Windows 11 is getting a big security upgrade — may require OS reinstall

The Windows 11 logo seen through a digital magnifying glass
(Image credit: Shutterstock)

Windows 11 users can look forward to a slew of security updates going forward, including a new feature called Smart App Control that's designed to stop you from unknowingly running malicious apps on your PC. 

But there's a catch: If you decided to upgrade to Windows 11 instead of buying a PC with Windows 11 pre-installed, you'll have to reset your PC in order to enable Smart App Control.

That detail comes to us courtesy of a Microsoft blog post published Tuesday (April 5) that offers a brief rundown of some of the new security features planned for Windows 11. The post is attributed to Microsoft Enterprise and OS Security VP David Weston, and it speaks to how Smart App Control and other security features are being developed with hybrid work in mind. 

"Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud," according to the blog post. "Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals. When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run."

Smart App Control will ship on new devices with Windows 11 installed," it continues. "Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature."

Put simply, Microsoft is adding a nanny feature to Windows 11 that will warn you (and perhaps do more than that) if it thinks an app you've downloaded is a threat or nuisance to you or your PC. On the surface, it appears very similar to extant Windows security features like Windows Defender (aka Microsoft Defender Antivirus), which uses machine learning and analysis of big data sets to suss out whether files on your PC are bad news or not.

(Image credit: Microsoft)

While we don't yet know when Smart App Control will become available for all Windows 11 users, an early version of the feature already rolled out to Windows Insiders on the Dev Channel last month as part of Windows 11 Insider Preview Build 22567

In the release notes for that preview build Microsoft explains a bit about how SAC works: It starts off in an "evaluation mode" in which it attempts to gather information about your PC and how it can help "without getting in your way too much", according to Microsoft. If it decides it can help you, it will evidently switch itself on automatically; otherwise, it will switch itself off. You can choose not to wait and just switch it on or off using a new Smart App Control control panel in the App & browser control section of the Windows 11 Security app.

However, here again there's a catch: If you disable Smart App Control, Microsoft says you will have to reset your PC to enable it again. But if you enable Smart App Control and it decides a given app is untrustworthy and shouldn't be run, there's no way to make an exception and tell Windows to run it anyway. 

"There is currently no way to bypass Smart App Control protection for individual apps," according to a Microsoft support page for the feature. "You can turn Smart App Control off, or (better yet), contact the developer of the app and encourage them to sign their app with a valid signature."

This seems like a bad way to set up a hands-off security feature that will be rolling out to the growing (albeit slowly) number of people using Windows 11. A cursory glance at the Smart App Control section of the Windows Feedback Hub (which you can access on Windows by hitting Win + F) already shows a number of complaints from early users frustrated by SAC restricting access to things like driver updates, Kasperksy Antivirus and Steam

We'll have to wait and see for ourselves how well Smart App Control works once it goes through the Windows Insider testing process and is released as a general Windows 11 update. Right now we expect to see it debut in the latter half of 2022 as part of the big Windows 11 22H2 update that's coming down the pike. Hopefully by then Microsoft will have added some more granular control options that let you choose how and when Smart App Control manages apps on your PC.

Alex Wawro
Senior Editor Computing

Alex Wawro is a lifelong tech and games enthusiast with more than a decade of experience covering both for outlets like Game Developer, Black Hat, and PC World magazine. A lifelong PC builder, he currently serves as a senior editor at Tom's Guide covering all things computing, from laptops and desktops to keyboards and mice.