What is, and has been great about MS Paint is that no matter what Windows machine I have been on, I know that I have had it available. No matter if it's my old grandma's computer, if I have needed to quickly do something simple with an image, MS Paint has always been there for me. Now that will no longer be the case. If I have to download and install it on the computer before I use it, then what is the point? It will be faster to just google "MS paint online free" and click the first link.
Additionally you can't download apps off the windows store unless you sign up for /into a Microsoft account, which is a much bigger pain than simply downloading the first app you find searching on Google. Also my corporate windows 10 laptop has the entire window store and modern app infrastructure disabled, meaning I would not be able to access MS Paint.
this is a key people are ignoring. by moving the win32 mspaint from a native file on the filesystem to app-v/Centennial, it will be able to run on non-x86 hardware with emulation. in two years if Windows 10 S and Qualcomm dominate, having legacy apps available in the store will be a bonus not a burden. it will be similar to the OSX/Rosetta days.
> Also my corporate windows 10 laptop has the entire window store and modern app infrastructure disabled
Wow that's... What?
For all its warts, the Windows Store is a secure app delivery platform. Doesn't disabling it merely encourage downloading zipped executables from sleazy unencrypted websites?
I don't understand the shock here? Large corporations don't want users installing random apps. I don't see why an NHS laptop, for example, should have Bejewelled installed, or some dodgy app which gives permissions to the user's drives, and uploads files.
Similarly, though admittedly not a problem in the same way with Windows store apps, to Chrome extensions. Those working in secretive environments with naive users shouldn't have something like "Youtube auto-hd" installed, which will feedback every single website they visit to some shady third party analytics company. IMO this is why having even the concept of these apps inside a "secure" (re. enterprise) version of Windows is a massive oversight. I will admit that this is not a problem in the LTSB branch of Windows 10 Enterprise; I had the disabled apps magically re-enable themselves 3 times after "updates" on non-LTSB before switching back over.
Sorry to rant, but in summation, don't be shocked when corporate users want their laptops to be as restricted and purely for work as possible.
I work in finance. Most web sites you could download an exe from are blocked, downloading exes is disabled and running installers is restricted to admin accounts by group policy. If you do get round all that and do it anyway and you're caught, theres a good chance you'll be fired.
One issue is that some classes of users and locations (e.g. Trading floors) are restricted by law concerning the communications systems they can use for work because all communications regarding financial transactions has to be auditable.
On the other hand most of the banks have their own internal software libraries you can install stuff from and you get a bunch of useful utilities by default such as Irfanview, notepad++, Greenshot or similar. Machines for devs are often less locked down.
Any company can install a reporting agent on their desktops and that will collect basic information like what .exe files have been executed.
Once a portable app shows up in the reports you are simply fired by blatant disregard for the rules and procedures you agreed to when signing your contract.
Finance is a heavily regulated environment and you can't get away with things that would be excusable in other places.
> Once a portable app shows up in the reports you are simply fired by blatant disregard for the rules and procedures you agreed to when signing your contract.
That seems to be a rather extreme clause; I doubt that a bank would care if a developer installed something that was not whitelisted. It would be a different story if the developer linked against code whose source was not easily attributable.
If an organisation is locking down their computers, they hopefully have set permissions correctly to prevent users from running untrusted programs, no matter what the source.
In brief, if any of the said applications require Registry entry, it denies that through the permission model that these systems have installed.
If it requires altering some files under some directory, it denies that as well.
Some corporations even restrict such shady websites altogether using an exhaustive list of restricted domains and subdomains, often maintained by a third party, who do this list maintenance full-time for corporates like IBM, TCS, just to name a few.
On top of it, almost all network and device activities are tracked, flash drive ports disabled, etc. to ensure "security".
(Only a handful of underpaid device managers have access to Admin account. Forget the fact that this still doesn't prevent them from doing so at their discretion, or credentials sharing)
> I don't understand the shock here? Large corporations don't want users installing random apps.
Perhaps we should all go back to mainframes and green-screen dumb terminals?
That's why "the shock".
I understand the security issues - they are absolutely valid in today's world.
But the whole reason the PC came about, was because it moved the computing resources from some sacrosanct computing "temple" (complete with acolytes who kept the system running, secure, and managed) to the general office, and allowed the users to customize and control their software and data to allow for a more "agile" flow.
Computer-based spreadsheets, for instance, weren't anything new when VisiCalc appeared on the scene in 1979 (and later on the PC in 1981) - what was new was having such a powerful piece of software available on a machine that was cheap and independent of the "computer room". Users and managers now had direct control of their data and processes, and ultimately this set the stage toward today's reality.
Gone were having to wait (and wait, and wait) for approval to get a particular application installed; gone were having to wait for the budget approval, hardware upgrades or acquisitions, etc - tons of effort, time, planning, etc needed just to get a simple app (if such was even allowed by the mainframe service contract! Maybe that needed renegotiation as well!).
Just go down to ComputerLand, buy a PC and a copy of VisiCalc (or whatever), plop it on a desk, and work. Freedom!
Ever since then, though, there has been this security of the system and data (physical security, data security, backups, viruses, worms, trojans, etc) that has been problematic. Various solutions have been tried, none have been 100% effective. Problems still exist, data gets wiped or lost, employees move on, leaving password-enabled zip files behind nobody knows how to access, data leaves the building, laptops are stolen, viruses and malware abound, cryptolocking happens, and on and on and on...
But people still want their freedom. They want to just download and run a piece of software to make their life and work flow better. They don't want to wait for approval and budgets.
How do you solve this dilemma?
Going back to a locked down system isn't the answer; as tempting as it may seem, it merely moves the problem up the stack, while increasing frustration for the actual users of the systems.
Hence my snarky response - because that was (in a way) considered "ultimate security" - a centralized system, with no smarts at the end nodes. Tightly controlled, regulated, monitored, updated, and secured. Many major companies (most of them gone today) built fortunes on that model. That such few of these companies remain tells you something about how that model faired. Trying to return to it might not be the best thing to do.
What the answer to the problem should be, though, I can't say unfortunately...
> For all its warts, the Windows Store is a secure app delivery platform. Doesn't disabling it merely encourage downloading zipped executables from sleazy unencrypted websites?
In a corporate environment in many cases it is undesired that users install applications. So of course one disables Windows Store. Additionally one prohibits downloading zips etc. I have read of a way how in Windows one can set that files created/downloaded by users cannot be executed, which is also a desired configuration in many corporate environments.
> For all its warts, the Windows Store is a secure app delivery platform.
For some value of $secure, yes. It's has package integrity checks, sure, but there's plenty of PUPs, adware and spyware in apps that for some corporate networks are considered a no-no.
You shouldn't be running binaries you don't trust no matter where they come from :) . And honestly I would probably use the MS store if it didn't suck balls.
Seriously whoever designed their "modern" UI needs to get booted. It's terrible and the main reason nobody uses the windows app store.
Ubuntu, MacOS, and even Steam on Windows all have a good app store interface. MS designed the OS and their version is a UI nightmare.
I'm hoping in some way there's some MS employees watching this thread. Please fix the damn app store by just extending the functionality of "add/remove programs" which everyone knows how to use and works fine.
I agree that the Windows App Store is a bad experience. I don't agree that they should extend add/remove programs to encompass this functionality. It's from literally 1995 and should be removed from Windows. It's actually really funny to me how some dialogue boxes and options modals have been unchanged for 20 years.
This is pretty normal, users who have this enabled would not have the admin permissions to install apps from sleazy websites. The store also includes things like games and social media apps which corporate love to block. IT support is another issue, if users can install random apps from the store then they will expect IT to support random apps.
We also had a look at the enterprise store recently to publish our own apps too, but the reliance on azure cloud means that we'll be publishing through other means for the foreseeable future.
It's amazing to see how MS destroying it's own platform.
For what it's worth at work we had the same thing when moving from Windows 7 to Windows 10. Though they got rid of the restriction when people bitched about not being able to run the default Windows calculator.
Since a lot of us are programmers we were effectively allowed to install anything else normal that we wanted, but for some reason metro applications were disabled.
Since Windows 8.1 a couple years back, you can sign into a Microsoft account in the Store on top of an Active Domain account without confusing/combining them. Since Windows 8.1 you can even sign into a Microsoft account on an individual app basis, signing in for specific app purchases only. Since early Windows 10 that individual app basis has been expanded so that most free apps don't require a Microsoft account to sign in at all, if you so desire.
Furthermore, the Windows Store for Business uses Active Domain accounts entirely and allows you to connect Windows Store licenses to corporate licensing policies, if you want to control corporate application requisitions centrally but still give users some individual control in Store installed apps. (Not to mention carrying private internal apps for an enterprise.) WSB has been around in various capacities since Windows 8.1 as well, but also fully came into its own very early in Windows 10.
As for application vetting and "apps people need", that's entirely a subjective judgment, but there is an application vetting process in place which is more than you can say about the traditional google for an MSI/EXE and hope its correct install process.
Well, people said Updates were a trusted channel until Microsoft started rounding up Win 7/8 installations. I can certainly see the once bitten twice shy sentiment from many.
Yes it is. Paint has been a bundled app for decades and they have decided not to include it any more. "Available for free" is different than "comes included". Also, this whole thing looks like a big advertisement for their new Paint3D or whatever it is. They promote it in the blog and point out that it has a lot of features Paint has, and oh by the way it's free in the store too just like Paint.
Nope. I run Linux or OSX at home so I don't really care one way or the other. But I do see it as pushing some kind of agenda on MS part since it is a change and it did promote another program as an alternative. I see clearly in this case.
But you can install any app from Sourceforge/<OtherMalwareRiddenSite>, it's just that MS has chosen not to offer their App Store in the Win10 Long Term Support Branch, which most enterprises use. So they've actually locked you out of the walled garden, which is a bit funny.
One main paramount of security is to reduce your attack surface. One of the first steps to that is to uninstall/remove things that don't belong or that you will not use. An ad-riddled(with ads likely served by a relatively insecure ad network) game is not something that belongs in a corporate network.
Try removing CandyCrushSaga and Facebook, and XBoxIdentityProvider(among many others)...they come right back after the next round of updates.
If you're going allow Windows Store with all of its junk(that you have very little control over), might as well allow Bonzai Buddy, Ask Toolbar, and Super PC Cleaner 2017 Premium Edition Recommended Microsoft!
And the argument that Windows Store apps are more secure so even if a ad or application is malicious the damage is limited doesn't hold water. A quick google will bring up tons of examples of code escaping sandboxes, even entire virtual machines. Any environment, no matter how secure, will always benefit from a reduction in attack surface area.
Well, if your policy allows installing random apps from the Internet but forbids installing sandboxed and vetted apps, then you're not making any sense, regardless of whether the latter type of apps may still be a risk.
I didn't catch the angle in one of the parent posts that everything BUT windows store was allowed, but re-reading the chain I can see that now. Yes, blocking sandboxed and vetted apps but allowing anything else is indeed nonsense.
The biggest issue with the Windows Store is the forced installation of several apps that do not belong in an enterprise environment, unnecessarily increasing attack surface.
Yes, and the person I was replying to works in a place that seems to allow users to install random software from the internet. Thats 99.99% of your attack surface, why not restrict that?
I'm not going to get into the details of sandboxing here, but needless to say managed applications running in a sandbox are a big improvement over unmanaged, unsigned applications running with admin rights.
Sadly even now I run into large software companies that require users to have local admin privileges(and disable UAC) for their software to function correctly. And that's in the finance sector.
I've been dealing mostly in the healthcare sector now and it's even worse. Particularly with imaging software vendors. I deal with some that still only support Windows XP.
I've seen companies still distributing software updates on floppies, for that $25k spin-a-ma-thingy in the corner with the proprietary interface to the Win98 PC, that keeps on working and delivering useful results.
A famous example from the car industry is McLaren having a stack of 25-year-old Compaq LTE 5280 laptops, running DOS, because that's the only machine that will run the proprietary CA card module for the diagnostic software for the McLaren F1 (106 cars produced '92-'98, 100 left today, each valued north of $10 million).
No, IT department says "You guys are sensible, you can install whatever you like. But we'll keep you on Win10 LTSB, where MS promises to do less spying and break stuff less often." But Win10 LTSB doesn't have the MS App Store, so any app store exclusive software (mainly MS stuff) cannot be installed.
Wasn't an issue before MS removed core functionality from their desktop OS. At some point one wonders if Apple's success has Microsoft regretting that Windows wasn't locked down and app-ified from the beginning.
Compared with the alternative (bundled crapware, invasive ads, fake download buttons) rampant on the "old school" download sites, authenticating with Microsoft seems like a very small price to pay.
In this case it's not really a question of technical possibilities, but corporate policy: if it says you can't install any software without permission, then better don't try as it can be used against you.
If there is no such clause in your contract, there is no much difference between downloading and using Portable Apps Platform software (which is mostly open source, but beware of catches such as IrfanView which is free as in beer only for non-commercial use) and bringing your own copy of Paint (on a pendrive, for example).
This is also true for the App Stores (Mac, iOS, Android), all of which require you to make an account before even using it - Mac might still be an exception, but only barely.
All the official ones on commercial platforms, maybe; fdroid on Android works fine with no login, for instance, and GNU/Linux desktops have the equivalent in package managers.
When that "Get Office" thing first popped-up, I was sure my PC was infected with malware and came to the brink of formatting my hard drive.
Later came the random console pop-up from the automatic WSL updates [1] and then I did panic enough to actually format all the things but that's another story.
You might want to review the scheduled tasks. My system had "OfficeBackgroundTaskHandlerRegistration" set to run every hour. It only pops up for an instant, but it would grab input focus and thus do bad things to my blood pressure.
Active Desktop was always optional, wasn't it? And was it really used for advertising by default? I thought it was mostly arbitrary browser windows that you could attach to the desktop.
It's both. Having ads on some apps doesn't make it not an OS anymore. I won't deny it's an advertising platform, just like android or ios or television or radio or the internet. And while it's equally annoying on all those media/systems, it doesn't lessen their or usefulness
There are ads in the Windows UI. I've been an iOS user for 9 years and can't recall seeing an ad in the OS. So it does not seem "just like" iOS, at all.
I'm not sure I would consider paint at the forefront of bloat, given that the base OS runs in the tens of gigs. I wouldn't be surprised if the default background image is larger than mspaint.exe. To say nothing of the store apps they auto install for you.
> Pinball had to be removed for this sort of reason.
What? No. It was removed because it was a 32bit application written by a 3rd party and there was a hard to fix bug on 64bit windows that made it unplayable, so they dropped it.
From Raymond Chen's answer to this question in the first comment to the same blog post:
> That would have been even more work, because there was at the time no infrastructure in Setup for having 32-bit-only components. (And then automatically uninstalling it when WOW64 was disabled.)
I was under the impression pinball was removed because it was basically unsupportable and too had too much low level hacky graphics code to port across changes in the graphics subsystems. A shame though, it was a fun game.
6.36 MB, that's how much space takes MS Paint. In era when web pages sizes are no longer counted in kilo- but megabytes is this really a meaningful size reduction? Because it's definitely a meaningful feature loss.
There will still be a Paint on every Windows machine, it's just Paint 3D instead of MS Paint from now on. And yes, Paint 3D allows to manipulate 2D images as MS Paint did.
That was how it was branded—Paint 3D replaced mspaint.exe and it was positioned as an upgrade (Paint → Paint 3D). But there was substantial backlash when Paint 3D didn’t do all that mspaint.exe had done, and Microsoft caved to pressure and put mspaint.exe back a build or two later.
You wouldn't think that hard, but look at this thread and all the different ways people are using it. And for them not having feature parity could mean changing keybindings!
Plus it does do some off the wall stuff, someone in this thread mentioned it can pull images from a scanner!?
It's slower to start than Paint (on this laptop at least), and I can't see any way to import an image using a scanner using it (one of my main use cases for Paint).
And why on earth does the menu icon in Paint 3D look like a folder icon?
They could do what Apple does with Java: provide a stub tool that, when run, asks permission to download and install the real thing. That streamlines the "download and install" process.
For Paint, I'm not sure that would be a big win, disk space-wise. mspaint.exe is around 6.5 MB on my system, but it may need additional files. However, they could do the same for Notepad (which probably isn't on the firing line yet because quite a few installers and updaters launch it by hard-coded path if users want to read release notes) and a few other tools and share the code for asking permission between those.
> no matter what Windows machine I have been on, I know that I have had it available
So MS Paint is to Windows what Vi is to Unix?
That is, no matter which editor you prefer, you'll always end up learning Vi, at least its basics. Because when in doubt, it may be the only viable editor that exists on your target system for sure.
To clarify Paint's appeal; in addition to this list https://news.ycombinator.com/item?id=14845533 , if you want to drag a square selection of something somewhere else, paint is probably still the goto app in 2017. If not, it has been for far too long. It's a failure on the part of other image apps. Paint hits a power/accessibility sweet spot.
More pertinently, what happens when your grandma searches for "MS Paint" in the Store, other than needing an account? We all know the store is mostly trash and I have no doubt that people pushing their trash will leap on this chance to flood the search results for relevant keywords.
Grandma will first search paint in the start menu. And then she will open the highlighted entry labelled 'Paint 3D'. Then she will promptly close the abomination that appears on screen after 10 seconds.
This is precisely the reason I started using linux over windows - the "standard" tools available on almost every machine I would come across impressed me with their power and ease of use. Of course, while not all, most of these are from the gnu toolset - hence the occasional requests for gnu to be included in the default moniker.
Because I infrequently use windows, it makes the presence of notepad, paint, and calc even more important. They are the tools I reach for first to accomplish simple tasks on Windows. Happy to hear Paint is staying.
Thus yet reason for windows users to do Google searches and follow the instructions for what they find. Which if it's malware will be "download and run ...."
I was surprised to be enjoying using Paint at times, and as a keyboard fan, my only regret is that it's hard to pick colors (so actually painting gets slower). If MS had improved that part, I'd be using it on a regular basis.
paint on windows 3.1 had more features. for example, it had the ability to erase one color to another color. I was a bit shocked when I opened paint in '98
I mean something like [1]. That was literally the first result when I googled for mspaint online. I agree that if you are already downloading something you might as well download the real version from the Windows Store.
