The most common way malicious software gets into a computer is when the user runs an untrusted app downloaded from an unknown source. Windows 11 has an additional layer of protection against this: Smart App Control. This article explains what it is, how it works and why it comes with one important condition.

What Smart App Control is

Smart App Control (SAC) is a Windows 11 security feature that blocks untrusted or potentially malicious apps from running. Before it allows a program to run, it verifies whether the program is trustworthy. If it is not, SAC simply does not let it run.

To decide, it uses a combination of a cloud model and digital signatures. Microsoft evaluates in the cloud whether an app is known and safe. If a program is digitally signed by a trusted publisher or the cloud evaluates it as safe, it runs. If it is unknown, unsigned or evaluated as risky, SAC blocks it.

What it protects against

  • Malicious software (malware) that pretends to be an ordinary app. The article on types of computer viruses covers what kinds of threats exist.
  • Untrusted programs from unknown sources that are neither signed nor verified.
  • Potentially unwanted apps that get added to the computer together with other software.

It is a complement to antivirus, not a replacement for it. A separate article covers how to choose antivirus.

Important: it can only be enabled on a clean install

This is key and often surprises people. Smart App Control can only be enabled on a freshly installed (or reset) Windows 11. You cannot just enable it on a system you have been using for a long time. The reason is simple: Windows needs to be sure the system is not already affected by untrusted software.

The feature has three states:

  • On: actively blocks untrusted apps.
  • Off: the feature does not work.
  • Evaluation mode: the initial state, in which Windows watches how you use the computer and decides by itself whether to turn SAC on or off, so it does not restrict you needlessly.

Beware: once you turn Smart App Control off, it cannot be turned back on without a new install or reset of Windows. A separate article covers reinstalling Windows.

Where you find it

You can find the Smart App Control state in the Windows Security app under App & browser control, Smart App Control. There you see whether it is on, off or in evaluation mode.

Who it suits

  • Ordinary users who only run verified, widespread apps. For them it is great extra protection with no work.
  • Less experienced people, whom it helps prevent running something dangerous.

Who it may restrict

  • Advanced users and developers who run a lot of lesser known or unsigned software (for example small tools, older programs). SAC may block even a legitimate but unverified app for them.

If SAC restricts you more than it helps, it can be turned off. Keep in mind, though, that turning it back on is only possible via a new install.
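Before deciding, it helps to know the current SAC state and how many of your tools lack a valid digital signature, since those depend on the cloud evaluation alone. The PowerShell script below is an added example, not Microsoft's code or part of the original article. It assumes the SmartAppControlState property of Get-MpComputerStatus is present on your build and uses the Downloads folder as a placeholder path; a missing signature does not by itself mean SAC will block the file.

```powershell
# Added example: report the Smart App Control state and list executables
# whose Authenticode signature is missing or not valid.
param(
    # Assumption: folder holding the tools you rely on; change as needed.
    [string]$Path = "$env:USERPROFILE\Downloads"
)

function Get-SacState {
    # Get-MpComputerStatus comes with the Defender module. The property may be
    # absent on builds without Smart App Control, so report that as Unknown.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        return 'Unknown (Defender module unavailable)'
    }
    if ($status.PSObject.Properties.Name -contains 'SmartAppControlState') {
        return [string]$status.SmartAppControlState
    }
    return 'Unknown (property not present on this build)'
}

function Get-SignatureReport {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.msi, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Status    = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

"Smart App Control state: $(Get-SacState)"
$report = Get-SignatureReport -Folder $Path
# Files without a valid signature can only pass on the cloud evaluation.
$needsReputation = $report | Where-Object { $_.Status -ne 'Valid' }
"Files scanned: $(@($report).Count); without a valid signature: $(@($needsReputation).Count)"
$needsReputation | Sort-Object Status, File | Format-Table -AutoSize -Wrap
```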

Smart App Control and overall security

Smart App Control is just one layer. Real security stands on several measures at once: antivirus, updates, backups, caution with emails. The article on cybersecurity principles gives an overview, and the article on phishing and fraudulent emails covers fraudulent messages.

Conclusion

Smart App Control in Windows 11 is a clever layer of protection that blocks untrusted and malicious apps from running, based on cloud evaluation and digital signatures. It has one important condition: it can only be enabled on a clean install. For an ordinary user it is extra protection for free; for an advanced one it can sometimes be restricting.

Need advice on securing your computer or with a clean install of Windows 11? Get in touch, we will be happy to help.