When you set Windows 10 to allow only Windows Store apps, it allows them to be installed by anyone, not just the Store app

Raymond Chen

Raymond

In Windows 10 Settings, on the For developers page, you have a choice for which programs can be installed:

Windows Store apps
 Only install apps from the Windows Store.
Sideload apps
 Only install apps from other sources that you trust, like your workplace.
Developer mode
 Install any signed app and use advanced development features.

I’ve seen confusion over the first choice: Windows Store apps. Setting this option allows the installation of apps that came from the Windows Store.

However, it doesn’t mean that they must be installed by the Windows Microsoft Store app.

Selecting Windows Store apps allows any app that has been signed by the Microsoft Store, which typically happens when a developer submits the program to the Store.

While it’s common for the installation to be done by the Store app itself, it doesn’t have to be.

For example, Windows Setup itself installs a number of apps, like the Mail app, and it does so from files that come with the Windows installation media. Since Windows can be installed without an Internet connection, there needs to be a way to get these apps installed without involving the Windows Store app.

You can do this installation yourself from PowerShell with the Add-AppxPackage cmdlet. You can install it even though it’s not the Store app that’s doing the installation.

Sideload apps permits the installation of apps that are signed by a workplace whose certificate has been installed onto your system, typically when you join your computer to your workplace. This makes it possible for you to install line of business apps onto your system.¹

Note further than these limitations apply only to apps that are installed using the Appx/MSIX installation process. It has no effect on classic MSI packages, or Win32 apps that use custom installers. Nor will it prevent you from just plugging in a USB thumb drive and running a Win32 app directly from it.

The above Settings page is already out of date. Starting in Windows 10 build 18956, sideloading is enabled by default, but there is a policy to disable it. All that’s left behind a toggle named Install apps from any source, including loose files. Enabling this gets you what was previously called Developer mode.

The key word in all of this is from. This policy checks where you got the app from, not who it was installed by.

Bonus chatter: The grammarian in me disapproves of the phrasing of the two choices, since the placement of the word only is misleading. “Only install apps from the Windows Store” means “You can install apps from the Windows Store, but you can’t run them or anything else. The only thing you can do is install them.” I would have moved the word only to the place where the restriction applies: “Install apps only from the Windows Store.”

Bonus bonus chatter: The second option has another problem: It combines only (restrictive) with other (additive). Even if you ignore the misplaced only, the instructions “Only install apps from other sources that you trust, like your workplace” says that the only valid installation sources are the other ones. The default trusted sources are not allowed. I would have rephrased it as “Also install apps from other sources that you trust, like your workplace.” This highlights that this option is additive.

¹ The confusion likely stems from the vague term sideload, which has two different meanings in common use.

  1. To install software obtained from a third-party source.
  2. To install software from existing files, rather than via streaming download.

The dialog above is using the first definition. It’s referring to the source of the app, not to the means of installation.

6 comments

Comments are closed. Login to edit/delete your existing comments

  • Ian Goldby
    Ian Goldby

    “The canteen only serves fish on Fridays.”
    1. On Fridays if you don’t want to eat fish then you are out out of luck.
    2. If it’s not Friday, you can’t get fish from the canteen.
    3. Humans aren’t served on Fridays.
    🙂

  • Avatar
    Fleet Command

    The second option has another problem: It combines only (restrictive) with other (additive).

    You created this problem when you faked the Settings dialog box. The genuine Setting screen in Windows 10 v1909 says “Install apps from other sources that you trust, like your workplace.” There is no “only” in the genuine sentence.

    The above Settings page is already out of date. Starting in Windows 10 build 18956…

    Does the grammarian in you not disapprove of using “already” for a Windows build that is not even released yet? The latest released build of Windows 10 is 18363. (That’s Windows 10 v1909.)

    • Avatar
      Mike Morrison

      Perhaps from his perspective as a Windows developer “already” is appropriate. Build 18956 may be in his rear view and he’s working on newer builds.

    • Avatar
      Danstur

      Given that the current insider preview build is Build 19619.1000, I think it’s fair to say that a build after 18956 is very much released.

      Sure it might not be available for everyone, but if you go by that argument, neither is 18363 “released” yet.

  • Avatar
    GL

    Though I believe Windows Setup installs the Microsoft-Store-signed version, it doesn’t have to do it in this way. Since Setup runs with administrative privilege, it can temporarily toggle the setting, deploy the appx, then revert the setting. Once installed, it seems Windows doesn’t bother verifying where the app came from when running it. I found a while ago that Adobe Reader DC MSI does this to sideload their Notification Manager app.