As part of its recent campaign to make Windows the platform of choice for “hybrid work,” Microsoft is rolling out a new security feature. It’s called Smart App Control and it’s kind of like Windows Defender SmartScreen on steroids. This new feature aims to prevent malicious apps from being installed by unwitting users. While that’s certainly a noble goal, there’s just one problem: in order to run it you’ll have to perform a clean installation of Windows. Though the hardcore among us used to boast about regularly nuking and reinstalling Windows to maintain peak performance, that’s no longer the case. Now we boast about how long we go without having to reinstall Windows. That’s because it’s a pain reinstalling all our apps and programs we spent years tweaking. Also with SSDs, Windows usually runs quite fast, even after years of uptime.
The new security feature appeared in a recent Windows Insider build of Windows 11, and the company has described it in a recent blog post. According to Microsoft, “Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.” The company says its cloud processes an incredible 24 trillion “security signals” every 24 hours. It’s this data that it will use to predict which apps are malicious.
The rub is that if you enable it on a system with apps already installed, it won’t have been able to examine them before they were installed. The company doesn’t say why it can’t examine already installed apps, like a virus scanner of sorts. Microsoft only states, “Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.”
According to a summary of it by Ghacks.net, after a clean install you can enable it but it runs in evaluation mode. In this mode it examines your PC usage to determine if it should be enabled or not. It won’t block anything in this mode as it’s merely examining the situation. After this trial period is over, the software will either turn itself on or off. Alternatively, admins can choose to enable it or not. However, if you turn it on and then disable it later, you’ll need to do a clean install of Windows again.
Here’s the rub with just turning it on and letting it do its thing: there doesn’t appear to be any workaround once it blocks an application. Smart App Control will flag and block applications based on three criteria: known malicious applications, untrusted apps, and potentially bad software. In order to determine if an app is trusted or not, Microsoft relies on signed software and usage. Unsigned apps that its cloud doesn’t recognize will be blocked. This could be a problem since an app can be untrusted but still safe. You might have an obscure app you’ve run for 10 years that Microsoft won’t like, for example. It will block the installation of these apps, and there’s no way to add them to a “white list.” That could be a problem for a lot of users for obvious reasons. (Legitimate applications with a relatively small number of users are likely to run into this problem. Many benchmarks and less-common applications I’ve used over the years have run afoul of SmartScreen. -Ed)
Hopefully Microsoft figures out a way to enable it without a clean installation. At the very least, the company could allow some kind of exclusion list for certain apps. Even Apple allows you to override its security suggestions by typing your password and clicking several buttons. It’s possible Microsoft will rethink this, as its blog post notes it’s still in its early stages. In its blog post highlighting the new security features, it concludes with, “More details on this feature will be shared in the future.”