How to Block Microsoft Store Web Installer Using Entra Internet Access

First, you need to access the Microsoft Entra admin center and navigate to the Internet Access web content filtering section. This is where you'll create the primary blocking policy.

Open your browser and navigate to the Entra admin center:

https://entra.microsoft.com

Sign in with your Global Admin or Security Admin credentials. Once logged in, navigate to the Internet Access section:

1. Click Protection in the left navigation pane
2. Select Internet Access
3. Click Policies
4. Select Web content filtering

If this is your first time using Internet Access, you may need to enable the service. Click Enable Internet Access if prompted and wait for the service to initialize (typically 2-3 minutes).

Now you'll create a specific policy to block Microsoft Store web installer downloads. This policy will target the primary domains used by the Store web installer.

In the Web content filtering dashboard, create a new policy:

1. Click + New policy
2. Enter the policy name: Block Microsoft Store Web Installer
3. Add a description: Prevents users from downloading apps via apps.microsoft.com and get.microsoft.com
4. Set the policy state to Enabled

Configure the URL blocking rules by adding these specific domains:

*.apps.microsoft.com
*.get.microsoft.com
store.rg-adguard.net
*.microsoft.com/store/apps

For each URL pattern:

1. Click Add URL category
2. Select Custom category
3. Enter the URL pattern
4. Set the action to Block
5. Add a block message: Access to Microsoft Store web installer is blocked by your organization's security policy.

Next, you need to assign the policy to the appropriate users and devices. This step determines which users will have the Store web installer blocked.

In your newly created policy, configure the assignments:

1. Click the Assignments tab
2. Under Include, select one of these options:

For organization-wide blocking:

Include: All users
Exclude: IT Admin group (recommended)

For targeted deployment:

Include: Specific security groups
- Standard Users
- Kiosk Devices
- Shared Workstations

Configure device targeting:

1. Click Device conditions
2. Select Device compliance state
3. Choose Compliant devices only
4. Add device platform filter: Windows

Set up conditional access integration:

{
  "deviceFilter": {
    "mode": "include",
    "rule": "device.deviceOwnership -eq \"Company\""
  },
  "locations": {
    "includeLocations": ["All"],
    "excludeLocations": ["AllTrustedLocations"]
  }
}

While Entra Internet Access provides the primary blocking mechanism, you should also configure browser-specific policies through Intune to ensure comprehensive coverage, especially for Microsoft Edge.

Navigate to the Microsoft Intune admin center:

https://endpoint.microsoft.com

Create a new configuration profile:

1. Go to Devices > Configuration
2. Click Create > New policy
3. Platform: Windows 10 and later
4. Profile type: Settings catalog
5. Name: Edge - Block Store Web Installer URLs

Configure the Edge URL blocking settings:

1. Click Add settings
2. Search for: Microsoft Edge
3. Expand Microsoft Edge category
4. Select Block access to a list of URLs

Add the blocked URLs in the value field:

apps.microsoft.com/*
get.microsoft.com/*
store.rg-adguard.net/*
microsoft.com/store/apps/*

Configure additional Edge security settings:

1. Add Block external extensions (prevents Store extension installs)
2. Add Control where developer tools can be used > Set to Don't allow using the developer tools

To prevent users from running downloaded Store installers even if they bypass the web filtering, configure AppLocker rules through Intune to block execution of Store installer files.

In the Intune admin center, create an AppLocker policy:

1. Go to Endpoint security > Application control
2. Click Create policy
3. Platform: Windows 10 and later
4. Profile: App and browser isolation

Configure the AppLocker XML policy:

<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Block Store Installers" Description="Block Microsoft Store web installer executables" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%TEMP%\*.appx" />
        <FilePathCondition Path="%TEMP%\*.msix" />
        <FilePathCondition Path="%DOWNLOADS%\*.appx" />
        <FilePathCondition Path="%DOWNLOADS%\*.msix" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow System Files" Description="Allow system executables" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\*" />
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>

Alternative method using Settings Catalog:

1. Create new Settings Catalog policy
2. Search for AppLocker
3. Add Application Identity > Executable Rules
4. Configure deny rules for Store installer file types

Now you need to thoroughly test your blocking configuration to ensure it works as expected while not breaking legitimate functionality.

Perform these verification tests on a target device:

Test 1: Web Browser Blocking

1. Open Microsoft Edge
2. Navigate to: https://apps.microsoft.com
3. Expected result: Block page with your custom message
4. Try: https://get.microsoft.com
5. Expected result: Same block page

Test 2: Direct App Links

# Test these URLs in Edge:
https://apps.microsoft.com/detail/9NBLGGH4MSV6
https://www.microsoft.com/store/apps/9WZDNCRFJ3Q2
https://get.microsoft.com/installer/download/9NBLGGH4MSV6

Test 3: Verify Store App Updates Still Work

1. Open Microsoft Store app (Start > Microsoft Store)
2. Click your profile icon > Downloads and updates
3. Click Get updates
4. Verify updates download and install normally

Test 4: Check Policy Application Status

Run these PowerShell commands on the test device:

# Check Intune policy sync status
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion

# Verify AppLocker policy
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

# Check Edge policy application
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name URLBlocklist

After deployment, you need to establish ongoing monitoring to ensure the policies remain effective and don't cause unintended issues.

Set up monitoring in Entra Internet Access:

1. Go to Protection > Internet Access > Monitoring
2. Click Web content filtering logs
3. Configure log retention: 90 days
4. Enable alerts for policy violations

Create monitoring queries for blocked attempts:

// KQL query for Entra Internet Access logs
InternetAccessLogs
| where TimeGenerated > ago(7d)
| where Action == "Block"
| where DestinationUrl contains "apps.microsoft.com" or DestinationUrl contains "get.microsoft.com"
| summarize BlockCount = count() by UserPrincipalName, DestinationUrl
| order by BlockCount desc

Set up Intune compliance monitoring:

1. Navigate to Reports > Device compliance
2. Create custom report for AppLocker violations
3. Schedule weekly email reports to security team

Configure automated remediation:

# PowerShell script for automated policy health check
$PolicyName = "Block Microsoft Store Web Installer"
$Policy = Get-MgDeviceManagementDeviceConfiguration | Where-Object {$_.DisplayName -eq $PolicyName}

if ($Policy.State -ne "Enabled") {
    Write-Warning "Policy $PolicyName is not enabled!"
    # Send alert to security team
    Send-MailMessage -To "security@company.com" -Subject "Store Blocking Policy Alert" -Body "Policy requires attention"
}

Regular maintenance tasks:

• Monthly review of blocked URL patterns for new Store installer domains
• Quarterly testing of policy effectiveness
• Semi-annual review of user group assignments
• Annual policy documentation updates