Managing Windows 8 Apps in an Enterprise

May 10, 2014

With Windows 8, a new type of applications was introduced, Windows 8 APPS.
These APPS behave different than the Windows applications we all know.
Users can install any App from the Windows Store.
In an enterprise, we don’t want certain APPS to be installed.

This article discusses how we can manage these APPS.


Today I’m going to discuss how to:

  1. Manage Start Screen Layout
  2. Restrict Windows 8 Apps with AppLocker
  3. Deploy Windows 8 Apps with SCCM


  • Windows 8 Enterpise version
  • Microsoft Live Account


1. Manage Windows 8 Start Screen Layout

You can preconfigure a Start Screen for your users in Windows 8.

First you need to manually configure the Start Screen Layout:

Then you need to export the Start Menu with Powershell

You can manage Windows 8 Start Screen in 3 ways:

  • Group Policy:
  • Sysprep CopyProfile setting
    • The user can modify the Start Menu Layout, but it’s not possible to update 
  • Copy exported Start Menu Layout in SCCM Task Sequence:
    • The user can modify the Start Menu Layout, but it’s not possible to update


2. Restrict Windows 8 Apps with AppLocker

New with Windows 8 Group Policies is the ability to block or allow certain Apps with AppLocker.
This is configured by Group Policy.

In this example, we will create a white list of applications that are allowed.

On a Windows 8.1 computer with RSAT installed, open the Group Policy Console.
Create a new Group Policy and configure the following policy
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker\Pacakged App Rules –> Automatically Generate Rules…

Click Next

Click Select

Click Next

Click Review the Apps…

Select the default Apps you want to allow

Click Create

The Allow list has been created:


3. Deploy Windows 8 APPS with SCCM

There are 2 different ways to deploy Windows 8 Apps with SCCM:

  • Deploy inhouse developped APP
  • Deploy a Store APP 

Deploy inhouse developped APP
If you want to deploy an inhouse developped APP, you just need to import the APPX file into SCCM

Deploy a Store APP
If you want to deploy a Store APP (also called Deeplink), you need to import the APP from a computer that has this APP installed, and deploy it.

In this article, we’re going to DeepLink a Store APP.

First you need to manually install the APP on a Windows 8.1 reference client by using the Windows Store.
In this example, we will install the Lync APP.

Remark: You have to exclude the AppLocker policy on this computer

Import this new APP in the AppLocker Group Policy.
We need to add this APP to the Allow List.
In the AppLocker Group Policy, click “Create New Rule…”

Select the installed Lync APP

If you slide up the bar as in the screenshot , all versions of this APP are allowed
Click Next Next Create…

Lync has been added to the allow ist

Once the APP has been installed, import this APP in SCCM.

In the SCCM Console, go to Software Library –> Application Management –> Applications –> Create Application

Select “Windows app package (in the Windows Store) –> Click Browse

Enter the computer name where Lync is installed, click Connect.
Select the Microsoft Lync APP, click OK
Click Next

Click Next

You can change the name to a more readable name for the end user, click Next

Click Next

Click Close

Now the APP can be deployed to a usergroup.
If the deployment is set to available, the user can install it from the SCCM Application Catalog:

Click Yes

The Windows Store will automatically open to the correct APP, the user just needs to click Install