Firewall block rule for store apps for specific user group

I think you mean managing the firewall by GPO. There is no 'GPO firewall'. I see you crossed that out and so I'm presuming you know that. Just so you're not confused. You can do it by setting individual rules. Although you can also configure your HOSTS file to block particular IP addresses known to connect out. You will need to reveal hidden files/folders followed by changing ownership of the folder 'WindowsApps' to yourself in order to gain access to the folder where the apps are stored, if you want to go about creating individual rules. Now you'll need to perform ownership change (make sure it is recursive so that you're not doing it again and again as per folder). So basically you'll have to replace owner on subcontainer and objects. The 'WindowsApps' folder is in Program Files directory. By default you will be locked out. Do this and you should see the changes being made in real time followed by access to the folder.

You can then reference the subsequent folders and add firewall rules as required. If you want to block Windows Store app you can do the same as above but just block the app itself. You can also run Powershell scripts to remove the app itself with something like this

Code:

powershell -command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

. All that is happening there is you're executing Powershell, providing an option followed by commands that fetches app information based on the argument provided. This is then piped into a final command which runs on the last argument provided. Microsoft Store should now be disabled.

Or simply you can remove all apps (I know, extreme, but it is helpful in some cases) with something like this:

Code:

powershell -command "Get-AppXPackage | where-object {$_.name -notlike '*store*'} | Remove-AppxPackage"

Now there's no Windows apps installed. You can run Powershell commands manually to install them as and when necessary though. To reinstall them Windows Store works with a manifest that tells it what is installed by default. You can use this to then reinstall apps with something like this:

Code:

Get-AppXPackage -allusers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Here you're just running a command followed by an option piped into a conditional statement followed by what is to be ran based on that statement, which is essentially all apps being reinstalled based on the app manifest. I personally find it easier just to uninstall the apps I don't want instead of creating firewall rules. You can also block Windows from installing apps automatically installing with regedit entries to ensure they aren't installed at a later date should you delete them.

Thank you for your reply, but the problem is that I have no exclusive control over systems which will be using my firewall setup, ex. I can't decide to remove or disable store apps. that's up to user who own the OS.

My job is to define rules based on installed software, I know we can define individual rules for individual store apps for individual user, but problem is that if there are ex. 8 users on system with approx 30 apps per user then this means 8 x 30 = 240 rules just to control store apps.

That's not acceptable because of firewall performance in first place and then maintainability of rules in second place.
That's why I seek a rule that blocks apps based on user group not single user.
Or at least a rule for individual apps that apply to multiple but not all users, that's fine too.

I understand store apps are isolated per user and that's why rules must be specific to user too, which is really horrible design if you ask me regarding firewall rules, so I'm hoping someone knows the solution, I mean there must be solution to this problem.

Why would we need to define several hundreds of rules to control apps network traffic? that's insane!

I'm using PowerShell for this job, so the possible solution is not limited to firewall GUI.