When you set Windows 10 to allow only Windows Store apps, it allows them to be installed by anyone, not just the Store app
In Windows 10 Settings, on the For developers page, you have a choice for which programs can be installed:
I’ve seen confusion over the first choice: Windows Store apps. Setting this option allows the installation of apps that came from the Windows Store.
However, it doesn’t mean that they must be installed by the Windows Microsoft Store app.
Selecting Windows Store apps allows any app that has been signed by the Microsoft Store, which typically happens when a developer submits the program to the Store.
While it’s common for the installation to be done by the Store app itself, it doesn’t have to be.
For example, Windows Setup itself installs a number of apps, like the Mail app, and it does so from files that come with the Windows installation media. Since Windows can be installed without an Internet connection, there needs to be a way to get these apps installed without involving the Windows Store app.
You can do this installation yourself from PowerShell with the
Add-AppxPackage cmdlet. You can install it even though it’s not the Store app that’s doing the installation.
Sideload apps permits the installation of apps that are signed by a workplace whose certificate has been installed onto your system, typically when you join your computer to your workplace. This makes it possible for you to install line of business apps onto your system.¹
Note further than these limitations apply only to apps that are installed using the Appx/MSIX installation process. It has no effect on classic MSI packages, or Win32 apps that use custom installers. Nor will it prevent you from just plugging in a USB thumb drive and running a Win32 app directly from it.
The above Settings page is already out of date. Starting in Windows 10 build 18956, sideloading is enabled by default, but there is a policy to disable it. All that’s left behind a toggle named Install apps from any source, including loose files. Enabling this gets you what was previously called Developer mode.
The key word in all of this is from. This policy checks where you got the app from, not who it was installed by.
Bonus chatter: The grammarian in me disapproves of the phrasing of the two choices, since the placement of the word only is misleading. “Only install apps from the Windows Store” means “You can install apps from the Windows Store, but you can’t run them or anything else. The only thing you can do is install them.” I would have moved the word only to the place where the restriction applies: “Install apps only from the Windows Store.”
Bonus bonus chatter: The second option has another problem: It combines only (restrictive) with other (additive). Even if you ignore the misplaced only, the instructions “Only install apps from other sources that you trust, like your workplace” says that the only valid installation sources are the other ones. The default trusted sources are not allowed. I would have rephrased it as “Also install apps from other sources that you trust, like your workplace.” This highlights that this option is additive.
¹ The confusion likely stems from the vague term sideload, which has two different meanings in common use.
- To install software obtained from a third-party source.
- To install software from existing files, rather than via streaming download.
The dialog above is using the first definition. It’s referring to the source of the app, not to the means of installation.