The Good and the Bad of Windows 11's New Smart App Control

The new security feature does help to address the growing ransomware issue. But it's not perfect.

One of the more interesting security features to be introduced in Windows 11 22H2 is Smart App Control. As the name implies, Smart App Control is a tool that is designed to keep dangerous apps (such as ransomware or spyware) from running on a Windows 11 system.

The idea behind Smart App Control is really simple. When you launch an app, Windows consults a cloud database to see what is known about the app. If the app is known to be safe, then it is allowed to run as usual. If the app is considered to be unsafe or malicious, then Windows prevents it from running.

This, of course, raises the question of what happens if the app that you are trying to run is not listed in the database, or if you are working offline and Windows cannot access the database. In those cases, Windows will use the app's signature as a secondary means of validating the app. If the app's signature is valid, then the app is assumed to be valid. If, on the other hand, the app is unsigned or the signature is not valid, then the app is prevented from running.

As you can see, the Smart App Control feature could go a long way in helping organizations to prevent ransomware infections and to prevent the installation of potentially unwanted programs. For those who may be unfamiliar with the term, potentially unwanted programs are those applications that get sneakily bundled with something else. For example, there are download sites that will try to trick you into installing a browser toolbar when you download an application.

Based on the limited testing that I have done with Smart App Control, it does seem to be effective. Better still, using it could not be simpler. To use Smart App Control, click on Settings and then go to App and Browser Control. Now, click on Smart App Control Settings to access the Smart App Control interface.

Smart App Control has three modes of operation: On, Off and Evaluation. The On and Off modes are self-explanatory, but the Evaluation mode needs a bit more explaining. When you enable Evaluation mode, you are essentially telling Windows to watch how you use your PC. In doing so, Windows will make a determination as to whether or not Smart App Control is a good fit for you based on the types of applications that you use. If Windows finds that Smart App Control is going to get in your way then it will automatically turn it off. Otherwise, Smart App Control will eventually be automatically enabled.

As great as all of this may sound, there are two potential downsides to using Smart App Control, although there is a good reason for at least one of those downsides.

The first downside (the one with the good reason) is that even if you upgrade to Windows 11 22H2, you can't use Smart App Control. Yes, you read that correctly. Microsoft has given you a shiny new security feature that it will not allow you to use.

As it turns out, you can only enable Smart App Control on a clean Windows installation, as shown in Figure 1. Microsoft does this because a PC that is already in use could potentially already have malicious or unwanted software installed and so Smart App Control is unable to ensure that PC's safety. While I get why Microsoft did this, I would have preferred them to create an "I accept the risk" button that allows you to turn on Smart App Control and block anything new (and unwanted) from being installed.

Figure 1. You can only enable Smart App Control for clean Windows installations.

The second disadvantage to using Smart App Control, and this is a big one, is that Microsoft does not give you an override option. In other words, if Smart App Control were to determine that one of your apps that you use every day is untrustworthy, you have no recourse. The app is simply blocked and there is no way to remove the block short of disabling Smart App Control. This could be a huge problem for anyone who uses older apps, as legacy apps are less likely to appear in Microsoft's database and are also much less likely to be signed than newer apps are.
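Because the fallback check described earlier rests on the app's signature, and because legacy apps are the ones most likely to be unsigned, it is worth inventorying signature status before turning the feature on. The following PowerShell script is an added example, not part of the original article and not Microsoft's code. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the scan roots and the function name `Get-SignatureInventory` are assumptions chosen for illustration.

```powershell
# Added example: list executables whose Authenticode signature is missing or invalid.
# The default scan roots are an assumption; pass -Roots to point at your own app folders.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

function Get-SignatureInventory {
    param([string[]]$Path)

    # Skip roots that are empty or do not exist (e.g. no x86 folder on some systems).
    $valid = $Path | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    if (-not $valid) { return }

    Get-ChildItem -Path $valid -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                # SignatureStatus enum: Valid, NotSigned, HashMismatch, NotTrusted, ...
                Status = $sig.Status
                # Subject is $null for unsigned files.
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

$inventory = @(Get-SignatureInventory -Path $Roots)

# Overall picture: how many files fall into each signature state.
$inventory | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Files that would fail a signature-only check, grouped by containing folder
# so that whole applications (rather than single DLLs) stand out.
$inventory | Where-Object { $_.Status -ne 'Valid' } |
    Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Treat the result as a list of candidates rather than a prediction: an unsigned app that the cloud database knows to be safe is still allowed to run, and a `Valid` status from this cmdlet only approximates the signature check the article describes.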

Ultimately, I think that Smart App Control will end up being a good tool for improving Windows' security. Even so, Microsoft really, really needs to add a whitelist option. Otherwise, most people will probably resort to using AppLocker or a third-party application control tool.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

