Smart App Control Frequently Asked Questions

Applies to
Windows 11

Tip

For an overview of Smart App Control, see App & Browser Control in the Windows Security App. For an overview of App Control in Windows, see Application Control for Windows.

How does Smart App Control work?

When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.

If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature, Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.

What makes somebody a good candidate for Smart App Control?

Essentially, we're looking to see if Smart App Control is a good fit for your device or if it is going to get in your way too often. In most cases Smart App Control will automatically turn on to protect against untrusted or malicious apps. However, there are some legitimate tasks that corporate users, developers, or others may do regularly that may not be a great experience with Smart App Control running. If we detect that you're one of those users, we'll automatically turn Smart App Control off so you can work with fewer interruptions.

Can I turn Smart App Control on manually?

Yes, if it's available for your device, you are able to turn on Smart App Control in the Windows Security App settings. Recent Windows updates allow Smart App Control to be enabled without requiring a clean installation.

Why is Smart App Control turned off?

There are multiple reasons why Smart App Control could be turned off, for example:

  • Your device is enterprise-managed or developer-mode has been configured.
  • During evaluation mode we determined that you weren't a good candidate for Smart App Control.
  • It was turned off manually by you or another user signed into your machine.
  • Your device is running Windows in S mode. You'll need to turn S mode off, then reset your PC, to enter evaluation mode.
  • You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.

Recent Windows updates allow Smart App Control to be enabled within the Windows Security App without requiring a clean installation.

When should I disable Smart App Control?

You are able to disable Smart App Control in the Windows Security App settings. You may need to disable it if:

  • You’re installing, updating, or uninstalling apps that rely on Windows Installer Transform (MST) files. MST files can’t currently be digitally signed, and if Smart App Control is unable to obtain a confident cloud reputation verdict for the files, it may result in a block. In these cases, Smart App Control may need to be temporarily disabled to complete the process.

You can turn Smart App Control back on after the installation is complete. Recent Windows updates allow Smart App Control to be re‑enabled without requiring a clean installation.

Does Smart App Control replace my antivirus software?

Smart App Control works alongside your other security software, such as Microsoft Defender or non-Microsoft antivirus tools, for added protection.  

How can I tell Smart App Control to let this one specific app through?

There is currently no way to bypass Smart App Control protection for individual apps. You can turn Smart App Control off, or (better yet), contact the developer of the app and encourage them to sign their app with a valid signature.

What does untrusted mean?

When a developer creates an app, they are encouraged to "sign" the app using a digital certificate that verifies their identity, that the app is really published by them, and that the app hasn't been tampered with by somebody else after the developer published it. You can think of it a bit like a painter signing a piece of art, except harder to fake.

Signing is one part of what can make an app trusted or untrusted. The other part is experience. Our intelligent cloud-powered security service sees a huge number of apps every day and uses that knowledge to predict if an app is safe or not safe — even apps we've never seen before. However, in some cases, the service is unable to make a confident prediction either way.

If the security service can't make a confident prediction about the app, and the app doesn't have a valid signature, it's considered untrusted.

I'm an app developer, how can I get Smart App Control to not block my app?

The simple answer is, sign your app with a valid certificate.
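Before you ship, you can check which files in a build would have no valid signature to fall back on when the cloud service has no confident verdict. The script below is an added example, not Microsoft's own tooling: the function name Get-SignatureAudit, the extension list, and the folder C:\build\output are assumptions, and it reports the local Authenticode status from Get-AuthenticodeSignature, which is not a prediction of the Smart App Control verdict.

```powershell
# Added example: audit a build or installer folder for files without a valid signature.
# Get-SignatureAudit is a hypothetical helper name; the extension list is an assumption.
function Get-SignatureAudit {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Common file types that can carry an Authenticode signature.
    $signable = '.exe', '.dll', '.sys', '.msi', '.msp', '.cab', '.ps1'

    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()

        if ($ext -eq '.mst') {
            # Windows Installer Transform files cannot be digitally signed,
            # so they have no signature to fall back on.
            [pscustomobject]@{
                File   = $_.FullName
                Status = 'CannotBeSigned'
                Signer = $null
                Note   = 'MST transform: relies on cloud reputation only'
            }
        }
        elseif ($signable -contains $ext) {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            [pscustomobject]@{
                File   = $_.FullName
                Status = $status
                Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
                Note   = if ($status -eq 'Valid') { 'OK' } else { 'No valid signature' }
            }
        }
    }
}

# List only the files that need attention (constructed sample path).
Get-SignatureAudit -Path 'C:\build\output' |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

A HashMismatch result means the file changed after it was signed, so re-sign it as the last step of the build rather than before packaging or post-processing.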

For more information see:

How can I provide feedback about Smart App Control?

We'd love your feedback on Smart App Control. To let us know what you think or offer feature suggestions:

  1. In Windows, go to the Feedback Hub (from the Start menu, or press Windows key + F).
  2. When you get to Step 2 - Choose a category, select Security and Privacy - Smart App Control.