Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, March 16, 2016 1:24 PM | 1 vote
We use WSUS to provide windows updates, and prevent clients from going direct to Microsoft via the policy setting that disables that (DisableWindowsUpdateAccess is the registry key it sets). In part this is to ensure that our Win10 installs never upgrade to newer builds via windows update, but only do so through our own mechanism where we can use a customised image to upgrade them, and have wrapper scripts to automate the process and preserve settings that don't otherwise survive the process.
We're also disabling the store by default, but had intended allowing a small number of users the option of turning it back on again. Disabling it is done by setting the RemoveWindowsStore registry key, and we had intended then providing a way for particular users to get rid of that key on their device.
This works up to a point, but it appears that disabling direct windows update access to Microsoft also has effects on the store, and makes it unusable.
Can someone confirm that this is in fact the case, and offer any suggestions as to possible workarounds for a subset of users to have windows store access on machines that update via WSUS?
(I suspect there aren't any, and the answer to the above is simply "do not use the store".)
All replies (7)
Thursday, March 17, 2016 4:12 PM | 1 vote
Hi,
As I know, WSUS can get and approve Store app update, but it's only for computer group, not for user groups.
You can create an OU and put the users you wouldn't like to block the store app update, then linking the GP settings of DisableWindowsUpdateAccess to the domain excluding this OU.
http://www.tecmint.com/creating-organizational-units-and-enableing-group-policy-in-zentyal/
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Monday, March 21, 2016 4:27 PM | 1 vote
This isn't the kind of environment where I get to choose what OU a user goes in. Users are created, moved and deleted within AD via automated processes, so manual changes like that would not be a good idea.
In any event, that appears to be a way of defining a subset of users who are allowed to bypass our WSUS servers and go direct to microsoft for updates. But, we don't want to make any exceptions to that, we just wanted a subset of users to be able to access the store.
Even if they access the store, we will want to ensure, absolutely, that they do not obtain upgrades to later builds direct from Microsoft.
So the question, really, is: Is it possible to use the store while DisableWindowsUpdateAccess is set?
Wednesday, March 30, 2016 6:10 AM | 1 vote
This isn't the kind of environment where I get to choose what OU a user goes in. Users are created, moved and deleted within AD via automated processes, so manual changes like that would not be a good idea.
In any event, that appears to be a way of defining a subset of users who are allowed to bypass our WSUS servers and go direct to microsoft for updates. But, we don't want to make any exceptions to that, we just wanted a subset of users to be able to access the store.
Even if they access the store, we will want to ensure, absolutely, that they do not obtain upgrades to later builds direct from Microsoft.
So the question, really, is: Is it possible to use the store while DisableWindowsUpdateAccess is set?
In my experience, this policy will not block user to use Windows Store.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Wednesday, March 30, 2016 9:24 AM | 1 vote
This wasn't a hypothetical question - we were trying to work out why the store doesn't work.
I have a machine here running CBB 10586, joined to our domain, logged on as my domain account. I re-enable the store and reboot. I go into the store, pick a free app, and am asked to sign in to the store with my Microsoft account. I do so. I click again to download the free app (the solitaire collection in this case), and get:
Try that again
Something went wrong
The error code is 0x80248014, in case you need it.
This is a fresh install, the store has not been used on this PC before. You can retry and reboot as much as you like and the above error remains the same.
I delete the DisableWindowsUpdateAccess key, reboot and try again. On going back into the store, all now works, and the solitaire collection downloads and installs without errors.
This points pretty strongly at the DisableWindowsUpdateAccess key as preventing the store from working. If there are other factors, we haven't found them. And that key must be set on our production machines. Unsetting it on a scratch machine that I'm going to wipe and reinstall anyway is fine for testing, but not on a production system.
So, any suggestions for how the store might be made to work even with that key set?
Anything we could do at our WSUS servers?
Sunday, May 15, 2016 12:56 PM
Same problem here!
Monday, June 20, 2016 9:07 PM
Hello,
I had the same issue on my test domain. After reviewing my own WSUS settings, I notice I have enable the option "do not connect to any Windows Update Internet location", thinking it was only focusing on Windows Update Agent. As I'm french, I don't read at the notice before meeting problems :) Reading at it, I suddently realize that will also block access to the Windows Store... Gaps, could avoid it if I had a little though before acting :)
For those who want to block the internet access for update anyway like here, I'll suggest to create a separate GPO which will modify the settings and filter it on a group object. Applying then the GPO after the "standard" one will make the deal.
Enjoy!
Tuesday, April 16, 2019 8:15 AM
Sir you are a genius. That one little setting has fixed over a week of stressful googling for answers to why can't we get MS Store to work.