02: Manage, block and allow Windows Universal (UWP) applications

Want to block the Microsoft Store or Edge on your Windows Professional, Enterprise, or Professional machines? This video shows you how to do it, AND let users still download SOME items from the store as you see fit. You won’t need the Microsoft Store for Business… when you’re using this method to manage your Windows Universal applications.

Transcript: Manage, block and allow Windows Universal (UWP) applications

Hi. This is Jeremy Moskowitz. In this video, I’m going to show you how you can finally manage your Windows universal applications by turning on and turning off the ones you need, including things like the “Microsoft Store” or Microsoft Edge. If you’ve ever been tasked with having to manage your Windows universal package applications, today is the day you’re going to get it handled.

First things first, I’m going to be using my “Group Policy Management Editor.” I have it linked over to my “Sales” team here. Now if you’re using PolicyPak Cloud or PolicyPak MDM, it’s the same basic idea. You’re going to use Least Privilege Manager, and you’re going to create a rule by selecting “Add.” This is what’s called a “New UWP Policy” rule.

I’m going to start off by just clobbering “All UWP apps,” all universal Windows applications. Now this will clobber everything except for things like “System Settings, Cortana, and Microsoft Edge.” Those are by default still going to run. What’s that I hear you cry? You still want to turn off Edge? No problem. I’m going to show you how to do that next. Let me go ahead and click “Deny execution” here, and we’re going to say “Any UWP app Denied.”

Let’s go right over here and just go to run GP Update (“gpupdate”). Ten seconds ago you saw that Edge was running and the store was running, not to mention all these other applications that would feel like they’re built into the box. It turns out they’re not just built into the box. They are technically considered Windows store applications, many of them, and we’re going to put the smackdown on all of those as well.

Let’s go ahead and test out the “Microsoft Store.” The store is now closed. That’s the first thing. Second, things like “Weather” or Calculator or “Calendar,” these things are also going to automatically be blocked. But like I said, something like Edge is going to continue working. Something like the “Settings” page is going to continue working.

Now if you want to also turn off Edge, you can certainly do that. There are a couple of ways you can do that. The first thing is that it’s good if you know a little bit of PowerShell. You don’t have to, but even if you just knew this, “Get-AppxPackage,” that one command in PowerShell, you could then find out all the package names that are on a machine.

For instance, one package is the “Microsoft.MicrosoftEdge” package. If you just knew that, or even if you just knew it was called Edge, that would still work. You can just right click, “Add” a “New UWP Policy” here. We’re going to select “Specific UWP apps” with the package name of Edge (“Microsoft.MicrosoftEdge”). What do you want to do with it? Let’s “Deny execution” just on this one package. Just “Deny Microsoft.MicrosoftEdge.”

Now what’s that? You don’t want to do this for everybody? You want to do it for certain people? That’s no problem. You can use “Item Level Targeting” to say that certain people will have this policy enabled, and other people will have this policy avoided.

For instance, if you’re in the “Security Group” or if you’re on a laptop (“Portable Computer”) or you’re coming in over a “Terminal Session” or whatever the story is, you can make some decisions about when this policy is going to fire off. I’m not going to do that. I’m going to say everybody’s going to get this. Kill the Microsoft Edge idea. Let’s go ahead and test that out. Let me go back over here and rerun GP Update (“gpupdate”).

Now Edge actually has a little trick up its sleeve. It actually continues to run in the background even when you close it. So this first time that we’re doing this, it may take two times for Edge to run in order for us to see it. But then after that, you’re never going to see it again. So there’s the first time. You can see that it was still running. Now that it’s closed, let’s rerun Edge. And that guy is now blocked. There you go. No more Edge.

Now let’s continue down the road with some other interesting ideas of things you may want to do. Like I said, all sorts of applications are now automatically blocked like “Skype” and “Weather” and other things like that. How would we get these back if that’s what we wanted to do?

Let’s take “Calculator” as our example here. Here’s “Calculator.” How do we bring Calculator back? Well, if you just knew the name, that would be good. If you wanted to find it here on the list, that would be okay too. If you’re feeling lazy and you don’t want to look for it here, no problem.

All you have to do is right click “Add” a “New UWP Policy.” We’re going to select “Specific UWP apps,” and I’m just going to type “*calc*” and go ahead and click “Next” and “Allow and log.” That’s it. I’m now allowing Calculator.

Again, if I wanted to be really specific, I could get the package name for Calculator which is in this list somewhere. But I’m kind of going fast for this video. As soon as GP Update (“gpupdate”) is done, before, ten seconds ago, Calculator wasn’t running. Now the doggy door for Calculator is opened back up. Let’s go ahead and see for ourselves if that’s true. Go click on “Calculator,” and there we go. We’re getting it to work.

Let’s go to one more advanced scenario here. Why don’t we reopen the “Microsoft Store,” let users download whatever they want? But nothing is going to run, unless we sanction it. As we know, the “Microsoft Store” is currently closed. But let’s go ahead and reopen it.

The fastest way to do that would be to “Add” a “New UWP Policy” here by “Specific UWP apps.” I’m going to call this “Package Name” “*store*” and I’m going to “Allow and log” that. So let that through. So now the store is open.

Let me go ahead and rerun GP Update (“gpupdate”) over here. Give this a second to kick in. Now let’s go ahead and rerun the “Microsoft Store.” And let’s say we only want stuff from Adobe. So if we were to type “adobe” here, let’s do “Adobe Reader Touch.”

Let’s go ahead and “Get” it. Now when we try to get this, it starts to download. It’s going to permit the download for the user, and that’s great. But we know that we’ve blocked everything that is a Windows store application.

So now let’s go ahead and try to “Launch” it here. What do we get? We get blocked. So we’ve got the “Microsoft Store” open. We have new applications that users can download. But they won’t actually be able to run them until you sanction it.

Now there are a couple of ways that you can go forth and sanction it. One way is to do it just by name. If you wanted to just give it the name, like I said if you knew how to “Get-AppxPackage,” that would be fine. You can see that’s the AppxPackage. That would be fine.

But if you wanted to sanction everything from a publisher, what would you do? That’s fine. What I’m going to do is let me just get this list, and at the end of this list is the last package I just installed and the publisher. So I need to get that publisher ID here. That’s this. That’s the “Publisher” ID. So we’re going to grab this guy right here.

What I’m going to do is “Add” a “New UWP Policy.” I’m going to do, again, “Specific UWP apps.” And the “Publisher,” I’m going to jam that in there right there. There’s the “Publisher.” I’m saying anything from that publisher is cool to go. And I’m going to “Allow and log” it. Go ahead and click “Next.” “Allow apps from Adobe.” I don’t know why Adobe has a weird looking publisher, but that’s the way it works. So all Windows universal apps from Adobe are allowed here.

I’m going to go ahead and run GP Update (“gpupdate”) here. Ten seconds ago we saw that application from Adobe, that Reader Touch application, is not functioning. Now after GP Update (“gpupdate”) has done its thing and we’ve now said let publishers from Adobe work, now when we go to run “Adobe Reader Touch” it runs and you’re ready to go.

This would permit you to now download anything in the store by the same publisher as the user and it will work. You don’t have to keep calling the help desk. You’re just blessing that whole publisher. And that’s it. You’re ready to rock.

I know we covered a lot of territory in this video. Again, this is the Least Privilege Manager component, part of the PolicyPak suite that works for Group Policy, PolicyPak On-Prem, Group Policy Cloud, and MDM.

Hope this helps you out tremendously and looking forward to getting you started with PolicyPak real soon.

Thank you very much.
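
A read-only check for the package-name and publisher rules described in the video, as an added example that is not part of the transcript or of PolicyPak: it lists which installed packages each pattern would cover and what each publisher ships. It assumes a rule's pattern is compared against the package Name the way PowerShell's `-like` operator compares wildcards; the `$rules` list simply mirrors the patterns typed in the walkthrough.

```powershell
# Added example: preview what the walkthrough's UWP rule patterns would cover.
# Assumption: a rule's package-name pattern is matched against the package Name
# the same way PowerShell's -like operator matches wildcards.

# Patterns and intended actions taken from the walkthrough.
$rules = @(
    [pscustomobject]@{ Pattern = 'Microsoft.MicrosoftEdge'; Action = 'Deny' }
    [pscustomobject]@{ Pattern = '*calc*';                  Action = 'Allow and log' }
    [pscustomobject]@{ Pattern = '*store*';                 Action = 'Allow and log' }
)

# Packages registered for the current user.
# Add -AllUsers (elevated prompt) to inspect every profile on the machine.
$packages = Get-AppxPackage |
    Select-Object Name, PackageFamilyName, Publisher, PublisherId

# 1. For each pattern, list every package it matches, so a wildcard that
#    allows more than the one intended app is visible before the rule ships.
$coverage = foreach ($rule in $rules) {
    foreach ($pkg in ($packages | Where-Object { $_.Name -like $rule.Pattern })) {
        [pscustomobject]@{
            Pattern     = $rule.Pattern
            Action      = $rule.Action
            Name        = $pkg.Name
            PublisherId = $pkg.PublisherId
        }
    }
}
$coverage | Sort-Object Pattern, Name | Format-Table -AutoSize

# 2. Patterns that match nothing are either typos or apps not installed yet.
$rules | Where-Object { $_.Pattern -notin $coverage.Pattern } |
    ForEach-Object { Write-Warning "No installed package matches '$($_.Pattern)'" }

# 3. Group by publisher to see everything a publisher-wide allow rule would
#    bless, including packages nobody asked for.
$packages | Group-Object Publisher | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Publisher = $_.Name
            Count     = $_.Count
            Packages  = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Format-List
```

A pattern that returns more than one row in the first table is worth replacing with the exact package name before the allow rule is deployed.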

  • 06-May-2020