
Microsoft Store integration with AppLocker


This post is an update on my previous article Managing the Microsoft Store and Apps with AppLocker. Go and read that one first :-)

About mid-May 2023 Store version 22303.1401.5.0 was released, and it now has an interesting new AppLocker integration capability. Sadly it’s been botched in this initial release, but beggars can’t be choosers.

Store version

To find the store version (at the moment):

  1. Either right-click the Store on the Start Menu and choose App settings, or
  2. In the Store app itself, click on the user icon to the top right then click Settings

To get the new (broken) functionality you need to be on version 22303.1401.5.0.

What’s better

Before this Store version you could use AppLocker Packaged app Rules to block the installation of apps from the Microsoft Store, but the Store was completely oblivious to this. It’d happily let you try and install any app you chose, but then fail with a not-helpful “something went wrong” type message when it tried to install it. The whole thing was not very nice, as users had no idea if an app had been approved or not. Additionally, the not-really-installed app would keep generating AppLocker event 8025 in the Microsoft-Windows-AppLocker/Packaged app-Deployment event log saying that it was prevented from running.

Now, however, you get a nice pink bar at the top of the app’s page in the Store saying:

This app has been blocked due to Company Policy.

What’s worse

The problem is that you may well find that all apps are blocked! Even ones that you have an AppLocker rule to allow! Less than ideal.

By default, when you use the Group Policy Management Console (GPMC) to create a new AppLocker Packaged app Rule you have probably been using the option to Use an installed packaged app as a reference. This is pretty easy to use, and by default selects the option to say that the currently installed version of the app, or higher, can be installed and used.

The problem is that in this initial implementation of the AppLocker-aware Store, Microsoft have botched the version checking. All apps get checked in AppLocker with a version of 0.0.0.0 instead of whatever version is currently available in the Store. Thus – probably – all apps you’ve previously allowed with AppLocker at version >0.0.0.0 will be blocked.

How to fix this

With any luck Microsoft will fix this soon, but in the meantime the only option you have, assuming you want to keep using AppLocker (and what other choice do you have…) is to edit all your AppLocker rules for packaged apps and change the version number to 0.0.0.0 or higher. You can also use * or higher, but you need to delete the text for the existing version completely before the GPMC will let you type the * into the version box.
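
To find which rules need that edit, here is an added example (not code from the original post): a PowerShell function that reads an AppLocker policy export and lists the packaged app Allow rules whose minimum version is above 0.0.0.0. The sample policy, rule and product names, and the function name are constructed for illustration.

```powershell
# Constructed sample export. On a real machine, load the live policy instead:
#   [xml]$policy = Get-AppLockerPolicy -Effective -Xml
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Example App A" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Publisher" ProductName="Example.AppA" BinaryName="*">
          <BinaryVersionRange LowSection="10.2103.8.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Example App B" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Publisher" ProductName="Example.AppB" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppxRuleAboveVersionZero {
    # Hypothetical helper: lists Allow rules for packaged apps whose minimum
    # version is above 0.0.0.0, i.e. rules a check made at 0.0.0.0 cannot match.
    param([Parameter(Mandatory)][xml]$Policy)
    $xpath = "//RuleCollection[@Type='Appx']/FilePublisherRule[@Action='Allow']"
    foreach ($rule in $Policy.SelectNodes($xpath)) {
        # Only the rule's conditions are inspected, not its exceptions
        foreach ($range in $rule.SelectNodes('Conditions/FilePublisherCondition/BinaryVersionRange')) {
            $low = $range.GetAttribute('LowSection')
            # '*' is a wildcard minimum and already covers 0.0.0.0
            if ($low -ne '*' -and [version]$low -gt [version]'0.0.0.0') {
                [pscustomobject]@{
                    Rule       = $rule.GetAttribute('Name')
                    Product    = $range.ParentNode.GetAttribute('ProductName')
                    LowSection = $low
                }
            }
        }
    }
}

Get-AppxRuleAboveVersionZero -Policy $policy | Format-Table -AutoSize
```

With the sample policy this lists only Example App A; Example App B already starts at 0.0.0.0 and is not reported.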

You could probably help the fix along the way by upvoting my Feedback Hub item on this issue.

