Slashdot Mirror
Microsoft To Introduce a New Feature In Windows 10 Which Will Allow Users To Block Installation of Desktop Apps (mspoweruser.com)
Microsoft is planning to introduce a new feature to Windows 10 that will allow a user to prevent installation of desktop apps. The latest Windows Insider build comes with an option that allows users to enable app installations only from the Windows Store. From a report on MSPowerUser: Once enabled, users will see a warning whenever they try to install a Win32 app -- they will get a dialog saying apps from the Windows Store helps to keep their PC "safe and reliable." This feature is obviously disabled by default, but users can enable it really easily if they want.
When computers had an admin account.
Until Microsoft makes some real, hard, restrictions on how a Windows install provided by an OEM on a new computer looks, this is all just smoke.
At first, I misread the headline as "Windows 10 now allows you to block back-door installation"...
If you want news from today, you have to come back tomorrow.
Yeah... 'till the next update.
Microsoft sells this as important step against bloatware/malware, but this coudn't be further from the truth. Windows 10 desktops come preloaded with bloatware, and often it re-installs itself after you have removed it. The real motivation for microsoft to do this is because the model of making a limited app store and then taxing every app a big amount (30% usually) has been very successful on the mobile market and they want this for windows too.
anit trust issues! with going app store only.
This feature is obviously disabled by default, but users can enable it really easily if they want.
Until it's not. It's only a matter of time before Microsoft sets this by default to try and force users to buy apps from the Windows store.
"Oh, you want to install this software that removes malware/spyware? DENIED!"
"NMeet the new boos same as the old boss."
...to block unwanted OS updates.
Maybe make it an option in the windows update system that you can pick and choose which updates to install & which ones to block.
That would be a VERY useful feature. They really should see if there is some way to accomplish that.
Taking a queue from the safest OS on the market, MicroSoft today announced that it is going to build a walled garden where only applications that MicroSoft has deemed are safe will be allowed to be installed.
so heres how to use it in the latest release:
users: another screen, another popup, another warning. mash enter until the bad square goes bye bye.
Sysadmins/developers: crinkle nose, furrow brow, open mouth slightly, and quietly under your breath mutter "what the hell" while roaming around the popup to determine if theres a means to disable this garbage in the future. become concerned your app isnt in the store...did it need to be in the store? what was the process for that and why isnt the standup aware? how long has microsoft had its own app store?? people cant possibly use this right? disable the feature, push it as disabled in all GPO's. release your app in iOS and android instead. receive six user bugs in the next 5 years for windows 35 millenium chrome hyper walnut marmalade edition not running this code because your tertiary support agreement uploads werent made exclusive to the hyper microsoft money choo choo store. close as cant-fix/wont-fix and go make another cup of tea.
Good people go to bed earlier.
..... Microsoft spyware, err, "apps" or "features"?
I'd disable the egregious data harvesting that Microsoft is doing. That's a bigger concern to me than desktop apps.
Microsoft has already expressed a desire to kill Steam
I'm sure they aren't happy about "losing revenue" to Google Play or iTunes either
How long before some future update changes the default to enabled on all Windows systems?
If they ever force this option on us then I'll be done with Windows.
I only want mobile! With big friendly buttons!
Microsoft look enviously at Apple, who get to control and profit from their walled garden. Then they glance over at Android, and see Google has their play store (which, whereas it may not be a walled garden, has a fence around). Fire users most certainly have their own walled garden courtesy of Amazon.
Apple and Google are both benefiting from these "almost monopolies" they run controlling their users, skimming a bit off the top from everyone. No doubt, Microsoft sees that these are profitable ventures and they want the same control over what runs on Microsoft Windows. It's a little harder to do because there is a lot of legacy applications, and neither consumer, nor software producers want to give a little bit of each purchase to Microsoft. Microsoft are going to continue baby-stepping towards that goal though because they want the money, and their competitors are already doing that.
It will be a sad day when you have no option but to buy from the Microsoft store, but that day is coming.
"That's the way to do it" - Punch
Yet another reason to not use Windows 10. Walled garden or prison---it's a slippery slope.
I want the ability to block the Windows Store from the users. Windows took that ability away from IT in Windows 10 Pro. Thanks, Microsoft.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Looks like he called it.
Wasn't there are article about how the majority, I believe has high as 75% of the Windows Store apps were considered malware?
https://www.howtogeek.com/1949...
I mean, sure they probably have improved their content since the days of this, but let us not forget how they let this slip not to long ago.
Place something witty here
to have moved to Linux. Fast as hell, i can choose however i want my UI to function and show, it doesn't ask me for permissions and shit,
and most importantly it is desktop friendly and doesn't have any of that mobile/touchscreen UI diarrhea which infests Windows now.
There's also a lack of "something happened" on Linux, contrary to people telling me.
I only ever have Windows 7 completely walled up except for some multiplayer video games which are allowed to connect.
That's also the only thing i use it for, video games. By the time games have lost support for Windows 7, Valve and GoG would have ported most libraries
to MacOS and Linux via intermediary porting, while new games are increasingly multi-support.
By then, i will finally be completely rid of Windows. Hackingtosh and Linux, that's where i'm 100% staying in the future.
There used to be a management piece that allowed you to block the installation of certain specific executables. It would be a nice feature, if this were set in Windows directly, or in group policy or something so I could finally block those stupid coupon sites my users seem to always install and destroy their computers. Since the apps install to a user profile, its hard to block.
In the later stages of that progression, how will testing applications in Visual Studio work?
It makes perfect sense to prohibit users from installing a program, especially ones that have not been signed, audited and vetted. This prohibition should be on by default but could be disabled from within the control panel only by an admin user, but this is enough of a deliberate action that this would foil a large number of accidentally opened email attachment trojans. The current security situation of making email attachments executable with a few clicks is dismal. The warning messages that currently display are often ignored by users. RBAC rules should be used to lock a user out from running any executable whatsoever from their home directory.
No Win32 also means no Steam library, leveling the play field for Windows Store to deliver games without being able to install competing stores. How convenient!
Twinstiq, game news
That's my 'feature' for blocking the installation of Windows 10 -- which solves ALL the security problems of Windows 10, all at once, permanently.
Modern app appers ONLY app apps, so this setting makes Appdows 10 even appier by lockout out LUDDITE software!
Apps!
Project "Boil The Frogs" is picking up pace I see!
Twinstiq, game news
The Deep State describes those responsible for long term agendas that are not to be displaced by passing power nodes, like particular presidents or CEOs. Microsoft follows the rule of the Deep State- hardly surprising since Bill "reduce the Human population by at least three billion using any means possible" Gates comes from a powerful family of eugenicists.
The Internet is FREEDOM. The PC in its original form is freedom. Both must be neutered. Win 10 store is a pale and useless copy of Apple's store, but Apple's version teaches us. Apple bans apps for 'political' and 'social' engineering reasons. The usual scum here and elsewhere say this isn't 'censorship' cos a corporation does it. Of course, when a corporation has a monopoly, the efectiveness of their censorship is better than that done by any government.
Only a few days ago british sheeple were told by aan NGO that children coders are 'hackers' and 'hackers' are 'criminals'. A common enough Stasi FUD tactic. But it sits perfectly with Microsoft initiative- and no surprise there. Having a non-locked-down PC will be a crime in much of the world (especially in the UK) before 10 years passes. Now lets see if this site's 'lamenes filter'- based on an early version of Google's 'perspective' censorship tool, will ban this comment.
anit trust issues! with going app store only.
Yet Apple and Google appear to be able to get away with it....
I'm not entirely sure to which phenomenon you refer. True, Apple locks iOS devices down to use apps from the App Store, but Apple's market share is nowhere near large enough to have "market power" over smartphone apps. As for Google, except for about the first year of AT&T-branded Android devices, practically every Android device with Android Market (now Google Play Store) has offered a checkbox to let users choose to install applications from unknown sources. In fact, last time I checked, Google required a working Android Debug Bridge with adb install as a condition of licensing its copyrighted Google Play Store application.
Do these "business critical" computers happen to be laptops in odd form factors, which would rule out building your own desktop or using a System76 laptop? Or does the "extra software" require a device driver or have some other good reason not to run in Wine? If not, use GNU/Linux.
While i feel the suspicion is natural. Apple did this years ago with the mac app store in MACOS. you can still install "desktop" apps but disabling the switch. They are trying to steer grandma to the store so there are less security issues and yes, profit.
I don't see them ever disabling this by default, unless critical acceptance of the windows store occurs. It didn't work for mac. I don't expect windows to be successful.
But in the end if Microsoft can convenience all the win32 apps to move to the store. Then I am ok with moving to the UWP apps.
I don't expect them to be successful. Enterprise is very slow to change.
only reason i have windows is for gaming and 99% are steam games you kill steam guess what you kill....my wish to use windows 1000000%
The right thing, is a) to never let users run as admin
Ransomware can do a lot of damage to the data in a user's account even without elevated privileges.
There's no reason for 99% of apps out there to actually need administrator privileges
Even to install? Or should operating systems allow per-user installation of device drivers in order to support applications that need a specific device driver? For example, iTunes installs an iPod/iPhone/iPad driver, and Fitbit Connect which installs a tracker receiver driver. Or do only 1 percent of applications need such a driver?
if i wanted to use BSD I'd use openbsd or freebsd thank you
developers can still sign code with their key when selling other ways, including boxed retail.
Then how can a developer sign code when distributing software through non-commercial means, particularly free software? Though price competition has made the cost of a domain-validated TLS certificate trivial, with Let's Encrypt offering 90-day certificates to domain owners without charge and SSLs.com offering 3-year certificates for $5 per year, there's as of yet no counterpart to those for code signing on macOS or Windows.
If application developers have to wait in line for their applications to be reviewed and deemed worthy of publication in Windows Store, then it's also "queue".
now we have "alternative features"?
you can install apps on MacOS by confirming that Yep, you are ok to install this and entering the mahic password.
Only Apps that have Apple siging are allowed in the App Store (AFAIK)
There's nothing to stop malware from finding its way into the windoze store.
What about software that can't run in Wine?
If a publisher refuses to add support for GNU/Linux, either natively or through Wine, a business relying on that publisher's proprietary software ought to plan a migration now to a different publisher that is willing.
Apple's been boiling its frogs (sorry, I mean, customers) longer, and has moved from the ability to install any app you want, to the ability to install any app you want IF you set up preferences to allow it, to an inability to set up preferences to allow it, but if you try, a button appears (which you have to go into preferences to find) that may allow it (doesn't alway appear)...
They're one or two steps away from "app store only."
The frogs.... sorry, the customers... just one step from boiling now.
Interesting to see Microsoft begin to turn up the heat.
I guess pretty much everyone's a frog now.
Customer. I meant customer.
I've fallen off your lawn, and I can't get up.
...until the first patch after any perceived fuss dies down....
A button enabling the blocking of crappy store apps - including those peddled by MS without the users' consent - would be a lot better.
If you can only use Metro^H^H^H^Hodern apps and no Windows-API applications, why use Windows at all? The only reason I would use Windows is that it runs a program that I can't replace. Otherwise Windows is just too much pain.
One of the more compelling reasons to stick with Windows in the enterprise is that it is straightforward to author, update and deploy software without having to go through a third-party store approval process. If I need to get an update to accounting software that takes care of a sales tax issue, I want that update deployed now, and not wait days for somebody to review it and make sure it complies to whatever flavor-of-the-week UI conventions that a particular reviewer may or may not make an issue out of.
This "feature" needs to be defaulted OFF in Windows Professional and "higher", and on a domain-connected computer needs to be configured at the GPO level. If Microsoft places any artificial constraint on managing this (i.e. you must be running a Windows Server Enterprise version to disable this) it will be the largest caliber of bullets Microsoft has shot into its own foot (and it fires there a lot).
One of the reasons the UWP is not getting adopted is the cumbersome nature of getting software built in-house for in-house use deployed. People may live with a store approval process for mobile apps, but they will not live with it for in-house developed software being solely used in-house. It's why after evaluating UWP we stuck with WPF, because even though there were lots of creature comforts in places like Windows.Devices, the deployment obstacles were far too numerous.
Sure, for now. All new APIs are being written specifically for UWP, and as Win32 will diverge further and further to the point where it will no longer be possible to backport patches and improvements to Win32. At that point it will be considered deprecated and unsupported, even prevented due to security liabilities. Likely only businesses will be able to license a Win32 VM for legacy applications.
Twinstiq, game news
Operative phrase, "a user".
Why would I want to "Block" myself (logged in as Admin or Root) from installing a Desktop App?
The answer is Microsoft is "a user" and Microsoft will block Desktop Apps it does not want!
Typical M$ Double-Talk.
Ha ha
I'm running Windows 10 LTSB. It does not include Windows Store.
You'll need a special license from the government - administered by Microsoft - to run dev tools and debuggers.
From what government? For 95 percent of the world, Microsoft is foreign. Why would one country's government let a foreign corporation administer its developer licenses?
This feature is obviously disabled by default, but users can enable it really easily if they want.
Until it's not. It's only a matter of time before Microsoft sets this by default to try and force users to buy apps from the Windows store.
On the one hand, I accused Apple of exactly this within the past few weeks, so I'm certainly not above believing that Microsoft would follow this very path.
On the other hand, I see this being a much rougher sell for Microsoft than Apple. Apple hasn't been to court for web browser choice, and isn't under the same EU scrutiny. I also think the number of niche, high-priced LoB applications for Windows far outnumbers those for OSX, so trying to make sure every critical application on Main Street is still working is going to be about as tough a sell as having every one of those businesses formatting their computers to then pay $10/month for LTSB Windows is going to make a mess.
Ultimately, I see it this way: The moment Microsoft makes it impossible to install legacy applications on Windows 10 is the day that Linux starts making inroads. If the options are "pay monthly for an OS that doesn't run Windows applications" or "get an OS that doesn't run Windows applications for free", I have a sneaky guess which will win that contest.
We'll see...
Oh. :-(
At first glance I thought they meant that you could not install ANY desktop apps. So you only had the ones you had, but no more.
And then you start removing them finally leaving nothing but normal programs and all's right with the world. (Except for all of the telemetry and monitoring and the missing Start Menu.)
if only Microsoft could find a way to disable Metro...
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Is that where the ads in the start menu lead? I don't click on that random crap.
>> This feature is obviously disabled by default
yeah? Guess what their next move will be.
Steam is to big to be locked out and then linux will crush windows.
And there is no way the supermico, hp, dell, ETC will go locked windows only boot loaders unless they want to lose the server market.
Needs less sandboxing / open to user maps and mods.
At least let games have a game.exe and a mapedit.exe as part of the same app.
developers can still sign code with their key when selling other ways, including boxed retail.
Then how can a developer sign code when distributing software through non-commercial means, particularly free software? Though price competition has made the cost of a domain-validated TLS certificate trivial, with Let's Encrypt offering 90-day certificates to domain owners without charge and SSLs.com offering 3-year certificates for $5 per year, there's as of yet no counterpart to those for code signing on macOS or Windows.
Those macOS (and iOS) Developer Certs are FREE, as in Beer, dumbass. It only costs if you want to be listed in the Mac App Store (or iOS App Store).
Honestly, with Steam and most have a package manager with similar applications, I don't see why people can't just use Linux if they are that worried about malware to give up their admin rights. They want everyone to chose the Windows store not for safety, but because they get a cut of all the apps sold and more data on to collect on everyone. And when everyone is dumb and comfy, they make everything only work if connected to the Internet, gaining more control. Though, if the servers get hacked regardless of update options, they're all screwed anyway. Then, they introduce AI into the mix, the seek and destroyer of open source privacy and encryption. It is. Don't argue. All AI is good for is tasks that humans can't do in a time crunch, like cracking passwords or digital fingerprinting. I don't need to be told what my best app match is because I've made an actual effort to be proactive in the things I care about. Maybe the Great AI overlord will see this one day, do some digging and find out who I actually am and revoke my food card. Oh well, good thing I garden and didn't opt for the "store only" option.
Last I checked most ransomeware doesn't have an "installer"....will just execute....so...yea....
when a billion users were trying to keep windows 10 from getting shoved up their ass without lube?
What good is trying to teach everyone to code if everyone is going to have to pay $$ to get developer access to their machines? Oh wait, never mind.
So much for cross-platform languages when you're restricted to a store's API for app approval.
Microsoft has wanted a share of those game sales for a long time.
Games are the only reason Windows even exists in my household.
I want the app control to block all the Microsoft (bloatware,useless) apps so I can have room to install what I need to run. Why is this so difficult?
There is a setting in System Preferences -> Security & Privacy that controls this. The default is "Mac App Store and identified developers". The other two options are "Mac App Store" and "Anywhere". The latter gives you an "are you really sure?" prompt and then shuts the fuck up. There is also protection of the OS directories (even root can't fuck with them), starting in 10.10 (or is it 10.11?), unless you perform the proper magickal ceremony to disable it, which includes starting a command-line shell after a reboot into recovery mode. And once you've done it, it also shuts the fuck up about it.
So if you know what you're doing, you can go back to more or less normal Unix hacking, but you won't have to worry about grandma getting pwned.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Are mine.
Says the Windows app store!
Rick B.
There is also protection of the OS directories (even root can't fuck with them)
Then you are not really root.
To quote Pitr: "God, root, what is difference?"
Why do you focus so much attention on young people?
I focus on situations similar to those to which I am exposed, and there are young people in my family.
Most high school students DON'T have comp sci 101 homework
Don't, but will. (Source: "Making it Count: Computer Science Spreads as Graduation Requirement" by Allie Bidwell)
Those macOS (and iOS) Developer Certs are FREE, as in Beer
Only for programs that you compile and run on machines associated with the same ID.
dumbass.
Ad hominem, uncalled for.
It only costs if you want to be listed in the Mac App Store (or iOS App Store).
Or if you want other people who have Gatekeeper configured for "identified developers" to be able to run your software. From "Distributing Apps Outside the Mac App Store":
From Apple Developer Program: How It Works:
As far as I can gather from the pages I linked, a valid Apple Developer Program membership is required to sign a macOS application for distribution outside the Mac App Store to Gatekeeper users, and renewals thereof are required to sign updates to said application that are also distributed outside the Mac App Store to Gatekeeper users. Perhaps you were confusing it with the relatively recent decision to allow a copy of Xcode associated with a particular Apple ID to sign for an iOS device associated to the same Apple ID, which is not distribution. Please help me and other readers of this discussion by explaining what I misread.
"Company B didn't do it" means absolutely shit in Microsoft's decision making.
I remember that, it was termed "Admin Rights".
they (apple, ms, google) want to mimick the safety that linux distro repos bring, however it doesn't work when all the stuff you put in is closed source.
On a long enough timeline, the survival rate for everyone drops to zero.
Can't you understand that most companies do not have developers inhouse, as it's not their trade to develop software?
And why should they contribute money to the Wine project when they can buy off-the-shelf an OS that just works, complete with easy-available support?
Do you even understand what a business is, and how it operates?
Now this feature is awesome cause, that will definitely restrict/block the malicious software/scripts into PC.
If you wanted a tablet that you can throw desktop apps on, you would get the Pro version that runs x86 and windows 8/10 pro.
For which Microsoft charged twice what it charged for the Surface non-Pro, and at least three times the price of the netbooks that had preceded it.
And why should they contribute money to the Wine project when they can buy off-the-shelf an OS that just works
In later stages of the rumored plan, editions of Windows below Enterprise will completely block installation of desktop applications, with the override tied to Windows Server and a volume license of Windows Enterprise. At this point, if the publisher of the application on which the business relies does not make it available to existing licensees through the Windows Store, Windows will no longer be "an OS that just works".
The same governments that you claim will impose a developer licensure regime and outsource its administration to a local subsidiary of an American corporation will also require the ability to make and use classified software for national defense purposes.
In other words you don't know what your machine is running
This is true if the PC runs Windows. It is not true if the PC runs GNU/Linux. Disabling or rekeying UEFI Secure Boot, which is a separate mechanism from TPM, allows the PC to run GNU/Linux. All x86 and x86-64 PCs certified for Windows 8 allow disabling or rekeying Secure Boot, and many (I'd guess most) PCs certified for Windows 10 allow it as well. Only Windows RT devices and certain avoidable Windows 10 PCs use Secure Boot without letting the device's owner disable or rekey it.
As usual, you Trusted Computing loons keep saying you can disable the TPM
What are the consequences of disabling the TPM in Windows?
or change the keys
The TPM and Secure Boot are separate mechanisms. One difference between the two is that the machine's owner can change the Secure Boot keys but not the TPM key.
As I said, everything after that is a software update.
What are the consequences of "a software update" if the user has chosen to disable the TPM? What are the consequences of "a software update" if the user has chosen to disable or rekey Secure Boot?