{"id":103709,"date":"2020-04-28T07:00:00","date_gmt":"2020-04-28T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=103709"},"modified":"2020-04-28T09:44:43","modified_gmt":"2020-04-28T16:44:43","slug":"20200428-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20200428-00\/?p=103709","title":{"rendered":"When you set Windows 10 to allow only Windows Store apps, it allows them to be installed by anyone, not just the Store app"},"content":{"rendered":"<p>In Windows 10 Settings, on the <i>For developers<\/i> page, you have a choice for which programs can be installed:<\/p>\n<div style=\"width: 25pc; border: solid 1px black; padding: 1ex;\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"3\">\n<tbody>\n<tr>\n<td>\u25c9<\/td>\n<td>Windows Store apps<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<\/td>\n<td style=\"color: #808080;\">Only install apps from the Windows Store.<\/td>\n<\/tr>\n<tr>\n<td>\u2b58<\/td>\n<td>Sideload apps<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<\/td>\n<td style=\"color: #808080;\">Only install apps from other sources that you trust, like your workplace.<\/td>\n<\/tr>\n<tr>\n<td>\u2b58<\/td>\n<td>Developer mode<\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<\/td>\n<td style=\"color: #808080;\">Install any signed app and use advanced development features.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>I&#8217;ve seen confusion over the first choice: Windows Store apps. Setting this option allows the installation of apps that came from the Windows Store.<\/p>\n<p>However, it doesn&#8217;t mean that they must be installed by the <span style=\"text-decoration: line-through;\">Windows<\/span> Microsoft Store app.<\/p>\n<p>Selecting <i>Windows Store apps<\/i> allows any app that has been signed by the Microsoft Store, which typically happens when a developer submits the program to the Store.<\/p>\n<p>While it&#8217;s common for the installation to be done by the Store app itself, it doesn&#8217;t have to be.<\/p>\n<p>For example, Windows Setup itself installs a number of apps, like the Mail app, and it does so from files that come with the Windows installation media. Since Windows can be installed without an Internet connection, there needs to be a way to get these apps installed without involving the Windows Store app.<\/p>\n<p>You can do this installation yourself from PowerShell with the <code>Add-AppxPackage<\/code> cmdlet. You can install it even though it&#8217;s not the Store app that&#8217;s doing the installation.<\/p>\n<p><i>Sideload apps<\/i> permits the installation of apps that are signed by a workplace whose certificate has been installed onto your system, typically when you join your computer to your workplace. This makes it possible for you to install line of business apps onto your system.\u00b9<\/p>\n<p>Note further than these limitations apply only to apps that are installed using the Appx\/MSIX installation process. It has no effect on classic MSI packages, or Win32 apps that use custom installers. Nor will it prevent you from just plugging in a USB thumb drive and running a Win32 app directly from it.<\/p>\n<p>The above Settings page is already out of date. Starting in Windows 10 build 18956, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/application-management\/sideload-apps-in-windows-10\"> sideloading is enabled by default<\/a>, but there is a policy to disable it. All that&#8217;s left behind a toggle named <i>Install apps from any source, including loose files<\/i>. Enabling this gets you what was previously called <i>Developer mode<\/i>.<\/p>\n<p>The key word in all of this is <i>from<\/i>. This policy checks where you got the app <i>from<\/i>, not who it was installed <i>by<\/i>.<\/p>\n<p><b>Bonus chatter<\/b>: The grammarian in me disapproves of the phrasing of the two choices, since the placement of the word <i>only<\/i> is misleading. &#8220;Only install apps from the Windows Store&#8221; means &#8220;You can install apps from the Windows Store, but you can&#8217;t run them or anything else. The only thing you can do is install them.&#8221; I would have moved the word <i>only<\/i> to the place where the restriction applies: &#8220;Install apps only from the Windows Store.&#8221;<\/p>\n<p><b>Bonus bonus chatter<\/b>: The second option has another problem: It combines <i>only<\/i> (restrictive) with <i>other<\/i> (additive). Even if you ignore the misplaced <i>only<\/i>, the instructions &#8220;Only install apps from other sources that you trust, like your workplace&#8221; says that the only valid installation sources are the other ones. The default trusted sources are not allowed. I would have rephrased it as &#8220;Also install apps from other sources that you trust, like your workplace.&#8221; This highlights that this option is additive.<\/p>\n<p>\u00b9 The confusion likely stems from the vague term <i>sideload<\/i>, which has two different meanings in common use.<\/p>\n<ol>\n<li>To install software obtained from a third-party source.<\/li>\n<li>To install software from existing files, rather than via streaming download.<\/li>\n<\/ol>\n<p>The dialog above is using the first definition. It&#8217;s referring to the source of the app, not to the means of installation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s about the source of the program, not the delivery mechanism.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-103709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"<p>It&#8217;s about the source of the program, not the delivery mechanism.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/103709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=103709"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/103709\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=103709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=103709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=103709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}