How to Allow Only Apps From the Store on Windows 10 (and Whitelist Desktop Apps)

Windows 10’s Creators Update has a switch you can flip to only allow apps from the Windows Store. This feature can also be used to whitelist your existing desktop apps, only allowing your currently installed applications to run and blocking new applications until you allow them. It’s similar to Gatekeeper on macOS.

How to Run Only Apps From the Store

You’ll find this option under Settings > Apps > Apps & Features after upgrading to the Creators Update. Under “Installing apps”, you can select either “Allow apps from anywhere”, “Warn me before installing apps from outside the Store”, or “Allow apps from the Store only”. The default option allows you to run applications from anywhere, which is the way Windows has traditionally worked.

At the moment, choosing to run only applications from the Windows Store is a bit limiting. Many applications aren’t available in the Windows Store, including the desktop versions of Microsoft’s own Office applications. However, as more desktop applications are packaged for the Windows Store via Project Centennial, blocking desktop applications from elsewhere may become a useful security feature to help prevent malware from being installed on your system.

How to Whitelist Specific Desktop Apps

If you select “Allow apps from the Store only”, you’ll still be able to run all the desktop apps you’ve already installed. However, if you download an .exe file or other app from the Internet and try to run or install it, you’ll see a message saying the installation was blocked.

Want to install the app anyway? Click the “Open Settings” link or head back to Settings > Apps > Apps & Features and set the option to “Allow apps from anywhere”. Install the app normally. After you do, you can set the option back to “Allow apps from the Store only”. The app you just installed will be given permission to run, while future apps you install won’t have it.

While the wording here refers to “installing applications”, this also works for self-contained .exe files like portable apps. When you download a new .exe file, Windows will prevent you from opening it. If you switch the option to “Allow apps from anywhere”, you can then launch the .exe file. Switch the option back to “Allow apps from the Store only” afterwards and you’ll still be able to run that .exe file and any other apps you’ve already run.

You can also choose the “Warn me before installing apps from outside the Store” option to save time. When you try to run or install a new app file, it will be blocked, but you can click “Install anyway” to give the app permission to run. You’ll only have to give it permission once, and it will be allowed to run without any additional prompts in the future.

This feature is pretty interesting because it gives Windows desktop users an easy way to whitelist desktop apps, something that’s normally restricted to Enterprise and Education editions of Windows with AppLocker. Once you get the apps you use installed, you can flip this switch to block new apps from running without your express permission.

This sort of whitelisting was previously possible on any edition of Windows 7 and 8 via Family Safety, but that feature was removed from Windows 10. This new “Installing apps” option allows you to set up a basic form of whitelisting once again.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.