Microsoft has added a setting to Windows 10 that will let users restrict new software installation to only those apps hosted in the Windows Store.
The option debuted in the latest version of Windows 10 Insider, the preview program which gives participants an early peek at the next feature upgrade as Microsoft builds it. That version, labeled 15042, was released Friday.
With the setting at its most stringent, Windows 10 will block the installation of Win32 software -- the traditional legacy applications that continue to make up the vast bulk of the Windows ecosystem -- and allow users to install only apps from the Windows Store, Microsoft's marketplace.
Other settings allow software installation from any source, or, while allowing that, put a preference on those from the Windows Store.
Unless Microsoft removes them, the options will appear in the next Windows 10 feature upgrade, dubbed "Creators Update," which is to launch in March or April.
The appearance of the installation-origin settings followed reports last month that Microsoft was crafting another Windows 10 edition, called "Cloud," which would run only Universal Windows Platform (UWP) apps obtained from the Store.
Microsoft has said nothing about the purpose of the new settings or confirmed the reports of Windows 10 Cloud. But when the new options were applied, they touted themselves as making devices "safe and reliable."
When asked today for more information about the thinking behind the installation options, a company spokeswoman repeated a stock statement about the Insider program that included the line, "We regularly test new features and changes to existing features to see what resonates well with our fans."
By limiting Windows 10 to only the apps on the Windows Store, Microsoft will follow in the footsteps of Apple's iOS and macOS, as well as Google's Chrome OS. Each of those operating systems block all software but that hosted in a vetted mart, or in the case of macOS, let users choose the option. (The new Windows 10 setting is most like macOS's "Gatekeeper," which debuted in 2012's Mountain Lion.)
In iOS, for instance, the App Store serves as the only sanctioned software gateway; iPhone owners must "jailbreak" their smartphones for it to install apps not in the store. The practice has largely kept iOS devices malware free.
John Pescatore, the director of SANS, has argued for years that the best security move Microsoft could take would be to mimic iOS, and restrict what runs on the OS. He repeated his call in a recent interview.
"Look at iPhones and Android, they live without AV [antivirus] software," Pescatore said. "iOS and Android were built with app store construction and the Internet in mind," he added, pointing out that unauthorized executable code -- whether legitimate or malware -- could not be run on iOS.
"Unfortunately, Windows 10 still has much in it that was built before the Internet," Pescatore continued. "So, it's easy for executables to work." Since 2003 -- when Pescatore was with Gartner Research -- he's argued that Microsoft should restrict runnable code.
"Why doesn't Microsoft build into Windows a way to block executables?" he asked in summarizing his decade-and-more recommendation.