BIO 12.05.01 ISO A.12.5.1

Intune: Disable Store-Originated Apps

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Disable Store-originated apps - blocks launching of apps installed from Microsoft Store (stricter than blocking Store access).

Aanbeveling
CONDITIONAL (high-security only)
Risico zonder
Low
Risk Score
3/10
Implementatie
7u (tech: 2u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Store app blocking layers: 'Turn off Store access': Users cannot BROWSE Store (maar existing Store apps still work), 'Disable Store-originated apps' (THIS control): Users cannot LAUNCH Store apps (apps grayed out, won't start), Strictest: Complete Store app blocking (existing + new). Use case: High-security environments (only Win32 apps via Intune allowed, zero UWP/Store apps). Defense in depth: Block Store access + block Store app launching = complete control.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Disable Store apps: Policy: Disable all apps from Microsoft Store: Enabled, Effect: ALL Store-originated apps refuse to launch (grayed out in Start menu), Win32 apps: Unaffected (Intune-deployed .exe/.msi work normally), Existing Store apps: Non-functional (cannot launch).

Vereisten

  1. Windows 10/11
  2. Intune subscription
  3. High-security requirement
  4. App strategy: Win32 only (no UWP/Store apps)
  5. Testing: Verify no business-critical Store apps

Implementatie

Intune Settings Catalog: App Runtime β†’ Disable all apps from Microsoft Store: Enabled. Effect: Store apps cannot launch. Win32 apps via Intune: Work normally.

Compliance

BIO 12.05 (Application control), ISO 27001 A.12.5.1, DISA STIG.

Monitoring

Gebruik PowerShell-script disable-store-originated-apps-is-set-to-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script disable-store-originated-apps-is-set-to-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Application Control: Disable Store Originated Apps .DESCRIPTION CIS - Store originated apps moeten disabled in enterprise. .NOTES Filename: disable-store-originated-apps-is-set-to-enabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore\DisableStoreApps|Expected: 1 #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"; $RegName = "DisableStoreApps"; $ExpectedValue = 1 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "disable-store-originated-apps.ps1"; PolicyName = "Disable Store Apps"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = $ExpectedValue; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Store apps disabled" }else { $r.Details += "Store apps enabled" } }else { $r.Details += "Niet geconfigureerd" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Store apps disabled" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Low: Low: Store apps = limited risk (maar high-security = zero tolerance).

Management Samenvatting

Disable Store-originated apps (cannot launch). High-security environments. Win32 only. HIGH business impact (if Store apps used). Implementatie: 2-7 uur.