
Microsoft no longer allows admins to block Windows Store access in Win10 Pro - walterbell
http://www.zdnet.com/article/microsoft-no-longer-allows-administrators-to-block-windows-store-access-in-windows-10-pro/
======
Someone1234
If Microsoft wants SMBs to use Enterprise then make the Enterprise edition
more easily available to SMBs, don't try to force them to move to it by making
petty little changes to make their life more difficult.

I can go on the Google Apps website right now and buy myself seats with a few
clicks and a few minutes. If I want to buy Windows Enterprise licenses it will
take weeks, cost an unclear amount (at the onset), and I'll have to
talk/negotiate with pointless sales drones.

I worked for a startup, under 20 machines, I tried to buy then Windows 7
Enterprise. Microsoft's partners were super unhelpful, disinterested in a
small account, refused to provide clear pricing, and I was getting upsold even
before we got the basics squared away ("I'll just add on 20 CALs, a Windows
Server license, and let's talk exchange!"). Ultimately we just gave up, and
used Windows 7 Home(!) for three years.

People want to give Microsoft money, but Microsoft is intent on making the
entire thing as painful as possible and their licensing as obtuse as possible.
Office 365 Business gets a lot of shit, but it is a dream come true for
startups, you pay one cost, and one user gets their Office license key, email,
and some cloud storage taken care of.

Where is the Windows version of Office 365? Why can't I just pay a per user
fee and get one Windows Enterprise key, the CAL, and Azure-based AD?

Time is money, and Microsoft likes to waste a lot of time. I'd prefer to spend
a few dollars more a year and have a simple streamline process of licensing,
than spend weeks being jerked around just to maybe get a few bucks off of a
fake price anyway.

~~~
jrcii
I lived through the exact same disaster. I spent HOURS on the phone trying to
acquire a license for Windows 7 Enterprise, I needed it for Hyper-V.
Microsoft's main number, dead-end IVR system. Tried the Microsoft Store, they
routed me to the dead-end IVR system. 50 or so minutes after my initial
attempt I got some person that could barely speak English from India routing
me to a voicemail, a couple of times Microsoft's phone system plain hung up on
me after having me on hold for 20+ minutes.

Eventually I got some person at a Microsoft Store felt bad about the whole
thing and took 2 days to get a number for a rep a CDW who could get me the
price. That rep didn't have the price, but took my information after a 15
minute call and promised to get it to me. When she did days later, she
couldn't give me a final price because she forgot I needed a user CAL and a
remote access CAL. When I went to make the final purchase, she said oh,
actually we can't do it because Microsoft won't sell the Windows 7 license
anymore only Windows 10.

The whole process made me feel like I was losing my mind.

~~~
hackuser
Unfortunately, that is common with many large companies, including Microsoft.
I've practically begged them to take my money but sometimes nobody seems to
know how to do it.

~~~
criddell
In the past I've heard that if you need an XP license and Microsoft won't sell
one, installed a pirated version of XP and then let it do it's genuine windows
check, which will fail. Right after it fails, you are given a way to actually
pay for a license. I'm guessing this no longer works, but it did for a while.

~~~
emoore84
And even they have not supporting Windows XP now. I have used Windows 7, 8 and
Windows 10. But still loves XP.

Nobody knows what Microsoft wants to do, they have Acquired Nokia but nothing
goes well.

------
camperman
I always snigger at the formula of Microsoft's public statements. You just
know that in the first paragraph it will claim - disingenuously - to be doing
the exact opposite of whatever it's accused of. And sure enough the very first
sentence is:

"Microsoft is focused on helping enterprises manage their environment while
giving people choice in the apps and devices they use to be productive across
work and life."

You can take this sentence, and without knowing any other details at all,
figure out that the company is somehow preventing enterprises from managing
their environments properly or restricting app and device choice or both.

~~~
CaptSpify
I find this true of most company taglines. "We have the highest rated customer
service" = We have shitty customer service.

I think the people who write this stuff are usually presented with "Here's the
bad parts of our reputation. Make sure your blurb fixes that"

~~~
tokensimian
Probably something like, "we took a survey. Here's what our customers /
prospects said is important to them."

If a company has poor customer service, byzantine purchase process, etc., that
stuff will crop up.

Then again, so will all the standard things -- trust, etc.

------
drglitch
Microsoft enterprise/SMB sales process (via channel partners) is a laughable
disaster.

Recent task: Run a Windows Server VM on Azure, with 4 remote desktop users
connecting in.

Result: almost a MONTH of back and fourth with THREE different MSPs since none
of them knew details of proper licensing. In fact, even Azure support did not
know licensing terms and said just to contact the MSPs, who in turn advised we
contact Azure support. In the end, after a couple of days of googling and
reading obscure MSDN entries, we THINK we got the right licensing approach.

Oh, and total cost difference between different MSPs on even such a small
order was over 40%.

Sadly, its currently a classic example of "please take my money" and the
company doing everything in their power not to. Until microsoft clears up
their licensing terms and makes pricing transparent, they will be hated.

~~~
rjbwork
I'm slightly confused...you think the multiple users RDPing into it will cause
an increase in cost if you go 100% legit? The price of the windows OS is
priced into the Azure hosting costs. Windows vms are a bit more expensive than
linux ones for this reason.

~~~
taspeotis
Remote Desktop on Azure is a bit of a licensing nightmare. See this [1] old
blog post:

> Effective January 1, 2014, Volume Licensing customers who have active
> Software Assurance on their RDS User CALs are entitled to RDS CAL Extended
> Rights, which allow use of their RDS User CAL with Software Assurance
> against a Windows Server running on Windows Azure

Licensing costs for Remote Desktop Services (not Azure RemoteApp) is not
built-in to the virtual machine pricing.

[1]
[https://blogs.msdn.microsoft.com/luispanzano/2013/07/15/remo...](https://blogs.msdn.microsoft.com/luispanzano/2013/07/15/remote-
desktop-services-are-now-allowed-on-windows-azure/)

~~~
rjbwork
So... does that mean you can't RDP into your machine to do administrative
stuff?

EDIT: Oh i see, ONLY administrative stuff if you need more than 2 users.

~~~
taspeotis
The admin. connections are free of licensing restrictions, anything beyond
that is a PITA (on Azure).

------
GigabyteCoin
And this particular sysadmin-for-my-family will no longer allow windows to be
installed on any of our computers whenever they are in need of a reinstall.

Windows is becoming more and more like Facebook. Too many users changed a
setting you don't agree with? Just block access to that setting or call it
something else to confuse enough people to the point that the numbers are
"good enough" for management.

Almost every time I visit my parents, my mother's Windows 10 laptop has
reverted at least one of the changes I have made.

I used to keep a copy of Windows available via dualboot on all of my laptops,
just in case I needed to print something in a remote location where whichever
flavor of linux I was using didn't support. Not anymore. Linux Mint serves
that requirement just fine.

~~~
cm2187
One thing that windows 10 absolutely hates users changing is firewall rules. I
regularly see my custom rules disappearing. This is _unacceptable_.

~~~
manigandham
The windows firewall is also tied into pretty much everything in the system,
disabling that service messes with lots of stuff, like installing fonts:

[http://superuser.com/questions/957907/unable-to-install-
font...](http://superuser.com/questions/957907/unable-to-install-fonts-on-
windows-10)

~~~
userbinator
That sort of completely insane dependency deserves a specially enunciated
_WTF!?!?_

I would not be surprised if somehow installing or opening a font was tied into
some sort of telemetry system (or maybe DRM-ish licensing crap) that requires
Internet access in some way or another. Unbelievably scary and deeply
disturbing.

------
FuriouslyAdrift
We are tied to Microsoft due to a multi-million dollar ERP. I have frozen at
Win 8.1 (software assurance contract). I love server and maybe once Server
2016 is out this Fall/Winter, I can circle back around but the 2 Win10
machines we have (one is mine) tripped every security protocol we have (we do
some stuff for foreign and local defense contractors). Thi sis the enterprise
edition. In the end, I block a few thousand domains and entire netblocks
within and without our networks which completely breaks Cortana, Store, etc.
along with just about every Microsoft website. It's a pain. I'll be moving
back to DragonflyBSD ASAP on my desktop and running VM's whenever I need to
hop into Windows.

~~~
CyberDildonics
You should put something out saying what you've blocked, I'm sure many other
people want to do the same thing.

I don't know when I'll be able to get off of windows, but I do know that my
next computer won't run it on the bare metal. I plan on getting a CPU with
good virtualization (non 'k') and only ever running windows inside a VM.
Things had already gone too far about 5 revelations ago.

~~~
Namidairo
The Intel CPU's with unlocked multi's have had VT-D for a couple iterations
now. They're still useless if you have zero plans to overclock. (Even more so
now they don't even come with stock coolers anymore.)

------
hackuser
I want devices that I, the owner, control, whether I'm a small business or
enterprise or individual. This is important for many reasons, from security to
freedom-to-tinker to using the device I own in the way I want.

It was once an accepted standard in IT. Now, can anyone name a current
handheld or desktop system that provides end-user control?

If you don't think security, including privacy, is important, consider what a
U.S. president with fascistic tendancies would do with all this access to
citizen's devices and data (and how many companies would risk their
enterprises when he leaned on them?).

~~~
794CD01
Most things that were "once an accepted standard in IT" are horribly insecure.
The end user wanting a system he/she controls is very much one of them.

Microsoft taking away control from users, especially when it came to forcing
them to take updates, is probably the biggest change they could possibly have
made to improve the overall security of the internet.

~~~
unprepare
are you under the impression that automatic security updates is what people
dislike about windows 10?

Its mostly the:

telemetry

openended ToS

poor upgrade/reinstall behavior resulting in lost licenses

overly complicated licensing structure (with articles like this showing the
professional license feature set degrading over time)

forced integration of unrelated products (cortana, bing)

integration of advertising into the OS (lockscreen and wallpapers)

lessening control enterprises have over their systems

~~~
mynameisvlad
Full disclosure: I work at Microsoft but outside of Windows.

> poor upgrade/reinstall behavior resulting in lost licenses

I have never experienced this. If you bought Windows 10 straight up (or your
computer came with one) then you have a product key you can use, just like
before. If you upgraded from 7/8 or are in the Insider Program, then you get a
digital entitlement to your Microsoft account which gets restored
automatically when you next sign on. [http://windows.microsoft.com/en-
us/windows-10/activation-in-...](http://windows.microsoft.com/en-
us/windows-10/activation-in-windows-10)

> overly complicated licensing structure

There are two editions for consumers: Home, and Pro. With the differentiator
being fairly clear from the name alone (home is for home users, pro gives you
things you aren't going to ever use at home but might at work, like AD join).
There are other editions like Enterprise and Education, but an end user will
never even see them.

> forced integration of unrelated products

Cortana _is_ a part of Windows. It started as a Windows Phone feature, and got
brought over to desktop. There's nothing unrelated about it. Bing is
integrated to Cortana because that's the backend powering it. It's like how Ok
Google uses Google on Android. Using a third party provider would not give
nearly the amount of insight it currently has, since the two teams can work
together to improve results and the overall experience.

> integration of advertising into the OS (lockscreen and wallpapers)

Spotlight has shown _one_ ad that I am aware of (Tomb Raider). Otherwise, it
gives you curated images rotated every so often. Your wallpaper does not
change, that is not a feature of Spotlight. It's also completely disableable;
you just set your own image.

~~~
tdkl
> It's also completely disableable

How about being opt-in?

Can we please just give you money and have a edition of Windows 10 LTSB for
consumers where you don't have to wrestle with all this crap?

Also will this "surprise motherfucker" style of updates continue when the free
update period runs out in July 2016 and MS starts charging money? Because if
it won't, get prepared for some heavy legal action.

~~~
mynameisvlad
I believe Windows 8 introduced the group policy to set a default lock screen
image ([https://technet.microsoft.com/en-us/itpro/windows/whats-
new/...](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-
spotlight)). Since Enterprise is the only LTSB SKU, I would assume some sort
of group policy is also being deployed. Wouldn't be too hard to set that
policy up, which disables Spotlight automatically.

------
TheRealDunkirk
The ball is back in Apple's court. They seem to take the end user more
seriously, but they've been mixed. I made a comment taking Microsoft to task
when their surreptitious telemetry came to light, and someone pointed me to
proof that Apple was doing about the same thing. This is Apple's chance to
continue to distance themselves from their competition. They've done well
standing up for privacy, with the recent FBI demand to decrypt iPhones, but
this is a chance to go further.

Man, I really wish Google would release their desktop Linux. Ubuntu is OK, but
someone with pockets like that could finish the job, and make a credible,
consumer-accessible, 3rd alternative to keep BOTH #1 and #2 on their toes. If
I could just run Linux-supported games with the same performance as under
Windows -- I'm not even talking Windows games under Wine -- I might finally
get rid of my Windows partition to get away from such things. Valve has got to
be working on a Linux distro, which they will release on their SteamBox (along
with Half-Life 3, mark my words), but who knows when THAT will be.

~~~
Grishnakh
>They seem to take the end user more seriously

Unless you're trying to keep music on your computer and use iTunes, in which
case they upload all your music to the cloud and delete it off your PC.

>Man, I really wish Google would release their desktop Linux. Ubuntu is OK,
but someone with pockets like that could finish the job, and make a credible,
consumer-accessible, 3rd alternative to keep BOTH #1 and #2 on their toes.

Have they actually talked about doing this?

It really wouldn't take much to make a "credible, consumer-accessible" version
of Linux. Most of the pieces are already present, and Linux Mint for instance
is already very easy for a non-expert to install and use. The main problems
are 1) graphics drivers for non-Intel chips and 2) software compatibility.
Lots of games already work on Linux thanks to Steam. A little more work with
WINE maybe, and some improvements to Nouveau, and some more polishing and
you'd easily have something that a casual PC user can install easily and use.
It'd probably help too if they finally finished Wayland and got the whole
systemd thing settled. Then they'd just need to use their influence to push
other companies to do their part, such as stupid printer manufacturers who
don't make Linux drivers for their winprinters (not a problem for good
printers, but for the cheapo inkjets it still is).

Hoenstly, I find it pretty disappointing that Red Hat hasn't done more in this
area, particularly considering they're the ones who created systemd and employ
many Gnome3 devs. You'd think they'd be pushing corporate Linux desktops hard,
but they don't seem to be.

~~~
TheRealDunkirk
> I find it pretty disappointing that Red Hat hasn't done more in this area

Me too. Especially now that the 2 things that kept Linux from being a player
in the corporate space were 1) Office, and 2) Exchange. Now you can get Google
Apps or iCloud or any of a number of hosted applications for these things.
Unfortunately, the last time I tried Fedora, a couple months ago, I got a
couple of cryptic selinux-related errors, and quickly decided "ain't nobody
got time for that," but if a company would get serious about an image (as they
do for Windows, anyway), the path is wide open for a Linux desktop in the
enterprise, at vast cost savings.

------
rchowe
The reasoning behind this made a lot more sense to me once I started to do a
back-of-the-envelope calculation.

There can't have been that many end users who had Windows 10 Pro and went into
group policy to turn off the store. So you're looking at small businesses who
were using PCs with Win10 Pro on them (likely that came with the PC) that
_were_ turning off access to the store but can't any more. The IT admins for
these companies are the people Microsoft wants to upsell.

Lets say that there are 500 businesses who care about this feature each with
an average of about 20 PCs (probably a high estimate for PCs, low estimate for
number of businesses). That's 10000 PCs that Microsoft could potentially
convince to upgrade, at (a quick guess based on Google) $120/PC, to Win10
Enterprise, or a potential $1.2M more in revenue that doesn't cannibalize one
of their other businesses (assuming more changes to differentiate Pro vs
Enterprise). Probably the people who will upgrade are people with factory
computers running Win10 Pro.

And for people that don't upgrade, they get to promote their app store. Win-
win.

~~~
fweespee_ch
> Microsoft has retroactively removed the ability of companies to turn off
> access to the Windows Store in its Windows 10 Pro version.

Yes but by "upsell" you mean "extort by way of feature removal after the
product was purchased".

~~~
rchowe
I suspect that the removal is actually an artifact of them saying that later
versions of Windows will be incremental updates to Windows 10. Normally they
would just wait until Windows 11 to make the change, but since they can't do
that any more, they just roll it out in an update.

Yeah it was a bait-and-switch for small businesses.

------
overgard
Who would have thought that an update policy that allows a corporation to
silently update your computer whenever they feel like it would be abused?

------
chris_wot
So basically, what Microsoft are really doing is forcing admins to block
access to the app store through their firewall or proxy. Or setup local
workstation's firewall via Group Policy - to block their app store.

Or remove the app store entirely, which is technically possible as it's not an
essential part of Windows. (if it is, then I invite them to review the times
they were forced to state that Internet Explorer was an essential part of
their operating system during anti-trust...)

I don't think they've thought this one through very well.

------
jalami
Microsoft isn't the only guy doing this. I understand enterprise/professional
customers have gotten exceptions for years, but for everyone else this is
common practice on almost all other platforms. I still think it's a bad
practice.

Microsoft is just following the other companies that are _winning_ and somehow
doing so without pissing their userbases off. Their main asset, as I see it,
are people that cannot or will not switch. So as it is for most companies with
a semi-loyal userbase: lock it down before the garden empties too much.

IOS has an appstore, Android has an appstore, Mac has an appstore, Chrome has
an appstore, Firefox has an appstore, Ubuntu kind of has an appstore. Firefox,
iOS and Chrome don't allow you to install outside of their appstore without
running different builds. Android makes it difficult, removing it is even more
difficult and you lose half your phone in the process. Sure there's homebrew,
f-droid, cydia and chocolatey for hackers, but that's a tiny subset. Windows
really wants control like everyone else. The internet has changed a lot since
the decentralized software and hardware days Microsoft is used to. Microsoft
doesn't get to sell their user metrics, control what users install on their
systems or where they're installing from. They don't get to charge uploaders
or put fees on downloaders/purchasers. The Windows store is pretty much a flop
at this point, but they want it to be the canonical way to install software on
Windows like every other platform.

Not a Windows problem really, they just get the negative press that every
system should get for trying to force people into a garden. If it gains steam
years down the road, I could see them pull a Firefox and lock down external
installs without 'approval' for security.

Just a few weeks ago I bought a Microsoft Miracast dongle, OS independent or
so it claimed. Only way to configure it was to have a Windows10 computer and
download the driver/configuration software from their Appstore. I no longer
own it. I really don't think this is an isolated problem though.

Edit: Clarification

~~~
Kristine1975
>iOS ... don't allow you to install outside of their appstore without running
different builds

At least companies apparently can create their own appstore for their custom
apps:
[https://developer.apple.com/programs/enterprise/](https://developer.apple.com/programs/enterprise/)

~~~
jalami
This is true, but it still costs you 300 dollars a year, uses the same
mechanisms the market uses (no loose .ipas) and you have to give lots of
trackable info to Apple (company info, devices, apps, update/use metrics).
It's all centralized too, so if they change their policy (like go back to the
>500 employee rule) or don't like an app you're sharing, you might be in
trouble. If Windows can eventually swing even this with their marketplace, I
think they'd be ecstatic.

------
geographomics
You can uninstall it with an administrative Powershell using this command:

    
    
        Get-AppxPackage Microsoft.WindowsStore | Remove-AppxPackage
    

Would this not continue to work?

------
thothamon
Just one more reason for me to avoid Windows whenever possible, for myself and
for my companies.

I grant Microsoft today is a much better corporate citizen than it was 15
years ago, and I appreciate that. But a move like this feels very much like
the bad old days to me.

~~~
CaptSpify
Every time they release a new open-source product, everyone jumps up and down
saying "look, they've totally changed!"

No, unfortunately they haven't. They're just putting on a new coat of paint.
They have improved, sure, but rising one or two levels when you've dug
yourself down twenty isn't actually that much of an improvement.

------
colemannerd
Unlike many comments, I really like this. I think it unthinkable that
businesses reduce employee's productivity by locking down their machine. In
the days when Microsoft wasn't checking the security of applications, this was
understandable. With a managed and secured store, this is security for the
sake of security. If you believe you should disable something just for
security without examing the value of the feature, why are you letting users
access the internet?

~~~
thomnottom
Will Microsoft be sending people over to my office free of charge to handle
technical issues with regard to their store? Can I send over any questions
from auditors and federal regulators concerning user access to their store?

------
tdkl
How can someone still trust MS ?

~~~
askyourmother
We don't. Time to get off that train wreck of a platform!

~~~
arca_vorago
There it is. The vindication I was after. I knew I wasnt just crazy for doing
everything I could to minimize ms in my ecosystem. Personally, I think rms,
gnu, and gplv3 are the way to go. We need to protect user freedoms more than
developer freedoms.

~~~
Grishnakh
It's not users vs. developers, it's users vs. vendors. The devs working for MS
are just hired guns doing what they're told in exchange for a paycheck;
they're not making decisions like this.

~~~
arca_vorago
To the user the dev and the vendor is indistinguishable. Also, Nuremberg
defenses aren't usually the most solid, but I see what you mean.

------
satysin
They should rename it to Windows 10 "Professional" Home Edition

~~~
wvenable
That's actually what it is. Professional is the version for end users, people
like you and me, who want to run more than "Home" on their own computers.

Enterprise is for computers owned by your company.

~~~
cmdrfred
I for one don't find this change very professional. I'd go further and call
anything but enterprise 'Windows 10 Ad Supported edition'.

~~~
wvenable
Being able to install software on your own machine is pretty fundamental. If
it's not your machine, it shouldn't be running Windows Professional.

~~~
chris_wot
Being able to prevent the installation of software is _also_ pretty
fundamental. Given that Professional has Group Policy, it's intended to be
used within a Windows Domain, and to get a Windows Domain you need a server
version of Windows. Which really only businesses purchase.

~~~
wvenable
Yes, professional allows you to attach your own computer to a domain. I guess
Microsoft is pretty confident that store apps are sufficiently sandboxed.

------
bedane
This reminds me of the mandatory updates for the cheapest windows 10 version.

In the era of bloated/invasive OSes and arbitrary pricing according to the
customer's profile rather than according to the value of the product, you
don't pay more for more features.

You pay more for the right to deactivate the unwanted features.

Some day you will have to pay for disabling all the "telemetry" and "unique
advertiser ID" stuff. Or maybe that's already the case, I didn't bother
checking.

------
Esau
I have historically liked Windows but I shudder what is becoming of it. Every
time I turn around lately, Microsoft is taking administrative freedom away
from users and businesses.

------
jheriko
the criticism here is imo unfounded. MS are exceptionally supportive of
developers in my experience, and this feels like part of that.

since blocking access to the store is in fact an enterprise requirement... why
not restrict it to the enterprise edition?

... and besides that. how about employers trusting their employees anyway?

this is much less than what other platform holders have done in this respect
too... Apple being foremost amongst the worst in this category - and yet still
receiving fanboy support to the level of religiosity.

~~~
pritambaral
> MS are exceptionally supportive of developers in my experience, and this
> feels like part of that

That's a reasoning that does not justify the act. "We are friendly to
developers" should not translate to "Users, you don't get to control your own
computers (as much)".

> how about employers trusting their employees anyway?

Wut? That is a terrible argument, it does nothing to contribute to the
discussion – which is about a recent Microsoft act, policy, and behaviour, and
instead tries to swerve the discussion away from it into unrelated,
unagreeable sociological and human-resource-management points.

> is much less than what other platform holders have done in this respect too

Doesn't excuse Microsoft

> Apple being foremost amongst the worst in this category - and yet still
> receiving fanboy support

Are they receiving support _for_ a similar action. Support for an unrelated
action is inadmissible here, because a corporation can be condemned for one
thing and praised for another.

Plus, is it the same people doing both the Apple-praising and the MS-bashing?

------
mtgx
Why even have a Pro version? Just to charge twice as much for BitLocker, which
should be default in every Windows version, just like it is on any other
operating system?

------
hardlianotion
That's - er - disingenuous.

------
venomsnake
Gee microsoft ... if only admins knew that there existed firewalls.

~~~
Zenst
Exactly and indeed would be a flaw if Microsoft's own built in firewall for
windows ignored the users wishes, as that would be a security oversight in
this respect.

------
rasz_pl
No they dont, blocking windows store is one firewall rule.

~~~
jessaustin
It has been some time since I've used Windows in a corporate setting, but ISTM
that just blocking in the network would lead to a degraded user experience and
many more support calls. "When I needed to open this file it opened the
program [because why would a user know that's the windows store and not
something capable of reading their odd file?] and then it just stopped doing
anything!"

~~~
chris_wot
So uninstall it. It's still possible :-)

[https://4sysops.com/archives/how-to-remove-the-store-app-
in-...](https://4sysops.com/archives/how-to-remove-the-store-app-in-
windows-10/)

------
CyberDildonics
How many bait and switches will people put up with?

