If you connect a domain-joined Windows 10 computer to a VPN connection that has forced tunneling enabled, and Microsoft Store does not open and shows an "Unable to load this page" error message, then this article is intended to help you. In this article, we will identify the potential cause of why domain-joined Windows 10 computers on a VPN cannot open the Microsoft Store app, as well as the solution you can try to fix this problem.
According to Microsoft, the Windows Store app uses a security model that depends on network isolation. Specific network capabilities and boundaries must be enabled for the Store app, and network access must be allowed for the app.
When the Windows firewall profile is not Public, there is a default block rule that blocks all outgoing traffic whose remote IP address is set to 0.0.0.0. While the computer is connected to a VPN connection that has forced tunneling enabled, the default gateway IP address is set to 0.0.0.0. Therefore, if the network boundaries are not set correctly, the default block firewall rule is applied and traffic from Microsoft Store apps is blocked.
However, if you do any of the following, the Windows Store opens as expected:
- Disconnect the computer from the domain, then connect to the VPN connection.
- Connect the computer to a VPN connection whose forced tunneling is disabled.
- Disable the Windows Defender Firewall service, and then connect the computer to the VPN connection.
Microsoft Store app does not work after joining the domain
If a domain-joined Windows 10 computer on a VPN does not open the Microsoft Store app, follow the steps below to fix the issue.
- Open the Group Policy Management snap-in (gpmc.msc).
- Open the Default Domain Policy for editing.
- In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Network.
- Select Network Isolation.
- In the right pane, double-click Private network ranges for apps.
- In the Private network ranges for apps dialog box, select Enabled.
- In the Private subnets text box, enter the IP range of your VPN adapter.
For example, if the IP addresses of your VPN adapter are in the 172.X.X.X range, add 172.0.0.0/8 in the text box.
- Click OK.
- Double-click Subnet definitions are authoritative.
- Select Enabled.
- Click OK.
- Restart the client to make sure that the GPO takes effect.
Windows will now create a firewall rule that allows the traffic and overrides the previous outbound block rule, because after the Group Policy is applied, the IP range that you added is the only private network range available for network isolation.
You can now push the same GPO from the domain controller to multiple computers. On individual computers, you can check the registry location below to make sure the GPO has taken effect:
Finally, when the address range of your VPN pool changes, you should modify this GPO accordingly; otherwise, the problem will occur again.
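To catch that drift before users report it, the following added example (not from the original article or from Microsoft) checks whether VPN adapter addresses fall inside the Private subnets value entered in the GPO. The function names, the sample addresses and the 'VPN' adapter alias are assumptions for illustration.

```powershell
# Added example: function names, sample addresses and the 'VPN' alias are assumptions.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    # Fold the four octets into one number (exact in a double, max 2^32 - 1).
    [double]$n = 0
    foreach ($octet in $ip.GetAddressBytes()) { $n = $n * 256 + $octet }
    return $n
}

function Test-InPrivateSubnets {
    param(
        [Parameter(Mandatory)][string]$Address,
        # Comma-separated CIDR list, as typed into the "Private subnets" text box.
        [Parameter(Mandatory)][string]$PrivateSubnets
    )
    $addr = ConvertTo-IPv4Number -Address $Address
    foreach ($cidr in ($PrivateSubnets -split ',')) {
        $entry = $cidr.Trim()
        if (-not $entry) { continue }
        $network, $prefix = $entry -split '/'
        if ($null -eq $prefix -or [int]$prefix -lt 0 -or [int]$prefix -gt 32) {
            throw "Invalid subnet entry: $entry"
        }
        # Two addresses share a /prefix network when they fall in the same
        # block of 2^(32 - prefix) addresses.
        $block = [math]::Pow(2, 32 - [int]$prefix)
        $netNumber = ConvertTo-IPv4Number -Address $network
        if ([math]::Floor($addr / $block) -eq [math]::Floor($netNumber / $block)) {
            return $true
        }
    }
    return $false
}

$policySubnets = '172.0.0.0/8'                       # range for a 172.X.X.X pool
$sampleVpnAddresses = '172.16.4.20', '10.8.0.15'     # constructed sample addresses
foreach ($a in $sampleVpnAddresses) {
    [pscustomobject]@{
        Address = $a
        Covered = Test-InPrivateSubnets -Address $a -PrivateSubnets $policySubnets
    }
}

# On a real client, feed in the adapter's addresses and check the firewall profile:
# Get-NetIPAddress -InterfaceAlias 'VPN' -AddressFamily IPv4 | ForEach-Object {
#     Test-InPrivateSubnets -Address $_.IPAddress -PrivateSubnets $policySubnets }
# Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

An address reported as not covered means the VPN pool has moved outside the range in the GPO, which is the condition under which the default block rule applies again.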