New Windows 11 Security Feature Will Require a PC Reset

Posted on April 7, 2022 by Paul Thurrott in Windows 11 with 44 Comments

I didn’t pay enough attention to the security announcements that came out of this week’s Windows 11 hybrid work event. Because at least one of the new security-related features that I didn’t write up does deserve a mention.

It’s called Smart App Control.

“Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications,” Microsoft vice president David Weston explains. “It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.”

Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.

The problems with Microsoft’s other security announcements this past week, of course, are that we don’t know when these updates will occur, which customers will be impacted, and whether they require a commercial Microsoft 365 account or upgrade. That doesn’t excuse ignoring it, I guess, but it makes it hard to know which features will apply to all Windows 11 users. Including this one, actually.


Tagged with

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (44)

44 responses to “New Windows 11 Security Feature Will Require a PC Reset”

  1. johnnych

    Wow, so Microsoft is finally implementing a "Gatekeeper" like security feature for Windows now? I guess it's time to get all those 16-bit notepad & calculator apps signed quick! :)

    Otherwise what happens to all of the old legacy apps that people like to run on Windows, will they still run?

    • dftf

      Be a waste-of-time getting 16-bit apps signed, as no version of Windows 11 natively supports them... they only run 32-bit code. Windows 10 is the last version to offer the 32-bit kernel variants, which did support 16-bit code. ;)

      • dftf

        (Should have said "they only run 32-bit code, in-addition-to 64-bit code", to be exact.)

    • Donte

      A year or so ago, Apple had a half day outage where apps could not check in to verify the certs. Nothing would run on Mac's at work, including MS Office apps. Apple's apps could.

      It was an eye opener to how little you own anymore. I will NOT be enabling this on Windows 11. If I do buy a new PC and not build it, I will wipe it and do a clean install.

      • jimchamplin

        It will be enabled when you do a clean install of Windows 11. That's kinda what the article was talking about.

        • Bart

          You should have kept quiet ;)

          • huddie

            I would like to imagine you have a choice of whether to enable Smart App Control upon clean install. I also imagine you can set a filter to exclude certain apps. However, we won't know until closer to the time. Mind you, given it's Microsoft we're talking about here, we might not know until release, when users complain about it because Microsoft failed to publish details beforehand.

  2. johnlavey

    Well, I thought that turning on Smart App Control would be a good idea. I had to reset my computer. I went thru all the hoops and reset the computer.....including reinstalling several programs. After all that I went back to turn on Smart App Control, and guess what. It wouldn't turn on. Foolish me to think this would actually work. I won't be resetting my computer in the near or distant future.

    • dftf

      Did you not read this article or something? It literally warns you if you want to use it, you have you reset your PC, and yet you sound surprised that happened?

    • lvthunder

      My guess is you need to turn it on before you install anything.

  3. Patrick3D

    If this happens on the 1 machine I have running Windows 11 the PC isn't being reset with Windows, it's being reset with Linux.

  4. TomKer

    Does this mean my non-Windows 11 compliant PC that’s running Windows 11 by virtue of the Insiders program will have to be reset and end up not running Windows 11?

    • WaltC

      I'm running the latest build of Win11 Insiders', 22593, and there is no Smart App, and there is no mention of Smart App in the Microsoft developer notes accompanying this build. This looks to be a future goal for Windows, but I don't see how it could be anything except an optional feature.

  5. winner

    I continue to run Windows 10 while watching the W11 drama as it morphs and coughs its way along.

    I don't see any reason to upgrade at this time.

    • Bart

      Yeah, I'd ignore security as well.

      • dftf

        This might be a good new thing, sure, but otherwise most of the "new" security in Windows 11 is simply stuff that already exists in Windows 10 -- BitLocker or "Device Encryption" (in the Home version), use of a TPM, use of SecureBoot, "Core isolation" -- but the difference being there are now enabled by-default.

        Windows 11 is also available in 64-bit kernels only (so as to have a wider address-space for ASLR), but seriously, how-many people actually install the 32-bit kernel versions of Windows 10 today? Even if you were to do that PAE hack, which then allows up-to, what, 36GB of RAM to be addressed, you're still limited to 2GB of RAM per-app beyond the first 4GB boundary. Which is pointless for most modern apps that use more than that, such-as AAA games, CAD editing, RAW photo editing, video-editing and so-on.

        And even in Windows 11, some security settings still aren't enabled by default: the Ransomware Protection isn't (mostly as it's a pain-in-the-arse to setup), nor is extending DEP to all processes: it still defaults to "Turn on DEP for essential Windows programs and services only". (I'd probably take a guess too that even in W11, TLS 1.0 and 1.1 still come enabled by-default too; they do as of a fresh-install of Windows 10 Version 21H2, anyway.)

      • winner

        W10 is still supported, Bart.

        If you want the best security, Windows isn't it.

  6. nickysreensaver

    I tested it today and immediately had to disable it. I have an HP Spectre with a good bit of bloat on a fresh install. I immediately ticked the SAC. When I go to remove the preinstalled 'Express VPN' it doesn't trust the application to even uninstall itself. I couldn't even white list it. So I had to choose. Keep SAC on or uninstall bloatware.

  7. Bart

    Am I right in saying, that Smart App Control is turned off by default for anybody who is in the Windows Insider program?

    Support page does confirm:

    • there is an Evaluation Mode; in which it is determined whether you qualify to have SAC 'ON'
  8. WaltC

    Kind of curious as to why you deleted the post I made to this thread yesterday...;) I said nothing that wasn't factual. So Thurrott is now a part of the cancel culture? I still do not see how this feature will be anything but optional, when and if it sees the light of day. If this thread is a separate thread from the original, and the original thread still exists, then you have my apologies for being unable to find it on your site. It's sort of like Pluton--AMD will be using Pluton in addition to its own security chip inside its CPUs--this is coming with Zen 4 later this year. But so far, Intel hasn't said it has any plans to use Pluton. I cannot see Smart App as anything but optional as it will mean that Microsoft will be able to control what runs on your system, according to what has been said about it as linked in your post.

  9. waethorn

    My next PC will be more secure from hackers AND Microsoft — it’ll be running Fedora 36 and ONLYOFFICE.

  10. dftf

    Is this new-feature really much-different from the current option in Windows 10 to "only allow apps from the Microsoft Store", which then blocks anything-else (aside from apps built-into the OS) from running?

    Also, if you look at the recent ransomware attack on Nvidia, where they had their internal certificates stolen, a combination of malware signing itself with a stolen, but valid, certificate, and a device having no Internet connection, so no AI cloud-scan can be ran, would surely allow for a bypass?

    • lvthunder

      I thought the certificates were expired, but Windows wasn't checking the expiration date correctly.

  11. thalter

    I'm guessing they want a fresh install to enable App Control, as that is the only way to guarantee that the computer isn't already compromised.

    • nickysreensaver

      Yes. It's also because its a new software. So it will help the machine learning for it if everyone is on a flesh slate. But with 0 whitelisting capability I can't risk testing it in my environment.

  12. Aaron44126

    Well this is a great way to make sure that I don't enable this feature anytime soon...

  13. BenPritchard

    This sounds a lot like Apple’s ‘Notarization’ they did a few years back

  14. will

    While I like knowing some new upcoming features for Windows, the way Microsoft is now announcing things sucks.

    Panos in front of a virtual background, talking the same way he does for hardware releases, "announcing" features with no ETA, and not addressing what is unfinished is just poor marketing. The whole event was a canned demo with fake Windows demo videos that were just more eye candy than anything. It was just cringy to watch.

    I would have liked to have seen more info on the entire Microsoft suite and how that is helping the hybrid workflow:

    • What is Office doing?
    • What is Teams doing?
    • What is Windows doing?

    All of these are part of people working in a hybrid environment, NOT just Windows. People use other devices such as Apple devices and it would be good to see how we can use anything to work remotly.

    Also, the statement that was made of "Windows 11 was created because of the change in how we work!" is poor. Microsoft wanted something "new" and they did not work to improve or fix what they had in place. They are pushing and trying to show that Windows 11 is so much better than 10, and while it does look better and have some good options, it is NOT ready for business. Heck, the built in Chat is still 100% for consumers and not business. Microsoft has two versions of Teams and the consumer version is the default install.

    Don't get me wrong, I like Windows, but this is the same thing they did with Windows 10. Here is something you did not ask for, and we might fix what was missing from before.

    • Donte

      " it is NOT ready for business. Heck, the built in Chat is still 100% for consumers and not business"

      Most companies would wipe the pre-installed Windows and drop their own custom builds on the PC's. Pre-installed apps are not a concern.

      • will

        Yes, you would have your own image for large deployments, but that core feature is still a split of the Teams client into two different camps. I would have thought it would have been a high priorty to make Teams have a unified platform and allow that new v2 version to work with Work accounts, not just Microsoft accounts. Heck, even work with both.

  15. navarac

    Another reason to abandon Windows? My PC does not belong Microsoft's to control. End of. I worry when what they want to control steps over a certain point sometime in the future.

    • blue77star

      It is general idea of USA, EU and Western world to completely control resources and people. Those who resist, they get sanctions and marked as hostile territories. We are in era of corporate fascism, western imperialism...

      • waethorn

        It's either going to be NATO/UN/EU, or BRICS. One or the other.

      • bluvg

        The western governments are the ones trying to control everything? Are you serious, or just trolling? Have you been to DPRK, China, Russia?

        • navarac

          It's not Western Governments. It is entitled US Tech Companies who think they know better. Cocky so&so's.

          • lvthunder

            Have you heard the Canadian Prime Minister or the President of the US talk? They both talk like they know best.

  16. lonegull

    This feature will stay disabled on my PC. Certificates are readily forged or stolen, hackers can register their own certificates to bypass/spoof these controls. The same white listing ability is already available through the use of Application Control and Software Restriction Policies with gpedit in Windows Pro and above. Windows Home users would benefit.

    If you aren't hardening and regularly patching your system then no amount of signatures, certificates or AI will save you.