Smart App Control leverages Microsoft's massive cloud intelligence and cybersecurity platform, which gathers signals about apps with malicious or unwanted intent and allows PCs to take advantage of these same insights. In addition, Microsoft has specified that Smart App Control will block any app that is unsigned or has an invalid code signature. Therefore, organizations that use Smart App Control must ensure that all internal and custom applications are signed with a proper code-signing certificate.
To view the Smart App Control settings, navigate to Settings > Privacy and security > Windows Security > App & browser control > Smart app control settings.
Modes of operation
In Windows 11 22H2, Smart App Control offers three basic modes of operation:
- Evaluation: Windows is essentially in an "audit" mode that determines whether your Windows system is a good candidate for Smart App Control; a system in evaluation mode does not block any applications. If the evaluation finds no conflicts, the system automatically transitions to on mode. If it finds apps that are not good candidates for Smart App Control, or with which Smart App Control may cause issues, the feature is turned off.
- On: The evaluation process has deemed Smart App Control safe to run on the end user system without getting in the way of legitimate processes and procedures. Going through evaluation mode first is not required: administrators can manually switch from evaluation mode to on without waiting for the evaluation of processes and services to complete.
- Off: If Smart App Control interferes with legitimate processes or services, it will be turned off. In addition, if Windows is not a fresh install, the feature will also be turned off.
In a clean installation of Windows 11 22H2, Smart App Control will be set to evaluation mode. You can manually transition to on. If you manually turn off Smart App Control, you will not be able to turn it back on unless you reinstall Windows.
Potential dealbreakers for the enterprise
The solution sounds excellent in principle for businesses looking for additional ransomware protection, but it may not be feasible in most cases for business use. There are a couple of reasons for this, including:
- No allowlist
- Clean Windows installation is required
- No management via group policies
No allowlist
Most organizations have custom or internally developed software that may have invalid or self-signed code certificates. Smart App Control would block these applications by default.
The lack of granular controls for configuring Smart App Control will likely mean that most companies will not adopt the solution until Microsoft adds more enterprise controls, such as the ability to allow or block specific apps manually or by policy.
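Before enabling Smart App Control, an administrator would want to know the machine's current mode and which internal binaries fail the signing requirement described above. The following PowerShell script is an added example, not code from the article: it reads the Smart App Control state from the CI\Policy registry key (a location the article does not mention) and audits a placeholder folder with Get-AuthenticodeSignature, flagging unsigned files and files whose signature does not chain to a trusted root (the self-signed case).

```powershell
# Added example (not from the article). Assumptions: the state is stored in the
# VerifiedAndReputablePolicyState DWORD under CI\Policy; the audit path is a placeholder.

function Get-SmartAppControlState {
    # 0 = Off, 1 = On, 2 = Evaluation; anything else means the value is absent
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $item = Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
    switch ($item.VerifiedAndReputablePolicyState) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Unknown (value not present)' }
    }
}

function Test-CodeSigning {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                # Valid, NotSigned, HashMismatch, or UnknownError (e.g. chain ends in an untrusted root)
                Status        = $sig.Status
                StatusMessage = $sig.StatusMessage
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Anything other than Valid fails the signing requirement Smart App Control enforces
                SigningIssue  = ($sig.Status -ne 'Valid')
            }
        }
}

"Smart App Control state: $(Get-SmartAppControlState)"

# Placeholder path: point this at the folder holding your internal or custom applications
Test-CodeSigning -Path 'C:\Program Files\Contoso\InternalApps' |
    Where-Object SigningIssue |
    Format-Table File, Status, StatusMessage, Signer -AutoSize
```

A valid signature is necessary but not sufficient: Smart App Control also consults Microsoft's cloud reputation data, so a clean report here only rules out the signing-related blocks the article describes.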
Clean Windows installation is required
Another downside of Smart App Control is that it requires a clean installation of Windows 11 22H2. Since many organizations would likely not want to reinstall Windows across the board to take advantage of Smart App Control, it may not receive much traction in adoption for business use cases.
Below is an example of Smart App Control turned off on a Windows 11 22H2 workstation that was upgraded without a clean installation.
No group policy settings
Unlike the new phishing protection or several other Defender features, you cannot centrally manage Smart App Control using group policies. The administrative templates for Windows 11 22H2 do not contain a respective setting. For most companies, this will also be a showstopper since group policies are still the most widely used means to automate the configuration of Windows PCs.
Wrapping up
The first release of Smart App Control in Windows 11 22H2 is a step in the right direction by adding security controls to help fight ransomware and other unwanted software. However, the lack of customization, management via group policies, or controls to allow or block specific apps, and the requirement to reinstall Windows to turn on Smart App Control will likely be dealbreakers for businesses.
At this point, it seems it may be a solution more geared toward home users who purchase a freshly installed PC with the ability to evaluate and turn on Smart App Control out of the box with little technical expertise required.