I just installed Python3.10.1 from the Windows 10 App Store. 
Most workflows depend on creating virtual environments, but (1)

    python -m venv venv

    # -> Error 1260: Windows cannot open this program because it has been prevented by a software restriction policy

However, a (2)

    python -m venv --without-pip venv

completes, only to not allow execution of (3)

    .\venv\Scripts\python.exe
    # -> Error 1260: Windows cannot open this program because it has been prevented by a software restriction policy


Reason for this probably are the (not so unreasonable) cooperate Software Restriction Policy (in our case enforced by Applocker):
You are not allowed to execute from where you are allowed to write.

So basically Python is broken in many MS Windows cooperate settings. Cooperate meaning (Software Restriction Policies) + (Usage of Virtual Environments). 

And my feeling is that it does not need to be, the virtual environment implementation with those *.exe copies being a kludge, IMHO.


Note: (2) is reminiscent of bpo-45337, which was fixed with 3.9.

Try using symlinks if you're allowed, e.g. `python -m venv --symlinks <name>`.

Note that a virtual environment created with symlinks is unreliable in some cases because ShellExecute[Ex]W() eagerly resolves a symlink before calling CreateProcessW().

Also, you won't be able to use EXE script wrappers in an active environment due to the security restrictions in place on your system. You'll need to use `python -m <module>` alternative commands, such as `python -m pip` instead of `pip`.

symlinks do not work for me, this may be another bug (should I create a new issue?):

    python -m venv --without-pip --symlinks venv

Unable to symlink 'C:\\Users\\****\\AppData\\Local\\Microsoft\\WindowsApps\\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\\idle.exe' to 'C:\\****\venv\\Scripts\\idle.exe'
Error: [Errno 22] Invalid argument: 'C:\\Users\\****\\AppData\\Local\\Microsoft\\WindowsApps\\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\\idle.exe'

> symlinks do not work for me

Sorry, I forgot that you're using the store app. The store app has to use the copied venv launchers. 

When a store app is run from the command line, the system executes an appexec link from "%LocalAppData%\Microsoft\WindowsApps". Unfortunately appexec links have to be executed directly in order for CreateProcessW() to find the required app information that's in the link. The API doesn't manually reparse symlinks until it reaches an appexec link.

Currently we have a glitch in our internal access rights system. This resulted in me loosing my Admin-privileges.
I can only install python from the app-store, which is ok.
But without venv support I am stuck for the time being.

If you execute "python -m venv --without-pip ..." to create, then as a workaround you can set the __PYVENV_LAUNCHER__ environment variable to the full path to the venv's python.exe and run the normal python3.10.exe.

As Eryk mentioned, you'll need to run everything through "-m" instead of the script wrappers that pip would install. This includes "-m ensurepip", which should be able to install pip into the venv normally.

Note that this is an undocumented/unsupported environment variable, and so it may change in later releases. But it should work fine throughout 3.10's lifetime (and it hasn't changed _yet_ in 3.11).

Also, if you see people discussing PEP 582, you might want to throw in a vote of support. It is intended to provide the benefits of a venv without needing to do tricks like we do for the current design, but it keeps being rejected for "not being sufficiently useful".

Seems like in your case it would be very useful. That might help sway some of the opponents.

I can confirm that setting __PYVENV_LAUNCHER__ to ANY path with prefix  ./venv/Scripts/ does indeed mark the python session as being a virtual environment, no special permissions needed.

However, you will have no tooling support whatsoever (e.g. PyCharms Package Mngt) because __PYVENV_LAUNCHER__ is, after all, non-standard.

While the discussion is interesting for some who are trying to work around security policy mechanisms, we can't control what policies people enforce upon themselves that make their machines useless for software development.  Marking as not a bug.

The normal thing to do is to obtain an exemption to policies from the corporate security org managing your machine(s) because you have a business need for it.

If you have specific implementation changes that would make life easier, file specific issues for those to be addressed.  (ex: PEP 582 is pretty specific - and there is a package manager https://pdm.fming.dev/ that supports it)