Controlling Windows Store Applications When Using Windows 10 Pro
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
IT administrators who have rolled out Windows Pro for their organization are finding an unwelcome surprise from the Anniversary Update (build 1607).
The update no longer allows restricting of Windows 10 Store Apps to prevent users from installing third party apps using Group Policy. This capability is now only supported by Microsoft on Windows 10 Enterprise and Education editions.
In preventing this control of Windows 10 Store Apps, Microsoft is opening the door to more security issues since users can download apps which are not related to productivity, and very likely fall into the ‘Shadow IT’ category of uncontrolled devices and high-risk activity.
In order to completely prevent unwanted Windows Store Applications from being installed or executed in a Windows 10 Pro environment, Microsoft now suggest upgrading to the Enterprise edition, which obviously comes at an additional cost to organizations. This could stall Windows 10 Pro upgrade projects and result in migrations being postponed or even cancelled completely. Many small to medium sized businesses, which chose to take advantage of Microsoft’s free upgrade promotion to Windows 10 Pro, are not inclined to add this additional cost.
When using Windows 10 Pro, the following key policies are still displayed in the Group Policy Editor but contain a note stating they only apply successfully on certain Windows 10 editions
Turn off Microsoft consumer experiences
This setting disables specific third party Windows Store apps from being automatically installed and disables promotional links to other third party apps
Disable all apps from Windows Store
This setting disables the Windows Store completely and prevents all Windows Store Apps that were pre-installed or downloaded from running
Why would I need to control Windows Store Apps?
If users are able to download or run any type of Windows Store App onto their Windows 10 Pro desktop, the probability of introducing compatibility issues with operating system components and other corporate delivered applications is greatly heightened, which can lead to IT support headaches and user experience issues.
For example, on a Windows 10 Pro desktop, a user may now choose to run Microsoft Edge as their default Web browser as opposed to Internet Explorer, Google Chrome or another type of browser rolled out and supported by IT. Microsoft Edge’s known incompatibilities with many web pages and web apps will more than likely result in unnecessary IT helpdesk incidents being raised and user productivity being adversely affected.
Within educational establishments such as schools, colleges and universities, and amongst the millennial generation (those typically below 35 years old), users are now extremely tech savvy and it has become second nature to access applications and data via a host of different endpoint devices and platforms. Students will typically find ways to bypass campus IT security and install or run applications they are more familiar with or prefer using. This ability to bypass IT delivered services and use alternative sources is known as ‘Shadow IT’.
With many games freely available for download from the Windows Store, end-user productivity can be badly affected. The most popular free Windows Store Apps currently include the likes of Facebook, Messenger, Netflix, Amazon and Dropbox – non-productivity apps and apps that can potentially be used as shadow IT to bypass existing IT delivered technologies and security controls already in use within your organization. This could ultimately lead to regulatory compliance issues and security breaches.
When utilizing the Windows 10 Pro Anniversary Edition, the inability to prevent access to unauthorized applications from the Windows Store, especially with the ongoing proliferation of Ransomware and Malware attacks, could also introduce a huge security conundrum for those organizations that have already adopted Windows 10 Pro or were looking to roll this edition out in the near future.
Often, the most hazardous third-party Windows Store Apps do not explicitly contain Malware or Ransomware themselves (so as to pass initial Microsoft Windows Store security checks). Instead, once they are installed, they deliver their lethal payload via links to external executables, built-in app updates or in-app purchases.
With Microsoft AppLocker and Windows 10’s Group Policy security settings now only supported on Enterprise and Education editions, how do Windows 10 Pro customers go about securing the Windows App Store and preventing these types of applications from being installed or run?
Microsoft suggest it’s still possible, using Group Policy, to ‘filter’ which third party applications are displayed to end-users through “store suggestions”, but this still wouldn’t completely stop those applications from being accessed and installed on Windows 10 Pro endpoints.
So, step up to AppSense Application Manager. A marriage made in heaven.
How can AppSense Application Manager help?
AppSense Application Manager has the ability to easily control which Windows Store Apps are allowed to be run or installed based on simple, context-aware rules.
These rules can be based on Groups, Users, Devices, Processes or even custom rules to target specific scenarios as to when users should or shouldn’t be allowed access to specific Windows Store Apps.
Through simple whitelisting and/or blacklisting techniques, IT admins can now lock down Windows 10 Pro Store Apps within seconds, securing endpoints, eliminating shadow IT, preventing unlicensed software from being utilized and ensuring regulatory compliance.
In addition, AppSense Application Manager’s unique Trusted Ownership Checking capabilities mean that if an official Windows Store App does attempt to deliver a Malware or Ransomware payload via an update or in-app purchase, it is instantly prevented without the need for IT intervention.
How this works is if a standard user copies, downloads or attempts to install any unauthorized executable, they take ownership of that file (via NTFS permissions) and it’s instantly blocked because the user in question is not a Trusted Owner. This means IT admins don’t even need to know the name of the executable the user is attempting to install or run.
If the application is attempted to run directly from the Internet, an email attachment or from a non-local drive, it is also instantly denied.
Alternatively, if the application is installed, and hence owned, by a Trusted User, e.g. an Administrator or other Trusted Installer account, then the application is allowed to run by default for everyone, unless stated otherwise. This reduces the IT burden of maintaining complex whitelists and blacklists and frees up IT admins to concentrate on more urgent tasks, while maintaining the highest level of endpoint protection.
These capabilities help protect the Windows 10 Pro environment from unnecessary applications and content, thus improving user productivity and ongoing user experience. It also provides the deepest level of security for your Windows 10 Pro endpoints and ensures Malware and Ransomware, which may have already circumvented your installed anti-virus and perimeter security, is stopped dead in its tracks.
Lock Down Security with AppSense Application Manager
AppSense Application Manager ensures a consistently good user experience and helps improve end-user productivity and increased security for organizations that choose to adopt Windows 10 Pro.
It ensures IT departments can lock down Windows 10 Pro images and guarantee only IT delivered applications and Windows components are allowed to be accessed by users. This eliminates user introduced shadow IT, which may otherwise have been used without explicit organizational approval.
Endpoints are protected from malicious Windows Store Apps and other, unauthorized Win32 applications, improving security and compliance while eliminating the IT burden of maintaining complex whitelists and blacklists.
AppSense Application Manager avoids putting Windows 10 Pro roll-outs on hold due to concerns with security features being removed from the Anniversary Update edition.
For organizations still looking to upgrade to Windows 10, AppSense Application Manager eliminates the requirement to upgrade to the more expensive Enterprise edition – so as to make use of the built-in Windows Store controls – and instead allows IT to lock down Windows Store Apps and other Win32 apps in Windows 10 Pro, thus reducing both costs and complexity.
Organizations now have a compelling reason to celebrate the Windows 10 Pro Anniversary update - by utilizing it without fear of opening the door to new security risks.