprise 1607

Chicken Little seems to be working overtime when it comes to the Windows Store in Windows 10. I’ve read and heard many different thoughts and approaches to the Store in Windows 10, but I believe that the Store and Universal apps should be embraced. It would; however, be nice to have more control over user interaction with the Store and in-box Univeral apps.

There are a number of the in-box Universal apps that I would consider to be useful, at least if you’re deploying Current Branch / Current Branch for Business. These include Edge, Calculator, Photos, Weather, News and perhaps even Sticky Notes (in 1607). Some organisations would find the growing list of 3rd party apps including Twitter and Facebook (think marketing) useful for deployment.

While it remains to be seen how many line-of-business applications that will embrace the Universal app platform, deploying and updating Universal apps is far simpler than traditional Win32 apps – roaming preferences notwithstanding.

Managing the Windows Store without Disabling It

If you’re looking to embrace or at least maintaining some of the in-box Universal apps, there are a number of steps you should be taking:

With these components in place, the following scenarios are enabled:

  • Users logging with their cloud credentials (credentials in the cloud or synchronised from Active Directory) onto Azure AD joined Windows 10 PCs are enabled for single sign-on to the Store and other apps that leverage Azure AD or Office 365 services. Azure AD join is a great use case for greenfield deployments, but be certain of current and future PC management requirements – the case for Active Directory joined PCs is still valid.
  • Users on Windows 10 stand-alone (typically personal devices) or Active Directory domain member PCs (without Azure AD sync or Azure AD Premium) can manually add their work credentials to their PC and sign into the Store.
  • Windows 10 domain members with AD Connect/ADFS and Azure AD Premium are single signed-on into the Store (and other apps that Azure AD or Office 365 services) once Workplace Join is configured.

The last scenario is ideal for most organisations extending their environments into Azure AD and should be completed as a part of your Windows 10 deployment. A couple of articles are great references for this setup:

Microsoft has recently stated the Enterprise Mobility Suite is the fastest growing product in their history and I think access to Azure AD Premium in EMS could be a large part of that growth.

In any of the 3 scenarios above and the Business Store enabled, users can install apps on their devices from the list of apps that IT has subscribed to:

Windows Store for Business in Windows 10 1511

Windows Store for Business in Windows 10 1511

Showing Only the Business Store

Now that the Business Store is enabled and available on user devices, we can start to take some control over what users see in the Store. By default, this will be the Business Store as well as the public links as seen in the screenshot above. To disable the public links we can enable the RequirePrivateStoreOnly policy.

This is actually an MDM policy that’s not available in Group Policy, so unless you managing devices with an MDM solution, you’ll need to configure this with a direct Registry edit via PowerShell, as below, or other means such as Group Policy Preferences.

This results in a curated view only of the Store, which could look something like this:

Windows Store showing the Private Store only, in Windows 10 Pro 1511

Windows Store showing the Private Store only, in Windows 10 Pro 1511

So without resorting hacking our Windows 10 image or AppLocker or Windows Firewall controls on the Store, IT now has some control over what users see and which applications can be added to their PCs.

Bypassing the Business Store

It’s not all roses though – users can still directly access applications from the public Store via direct links to those apps. Direct links are available from a couple of places – suggestions shown by default on the Start menu and on the web. If you want to control the app suggestions on the Start menu, PCs will need to be running Windows 10 Enterprise or Education editions.

To see bypassing the Business Store, search the web for an example app, e.g. the Windows 10 Facebook app. A user can click on the ‘Get the app’ button on that page which will launch the Store:

Facebook for Windows 10

Facebook for Windows 10

A user can click on ‘Free’ button. If the user can add a Microsoft account to Windows, they can install the app. To prevent that, you’ll want to block Microsoft accounts.

Windows 10 1607 Changes the Store Behaviour

Along with the changes to the Group Policy that hides the Store in Windows 10 1511, now restricted to Enterprise or Education editions only; 1607 will also restrict the ability to hide the public links in the Store also to Enterprise and Education.

Shown here is the Windows Store on the same PC, running Windows 10 Pro upgraded from 1511 to 1607. With the policy still in place, the public links are shown again:

Windows Store with the Private Store enabled in Windows 10 Pro 1607

Windows Store with the Private Store enabled in Windows 10 Pro 1607

With Windows 10 Enterprise or Education editions, I can maintain full control over the consumer user experiences in Windows. Organisations running Windows 10 Pro will not be able to implement these controls.

Conclusion

With Windows 10, Microsoft is changing the user experience in big ways and pushing organisations towards subscription options for tighter control over the user experience. Regardless, I believe that IT should, and will eventually be forced to, embrace the new Windows world. Organisations without Software Assurance won’t be able to maintain the control they’ve been used to.

Finally, here’s a couple of articles that I found useful when setting up Workplace Join with Azure AD: