Windows 10 Creators Update: block Win32 program installation
If you run the latest Windows 10 Insider Build, you may have spotted a new option already that lets you block the installation of Win32 programs on the system.
While there is no guarantee that the feature will land in the Creators Update, as Microsoft may pull it again before the final version is released, it appears as if users get the option to block any win32 program installation on the device.
The feature is not turned on by default of course, and it is unclear why Microsoft added it to the operating system.
Administrators could use it to lock down the system. One side-effect of not being able to install Win32 applications is that it will also keep malware that is distributed through installers in check.
The core difference to Windows RT Cloud is that users may run any win32 program that is already installed on the system, and also any software that does not require installation.
Windows 10 Creators Update: block Win32 program installation
The new feature offers two options when it comes to the installation of legacy Windows programs on a system running the latest version of Windows 10.
The first blocks the installation of any win32 programs. Users who try to install programs anyway get the following message:
You can only install apps from Windows Store. Limiting installations to apps from the Store helps to keep your PC safe and reliable.
A link points to the relevant preference under Apps & features in the settings.
The second option displays the same message, but adds ab "install anyway" button to the prompt. This means that users may install the legacy program after all, as it is not blocked completely.
Do the following to configure the feature:
- Tap on the Windows-key, and select Settings from the Start menu.
- Navigate to System > Apps & features.
- Select "choose where apps can be installed from", and pick one of the available options:
- Allow apps from anywhere.
- Prefer apps from the Store but allow apps from anywhere (prompt with install anyway).
- Allow apps from the Store only.
I don't see many scenarios where users may want to limit the installation of programs on their devices.
While you may block your parents, kids, or anyone else from installing win32 apps after adding all they require to the system, it is not a method that will block all malware or unreliable software from running on the device. The main reason for that is that it will only block installations, but nothing else.
The locked down setting won't prevent program updates either. So, if a win32 program is already installed, any updates for it will install fine as well.
The German site Deskmodder discovered the Registry values for the feature:
- Tap on the Windows-key, type regedit.exe and hit the Enter-key.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- Locate AicEnabled.
- Value of Anywhere means all installations allowed.
- Value of PreferStore displays warning but allows bypass.
- Value of StoreOnly blocks all future win32 installations.
Now You: What is your take on the feature? Good to prevent malware infections and installation of unreliable software? Useless? Or something in between?
Bill Gates helped to make Microsoft the global standard by selling a platform that was open to all software developers that ran on nearly every machine. The new business model now seems to destroy its own customer base by trying to force them to throw away any hardware or software deemed incompatible at their whim. Case in point, we now refuse to upgrade your 2 year old machine because we feel it is too old, go buy another $3000 system. Your company requires support for actual productivity applications instead of children’s toys from the app store? Sorry, blocked. Right now we have the option to allow, but soon they will likely remove the feature and force all apps behind the store wall. We pay $5000 for real production tools for work, and simply cannot rely on joke apps from the toy store. We’re also not willing to rent software or use it as service since it is financially a waste of investment. For example, $800 to rent software tools we need x 12 per year totals $9600 of annual investment per platform that does not build any equipment equity for the company. It is money we are not willing to pour down the drain. Adobe and Autodesk have already been removed from our pipeline for non-rental competitors, and the same will go for Windows and Microsoft tools if the wind doesn’t change for the better. But what do I know, keep doing what you’re doing, customers have endless pockets and limitless patience for games.
But why idiots use Windows 10 in the first place? Use Windows 7 or 8.1 with Classic Shell and wait till the CEO gets fired again. Maybe next CEO will be one who understands that operating systems need to be offline and keep the user in control. Not an always changing “service” that reduces value and control with each “free update”.
sweeney was right. :)
Why is there no option for “Only allow local apps, no apps from Store”, hmm?
The MS operating system will be one big google type store soon. There will be no choices available ! It’s bad for consumers but worse for business’. I hope all companies worldwide start looking for alternatives soon.
Yup, one step further towards Micro$oft’s walled garden. Expect this to be enforced in a year or two, at most. There is no other reason why this should exist. It’s not helping anyone, not even sysadmins, it’s just one more annoyance. Because sysadmins (just like every other single other home user of Windows 7 or newer) already had a feature called AppLocker, which not only serves the same purpose, but it offers much more granularity when it comes to which software should or should not run on a PC.
Before anyone claims “but you can disable it”.. yeah, the same way you could disable lock screen, cortana,. and God knows what other cr.p is in this OS.
Isn’t this part of the Totalitarian tip-toe where they take small steps towards killing off [legacy] Win32 apps? MS just don’t get it. The reason I’m on Windows is for those Win32 apps. If I wanted a UWP-type platform, Android would be the better option…
It’s good option for one man sysadmin shops. Easy to secure Windows.
The downward spiral continues…
Store Apps! So much Freedom and Democracy!
MS is obviously working on one of those settings as becoming the default (at some time). I would prefer ‘Allow apps from anywhere’ as the default setting, but honestly can’t see that happening. The worst outcome would be ‘Allow apps from the Store only’ as the default. I do not have a MS Account and I am reluctant to get one. My bet is that the default setting will eventually be ‘Prefer apps from the Store but allow apps from anywhere (prompt with install anyway)’.
I do not see this as addressing a security problem. It has no hope in hell of controlling bloat. It may lead to more UWP versions of Win32 apps, but developers are not beating down Redmond’s doors. Win32 apps have to meet pretty high standards and prerequisites so it is unlikely that they will have malware payloads. I think they are just imitating the Apple Store strategy. Apple deploys a heavy hand over their Store apps. and they make a lot of revenue on them.
If none of the three options become the default, and they remain opt-in only, then it should not cause Gamers and third party win32 app developers too much despair. The problem would be if it does not stay that way.
It’s most likely the equivalent of Apple’s macOS Gatekeeper feature which also offers from where apps can be installed; plus, my guess is it may be also related to that Cloud version of W10.
For less experienced users this feature may be useful, but it doesn’t seem to be need at all for those who know how to deal with stuff on Windows machines.
My country variant of Windows Store doesn’t have anything worth attention in choice of modern applications, not mention that there are just few win32 programs in it, so I don’t see how this feature of preferring Store apps over classic programs could offer me anything good. And another thing is that I don’t like idea of corporations being able to control of what I have installed on my machine (both App Store and Windows Store can remotely remove application from computers for any reason) despite of how this could potentially safe my ass; we never know when they decide that they totally remove ability of installing applications from other sources because of this false sense of security and need for “progress”.
Win32 programs, in other words, every program ever made for Windows. Yeah sure let’s block that and only allow “apps” from our Store! Progress!
I guess you haven’t read the second half of the article.
From article:
Select “choose where apps can be installed from”, and pick one of the available options:
1. Allow apps from anywhere.
2. Prefer apps from the Store but allow apps from anywhere (prompt with install anyway).
3. Allow apps from the Store only.