Smart App Control is a new security solution from Microsoft built into Windows 11 22H2. It aims to add a protective layer against ransomware by complementing Microsoft Defender's other security features like SmartScreen or Controlled Folder Access. However, it has some notable limitations that may be a dealbreaker for most organizations.

Smart App Control leverages Microsoft's massive cloud intelligence and cybersecurity platform, which gathers signals about apps with malicious or unwanted intent and allows PCs to take advantage of these same insights. In addition, Microsoft has specified that Smart App Control will block any app that is unsigned or has an invalid code signature. Therefore, organizations that use Smart App Control must ensure that all internal and custom applications are signed with a proper code-signing certificate.

To view the Smart App Control settings, navigate to Settings > Privacy and security > Windows Security > App & browser control > Smart app control settings.

Viewing Smart App Control in Windows 11 22H2

Modes of operation

In Windows 11 22H2, Smart App Control offers three basic modes of operation:

  • Evaluation: Windows is essentially in an "audit" mode that evaluates whether your system is a good candidate for Smart App Control. A system in evaluation mode will not block any applications. If the evaluation finds apps that are not good candidates for Smart App Control, or determines that Smart App Control may cause issues, the solution is turned off. Otherwise, the system automatically transitions to on mode.
  • On: The evaluation process has deemed Smart App Control safe to run on the end-user system, so it will not get in the way of legitimate processes and procedures. Going through evaluation mode first is not required: administrators can manually transition from evaluation mode to on without waiting for the evaluation of processes and services to complete.
  • Off: If Smart App Control interferes with legitimate processes or services, it will be turned off. In addition, if Windows is not a fresh install, the feature will also be turned off.

In a clean installation of Windows 11 22H2, Smart App Control will be set to evaluation mode. You can manually transition to on. If you manually turn off Smart App Control, you will not be able to turn it back on unless you reinstall Windows.

Clean installation of Windows 11 22H2 and Smart App Control options

Potential dealbreakers for the enterprise

The solution sounds excellent in principle for businesses looking for additional ransomware protection, but it may not be feasible in most cases for business use. There are a few reasons for this, including:

  • No allowlist
  • Clean Windows installation is required
  • No management via group policies

No allowlist

Most organizations have custom or internally developed software that may be signed with invalid or self-signed code-signing certificates. Smart App Control would block these applications by default.

The lack of granular controls for configuring Smart App Control will likely mean that most companies will not adopt the solution until Microsoft adds more enterprise controls, with the ability to bypass and block apps manually or using policies.
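Because there is no allowlist, the practical preparation step is to find the in-house binaries that are unsigned, invalidly signed, or self-signed before Smart App Control is switched on. The following is an added example, not part of the original article; the function name and the `C:\InternalApps` folder are hypothetical, and the result reflects only the local Authenticode check, not Microsoft's cloud reputation data.

```powershell
# Added example, not from the original article.
# Inventories the local Authenticode status of in-house binaries so unsigned,
# invalidly signed, and self-signed files can be fixed before enabling Smart App Control.
function Get-AppSignatureInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.exe', '*.dll', '*.msi')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            # Subject equal to issuer means the signing certificate is self-signed.
            $selfSigned = ($null -ne $cert) -and ($cert.Subject -eq $cert.Issuer)

            $finding = if ($sig.Status -eq 'NotSigned') {
                'Unsigned'
            } elseif ($sig.Status -ne 'Valid') {
                # Covers HashMismatch, NotTrusted, UnknownError and similar states.
                "Invalid signature ($($sig.Status))"
            } elseif ($selfSigned) {
                'Self-signed'
            } else {
                'Signed, valid locally'
            }

            [pscustomobject]@{
                Finding = $finding
                Signer  = if ($cert) { $cert.Subject } else { $null }
                Expires = if ($cert) { $cert.NotAfter } else { $null }
                File    = $_.FullName
            }
        }
}

# 'C:\InternalApps' is a hypothetical folder holding line-of-business software.
Get-AppSignatureInventory -Path 'C:\InternalApps' |
    Where-Object Finding -ne 'Signed, valid locally' |
    Sort-Object Finding, File |
    Format-Table -AutoSize -Wrap
```

Every file the report lists needs to be re-signed with a proper code-signing certificate; a self-signed certificate that is not trusted on the machine shows up under "Invalid signature" rather than "Self-signed".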

Clean Windows installation is required

Another downside of Smart App Control is that it requires a clean installation of Windows 11 22H2. Since many organizations would likely not want to reinstall Windows across the board to take advantage of Smart App Control, it may not gain much traction for business use cases.

Below is an example of Smart App Control turned off on a Windows 11 22H2 workstation that was upgraded without a clean installation.

Smart App Control requires reinstalling Windows if it is turned off

No group policy settings

Unlike the new phishing protection or several other Defender features, you cannot centrally manage Smart App Control using group policies. The administrative templates for Windows 11 22H2 do not contain a corresponding setting. For most companies, this will also be a showstopper since group policies are still the most widely used means to automate the configuration of Windows PCs.

Wrapping up

The first release of Smart App Control in Windows 11 22H2 is a step in the right direction by adding security controls to help fight ransomware and other unwanted software. However, the lack of customization, management via group policies, or controls to allow or block specific apps, and the requirement to reinstall Windows to turn on Smart App Control will likely be dealbreakers for businesses.

At this point, it seems it may be a solution more geared toward home users who purchase a freshly installed PC with the ability to evaluate and turn on Smart App Control out of the box with little technical expertise required.


© 4sysops 2006 - 2023

