Tip: For an overview of Smart App Control, see App & Browser Control in the Windows Security App​​​​​​​. For an overview on App Control in Windows, see Application Control for Windows.
When you try to run an app on Windows, Smart App Control will check to see if our intelligent cloud-powered security service can make a confident prediction about its safety. If the service believes the app to be safe, Smart App Control will let it run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it.
If the security service is unable to make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature. If the app has a valid signature, Smart App Control will let it run. If the app is unsigned, or the signature is invalid, Smart App Control will consider it untrusted and block it for your protection.
Essentially, we're looking to see if Smart App Control is a good fit for your device or if it is going to get in your way too often. In most cases Smart App Control will automatically turn on to protect againt untrusted or malicious apps. However, there are some legitimate tasks that corporate users, developers, or others may do regularly that may not be a great experience with Smart App Control running. If we detect that you're one of those users, we'll automatically turn Smart App Control off so you can work with fewer interruptions.
Yes, if it's available for your device, you are able to turn on Smart App Control in the Windows Security App settings. Recent Windows updates allow Smart App Control to be enabled without requiring a clean installation.
There are multiple reasons why Smart App Control could be turned off, for example:
-
Your device is enterprise-managed or developer-mode has been configured.
-
During evaluation mode we determined that you weren't a good candidate for Smart App Control.
-
It was turned off manually by you or another user signed into your machine.
-
Your device is running Windows in S mode. You'll need to turn S mode off, then reset your PC, to enter evaluation mode.
-
You have optional diagnostic data in Windows turned off. If you want to turn Smart App Control on, you'll need to reset this PC, or reinstall Windows, and select Send optional diagnostic data during the setup process.
Recent Windows updates allow Smart App Control to be enabled within the Windows Security App without requiring a clean installation.
You are able to disable Smart App Control in the Windows Security App settings. You may need to disable if:
-
You’re installing, updating, or uninstalling apps that rely on Windows Installer Transform (MST) files. MST files can’t currently be digitally signed, and if Smart App Control is unable to obtain a confident cloud reputation verdict for the files, it may result in a block. In these cases, Smart App Control may need to be temporarily disabled to complete the process.
You can turn Smart App Control back on after the installation is complete. Recent Windows updates allow Smart App Control to be re‑enabled without requiring a clean installation.
Smart App Control works alongside your other security software, such as Microsoft Defender or non-Microsoft antivirus tools, for added protection. Â
There is currently no way to bypass Smart App Control protection for individual apps. You can turn Smart App Control off, or (better yet), contact the developer of the app and encourage them to sign their app with a valid signature.
When a developer creates an app, they are encouraged to "sign" the app using a digital certificate that verifies their identity, that the app is really published by them, and that the app hasn't been tampered with by somebody else after the developer published it. You can think of it a bit like a painter signing a piece of art, except harder to fake.
Signing is one part of what can make an app trusted or untrusted. The other part is experience. Our intelligent cloud-powered security service sees a huge number of apps every day and uses that knowledge to predict if an app is safe or not safe — even apps we've never seen before. However, in some cases, the service is unable to make a confident prediction either way.
If the security service can't make a confident prediction about the app, and the app doesn't have a valid signature, it's considered untrusted.
The simple answer is, sign your app with a valid certificate.
For more information see:
We'd love your feedback on Smart App Control. To let us know what you think or offer feature suggestions:
-
In Windows, go to the Feedback Hub. (from the Start menu or press Windows key + F)
-
When you get to Step 2 - Choose a category, select Security and Privacy - Smart App Control
