Published: Sep 28, 2022
Windows 11 Smart App Control is a new feature that Microsoft introduced in Windows 11 version 22H2, also known as the 2022 Update. Smart App Control is a system-level feature that can help to protect your Windows 11 PC by blocking malicious and untrusted apps.
In this article, we’ll explain how Windows 11 Smart App Control works and how you can enable it on your PC. While the feature can complement antivirus software and other protections, we’ll also detail some of its current limitations.
For a number of years, Microsoft Defender Application Control has allowed business customers to protect their users from untrusted and unwanted apps. Managed by an MDM app such as Intune or Microsoft Endpoint Configuration Manager, this feature leverages Microsoft’s “Intelligent Security Graph” to determine an app’s trustworthiness.
Until now, these security capabilities have not been available for consumers using Windows PCs… and this is fine, right? Windows 11 Home users should be able to run any apps they want, even if they could be considered “untrusted”.
However, there are many users – I’m thinking non-tech users really – who aren’t usually able to spot a malicious app. The problem is that, unlike on iOS, Android, and Chrome OS, Windows users exist in a world that isn’t a “closed app ecosystem”. Home and personal users can typically install any app from any source – Microsoft doesn’t need to approve these apps as Apple and Google do.
Windows 11 Smart App Control adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. The feature will block what Microsoft calls “potentially unwanted apps” (PUA), which are apps that may cause a device to run slowly, display unwanted ads, or do other things you don’t expect on your PC.
Smart App Control works alongside other security software, such as Microsoft Defender and even non-Microsoft antivirus tools. But it’s not a replacement for these features.
So, how does Microsoft determine if a Windows app can be “trusted”?
When a developer creates an app, they are encouraged to “sign” the app using a digital certificate that verifies the developer’s identity. It proves that the app is really published by them and that it hasn’t been modified by anybody else after the developer published it.
Signing is just one part of the trust process. Microsoft also uses its cloud-powered security graph to verify if apps can be trusted. This security graph can analyze a huge number of apps being launched by users every day, and it uses that knowledge to predict if an app is safe or not. It’s even possible for it to determine the trustworthiness of an app that has never been seen before, using heuristic analysis.
When Smart App Control on Windows 11 blocks the launch of an app that may be unsafe, it presents the user with 3 options: “Ok”, “Send feedback”, and “Get Apps from Store”.
It’s not possible to create an exemption rule for a specific app locally – you’ll need to submit a copy of the app to Microsoft, along with comments. The company will then review the app and determine if it’s malicious or not.
As with almost all cloud-powered dynamic security features, Smart App Control isn’t perfect. If the feature can’t be sure about the trustworthiness of an app, and if the app hasn’t been signed by the developer, it’s considered untrusted by default.
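Because unsigned apps fall back to cloud reputation alone, it helps to know which of your installers and tools carry a valid signature before you rely on Smart App Control. The following added example (not from the article or from Microsoft) uses PowerShell's `Get-AuthenticodeSignature` to inventory a folder; the default folder and the function name `Get-SignatureInventory` are assumptions, and the result is only a local proxy for the signing check, not Microsoft's cloud verdict.

```powershell
# Added example: inventory Authenticode signature status for executables in a folder.
# Assumption: a "Valid" status is treated as "signed". Smart App Control's real
# decision also involves Microsoft's cloud service, which this does not query.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed folder to audit
)

function Get-SignatureInventory {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Status    = $sig.Status
                # Subject of the signing certificate, if the file has one
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Category  = switch ($sig.Status) {
                    'Valid'     { 'Signed' }            # signature present and chain validates locally
                    'NotSigned' { 'Unsigned' }          # no signature: reputation is the only signal
                    default     { 'SignatureProblem' }  # e.g. HashMismatch, NotTrusted
                }
            }
        }
}

$inventory = @(Get-SignatureInventory -Folder $Path)

# Summary: how many files fall into each category
$inventory | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize

# Detail: files without a valid signature, the ones most likely to be
# treated as untrusted if their reputation is unknown
$inventory |
    Where-Object Category -ne 'Signed' |
    Sort-Object Category, File |
    Format-Table Category, Status, Publisher, File -AutoSize
```

Files reported as `SignatureProblem` with a `HashMismatch` status have been modified after signing and deserve a closer look regardless of Smart App Control.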
Windows 11 Smart App Control can only be enabled on fresh installs of Windows 11 version 22H2 or newer. Even then, it starts in Evaluation mode, which means that it will first determine what type of user you are and whether Smart App Control is a good fit for you.
Here’s how to turn on Smart App Control on a fresh install of Windows 11 version 22H2:
If Smart App Control prevents you from doing day-to-day tasks or becomes a burden, you have 2 options:
When Smart App Control is set to Off, it is no longer possible to change the setting back to On or Evaluation.
The fact that the feature requires a fresh install of Windows 11 version 22H2 to be turned on isn’t exactly convenient. However, Windows 11 offers the option to reset your PC while keeping all your personal files.
If necessary, you can reset your PC from Settings, the sign-in screen, or by using a recovery drive or installation media. You can check out our previous guide on how to reset your Windows PC on Petri.
If you want to try out Smart App Control on a personal Windows 11 PC, I suggest giving your device a reset and seeing whether the default Evaluation mode figures you’re a good fit.
If you want to try out a similar feature on corporate devices, you should consider Microsoft Defender Application Control – it’s a highly configurable and powerful Enterprise version of Smart App Control.