Microsoft Store: install Apps for domain accounts despite WSUS


Windows 11
Hi All,

I have a problem and I'm looking for some good advice.

At work, we (Company A) have a classic (not cloud-based) Active Directory structure which is not directly managed by ourselves, but by another organization (Company B), which works for us (this approach cannot be changed!).

Sometimes (but not too often!), we can ask this IT organization (Company B) to make some changes in the settings they apply to us (e.g. the group policies), in order to accommodate our needs.

System and security updates are currently managed by Company B through a WSUS server (this approach, in general, cannot be changed either), and after our Windows (mainly 10, but hopefully soon 11!) clients are domain-joined, it looks like it is not possible to install any App through the Microsoft Store anymore (it "downloads" some 65 KiB "header" and hangs forever, and temporarily operating with a local administrator account isn't of any help!).
  • (please note that if I disjoin from the domain, downloading from the Store works again!)
I believe the culprit is the WSUS, since in the past (but always inside the same organization!) I was not able to install (e.g.) RSAT either, but after I (temporarily) applied, properly configured, the following (local) group policy to my work (domain-joined) PC...

(Policy A)
Computer Configuration → Policies → Administrative Templates → System → Specify settings for optional component installation and component repair

... I (temporarily) bypassed the WSUS and then RSAT (and .NET, and so on) installation worked well for me (I'm an IT too, but "of another kind": I can only "suggest" group policies and settings, not directly manage them).

I'm looking for something similar to Policy A, but related to the Microsoft Store, not to the optional features.

Let me explain myself better:

In general, we're "happy" with this (unexpected and not planned) WSUS behaviour, since it also "prohibits" our users from installing unwanted Apps from the Microsoft Store, but sometimes we'd like to overcome this "limitation", since we could feel the need to provide our users with Apps distributed through the Microsoft Store only (e.g. the NVIDIA control panel, and maybe a lot more in the future).

I've found some "hints" online (e.g. here, here and here), but it feels strange to me that this problem still doesn't have a "common", widespread, solution online.

Given our internal needs, I think the "best" approach would be to temporarily apply some "kind of" (Policy A), but related to the Microsoft Store, if it exists! (since I personally didn't find any reference online), not to the optional features, without asking our (Company B) IT managers to disable and re-enable the WSUS way-on-the-go (it would be impossible!).

A sidenote:

I'm aware we could also disjoin our clients from the domain, install the Store Apps directly through the Internet and then re-join, but...
  • ... this would be inefficient (delete the AD PC objects, recreate the objects, wait for AD replicas, since the DCs are elsewhere, manage trust-denied issues, etc. ... all of this for each of almost 500 clients?)
  • (moreover) ... if I need to install an App from the Store for a domain user account (which maybe already has a local profile created on a specific PC), I can't log in and perform the installation with that domain account while the PC is disjoined from the domain, right? (I also don't think Windows allows some kind of "sudo anotheruser" approach...)
    • (BTW, is it possible to "provision" an App from somebody else's account, e.g. install an App from the Store for the user DOMAIN\User by acting with the identity LOCAL\Administrator?)
      • or, better, is it possible to install Store Apps system-wide? (in that case, LOCAL\Administrator might already have the App installed pre domain-join, in absence of the WSUS...)
Does anybody have a suggestion about a "good" way to proceed in bypassing the limitation described above?
  • (Company B doesn't know of a specific GP dedicated to the Store to bypass WSUS, but I think sometimes power users may "know better" than ITs that can't always, or don't always want to, afford to "study" and "experiment"...)
Many thanks.

Sorry if this is the wrong post area, I didn't find anything more related to the Store and/or the GPs...

Happy Easter to Everybody!

