New Windows 10 Feature Blocks Desktop Apps

Posted on February 27, 2017 by Paul Thurrott in Windows 10 with 70 Comments

An unannounced new feature in the latest Windows 10 Insider Preview build will let you emulate the rumored Windows 10 Cloud product version and block the installation of desktop apps.

Note: I believe this new feature was first reported by MSPowerUser, but it’s readily visible in build 15042 for anyone to find.

Of course, to see this functionality in action, you need to enable the new feature first. To do so, open Settings (WINKEY + I) and navigate to the new Apps area. In the default view there—Apps & Features—you will see the option in question: Installing apps.

If you open the drop-down menu, you will see the following options: “Allow apps from anywhere” (the default on mainstream Windows 10 versions), “Prefer apps from the Store, but allow apps from anywhere,” and “Allow apps from the Store only.”

(Presumably, Windows 10 Cloud will default to—and require—that last option. But we can only speculate about this unannounced new Windows version at this point.)

So let’s see what these options do.

Prefer apps from the Store, but allow apps from anywhere. With this option enabled, I attempted to download and install Google Chrome using Edge. To its credit, Edge initiates the download without any silliness. But when you attempt to run the installer, you receive the following dialog.

Allow apps from the Store only. With this option enabled, I attempted to download and install Apple iTunes using Edge. Again, the browser didn’t question the download. But when I ran the installer, the following dialog appeared.

One imagines that this is what Windows 10 Cloud users will always see. But again, that’s speculation.

Speaking of which, I’m curious about the possibility of enabling this functionality on a PC-wide basis. That is, could I as a PC admin configure all user accounts to prefer Store apps or block desktop applications entirely? This might be handy for local accounts, like those used by children, for example.

Either way, very interesting.



70 responses to “New Windows 10 Feature Blocks Desktop Apps”

  1. maethorechannen

    What happens if you try to run a self contained "portable app" (like the portable version of Chrome found here) when in store only mode?

    • wbhite

      In reply to maethorechannen:

      It might work like SRP and deny any unsigned executable.

      • IanYates82

        In reply to wbhite:

        This was my question too and it's frustrating so many articles I've read haven't thought to try. Can we just download some random exe from the Internet and run it, or does it just block things that Windows sees as installers? (they added a lot of heuristics back in the Vista days to detect setups and elevate via UAC before execution)


    • jimchamplin

      In reply to maethorechannen:

      Arch wizard Saruman is watching his stone for people running Win32 binaries on Cloud SKUs. He dispatches a bird to put the warning on your screen if he detects it. Much more foolproof than say... blocking all Win32 binaries that aren't signed correctly.

  2. skane2600

    Reminds me of Windows N, the version that eliminated IE to satisfy the EU, which ended up not wanting it anyway.

    With MS wanting to port full Windows to ARM, to provide a downgraded tethered desktop experience with Continuum-supported phones, and now to provide a means to make full Windows UWP only, it's clear that they have no coherent strategy and are just throwing everything at the wall hoping something will stick.

    • WP7Mango

      In reply to skane2600:

      On the contrary, the strategy is very coherent.

      • skane2600

        In reply to WP7Mango:

        By all means describe this coherent strategy you are referring to.

        • WP7Mango

          In reply to skane2600:

          UWP is the long term strategy for Windows. Not sure why you can't see this?

          • skane2600

            In reply to WP7Mango:

            Unless UWP is a very, very, long term strategy, it makes no sense to bother with getting full Windows to run on ARM if the future is UWP (not to mention no clear path to increased MS profits with an ARM-based option.)

            The way I see it, the clock is ticking for UWP. If there isn't a significant movement of mainstream Win32 apps to UWP in the next 2 years, the "long term" is going to be the "short term".

            • jimchamplin

              In reply to skane2600:

              Not really. The API is future proof in ways that hoary old Win32 isn't. Add to it, UWP is under active development while nothing else will ever be added to the old legacy API.

              Old. Old. OLD.

              Can't say it enough. Old.

              UWP is nothing more than the implementation of ideas first established in Longhorn.

              • skane2600

                In reply to jimchamplin:

                I'm not sure what you mean by "future proof". MS may or may not add features to the legacy APIs but there's nothing inherent in UWP that makes it easier to modify than Win32.

                "Oldness" or "Newness" has no inherent relationship to market value. The Bash shell has been recently added to Windows 10 and makes Win32 look like a youngster.

              • hrlngrv

                In reply to jimchamplin:

                That old, Old, OLD set of APIs generates how many orders of magnitude more revenues for MSFT and ISVs than UWP apps?

                Also, it's not necessary to use MSFT's APIs for everything. Calculation-intensive software does a lot with object code which is identical across OSes but running on the same hardware. As for GUIs, Qt is definitely an option for continuing Windows development, and it's definitely actively maintained and advanced.

            • WP7Mango

              In reply to skane2600:

              Firstly - Windows on ARM makes perfect sense - it allows OEMs to offer full Windows capability on a wider range of hardware, without being tied to Intel. It also provides a better option for the "mobile" segment, i.e. laptops and hybrids with even longer battery life.

              Secondly - clearly Microsoft doesn't agree with you on UWP. Basically, it doesn't matter how you see it.

          • hrlngrv

            In reply to WP7Mango:

            UWP may make touch input easier to implement. How about interop functionality between different packages? Would Centennialized desktop software need to come with several scripting languages? Would all modules for each of those scripting languages need to be installed through the Windows Store?

            For PCs, UWP is at best a very problematic trade-off between touch+security and interop+automation functionality.

            I grant UWP may be great for Xbox, HoloLens and IoT, but in the rosiest of scenarios, those would account for an order of magnitude fewer devices than PCs.

            UWP for everything else, great (stipulated). UWP for PCs, not so great.

  3. navarac

    So.. who can see the potential for Microsoft deleting the option for Install apps from anywhere in the future for security reasons? I would feel extremely uncomfortable with anything that progresses in that direction.

  4. Daekar

    I can see this being popular in the enterprise if we ever get meaningful apps in the store.

  5. lordbaal1

    This is more like for IT admins or if you have kids using your computer and you don't want them to install anything.

  6. nbplopes

    This looks similar to OSX. By default only App Store apps are granted OS permission to install, no questions asked.

    One can choose from this or App Store and Identified Developers under the Security & Privacy settings. If we choose the second, if the Developer is not identified the system blocks the install. We need to go to the Preferences and explicitly grant permission to install the specific app.

    Don't see this new Windows 10 feature as much as emulating Windows Cloud, but bringing Windows 10 feature set on par with other systems that have an App Store service.

    Does this mean that we will have an OSX Cloud soon?

  7. Tony Barrett

    Under the guise of MS pretending that this is to protect end users, this is, without a doubt, Microsoft's first big push to start the rundown of Win32, and push consumers and developers to their App store. If you can't see this, you're not looking hard enough. Win32 is not where MS want to be, and because UWP is currently languishing in no-mans-land, they have to do something. The default setting in this update may be 'don't do anything', but it's likely they'll slowly wind up the setting in each major update that follows. If they can instill fear or concern in the average user that legacy Win32 is no longer safe (as they're trying to do with Win7 - all totally unfounded I might add), then people will slowly get used to the idea, or at least that's how MS are thinking.

    I would say it's a clever move, but MS look like they'll be riding a very thin line on this one, as they've done before.

    • nbplopes

      In reply to Tony Barrett:

      I'm not an MS fan, but this analysis does not seem right. Windows Store serviced apps run on a more secured environment than regular desktop apps. These apps are not just UWPs. This feature allows the option of user being able to take advantage of that in a more explicit and organized way.

      This will not bring more apps to the Windows Store. I don't know what will bring more quality apps to the Windows Store because what is needed seems to strike deep into the Microsoft business model and approach to the market.

      Let me explain. Microsoft is known as a software predator since it decided to strike the productivity market with Office eliminating Wordperfect, Lotus and other software developers out of the way. So much so that the dream of a Windows developer is one of making something with such potential and marketshare enough to be bought and integrated into the Office ecosystem. They have done that in all sorts of areas, from Office to Exchange, to Accounting, to CRM, Notetaking, Development tools so on and so forth. I think they wanted once to buy Sales Force, heck they bought Nokia why not anything else allows them to be a one stop shop for all computing.

      My impression is that Office popularity rises with Windows 3.0 leveraging on undocumented tech and a framework too bare and fluid within the system for third parties to cope with. Leaving outside of the door of Windows 3.0 full abilities any other software developers in the field. That is how it all started in my mind.

      In contrast Apple has a different approach that nurture its own advantages when it comes to building an ecosystem. Apple's stance to software on top of the platform is to provide just enough functionality so that the user can be productive immediately. Yet they do not aim to be a one stop shop for everything but devices and OS. Meaning when it comes to software it's easy to find better alternatives than the ones provided by Apple. This is done on PURPOSE!!!!!!

      This "open" tactics to software opens the door to a more vibrant native app ecosystem than Windows.

      Then we have the Web which affects all desktops OS in terms of apps. Web Apps obviated the need for dedicated desktop / tablet apps in many contexts. Furthermore it's cross platform and requires zero install. The drawback is that offline support is not good enough. Google is making some strides on that respect. There are tools that foster the use of Web App technologies to build dedicated apps so on and so forth.

      If you have millions of users using a particular platform and still have difficulties of engaging developers to build dedicated apps to your OS the problem is not the number of users. It never was.

      Hololens all anything else will not change this and MS can't, simply can't afford step back from aiming to be one stop software shop. It's deep into the company business structure. For the good or for the bad. This is just my opinion. It's not an easy problem to solve. MS just needs to navigate through these constraints.

      90% of the software I use in Windows is from MS. In OSX not definitely not from Apple has better alternatives are easy to find fostering a more open software business model on the top of their platform. Google is a mixed bag of things. The more they bake in Android and Chrome book their GSuite the more it becomes like MS and will eventually have impact on the software ecosystem.

      • skane2600

        In reply to nbplopes:

        WordPerfect eliminated themselves. I recall the CEO said they weren't interested in supporting Windows and when they finally did it was a total mess. I crashed the first version in the first 10 mins of use.

        Clearly any spreadsheet designed for DOS was going to be at a disadvantage due to the inability to clearly delineate rows and columns. Lotus was resting on its laurels and didn't recognize the potential of Windows.

        Many companies had no trouble creating sophisticated Windows 3.0 and 3.1 programs despite not having access to alleged "undocumented" APIs.

        • nbplopes

          "Many companies had no trouble creating sophisticated Windows 3.0 and 3.1 programs despite not having access to alleged "undocumented" APIs."

          Where are they?

          Have you seen lately the breadth of MS software?

          Simply put there is a conflict of interests. One wants to be the one stop dev shop for everything in software and have present or future competitors come in and populate their platform to legitimize it. What's there in return? An aggressive competitor and a huge customer base that does not like to pay for software plus a horde of MS fans that do not appreciate much anything but MS?

          Something to think about.

          • skane2600

            In reply to nbplopes:

            What do you mean by "Where are they"?

            There is no conflict of interest. A company producing a product that can be extended or accessorized by third parties while offering its own compatible additional products is standard procedure not only in the computer business but in business in general. Apple, IBM, Amazon, Google all do this just to name a few.

          • Narg

            In reply to nbplopes:

            Nowhere has it been said that there will be a "one stop dev shop for everything" in Windows.  Even Microsoft has said they welcome 3rd party app shops for Windows.  You seem to be digging a hole that nobody wants.

      • hrlngrv

        In reply to nbplopes:

        . . . Microsoft is known as a software predator . . .

        Dunno about WordPerfect, but Lotus Development Corp under Manzi was at least as big a corporate SOB as MSFT at the time. Also, WordPerfect, Lotus and Borland each contributed greatly to their own respective demises.

        MSFT did engage in unfair business practices, with Office developers having several months advanced info about changes in Windows. However, at least for Lotus, it clung to character mode in order to reap the rewards of its victories in its look-and-feel lawsuits. The first Windows version of 1-2-3 was the worst Windows program I've ever used.

        MSFT's big problem with Windows 10 and UWP is Windows 7's greater user share. ISPs for consumer software may be ready to move on, but B2B ISVs aren't going to abandon most of their customers no matter how badly MSFT may want them to do so. FWIW, there are also FOSS projects with considerable Windows user bases like Notepad++ and GNU R which are unlikely to feel any urgency towards UWP. [BTW, if UWP is so damn wonderful, why hasn't MSFT made a UWP version of MSFT R Open?]

        Tangent: the only MSFT software I use are Windows itself (so including IE), Office and Visual Studio. In theory I could replace the last with Code::Blocks, but I don't have the time to do so.

    • offTheRecord

      In reply to Tony Barrett:

      I, like several others in the comments, immediately thought of Tim Sweeney when I saw this.

      As it's shown here, I can sort of see how this might be a good thing if done thoughtfully. I tend to be a fan of flexibility, and more choice is often better than less choice. You can always bury the complexity of the choices deep in the settings where only those who really care about them can get to them. However, I can also see how this might evolve to be not such a good thing. How aggressively they push this, and the evolution of the settings in future updates/upgrades, will no doubt clue us in to their ultimate intentions. 

  8. hrlngrv

    FTHOI, I tested this out.

    First, the Settings window in the second image above only shows up using an Administrator account. The option doesn't appear using a standard user account. However, this seems to be a single-user setting, meaning enabling it using an Administrator account doesn't affect other standard accounts.

    If that means a standard user account would need to be flipped to an Administrator account to enable this, then flipped back to a standard user account for obvious other reasons, this would tend to complicate setup of new enterprise PCs.

    Also, does this mean Paul tests this sort of thing using an Administrator account?

    Added: This has no effect on my PC.

    Added more: this appears to be an all-users setting, though, again, it has no effect on my PC.

    • Dashrender

      In reply to hrlngrv:

      As a standard user - I would hope the installer would either prompt UAC or fail. Sadly Chrome's installer is specifically written to allow installation purely into user space, so that's a bad example app (and Google should be ashamed for making this!)

      You didn't mention though what did happen when you attempted install as a standard user, other than to say it didn't show you the Windows Store suggestion/requirement box. What did you see?

      • Eric Dunbar

        In reply to Dashrender:

        Apologies for replying to an old post:

        Chrome was written to allow it to install into user space because corporate systems prevent users from installing software to the Program Files folder. Corporate systems were configured to run Internet Explorer as the primary browser, and, by default still are!

        If Google hadn't gone the user space installation route Chrome would never have been able to take off. In the mid-2000's Google had the double challenge of penetrating a market that, despite numerous anti-trust lawsuits, still had Windows unfairly providing preferential treatment to Internet Explorer. Microsoft did not make it easy for any other browsers! And, secondly, it had to make a browser that was better than IE.

        The second challenge was easy. After Microsoft had vanquished Netscape/Mozilla they stopped developing IE. FireFox and Safari came along and then Google jumped on Safari's bandwagon. The vast majority of the world now views the internet through the lens of Google or Apple.

        The first challenge was not as easy, but Google rose to the challenge. Despite the restrictions of running in user space to bypass corporate restrictions (and resistance to installing non-standard software), Google created a superior product to Microsoft's own IE which meant that users WANTED Chrome, and, because it installed in user space, they were able to do it themselves and not wait 10 years for corporate IT to do it. What is truly amazing is that Chrome has never had any serious security breaches. I suppose that's one of the benefits of running without the possibility of elevated permissions (and, in a way is a good demonstration of why UWP-only is not exactly a bad idea).

        The sad thing with UWP and Microsoft's new direction (Apple's browser restriction in iOS does not perpetuate a monopoly or abuse a monopoly in the mobile OS sphere while Microsoft still holds an effective monopoly on the desktop... Android, Google's baby, allows third party replacement apps for everything) is that we won't see Chrome and Dropbox challengers to any mediocre Microsoft status quo software or services (and, Microsoft has proved time and time again that they quickly stop developing when they have the upper edge... e.g. when Apple languished in the mid-90's Microsoft stopped developing Windows 95 (98/98SE/ME were little more than glorified bug fixes), when Microsoft used its desktop monopoly to favour IE and won against Netscape they stopped developing IE).

        Chrome and Dropbox became run-away successes because they did what Microsoft couldn't do--they got their respective ideas right. But, they could only do this because they were (a) better than Microsoft's own products, and (b) USERS could install them in user space, despite corporate restrictions (both products owe a great deal of their success to early adoption by corporate users).

        When Microsoft migrates consumers to Windows 10 S it's game over for competition with Microsoft. A better competitor will be harmed by Microsoft's restricting their access in UWP, while, I'm sure they'll give their own apps and services all sorts of inside advantages.

        For example, (1) we will NEVER see a third party browser for Windows 10 S/Windows 10 Store only. NEVER. Microsoft has made it crystal clear that Edge will be the unchangeable default for browsing, and, that Bing will be the unchangeable default search engine for Edge. Third party "browsers" will have to use the Edge browser engine. The terms of the Windows Store preclude third party browser engines.

        Let me repeat that: we will NEVER see FireFox, Chrome, Opera, Vivaldi, Chromium or any other browser appear in the Windows Store. Microsoft's Windows Store terms won't let them bring their browser engines to the Windows Store.

        For example, (2): Take a look at how Microsoft handles file access in Microsoft Office. You can only get integration with a cloud platform if you use OneDrive. Microsoft does not allow third parties to enter the open/save dialogue boxes in Office 2016. Microsoft even makes it difficult to save files to disk.

        I work in a corporate environment and most people use Office at home (even most of the Mac users), and everyone uses it at work (Windows shop). NO ONE uses OneDrive. Despite the fact that DropBox is a much more common tool and we also have Google Drive/Google Apps/whatever it's called, there is no Google or Dropbox integration into the Save/Open interfaces for Office, and, there never will be.

        Yet another example of Microsoft using its monopoly advantage to push its own, inferior (or, at the very least, extremely unpopular) software and to exclude superior (or, at the very least, preferred/popular) software.

        Anyway, my comment just veered off in a whole new direction. Take care.

  9. wright_is

    Put this together with group policy and a fixed corporate Store and you eliminate the headaches of licenses and users installing non-approved software.

    You can do this already, partially, with group policies and SMS - but adding in the store makes management easier and possibly cleaner.

    • hrlngrv

      In reply to wright_is:

      Re non-approved software, this may prevent installing it, but does it prevent running it? There's a lot of portable software in the wild, software which doesn't require installation beyond extracting from a zip file.

  10. zorb56

    Do we know for certain that Windows 10 Cloud will not run desktop apps? Maybe Microsoft is staging to add desktop apps to the store and Win 10 Cloud will only allow those desktop apps. Far fetched but possible I guess.

  11. Polycrastinator

    Doesn't Microsoft allow businesses to create their own store listings for their employees? I forget whether you can include normal desktop apps in there, or vApp pointers, but if so, I can see how you'd want this for businesses. For normal users, until Microsoft gets more desktop apps into the store (like, Chrome) it's useless. I wish it were practical to only use the store, but it's really not.

  12. thespecificocean

    Actually really excited about this feature. I've been asking for it since Win10 came out. I'll instantly turn this on for my non-techie grandparents.

  13. Chris_Kez

    Tim Sweeney is going to blow a gasket.

  14. Narg

    For some Enterprise uses, specialty setups, and tightly controlled educational purposes this is a God-send of a feature!  This is one of the features that made the small but noteworthy following on the original Surface (Windows RT) tablet so strong.  It's a great move for Microsoft to take.

    • hrlngrv

      In reply to Narg:

      Windows RT wasn't a failed product? Nevertheless makes a fine exemplar for enterprises?

    • Dan

      In reply to Narg:

      Enterprises haven't written Windows Store apps, they use legacy Win32 apps and browser based as they work with 100% of their deployed desktops.

    • skane2600

      In reply to Narg:

      A few more "strong" products like Windows RT and MS might end up out of business. There'll always be small niche markets with special needs, but I don't think MS can survive by catering to them.

  15. PatrickD

    Is there any chance that Microsoft will actually not allow traditional desktop apps on Windows 10 in the future? This move makes me a bit worried about them eventually moving in this direction. I have given the windows store a chance, I have tried the UWP apps for several programs that also have a desktop version. I find the UWP apps pretty useless for the most part, they are missing major functionality vs. the traditional desktop versions.

    • GarethB

      In reply to Patrick

      They can't really not allow traditional apps. They might as well stop selling Windows. It'd be the same effect.

      The most aggressive I could ever consider is them turning this setting on by default. Even that would cause a huge outcry, and would make last year's aggressive push for Win10 upgrades seem inconsequential. ... despite that there would be some advantages. But the most Googled search term would be how to turn it off.

      Just waiting for the Tim Sweeney tirade to start.... 3.... 2... 1....

    • jimchamplin

      In reply to PatrickD:

      People have been freaking out about that on the Macintosh for the better part of a decade since Apple introduced the Mac App Store and it's still never come to pass.

      • nbplopes

        In reply to jimchamplin:

        True. This feature has been, if I remember, in OSX since the App Store appeared.

        I don't think the core of this for MS is to block out of App Store apps to be installed but to increase security for most users. It's a Win Win situation. Users get added security and MS can get some $$ through the App Store.

        Of course if most apps are not in the App Store it is not that good. But at the moment in OSX my experience is 50/50.

        The title of the article is mostly sensationalist.

        • hrlngrv

          In reply to nbplopes:

          UWP may boost security, but how much greater a boost would Windows security receive if it were simpler to configure user accounts so they could only run Store apps and anything in C:\Program Files and C:\Windows? That is, prohibit running anything under C:\Users, C:\ProgramData and on any removable drives?

          • nbplopes

            In reply to hrlngrv:

            The Store is not just about UWP. But secured containers of win32 apps. Meaning added security installing and using win32 apps.

            • hrlngrv

              In reply to nbplopes:

              I understand the theory behind Project Centennial, but App-V predates Windows 10 and UWP. That is, containers for Win32 apps don't require UWP. UWP would only provide some convenience. However, ISVs could, if they wanted, provide their software in App-V containers if they saw sufficient demand.

              My point was that far greater security could be achieved if MSFT made it easier to run software ONLY in C:\Program Files and C:\Windows. Redesigning Windows so that C: was read-only when standard users could log-in, similar to how Chrome OS mounts / read-only, would also be a huge help (though it'd require a separate read-write drive for the paging file and the HKLM registry hive, etc).

              Without automation either through a built-in macro/scripting system or interface to outside scripting languages, many workplace Windows programs are much less useful. However, with automation and access to the entire file system, similar to what Paint 3D provides with its Import-Export facility for all image file types, UWP apps could run destructive scripts or ransomware.

              It's a trade-off between security and functionality. From my perspective, UWP doesn't provide enough security to justify its current lack of functionality.

      • offTheRecord

        In reply to jimchamplin:

        I'm not sure we can conclude that just because Apple hasn't done something means that others won't, either.