Microsoft store inaccessible when connected to GlobalProtect

Done a bit of searching and the issue seems to be documented here: https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/microsoft-store-not-open-domain-joine-computer-vpn

I’ve made the reg change on my laptop and I can access the Microsoft store now. Question for anyone else who has had this issue and implemented this fix - do I also need to specify the IP ranges of my corpnet? Just concerned that if I only specify the VPN range the Microsoft store will work on the VPN, but it’ll be broken for those in the office.

Glad you shared this as we have had an issue with the store and GP for a long time. Finally just said the hell with it.

Anyway, to answer your question, it would not apply to corpnet due to this one sentence.

“While the computer is connected to a VPN connection that has force tunneling enabled, the default gateway IP is set as 0.0.0.0.”

When on your LAN you do not have a gateway of 0.0.0.0.

We had this issue a few years ago and added our VPN subnets to network isolation via group policy as described in the article. The issue only occurs with VPNs that use split tunneling and there’s no need to add your LAN subnets.

Interesting. I actually just addressed this ourselves - it wasn’t this issue though, it was the fact that our “MFA required if you’re not originating from these trusted zones” policy, and the recommended MS excluded from tunneling for their IP ranges, meant that the users were failing to authenticate due to the lack of MFA.

Sorted it for the most part by allowing it from Hybrid-joined devices without MFA. I’ll be doing a more targeted fix using those specific apps and PRTs/user agent fixes along with device registration later.

I addressed this by adding the Microsoft Store app to the split tunneling policy by exe. In case you’re looking for an alternative solution.

Setup GPO: Computer > Administrative Template > Network / Network Isolation

Private network ranges for apps - Enabled

Private Subnets: Use the subnets for the GlobalProtect clients

Subnet definitions are authoritative - Enabled

Edit: Just saw the link that you sent. We have done this and it does fix it.
Edit 2: When you are in the office, it is marked as internal and bypasses the virtual adapters so you won’t have this issue on corpnet.
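
A read-only check for the two Network Isolation settings discussed in this thread, added here as an example and not posted by anyone in the thread. It assumes the GPO writes them under the `NetworkIsolation` policy key as `DomainSubnets` and `DSubnetsAuthoritive`; the function names are made up for the example.

```powershell
# Added example: show which local IPv4 addresses fall inside the policy's
# "Private network ranges for apps", and each interface's default gateway.
# Assumption: the GPO stores its settings under this key as DomainSubnets
# (REG_SZ, comma-separated) and DSubnetsAuthoritive (REG_DWORD).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

function ConvertTo-IPv4Int([string]$Ip) {          # hypothetical helper
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                           # network order -> little endian
    [long][BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InCidr([string]$Address, [string]$Cidr) {   # hypothetical helper
    $net, $len = $Cidr -split '/'
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$len))
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.DomainSubnets) {
    Write-Output 'No private network ranges are configured by policy.'
    return
}

# Keep only IPv4 CIDR entries; IPv6 entries are ignored by this check.
$subnets = $policy.DomainSubnets -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }
Write-Output "Subnet definitions are authoritative: $([bool]$policy.DSubnetsAuthoritive)"

# Default route next hop per interface (the quoted article mentions 0.0.0.0).
$gw = @{}
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    ForEach-Object { $gw[$_.InterfaceAlias] = $_.NextHop }

Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    ForEach-Object {
        $addr = $_
        $hit = $subnets | Where-Object { Test-IPv4InCidr $addr.IPAddress $_ } |
            Select-Object -First 1
        [pscustomobject]@{
            Interface      = $addr.InterfaceAlias
            Address        = $addr.IPAddress
            DefaultGateway = $gw[$addr.InterfaceAlias]
            CoveredBy      = if ($hit) { $hit } else { '(none)' }
        }
    }
```

Running it once on the VPN and once in the office shows whether the office LAN address ends up uncovered once the authoritative setting is on.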

It’s just the ‘Subnet definitions are authoritative’ bit that made me think it will affect normal Network automatic discovery of corp subnets when not on VPN and in office corp environment.
“Turns off Windows Network Isolation’s automatic discovery of private network hosts in the domain corporate environment.”

Is that not the case then and it only affects the VPN subnet defined in the ‘Private network ranges for apps’?

That’s my primary concern too.

Well I implemented it for a subset of endpoints and so far so good, no issues. But hard to confirm as corp office usage is low at the moment.