At its Windows Powers the Future of Hybrid Work event earlier this week, Microsoft revealed various new features that are coming to Windows 11. As well as additions such as tabs in File Explorer and folders in the Start menu, the company revealed a lot of upcoming security features.
One of the security highlights is Smart App Control, which works like an enhanced version of the SmartScreen filter already found in Windows. It will help to block malicious apps, but there is a serious downside that will put off a lot of people.
Writing on the Microsoft Security blog, the company’s Vice President of Enterprise and OS Security, David Weston, discusses the purpose of the security feature.
He explains: “Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level”.
Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.
Going on to detail how Smart App Control works, Weston says:
When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.
And it is in this last sentence that Smart App Control’s potential failure is revealed. While the security feature will be enabled by default on new installations, anyone currently running Windows 11 will have to endure either a reinstallation of the operating system, or a system reset, in order to take advantage of it.
Is this something that the majority of home users will be willing to do? It seems unlikely. Microsoft must have implemented this requirement with good reason. There must surely have been no alternative for some as-yet-unrevealed technical reason, as forcing users to reset or reinstall Windows 11 in order to benefit from additional security seems like madness.