New Windows 11 Security Feature Will Require a PC Reset

I didn’t pay enough attention to the security announcements that came out of this week’s Windows 11 hybrid work event. Because at least one of the new security-related features that I didn’t write up does deserve a mention.

It’s called Smart App Control.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

“Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications,” Microsoft vice president David Weston explains. “It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.”

Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.

The problems with Microsoft’s other security announcements this past week, of course, are that we don’t know when these updates will occur, which customers will be impacted, and whether they require a commercial Microsoft 365 account or upgrade. That doesn’t excuse ignoring it, I guess, but it makes it hard to know which features will apply to all Windows 11 users. Including this one, actually.

 

Tagged with

Share post

Please check our Community Guidelines before commenting

Conversation 44 comments

  • johnnych

    07 April, 2022 - 11:08 am

    <p>Wow, so Microsoft is finally implementing a "Gatekeeper" like security feature for Windows now? I guess it’s time to get all those 16-bit notepad &amp; calculator apps signed quick! :)</p><p><br></p><p>Otherwise what happens to all of the old legacy apps that people like to run on Windows, will they still run?</p><p><br></p>

    • dftf

      07 April, 2022 - 11:12 am

      <p>Be a waste-of-time getting 16-bit apps signed, as no version of <em>Windows 11</em> natively supports them… they only run 32-bit code. <em>Windows 10 </em>is the last version to offer the 32-bit kernel variants, which did support 16-bit code. ;)</p>

      • dftf

        07 April, 2022 - 11:13 am

        <p>(Should have said "they only run 32-bit code, in-addition-to 64-bit code", to be exact.)</p>

    • Donte

      07 April, 2022 - 1:46 pm

      <p>A year or so ago, Apple had a half day outage where apps could not check in to verify the certs. Nothing would run on Mac’s at work, including MS Office apps. Apple’s apps could.</p><p><br></p><p>It was an eye opener to how little you own anymore. I will NOT be enabling this on Windows 11. If I do buy a new PC and not build it, I will wipe it and do a clean install.</p>

      • jimchamplin

        Premium Member
        07 April, 2022 - 9:07 pm

        <p>It will be enabled when you do a clean install of Windows 11. That’s kinda what the article was talking about.</p>

        • Bart

          Premium Member
          08 April, 2022 - 3:46 am

          <p>You should have kept quiet ;)</p>

          • huddie

            Premium Member
            08 April, 2022 - 8:46 am

            <p>I would like to imagine you have a choice of whether to enable Smart App Control upon clean install. I also imagine you can set a filter to exclude certain apps. However, we won’t know until closer to the time. Mind you, given it’s Microsoft we’re talking about here, we might not know until release, when users complain about it because Microsoft failed to publish details beforehand.</p>

  • dftf

    07 April, 2022 - 11:17 am

    <p>Is this new-feature really much-different from the current option in <em>Windows 10</em> to "only allow apps from the Microsoft Store", which then blocks anything-else (aside from apps built-into the OS) from running?</p><p><br></p><p>Also, if you look at the recent ransomware attack on <em>Nvidia</em>, where they had their internal certificates stolen, a combination of malware signing itself with a stolen, but valid, certificate, and a device having no Internet connection, so no AI cloud-scan can be ran, would surely allow for a bypass?</p>

    • lvthunder

      Premium Member
      08 April, 2022 - 11:33 am

      <p>I thought the certificates were expired, but Windows wasn’t checking the expiration date correctly.</p>

  • thalter

    Premium Member
    07 April, 2022 - 11:26 am

    <p>I’m guessing they want a fresh install to enable App Control, as that is the only way to guarantee that the computer isn’t already compromised. </p>

    • nickysreensaver

      07 April, 2022 - 10:32 pm

      <p>Yes. It’s also because its a new software. So it will help the machine learning for it if everyone is on a flesh slate. But with 0 whitelisting capability I can’t risk testing it in my environment.</p>

  • sherlockholmes

    Premium Member
    07 April, 2022 - 11:33 am

    <p>lol what?</p>

  • Aaron44126

    07 April, 2022 - 11:47 am

    <p>Well this is a great way to make sure that I don’t enable this feature anytime soon…</p>

  • BenPritchard

    Premium Member
    07 April, 2022 - 12:10 pm

    <p>This sounds a lot like Apple’s ‘<span style="color: rgb(29, 29, 31);">Notarization’ they did a few years back </span></p>

  • will

    Premium Member
    07 April, 2022 - 12:24 pm

    <p>While I like knowing some new upcoming features for Windows, the way Microsoft is now announcing things sucks.</p><p><br></p><p>Panos in front of a virtual background, talking the same way he does for hardware releases, "announcing" features with no ETA, and not addressing what is unfinished is just poor marketing. The whole event was a canned demo with fake Windows demo videos that were just more eye candy than anything. It was just cringy to watch.</p><p><br></p><p>I would have liked to have seen more info on the entire Microsoft suite and how that is helping the hybrid workflow: </p><ul><li>What is Office doing? </li><li>What is Teams doing? </li><li>What is Windows doing?</li></ul><p>All of these are part of people working in a hybrid environment, NOT just Windows. People use other devices such as Apple devices and it would be good to see how we can use anything to work remotly.</p><p><br></p><p>Also, the statement that was made of "Windows 11 was created because of the change in how we work!" is poor. Microsoft wanted something "new" and they did not work to improve or fix what they had in place. They are pushing and trying to show that Windows 11 is so much better than 10, and while it does look better and have some good options, it is NOT ready for business. Heck, the built in Chat is still 100% for consumers and not business. Microsoft has two versions of Teams and the consumer version is the default install.</p><p><br></p><p>Don’t get me wrong, I like Windows, but this is the same thing they did with Windows 10. Here is something you did not ask for, and we might fix what was missing from before.</p>

    • Donte

      07 April, 2022 - 1:48 pm

      <p>"<span style="color: rgb(0, 0, 0);">&nbsp;it is NOT ready for business. Heck, the built in Chat is still 100% for consumers and not business"</span></p><p><br></p><p><span style="color: rgb(0, 0, 0);">Most companies would wipe the pre-installed Windows and drop their own custom builds on the PC’s. Pre-installed apps are not a concern.</span></p>

      • will

        Premium Member
        07 April, 2022 - 5:32 pm

        <p>Yes, you would have your own image for large deployments, but that core feature is still a split of the Teams client into two different camps. I would have thought it would have been a high priorty to make Teams have a unified platform and allow that new v2 version to work with Work accounts, not just Microsoft accounts. Heck, even work with both.</p>

  • navarac

    07 April, 2022 - 12:31 pm

    <p>Another reason to abandon Windows? My PC does not belong Microsoft’s to control. End of. I worry when what they want to control steps over a certain point sometime in the future. </p>

    • blue77star

      07 April, 2022 - 5:28 pm

      <p>It is general idea of USA, EU and Western world to completely control resources and people. Those who resist, they get sanctions and marked as hostile territories. We are in era of corporate fascism, western imperialism…</p>

      • bluvg

        08 April, 2022 - 2:09 am

        <p>The western governments are the ones trying to control everything? Are you serious, or just trolling? Have you been to DPRK, China, Russia? </p>

        • navarac

          08 April, 2022 - 9:03 am

          <p>It’s not Western Governments. It is entitled US Tech Companies who think they know better. Cocky so&amp;so’s.</p>

          • lvthunder

            Premium Member
            08 April, 2022 - 11:37 am

            <p>Have you heard the Canadian Prime Minister or the President of the US talk? They both talk like they know best.</p>

      • waethorn

        08 April, 2022 - 1:11 pm

        <p>It’s either going to be NATO/UN/EU, or BRICS. One or the other.</p>

  • TomKer

    Premium Member
    07 April, 2022 - 3:09 pm

    <p>Does this mean my non-Windows 11 compliant PC that’s running Windows 11 by virtue of the Insiders program will have to be reset and end up not running Windows 11?</p>

    • WaltC

      08 April, 2022 - 9:07 am

      <p>I’m running the latest build of Win11 Insiders’, 22593, and there is no Smart App, and there is no mention of Smart App in the Microsoft developer notes accompanying this build. This looks to be a future goal for Windows, but I don’t see how it could be anything except an optional feature. </p>

  • johnlavey

    Premium Member
    07 April, 2022 - 4:35 pm

    <p>Well, I thought that turning on Smart App Control would be a good idea. I had to reset my computer. I went thru all the hoops and reset the computer…..including reinstalling several programs. After all that I went back to turn on Smart App Control, and guess what. It wouldn’t turn on. Foolish me to think this would actually work. I won’t be resetting my computer in the near or distant future.</p>

    • dftf

      07 April, 2022 - 5:19 pm

      <p>Did you not read this article or something? It literally warns you if you want to use it, you have you reset your PC, and yet you sound surprised that happened?</p>

      • Sykeward

        07 April, 2022 - 7:38 pm

        <p>What johnlavey is saying is that he reset his PC per the requirements and all the work that entails, but the option was still not available.</p>

        • johnlavey

          Premium Member
          08 April, 2022 - 5:10 pm

          <p>Exactly. Thank you.</p>

    • lvthunder

      Premium Member
      08 April, 2022 - 11:29 am

      <p>My guess is you need to turn it on before you install anything.</p>

  • Patrick3D

    07 April, 2022 - 4:39 pm

    <p>If this happens on the 1 machine I have running Windows 11 the PC isn’t being reset with Windows, it’s being reset with Linux.</p>

    • Bart

      Premium Member
      08 April, 2022 - 3:47 am

      <p>Sorry?</p>

      • navarac

        08 April, 2022 - 5:27 am

        <p>Don’t apologise LOL :-)</p>

    • navarac

      08 April, 2022 - 5:26 am

      <p>Already done it! For me, Microsoft has lost the plot with Windows 11. Might be fine for some, of course!</p>

  • jvpulver

    Premium Member
    07 April, 2022 - 7:27 pm

    <p><br></p>

  • winner

    07 April, 2022 - 8:11 pm

    <p>I continue to run Windows 10 while watching the W11 drama as it morphs and coughs its way along. </p><p>I don’t see any reason to upgrade at this time.</p>

    • Bart

      Premium Member
      08 April, 2022 - 3:47 am

      <p>Yeah, I’d ignore security as well.</p>

      • dftf

        08 April, 2022 - 1:14 pm

        <p><em>This </em>might be a good new thing, sure, but otherwise most of the "new" security in <em>Windows 11</em> is simply stuff that already exists in <em>Windows 10 — </em>BitLocker or "Device Encryption" (in the <em>Home</em> version), use of a TPM, use of SecureBoot, "Core isolation" — but the difference being there are now <em>enabled by-default.</em></p><p><br></p><p><em>Windows 11</em> is also available in 64-bit kernels only (so as to have a wider address-space for ASLR), but seriously, how-many people actually install the 32-bit kernel versions of <em>Windows 10 </em>today? Even if you were to do that PAE hack, which then allows up-to, what, 36GB of RAM to be addressed, you’re still limited to 2GB of RAM per-app beyond the first 4GB boundary. Which is pointless for most modern apps that use more than that, such-as AAA games, CAD editing, RAW photo editing, video-editing and so-on.</p><p><br></p><p>And even in <em>Windows 11</em>, some security settings still aren’t enabled by default: the <em>Ransomware Protection </em>isn’t (mostly as it’s a pain-in-the-arse to setup), nor is extending <em>DEP</em> to all processes: it still defaults to "Turn on DEP for essential Windows programs and services only". (I’d probably take a guess too that even in <em>W11</em>, TLS 1.0 and 1.1 still come enabled by-default too; they do as of a fresh-install of <em>Windows 10 Version 21H2</em>, anyway.<span class="ql-cursor"></span>)</p>

      • winner

        08 April, 2022 - 4:05 pm

        <p>W10 is still supported, Bart.</p><p>If you want the best security, Windows isn’t it.</p>

  • nickysreensaver

    07 April, 2022 - 10:30 pm

    <p> I tested it today and immediately had to disable it. I have an HP Spectre with a good bit of bloat on a fresh install. I immediately ticked the SAC. When I go to remove the preinstalled ‘Express VPN’ it doesn’t trust the application to even uninstall itself. I couldn’t even white list it. So I had to choose. Keep SAC on or uninstall bloatware. </p>

  • Bart

    Premium Member
    08 April, 2022 - 3:58 am

    <p>Am I right in saying, that Smart App Control is turned off by default for anybody who is in the Windows Insider program?</p><p><br></p><p>Support page does confirm:</p><ul><li>there is an Evaluation Mode; in which it is determined whether you qualify to have SAC ‘ON'</li></ul>

  • WaltC

    08 April, 2022 - 9:04 am

    <p>Kind of curious as to why you deleted the post I made to this thread yesterday…;) I said nothing that wasn’t factual. So Thurrott is now a part of the cancel culture? I still do not see how this feature will be anything but optional, when and if it sees the light of day. If this thread is a separate thread from the original, and the original thread still exists, then you have my apologies for being unable to find it on your site. It’s sort of like Pluton–AMD will be using Pluton in addition to its own security chip inside its CPUs–this is coming with Zen 4 later this year. But so far, Intel hasn’t said it has any plans to use Pluton. I cannot see Smart App as anything but optional as it will mean that Microsoft will be able to control what runs on your system, according to what has been said about it as linked in your post. </p>

  • waethorn

    08 April, 2022 - 9:56 am

    <p>My next PC will be more secure from hackers AND Microsoft — it’ll be running Fedora 36 and ONLYOFFICE.</p>

  • lonegull

    08 April, 2022 - 9:56 am

    <p>This feature will stay disabled on my PC. Certificates are readily forged or stolen, hackers can register their own certificates to bypass/spoof these controls. The same white listing ability is already available through the use of Application Control and Software Restriction Policies with gpedit in Windows Pro and above. Windows Home users would benefit. </p><p><br></p><p>If you aren’t hardening and regularly patching your system then no amount of signatures, certificates or AI will save you.</p><p><br></p><p><br></p><p><br></p><p><br></p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC