Windows 11's Newest Security Feature Requires Full Reset

Windows 11’s newest security feature comes with a sting in the tail: if you’ve upgraded to the newest version of Microsoft’s operating system, rather than bought a new PC with it installed, you’ll need to reset it if you want Smart App Control. The news broke in a blog post from David Weston, vice president of OS security and enterprise at Microsoft, subsequently reported on by PCWorld.

“In a future release of Windows 11 you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” writes Weston in his post, which sounds fine, as enhanced security was one of the reasons we have Windows 11 in the first place.

One of these major enhancements is Smart App Control, which appeared in a recent Windows 11 insider build, and blocks malicious, untrusted and potentially unwanted apps. The first set are flagged by Microsoft, but the ‘smart’ part of the system kicks in for the others, taking into account digital signatures, app usage, and Microsoft's cloud-based security service. There doesn’t seem to be a way of whitelisting apps, or unblocking them in any way once they’re blocked.

It also acts in a new and strange way, according to German news site Ghacks. Once installed, Smart App Control enters evaluation mode, learning whether it can assist you but not blocking anything, until it automatically turns on. It can be manually turned on or off from the Windows Security app. The strange thing is that, if turned off, it cannot be turned back on without a full reset of the PC and a clean install of Windows 11.

The need for a clean installation if you want Smart App Control on your existing Windows 11 PC is detailed in Weston’s blog post: “Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature,” he writes.

Microsoft’s security splurge is dressed in the language of hybrid working and zero trust, as the Redmond software giant attempts to push its Pluton platform. Smart App Control, and the promotion of Microsoft SmartScreen to a part of the OS instead of a security app, is part of a drive to protect critical business machines used at home from phishing, ransomware, and other unwanted nasties, and it’s up to company IT departments to decide whether to deploy it. Home users with Microsoft Defender switched on are unlikely to need it urgently, so the need for a clean install, while annoying, might not affect many users after all.

Ian Evenden
Freelance News Writer

Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.

  • Colif
    you’ll need to reset it if you want Smart App Control.

    guess I don't really want it that much :D

    The need for a clean installation if you want Smart App Control on your existing Windows 11 PC is detailed in Weston’s blog post: “Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature,” he writes.

    If you're going to clean install, why do a reset first?
  • USAFRet
    "reset" or "clean install" ?
    Two different things.
  • Colif
    Smart App Control is only active on newly installed systems. Microsoft does not provide an explanation for this, but Microsoft wants to avoid issues with already installed applications probably at this stage.
    they want windows in a clean state before you can enable it. So a full reset... remove all apps.
    Clean install safer - seen too many failed resets.
    that make people happy... i am on ex insider so need to clean install one day anyway.

    it just enhances defender
    What is Smart App Control?
    Smart App Control is a security feature that blocks malicious, untrusted and potentially unwanted apps on Windows devices.

    Malicious applications are flagged by Microsoft. They may do all sorts of unwanted things on a PC, including deleting files, pushing remote control software on devices, stealing data, monitoring user activities and more.
    Untrusted applications are not necessarily malicious. Microsoft uses two main factors to determine whether an app is untrusted or not. The first determines whether the app is digitally signed, the second takes usage into account. Unsigned apps that Microsoft's cloud-based security service is not familiar with are considered untrusted.
    Potentially unwanted apps may contain unexpected ads, slow down devices, or include offers for extra software that users don't want.
    link
    So if you use defender you might want it. If you don't use defender...
  • salgado18
    A feature that blocks harmful software, as decided by Microsoft servers, doesn't allow exceptions, and once enabled cannot be turned off...

    Every day my urge to upgrade to Windows 11 gets lower. I believe, if things don't improve in favor of the user, when the time to abandon Windows 10 comes, I'll end up going Linux full time.
  • hotaru251
    given it's always on means eating up resources..pass.


    also even IF I was dumb enough to use it..
    There doesn’t seem to be a way of whitelisting apps, or unblocking them in any way once they’re blocked.
    is an instant "no way". I already have issues with some stuff I use that triggers false positives and I have to manually unblock. Disabling whitelist is instant no.
  • hotaru.hino
    salgado18 said:
    I believe, if things don't improve in favor of the user...
    But what even is "the user"?

    Also Microsoft has tried catering to advanced users before nearly 3 decades ago. It didn't work: https://devblogs.microsoft.com/oldnewthing/20030728-00/?p=43043
  • TerryLaze
    salgado18 said:
    A feature that blocks harmful software, as decided by Microsoft servers, doesn't allow exceptions, and once enabled cannot be turned off...

    Every day my urge to upgrade to Windows 11 gets lower. I believe, if things don't improve in favor of the user, when the time to abandon Windows 10 comes, I'll end up going Linux full time.
    Don't get your hopes up too much with linux, if the world decides that it needs a certain degree of security then linux will either have to join or it will be left out and won't even be able to connect to most webpages because they won't have that security level the pages demand. (pages=software=things in general)
  • USAFRet
    salgado18 said:
    when the time to abandon Windows 10 comes, I'll end up going Linux full time.
    Many say that, few actually do.
  • Eximo
    Getting close with my media box pretty much just browser and VLC media player, old 4th gen system.

    Once I wrap up this last section of schooling, I'll consider switching to Linux on my main system as I only play a few games regularly, and what with Proton and all...Might even give SteamOS a go. Had the boot drive fail not too long ago anyway.

    Maybe pick up a new laptop to keep Windows on. That would be a decent compromise. Anyone need a 4th gen Lenovo laptop?
  • warezme
    This doesn't bother me. I don't download or use any MS apps and remove the ones it installs by default. Don't care.