Microsoft Store does not open after a domain-joined computer makes a VPN connection

Applies to: Windows 10

Symptoms


Assume that you connect a domain-joined Windows 10 computer to a VPN connection that has force tunneling enabled. When you try to open Microsoft Store, it does not open, and you receive a "This page failed to load" error message.

If you do one of the following operations, Microsoft Store opens as expected:

  • Disconnect the computer from the domain, and then connect to the VPN connection.
  • Connect the computer to a VPN connection that has force tunneling disabled.
  • Turn off the Windows Defender Firewall service, and then connect the computer to the VPN connection.

Cause


The Microsoft Store app uses a security model that depends on network isolation. Specific network capabilities and boundaries must be enabled for the store app, and network access must be allowed for the app.

When the Windows Firewall profile is not Public, there is a default block rule that blocks all outgoing traffic that has the remote IP set as 0.0.0.0. While the computer is connected to a VPN connection that has force tunneling enabled, the default gateway IP is set as 0.0.0.0. Therefore, if the network access boundaries aren't set appropriately, the default block firewall rule is applied, and Microsoft Store app traffic is blocked.

Resolution


To fix this issue, follow these steps to create a Group Policy object (GPO):

  1. Open the Group Policy Management snap-in (gpmc.msc), and open the Default Domain Policy for editing.
  2. From the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Network, and then select Network Isolation.
  3. In the right pane, double-click Private network ranges for apps.
  4. In the Private network ranges for apps dialog box, select Enabled.
  5. In the Private subnets text box, type the IP range of your VPN adapter, and then select OK.

    For example, If your VPN adapter IPs are in the 172.x.x.x range, add 172.0.0.0/8 in the text box.
  6. Double-click Subnet definitions are authoritative, select Enabled, and then select OK.
  7. Restart the client to make sure that the GPO takes effect.

After the Group Policy is applied, the IP range that was added is the only private network range that is available for network isolation. Windows will now create a firewall rule that allows the traffic, and will override the previous outbound block rule with the new rule.

Notes

  • When your VPN address pool range changes, you should change this GPO accordingly. Otherwise, the issue will recur.
  • You can push the same GPOs from the DC to multiple computers.
  • On the individual computers, you can check the following registry location to make sure that the GPO takes effect:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation

More information


You can use the "checknetisolation" built-in tool to check the network capabilities. When the computer is connected to the domain profile and VPN force tunneling, the internetclient and internetclientserver capabilities aren't active. For example:

C:\Windows\system32>checknetisolation Debug -n=microsoft.windowsstore_8wekyb3d8bbweNetwork Isolation Debug Session started.Reproduce your scenario, then press Ctrl-C when done.      Collecting Logs.....Summary ReportNetwork Capabilities Status----------------------------------------------------------------------    InternetClient                Not Used and Insecure     InternetClientServer          Not Used and Insecure     PrivateNetworkClientServer    Missing, maybe intended   Network Capabilities Status----------------------------------------------------------------------    InternetClient                Used and Declared    InternetClientServer          Not Used and Insecure


Note On the same client, if you remove the computer from the domain or disconnect the VPN, you can see that internetclient is being used.

For more information, see Isolating Windows Store Apps on Your Network.