Slashdot Mirror
Microsoft To Introduce a New Feature In Windows 10 Which Will Allow Users To Block Installation of Desktop Apps (mspoweruser.com)
Microsoft is planning to introduce a new feature to Windows 10 that will allow a user to prevent installation of desktop apps. The latest Windows Insider build comes with an option that allows users to enable app installations only from the Windows Store. From a report on MSPowerUser: Once enabled, users will see a warning whenever they try to install a Win32 app -- they will get a dialog saying apps from the Windows Store helps to keep their PC "safe and reliable." This feature is obviously disabled by default, but users can enable it really easily if they want.
At first, I misread the headline as "Windows 10 now allows you to block back-door installation"...
If you want news from today, you have to come back tomorrow.
Yeah... 'till the next update.
Microsoft sells this as important step against bloatware/malware, but this coudn't be further from the truth. Windows 10 desktops come preloaded with bloatware, and often it re-installs itself after you have removed it. The real motivation for microsoft to do this is because the model of making a limited app store and then taxing every app a big amount (30% usually) has been very successful on the mobile market and they want this for windows too.
anit trust issues! with going app store only.
This feature is obviously disabled by default, but users can enable it really easily if they want.
Until it's not. It's only a matter of time before Microsoft sets this by default to try and force users to buy apps from the Windows store.
"NMeet the new boos same as the old boss."
so heres how to use it in the latest release:
users: another screen, another popup, another warning. mash enter until the bad square goes bye bye.
Sysadmins/developers: crinkle nose, furrow brow, open mouth slightly, and quietly under your breath mutter "what the hell" while roaming around the popup to determine if theres a means to disable this garbage in the future. become concerned your app isnt in the store...did it need to be in the store? what was the process for that and why isnt the standup aware? how long has microsoft had its own app store?? people cant possibly use this right? disable the feature, push it as disabled in all GPO's. release your app in iOS and android instead. receive six user bugs in the next 5 years for windows 35 millenium chrome hyper walnut marmalade edition not running this code because your tertiary support agreement uploads werent made exclusive to the hyper microsoft money choo choo store. close as cant-fix/wont-fix and go make another cup of tea.
Good people go to bed earlier.
I'd disable the egregious data harvesting that Microsoft is doing. That's a bigger concern to me than desktop apps.
You mean the malware account?
You do not have a moral or legal right to do absolutely anything you want.
Microsoft has already expressed a desire to kill Steam
I'm sure they aren't happy about "losing revenue" to Google Play or iTunes either
How long before some future update changes the default to enabled on all Windows systems?
I only want mobile! With big friendly buttons!
Microsoft look enviously at Apple, who get to control and profit from their walled garden. Then they glance over at Android, and see Google has their play store (which, whereas it may not be a walled garden, has a fence around). Fire users most certainly have their own walled garden courtesy of Amazon.
Apple and Google are both benefiting from these "almost monopolies" they run controlling their users, skimming a bit off the top from everyone. No doubt, Microsoft sees that these are profitable ventures and they want the same control over what runs on Microsoft Windows. It's a little harder to do because there is a lot of legacy applications, and neither consumer, nor software producers want to give a little bit of each purchase to Microsoft. Microsoft are going to continue baby-stepping towards that goal though because they want the money, and their competitors are already doing that.
It will be a sad day when you have no option but to buy from the Microsoft store, but that day is coming.
"That's the way to do it" - Punch
Yet another reason to not use Windows 10. Walled garden or prison---it's a slippery slope.
The point of failure of often at layer 8.
I want the ability to block the Windows Store from the users. Windows took that ability away from IT in Windows 10 Pro. Thanks, Microsoft.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Looks like he called it.
Wasn't there are article about how the majority, I believe has high as 75% of the Windows Store apps were considered malware?
https://www.howtogeek.com/1949...
I mean, sure they probably have improved their content since the days of this, but let us not forget how they let this slip not to long ago.
Place something witty here
No, you will continue to use it as the sheep you are
There used to be a management piece that allowed you to block the installation of certain specific executables. It would be a nice feature, if this were set in Windows directly, or in group policy or something so I could finally block those stupid coupon sites my users seem to always install and destroy their computers. Since the apps install to a user profile, its hard to block.
In the later stages of that progression, how will testing applications in Visual Studio work?
It makes perfect sense to prohibit users from installing a program, especially ones that have not been signed, audited and vetted. This prohibition should be on by default but could be disabled from within the control panel only by an admin user, but this is enough of a deliberate action that this would foil a large number of accidentally opened email attachment trojans. The current security situation of making email attachments executable with a few clicks is dismal. The warning messages that currently display are often ignored by users. RBAC rules should be used to lock a user out from running any executable whatsoever from their home directory.
No Win32 also means no Steam library, leveling the play field for Windows Store to deliver games without being able to install competing stores. How convenient!
Twinstiq, game news
Yes. It's called Windows Signature.
Modern app appers ONLY app apps, so this setting makes Appdows 10 even appier by lockout out LUDDITE software!
Apps!
Project "Boil The Frogs" is picking up pace I see!
Twinstiq, game news
anit trust issues! with going app store only.
Yet Apple and Google appear to be able to get away with it....
I'm not entirely sure to which phenomenon you refer. True, Apple locks iOS devices down to use apps from the App Store, but Apple's market share is nowhere near large enough to have "market power" over smartphone apps. As for Google, except for about the first year of AT&T-branded Android devices, practically every Android device with Android Market (now Google Play Store) has offered a checkbox to let users choose to install applications from unknown sources. In fact, last time I checked, Google required a working Android Debug Bridge with adb install as a condition of licensing its copyrighted Google Play Store application.
Do these "business critical" computers happen to be laptops in odd form factors, which would rule out building your own desktop or using a System76 laptop? Or does the "extra software" require a device driver or have some other good reason not to run in Wine? If not, use GNU/Linux.
Did you build a desktop PC from parts with Linux in mind? Because a lot of home users don't have that luxury. They need a laptop in a size System76 doesn't offer, or they can't afford more than an existing hand-me-down PC. Last night I was in a chat room with someone who tried five different WLAN cards he already owned of which Ubuntu successfully detected zero, but Windows let him load a driver from a USB flash drive.
The right thing, is a) to never let users run as admin
Ransomware can do a lot of damage to the data in a user's account even without elevated privileges.
There's no reason for 99% of apps out there to actually need administrator privileges
Even to install? Or should operating systems allow per-user installation of device drivers in order to support applications that need a specific device driver? For example, iTunes installs an iPod/iPhone/iPad driver, and Fitbit Connect which installs a tracker receiver driver. Or do only 1 percent of applications need such a driver?
developers can still sign code with their key when selling other ways, including boxed retail.
Then how can a developer sign code when distributing software through non-commercial means, particularly free software? Though price competition has made the cost of a domain-validated TLS certificate trivial, with Let's Encrypt offering 90-day certificates to domain owners without charge and SSLs.com offering 3-year certificates for $5 per year, there's as of yet no counterpart to those for code signing on macOS or Windows.
If application developers have to wait in line for their applications to be reviewed and deemed worthy of publication in Windows Store, then it's also "queue".
Or you could switch from Steam to PlayStation Store and leave Windows behind.
now we have "alternative features"?
What about software that can't run in Wine?
If a publisher refuses to add support for GNU/Linux, either natively or through Wine, a business relying on that publisher's proprietary software ought to plan a migration now to a different publisher that is willing.
Apple's been boiling its frogs (sorry, I mean, customers) longer, and has moved from the ability to install any app you want, to the ability to install any app you want IF you set up preferences to allow it, to an inability to set up preferences to allow it, but if you try, a button appears (which you have to go into preferences to find) that may allow it (doesn't alway appear)...
They're one or two steps away from "app store only."
The frogs.... sorry, the customers... just one step from boiling now.
Interesting to see Microsoft begin to turn up the heat.
I guess pretty much everyone's a frog now.
Customer. I meant customer.
I've fallen off your lawn, and I can't get up.
...until the first patch after any perceived fuss dies down....
Until the trapdoor opens and you fall through it and the rope actually breaks your neck, the building of the scaffold, the hanging of the rope, the tying of the noose, the marching you up on to the platform, putting a hood over your head and putting the noose around your neck is all just smoke.
Got it.
One of the more compelling reasons to stick with Windows in the enterprise is that it is straightforward to author, update and deploy software without having to go through a third-party store approval process. If I need to get an update to accounting software that takes care of a sales tax issue, I want that update deployed now, and not wait days for somebody to review it and make sure it complies to whatever flavor-of-the-week UI conventions that a particular reviewer may or may not make an issue out of.
This "feature" needs to be defaulted OFF in Windows Professional and "higher", and on a domain-connected computer needs to be configured at the GPO level. If Microsoft places any artificial constraint on managing this (i.e. you must be running a Windows Server Enterprise version to disable this) it will be the largest caliber of bullets Microsoft has shot into its own foot (and it fires there a lot).
One of the reasons the UWP is not getting adopted is the cumbersome nature of getting software built in-house for in-house use deployed. People may live with a store approval process for mobile apps, but they will not live with it for in-house developed software being solely used in-house. It's why after evaluating UWP we stuck with WPF, because even though there were lots of creature comforts in places like Windows.Devices, the deployment obstacles were far too numerous.
Sure, for now. All new APIs are being written specifically for UWP, and as Win32 will diverge further and further to the point where it will no longer be possible to backport patches and improvements to Win32. At that point it will be considered deprecated and unsupported, even prevented due to security liabilities. Likely only businesses will be able to license a Win32 VM for legacy applications.
Twinstiq, game news
I'm running Windows 10 LTSB. It does not include Windows Store.
or they can't afford more than an existing hand-me-down PC.
Or better yet you do as I have done. Buy an off-lease Lenovo Thinkpad for $150.00 or so [...] and if you really need Wi-Fi a $10 Netgear WG111V3 will always work in Linux
That's good to know for people with $160 for a project. I too have had good luck with GNU/Linux on an off-lease ThinkPad, needing only to install the proprietary firmware for iwlwifi. But in this particular case, a hand-me-down PC with a hand-me-down Windows license is $0, which is $160 less and which is all my source was willing to spend on an experimental PC to run retro games.
I really don't like using Wi-Fi though, as all of the 11 channels are super congested already in most locations, and even if they are not, an Ethernet connection to the router is much faster!
A 400 foot (122 m) cable run to the basement where my source is staying (long story including disinheritance) is more than $0, as it needs a switch in the middle to repeat the signal. And my source found that one of his five WLAN could get a signal in the less congested 5 GHz band (as can the off-lease ThinkPad I tried).
You'll need a special license from the government - administered by Microsoft - to run dev tools and debuggers.
From what government? For 95 percent of the world, Microsoft is foreign. Why would one country's government let a foreign corporation administer its developer licenses?
Last night I was in a chat room with someone who tried five different WLAN cards he already owned of which Ubuntu successfully detected zero, but Windows let him load a driver from a USB flash drive.
USB wi-fi devices should "just work" on any modern Linux, even most PCI cards should work. Failing that, a wifi bridge will work.
This feature is obviously disabled by default, but users can enable it really easily if they want.
Until it's not. It's only a matter of time before Microsoft sets this by default to try and force users to buy apps from the Windows store.
On the one hand, I accused Apple of exactly this within the past few weeks, so I'm certainly not above believing that Microsoft would follow this very path.
On the other hand, I see this being a much rougher sell for Microsoft than Apple. Apple hasn't been to court for web browser choice, and isn't under the same EU scrutiny. I also think the number of niche, high-priced LoB applications for Windows far outnumbers those for OSX, so trying to make sure every critical application on Main Street is still working is going to be about as tough a sell as having every one of those businesses formatting their computers to then pay $10/month for LTSB Windows is going to make a mess.
Ultimately, I see it this way: The moment Microsoft makes it impossible to install legacy applications on Windows 10 is the day that Linux starts making inroads. If the options are "pay monthly for an OS that doesn't run Windows applications" or "get an OS that doesn't run Windows applications for free", I have a sneaky guess which will win that contest.
We'll see...
Oh. :-(
At first glance I thought they meant that you could not install ANY desktop apps. So you only had the ones you had, but no more.
And then you start removing them finally leaving nothing but normal programs and all's right with the world. (Except for all of the telemetry and monitoring and the missing Start Menu.)
if only Microsoft could find a way to disable Metro...
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Is that where the ads in the start menu lead? I don't click on that random crap.
>> This feature is obviously disabled by default
yeah? Guess what their next move will be.
Steam is to big to be locked out and then linux will crush windows.
And there is no way the supermico, hp, dell, ETC will go locked windows only boot loaders unless they want to lose the server market.
Needs less sandboxing / open to user maps and mods.
At least let games have a game.exe and a mapedit.exe as part of the same app.
developers can still sign code with their key when selling other ways, including boxed retail.
Then how can a developer sign code when distributing software through non-commercial means, particularly free software? Though price competition has made the cost of a domain-validated TLS certificate trivial, with Let's Encrypt offering 90-day certificates to domain owners without charge and SSLs.com offering 3-year certificates for $5 per year, there's as of yet no counterpart to those for code signing on macOS or Windows.
Those macOS (and iOS) Developer Certs are FREE, as in Beer, dumbass. It only costs if you want to be listed in the Mac App Store (or iOS App Store).
Honestly, with Steam and most have a package manager with similar applications, I don't see why people can't just use Linux if they are that worried about malware to give up their admin rights. They want everyone to chose the Windows store not for safety, but because they get a cut of all the apps sold and more data on to collect on everyone. And when everyone is dumb and comfy, they make everything only work if connected to the Internet, gaining more control. Though, if the servers get hacked regardless of update options, they're all screwed anyway. Then, they introduce AI into the mix, the seek and destroyer of open source privacy and encryption. It is. Don't argue. All AI is good for is tasks that humans can't do in a time crunch, like cracking passwords or digital fingerprinting. I don't need to be told what my best app match is because I've made an actual effort to be proactive in the things I care about. Maybe the Great AI overlord will see this one day, do some digging and find out who I actually am and revoke my food card. Oh well, good thing I garden and didn't opt for the "store only" option.
Last I checked most ransomeware doesn't have an "installer"....will just execute....so...yea....
Microsoft has wanted a share of those game sales for a long time.
Games are the only reason Windows even exists in my household.
You're thinking about it in the wrong way. Currently it's an opt-in mechanism to force you to app all your apps from the Windows Store, in the same way that the Windows 10 malgrade was also opt-in initially. Then one day you'll click on a close box and Microsoft will take it as you authorising a mandatory lockdown on non-MS approved apps. This isn't a feature, it's stage 0 of making Windows 10 even more of a panopticon-jail.
There is a setting in System Preferences -> Security & Privacy that controls this. The default is "Mac App Store and identified developers". The other two options are "Mac App Store" and "Anywhere". The latter gives you an "are you really sure?" prompt and then shuts the fuck up. There is also protection of the OS directories (even root can't fuck with them), starting in 10.10 (or is it 10.11?), unless you perform the proper magickal ceremony to disable it, which includes starting a command-line shell after a reboot into recovery mode. And once you've done it, it also shuts the fuck up about it.
So if you know what you're doing, you can go back to more or less normal Unix hacking, but you won't have to worry about grandma getting pwned.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Are mine.
Says the Windows app store!
Rick B.
Why do you focus so much attention on young people?
I focus on situations similar to those to which I am exposed, and there are young people in my family.
Most high school students DON'T have comp sci 101 homework
Don't, but will. (Source: "Making it Count: Computer Science Spreads as Graduation Requirement" by Allie Bidwell)
Those macOS (and iOS) Developer Certs are FREE, as in Beer
Only for programs that you compile and run on machines associated with the same ID.
dumbass.
Ad hominem, uncalled for.
It only costs if you want to be listed in the Mac App Store (or iOS App Store).
Or if you want other people who have Gatekeeper configured for "identified developers" to be able to run your software. From "Distributing Apps Outside the Mac App Store":
From Apple Developer Program: How It Works:
As far as I can gather from the pages I linked, a valid Apple Developer Program membership is required to sign a macOS application for distribution outside the Mac App Store to Gatekeeper users, and renewals thereof are required to sign updates to said application that are also distributed outside the Mac App Store to Gatekeeper users. Perhaps you were confusing it with the relatively recent decision to allow a copy of Xcode associated with a particular Apple ID to sign for an iOS device associated to the same Apple ID, which is not distribution. Please help me and other readers of this discussion by explaining what I misread.
I remember that, it was termed "Admin Rights".
they (apple, ms, google) want to mimick the safety that linux distro repos bring, however it doesn't work when all the stuff you put in is closed source.
On a long enough timeline, the survival rate for everyone drops to zero.
Now this feature is awesome cause, that will definitely restrict/block the malicious software/scripts into PC.
If you wanted a tablet that you can throw desktop apps on, you would get the Pro version that runs x86 and windows 8/10 pro.
For which Microsoft charged twice what it charged for the Surface non-Pro, and at least three times the price of the netbooks that had preceded it.
And why should they contribute money to the Wine project when they can buy off-the-shelf an OS that just works
In later stages of the rumored plan, editions of Windows below Enterprise will completely block installation of desktop applications, with the override tied to Windows Server and a volume license of Windows Enterprise. At this point, if the publisher of the application on which the business relies does not make it available to existing licensees through the Windows Store, Windows will no longer be "an OS that just works".
The same governments that you claim will impose a developer licensure regime and outsource its administration to a local subsidiary of an American corporation will also require the ability to make and use classified software for national defense purposes.
In other words you don't know what your machine is running
This is true if the PC runs Windows. It is not true if the PC runs GNU/Linux. Disabling or rekeying UEFI Secure Boot, which is a separate mechanism from TPM, allows the PC to run GNU/Linux. All x86 and x86-64 PCs certified for Windows 8 allow disabling or rekeying Secure Boot, and many (I'd guess most) PCs certified for Windows 10 allow it as well. Only Windows RT devices and certain avoidable Windows 10 PCs use Secure Boot without letting the device's owner disable or rekey it.
As usual, you Trusted Computing loons keep saying you can disable the TPM
What are the consequences of disabling the TPM in Windows?
or change the keys
The TPM and Secure Boot are separate mechanisms. One difference between the two is that the machine's owner can change the Secure Boot keys but not the TPM key.
As I said, everything after that is a software update.
What are the consequences of "a software update" if the user has chosen to disable the TPM? What are the consequences of "a software update" if the user has chosen to disable or rekey Secure Boot?