How to Update Default Apps and Limit Access to Windows Store

The goal of this article is to show how to keep the default apps installed with Windows 8 updatable while preventing other apps from being installed or used.
Some enterprises require users to have only a limited ability to install applications on their Windows computers. As an administrator the first reaction is to disable the Windows Store. However, the built-in Windows 8 apps (and any other packaged app) rely on the Windows Store for updates. With the Store disabled, the user sees the following when opening something like Bing News:

-There is a new version of the News available. Please choose Update to continue.

When the user selects the Update icon they get this message:

-Windows Store isn't available on this PC. Contact your system administrator for more information.

This solution uses AppLocker packaged app rules to prevent users from running Windows Store apps unless an allow rule exists for them. In Windows 8.0 the user does not need any credentials to update the default apps, but needs a Microsoft account to install other apps from the Windows Store.

First determine which apps need to be able to run. Do that by turning on AppLocker auditing on a reference computer and reviewing the events it produces.

Step 1: Configure the Apps Rule collection to Audit Only

  1. On the reference machine, open SECPOL.MSC and select Security Settings / Application Control Policies / AppLocker.

Note: You can also do this with a Group Policy, under Computer Configuration / Windows Settings / Security Settings / Application Control Policies.

  2. Select Configure rule enforcement.

  3. In the AppLocker Properties, under Packaged app Rules check Configured and select Audit only.

  4. Select OK.

  5. Right-click Packaged app Rules and select Automatically Generate Rules (you can also select Create Default Rules).

This wizard helps you create AppLocker rules for the multiple packaged apps in a single step. You can either analyze packaged apps installed on this computer or select a folder and let the wizard analyze the packaged app installers therein for rule creation.

  1. Select the user or security group that the rules will apply to. (If your users are not administrators, consider using the Users or Power Users local group; use a common domain group if doing this with a Group Policy.)

  2. Change the Name field to something meaningful to you that identifies this set of rules.

  3. Select Next.

  4. Leave the rule preferences grouped so that apps from the same publisher, like the Calendar, Messaging and Mail apps, share a single rule.

  5. Select Next.

  6. Select Review the packaged apps that were analyzed, and uncheck any apps you do not want to allow to run.
    (For this example I unchecked Skype as it is already installed.)

  7. Select OK, then select Create.

Step 2: Start the Application Identity Service

  1. Run SERVICES.MSC (consider doing this with a GPO instead). AppLocker rules are not evaluated at all unless this service is running.

  2. Find the Application Identity service and open its properties.

  3. Change the Startup type to Automatic and select OK.

  4. Then start the Application Identity service.

Step 3: Update the policies on the reference computer

  1. Run gpupdate /force from an administrative CMD prompt.

If you are using a GPO to create the rules, it can take a few moments for the policy to become available.
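Steps 1 through 3 can be scripted with the AppLocker and Appx PowerShell modules that ship with Windows 8. The script below is an added example, not part of the original article: it analyzes the installed packaged apps the same way the Automatically Generate Rules wizard does, drops the packages you do not want an allow rule for, writes the Appx collection in Audit only mode (or Enforce rules when -Enforce is passed, which is what Step 5 later does), applies it locally, and starts the Application Identity service. The group name, the excluded package and the output path are placeholders for the choices made in the article; run it elevated on the reference machine.

```powershell
# Added example (not from the original article): PowerShell equivalent of
# Steps 1-3 (and, with -Enforce, Steps 5-6). Placeholders: $User, $Exclude,
# $OutFile. Requires an elevated prompt on the reference machine.
param(
    [string]   $User    = 'BUILTIN\Users',          # group the rules apply to
    [string[]] $Exclude = @('Microsoft.SkypeApp'),  # packages left without an allow rule
    [string]   $OutFile = "$env:TEMP\PackagedApps.xml",
    [switch]   $Enforce                             # omit = Audit only, pass = Enforce rules
)

Import-Module AppLocker
Import-Module Appx

# Step 1: analyze the installed packaged apps and build publisher rules
# (packaged apps only support publisher rules). -Optimize groups packages
# from the same publisher into one rule, like the wizard's grouping option.
$packages = Get-AppxPackage -AllUsers | Where-Object { $Exclude -notcontains $_.Name }

[xml]$xml = Get-AppLockerFileInformation -Packages $packages |
    New-AppLockerPolicy -RuleType Publisher -User $User -RuleNamePrefix 'Win8Default' -Optimize -Xml

# New-AppLockerPolicy leaves EnforcementMode="NotConfigured"; set the Appx
# collection to mirror the "Audit only" / "Enforce rules" choice in the GUI.
$appx = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
$appx.EnforcementMode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
$xml.Save($OutFile)

# Apply to the local policy. -Merge leaves the other collections (EXE, DLL,
# Script, MSI) exactly as they were. Use -Ldap "<GPO path>" instead of the
# local policy if you manage this with Group Policy.
Set-AppLockerPolicy -XmlPolicy $OutFile -Merge

# Step 2: AppLocker does nothing unless the Application Identity service runs.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Step 3: refresh policy.
gpupdate /force | Out-Null

# Dry run of Step 7: what would each installed package get for this user?
# Expect Denied for everything in $Exclude and Allowed for the rest.
Test-AppLockerPolicy -XmlPolicy $OutFile -Packages (Get-AppxPackage -AllUsers) -User $User |
    Select-Object PolicyDecision, FilePath, MatchingRule |
    Sort-Object PolicyDecision, FilePath
```

Run it once without -Enforce for the audit phase, review the events as in Step 4, and run it again with -Enforce once the rule set is right. Test-AppLockerPolicy evaluates the XML file you just wrote, not the effective policy, so it is also a safe way to check a policy before it reaches any machine.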

Step 4: open the AppLocker log and review

  1. Open EVENTVWR.MSC, navigate to Applications and Services Logs / Microsoft / Windows / AppLocker and select Packaged app-Execution.

  2. Launch the Photos app, or any other default app. When an application is allowed to run, the following event appears in the Packaged app-Execution log:


Log Name: Microsoft-Windows-AppLocker/Packaged app-Execution
Source: Microsoft-Windows-AppLocker
Date: 9/23/2013 10:18:04 AM
Event ID: 8020
Task Category: None
Level: Information
Keywords:
User: FAB\User
Computer: FAB-CL8-2.FABRIKAM.COM
Description:
microsoft.windowsphotos was allowed to run.


For this example Skype is already installed. When it is run, the following can be found in the log:


Log Name: Microsoft-Windows-AppLocker/Packaged app-Execution
Source: Microsoft-Windows-AppLocker
Date: 9/23/2013 10:33:15 AM
Event ID: 8021
Task Category: None
Level: Warning
Keywords:
User: FAB\USER
Computer: FAB-CL8-2.FABRIKAM.COM
Description:
Microsoft.SkypeApp was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

This event is a warning rather than an error because AppLocker is still set to Audit only. Here is a good reference for the meaning of all the possible AppLocker events:

Using Event Viewer with AppLocker

Test all of the Windows 8 apps you want to allow and make sure the correct events (8020, not 8021) are occurring for each of them.
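Clicking through the log one event at a time gets tedious once every default app has been launched. The following added example (not from the original article) summarizes the Packaged app-Execution log for the test window: one line per package, how often it ran, and whether the draft policy would block it. It assumes the Application Identity service is running and that the event description begins with the package name, as the sample events above show; -Days is a placeholder for the length of your test window.

```powershell
# Added example (not from the original article): summarize the Step 4 audit
# results. Assumes the Appx collection is in Audit only mode and AppIDSvc is
# running. $Days is a placeholder for the test window.
param([int]$Days = 1)

$log = 'Microsoft-Windows-AppLocker/Packaged app-Execution'

# 8020 = allowed; 8021 = allowed now, would be blocked once enforced;
# 8022 = blocked (should not appear while still auditing).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 8020, 8021, 8022
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events in '$log'. Is AppIDSvc running, and has a packaged app been launched?"
    return
}

$events |
    ForEach-Object {
        # The description reads "<package> was allowed to run." (see the
        # sample events); take the first token as the package name.
        $pkg = if ($_.Message -match '^(?<pkg>\S+)\s+was\s') { $Matches.pkg } else { '<unparsed>' }
        [pscustomobject]@{ Package = $pkg; Id = $_.Id; User = $_.UserId; Time = $_.TimeCreated }
    } |
    Group-Object Package |
    ForEach-Object {
        $ids = $_.Group.Id | Sort-Object -Unique
        [pscustomobject]@{
            Package  = $_.Name
            Launches = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Verdict  = if (8021 -in $ids)     { 'would be BLOCKED when enforced' }
                       elseif (8022 -in $ids) { 'BLOCKED (already enforced?)' }
                       else                   { 'allowed' }
        }
    } |
    Sort-Object Verdict, Package
```

Pipe the output to Format-Table -AutoSize for a quick read. Anything listed as "would be BLOCKED" that a user legitimately needs is a package you forgot to leave checked in the wizard; anything listed as "allowed" that you did not expect to see is a rule that is broader than intended, which is worth catching before Step 5. The User column is a SID; call .Translate([System.Security.Principal.NTAccount]) on it if you want names.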

Step 5: Enforce the rule

  1. Open SECPOL.MSC and select Security Settings / Application Control Policies / AppLocker.

Note: Once again, you can do this with a Group Policy.

  2. Select Configure rule enforcement.

  3. In the AppLocker Properties, under Packaged app Rules check Configured and select Enforce rules, then click OK.

  4. Close SECPOL.MSC and open the Start screen.

Step 6: Update the policies on the reference computer

  1. Run gpupdate /force from an administrative CMD prompt.
    If you are using a GPO to create the rules, it can take a few moments for the policy to become available.

Step 7: Test the Enforced Rules

Launch an app that was not allowed. When I try to launch Skype I now receive the following:
-This app has been blocked by your system administrator.

Go back to the Packaged app-Execution log and look for the following error:

Log Name: Microsoft-Windows-AppLocker/Packaged app-Execution
Source: Microsoft-Windows-AppLocker
Date: 9/23/2013 11:24:01 AM
Event ID: 8022
Task Category: None
Level: Error
Keywords:
User: FAB\USER
Computer: FAB-CL8-2.FABRIKAM.COM
Description:
Microsoft.SkypeApp was prevented from running.

Now when a user launches a default Windows 8 Store app like Bing Finance, the update prompt still appears and the update succeeds, because the Store itself is not disabled. The user cannot, however, install anything else from the Windows Store, and if they try, the app will not be allowed to run.

To test this, try to install a new app (OneNote MX) from the Windows Store. With AppLocker configured, the following error occurs:
-Something happened and this app couldn't be installed. Please try again. Error Code 0x80246007

Any app without an allow rule fails to install in the same way. It does create an unusable tile on the Start screen; if it is selected, the user gets the following:
-This app can't open
-Check the Windows Store for more info about OneNote

In the Event Viewer, in the Packaged app-Deployment log, the following error exists:

Log Name: Microsoft-Windows-AppLocker/Packaged app-Deployment
Source: Microsoft-Windows-AppLocker
Date: 9/24/2013 10:16:34 AM
Event ID: 8025
Task Category: None
Level: Error
Keywords:
User: FAB\USER
Computer: FAB-CL8-2.FABRIKAM.COM
Description:
Microsoft.Office.OneNote was prevented from running.

This solution is different from how we usually administer Windows desktops in that it still requires the Windows Store to be reachable; however, a user does not need a Microsoft account to update a default Windows 8 Store app. If they want to install something from the Store that is not a default app, they would need to set up a Microsoft account, and if there is no rule allowing that app, AppLocker prevents it from being installed or run.

One last thing. As an administrator, consider setting up event forwarding so you are alerted when users try to run unapproved apps. Below is the event to watch for (8025 in the Packaged app-Deployment log is its counterpart for blocked installs), and a link to the article on how to set up a subscription.

Log Name: Microsoft-Windows-AppLocker/Packaged app-Execution
Source: Microsoft-Windows-AppLocker
Date: 9/24/2013 8:48:23 AM
Event ID: 8022
Task Category: None
Level: Error

Manage Subscriptions
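A subscription (or a custom view in Event Viewer) takes an XPath QueryList as its filter, and the query below is the one that fits this setup. It is an added example, not from the original article: it selects 8022 (launch blocked) from the Packaged app-Execution log and 8025 (install blocked) from the Packaged app-Deployment log for the last 24 hours, and checks the query against a live log with Get-WinEvent before you paste it into a subscription. The lookback value and the optional collector name are placeholders.

```powershell
# Added example (not from the original article): the XPath filter for a
# "user tried something unapproved" subscription, validated locally.
# Placeholders: the 86400000 ms (24 h) lookback and $Collector.
param([string]$Collector = $env:COMPUTERNAME)

# One Query, two Select clauses: each log is its own channel. The "&lt;="
# is required because this is XML, not a PowerShell comparison.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">
      *[System[(EventID=8022) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">
      *[System[(EventID=8025) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

# Run it against the local logs (or a collector's Forwarded Events, if the
# subscription is already in place) and flatten the hits into one table.
Get-WinEvent -ComputerName $Collector -FilterXml $query -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            User     = $_.UserId
            Event    = $_.Id
            Action   = if ($_.Id -eq 8025) { 'install blocked' } else { 'launch blocked' }
            Detail   = ($_.Message -split "`r?`n")[0]
        }
    } | Sort-Object Time -Descending
```

If the query returns nothing on a machine where you just reproduced Step 7, the filter is wrong for that machine (check the channel names and that the Appx collection is actually enforced) and it is not ready to be used on the collector. Once it returns the expected 8022/8025 rows, the same QueryList goes into the subscription's Query field as described in the Manage Subscriptions article above.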

Another option is customizing the error message with a link to a website so that a user could put in a request to unblock an app.

Display a Custom URL Message When Users Try to Run a Blocked Application
