close

Windows

Cloud

Microsoft 365

PowerShell

Active Directory

Security

Windows Server

Video

Microsoft Teams Day is back!

Home

Windows 11

Windows 11 Smart App Control Explained: What It Is and How It Works

Dean Ellerby

|

Windows 11 Smart App Control is a new feature that Microsoft introduced in Windows 11 version 22H2, also known as the 2022 Update. Smart App Control is a system-level feature that can help to protect your Windows 11 PC by blocking malicious and untrusted apps.

In this article, we’ll explain how Windows 11 Smart App Control works and how you can enable it on your PC. If the feature can complement antivirus software and other protections, we’ll also detail some of its current limitations.

What is Windows 11 Smart App Control?

For a number of years, Microsoft Defender Application Control has allowed business customers to protect their users from untrusted and unwanted apps. Managed by an MDM app such as Intune or Microsoft Endpoint Configuration Manager, this feature leverages Microsoft’s “Intelligent Security Graph” to determine an app’s trustworthiness.

Until now, these security capabilities have not been available for consumers using Windows PCs… and this is fine, right? Windows 11 Home users should be able to run any apps they want, even if they could be considered “untrusted”.

However, there are many users – I’m thinking non-tech users really – who aren’t usually able to spot a malicious app. The problem is that, unlike on iOS, Android, and Chrome OS, Windows users exist in a world that isn’t a “closed app ecosystem”. Home and personal users can typically install any app from any source – Microsoft doesn’t need to approve these apps as Apple and Google do.

Windows 11 Smart App Control adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. The feature will block what Microsoft calls “potentially unwanted apps” (PUA), which are apps that may cause a device to run slowly, display unwanted ads, or do other things you don’t expect on your PC

Smart App Control works alongside other security software, such as Microsoft Defender and even non-Microsoft antivirus tools. But it’s not a replacement for these features.

How Windows 11 Smart App Control works

So, how does Microsoft determine if a Windows app can be “trusted”?

When a developer creates an app, they are encouraged to “sign” the app using a digital certificate that verifies the developer’s identity. It proves that the app is really published by them and that it hasn’t been modified by anybody else after the developer published it.

Signing is just one part of the trust process. Microsoft also uses its cloud-powered security graph to verify if apps can be trusted. This security graph can analyze a huge number of apps being launched by users every day, and it uses that knowledge to predict if an app is safe or not. It’s even possible for it to determine the trustworthiness of an app that has never been seen before, using heuristic analysis.

When Smart App Control on Windows 11 blocks the launch of an app that may be unsafe, it presents the user with 3 options: “Ok”, “Send feedback”, and “Get Apps from Store”.

The feature blocked an app that may be unsafe
Smart App Control blocked an app that may be unsafe

It’s not possible to create an exemption rule for a specific app locally – you’ll need to submit a copy of the app to Microsoft, along with comments. The company will then review the app and determine if it’s malicious or not.

As with almost all cloud-powered dynamic security features, Smart App Control isn’t perfect. If the feature can’t be sure about the trustworthiness of an app, and if the app hasn’t been signed by the developer, it’s considered untrusted by default.

How to turn on Windows 11 Smart App Control

Windows 11 Smart App Control can only be enabled on fresh installs of Windows 11 version 22H2 or newer. Even then, it starts in Evaluation mode, which means that it will first determine what type of user you are and whether Smart App Control is a good fit for you.

Here’s how to turn on Smart App Control on a fresh install of Windows 11 version 22H2:

  • Head to the Settings app and search for Smart App Control.
Searching for Smart App Control in the Settings app
Searching for Smart App Control in the Settings app
  • The Windows Security windows will open with Smart App Control settings.
Evaluation is the default setting
Evaluation is the default setting
  • Again, Smart App Control starts in Evaluation mode by default. The feature will first analyze the apps you use, then the protection from untrusted apps will be automatically turned on if Windows 11 estimates that the feature won’t cause any inconveniences.
  • If you want to turn on Smart App Control now so that it starts enforcing protection, you can just choose On.
The feature is set to On - Evaluation mode is disabled
Smart App Control set to On – Evaluation mode disabled.

How to turn off Windows 11 Smart App Control

If Smart App Control prevents you from doing day-to-day tasks or becomes a burden, you have 2 options:

  1. Disable Smart App Control. This is a permanent choice that cannot be undone without performing a full reset of your Windows 11 PC.
  2. Reset your PC and return to Evaluation mode.
     
The Turn off Smart App Control warning pop up
The Turn off Smart App Control warning pop up

When Smart App Control is set to Off, it is no longer possible to change the setting back to On or Evaluation.

The feature is now turned off
Smart App Control is now turned off

The fact that the feature requires a fresh install of Windows 11 version 22H2 to be turned on isn’t exactly convenient. However, Windows 11 offers the option to reset your PC while keeping all your personal files.

If necessary, you can reset your PC from Settings, the sign-in screen, or by using a recovery drive or installation media. You can check out our previous guide on how to reset your Windows PC on Petri.

Conclusion

If you want to try out Smart App Control on a personal Windows 11 PC, I suggest giving your device a reset and seeing whether the default Evaluation mode figures you’re a good fit.

If you want to try out a similar feature on corporate devices, you should consider Microsoft Defender Application Control – it’s a highly configurable and powerful Enterprise version of Smart App Control.

Article saved!

Access saved content from your profile page. View Saved