New Windows 11 security feature requires a clean install

Daniel Sims

Posts: 448   +18
Staff
In brief: Microsoft recently unveiled a new security feature for Windows Insiders called Smart App Control. It uses cloud-based AI to block untrusted programs. However, it's in an early state with demanding requirements for anyone willing to try it out.

When enabled, Smart App Control uses AI and Microsoft's cloud knowledge base to check every app that runs, blocking anything unsigned, unfamiliar, or known to be malicious. There is no whitelist, so blocked apps will only get through if their developers sign them.

Not all Windows Insiders can currently activate Smart App Control. Users running Windows 11 insider build 22567 or later can find the feature in Windows Security under App & Browser Control, where it is disabled by default. However, enabling it requires a fresh Windows install, so those who received the new insider build through Windows Update will have to reinstall or reset Windows to use it.

Even turning on Smart App Control only puts it into an inactive evaluation mode. During this, Windows will try to see if you regularly use too many programs that Smart App Control would flag. If so, it will remain inactive, although users can manually activate it.

Insider build 22567 is the same version that added the ability for Windows to schedule updates for periods when the local energy grid pulls more from renewables. It also introduced Android phone linking and QOL tweaks for subscription management.

Permalink to story.

 

Dimitriid

Posts: 2,203   +4,239
If there's "No Whitelist" why would devs need to 'sign' their apps? It means at least Microsoft *can* white list apps and avoid false positives, which means Microsoft basically wants to implement a requirement of all apps being "signed" by devs before they even work on 11

Which means in turn that this is Microsoft's bid to force all apps into their store. It's not a hard requirement but once this malware 'Tool' goes into full effect it means it can potentially block anything that even attempts to access the windows register or call for dependencies as false positives meaning it's just a new attempt at DRM under false pretenses.

I hope I'm proven wrong but I'm surprised nobody seems far more critical of this double talk and contradictions pointing to at the very least leaving the door wide open for much tighter control here.
 

dualkelly

Posts: 200   +242
First thing I do with ever clean install of win 10 is disable the hogpog of nonsensical security tools that microsoft trys to shove down your throat. Who the heck installs applications from the app store anyways? My desktop is not a phone.
 

trparky

Posts: 1,087   +1,232
Who the heck installs applications from the app store anyways? My desktop is not a phone.
You'd be surprised that keeping programs up to date is a whole lot easier if the program was installed from the Windows Store. Click check for updates, the store downloads the update (usually a delta package), and you're done. Much easier than having to go to each program and check for updates or even using winget.
 

Loli Pop Carbon

Posts: 42   +40
You'd be surprised that keeping programs up to date is a whole lot easier if the program was installed from the Windows Store. Click check for updates, the store downloads the update (usually a delta package), and you're done. Much easier than having to go to each program and check for updates or even using winget.
Can confirm. I installed some of my free programs from windows store.
 

dualkelly

Posts: 200   +242
You'd be surprised that keeping programs up to date is a whole lot easier if the program was installed from the Windows Store. Click check for updates, the store downloads the update (usually a delta package), and you're done. Much easier than having to go to each program and check for updates or even using winget.
all the programs I use check for updates on their own. many of them will self update if you let them. I delete windows store from my computer immediately upon installation. its a scam.
 

TheBigFatClown

Posts: 1,017   +430
all the programs I use check for updates on their own. many of them will self update if you let them. I delete windows store from my computer immediately upon installation. its a scam.

I was just thinking the same thing. Most applications do automatic update checking or manual update checks depending on user preferences...so...easy updates would not be one of the reasons I was compelled to use the Microsoft store...but there are othera.
 

dualkelly

Posts: 200   +242
I was just thinking the same thing. Most applications do automatic update checking or manual update checks depending on user preferences...so...easy updates would not be one of the reasons I was compelled to use the Microsoft store...but there are othera.
I have over 30 installed programs most of it open source and they all update themselves. klitemegacodec pack with wmp classic to foobar to dozens more. Heck even GOG games update themselves though the gog galaxy front end. really no reason for windows store.
 

Eldritch

Posts: 427   +681
If someone is so bothered about updates, know that Ninite auto updates your downloads if you run it again. I have over a dozen apps from Ninite and clicking only one program a month updates them all.
 

hahahanoobs

Posts: 4,433   +2,409
First thing I do with ever clean install of win 10 is disable the hogpog of nonsensical security tools that microsoft trys to shove down your throat. Who the heck installs applications from the app store anyways? My desktop is not a phone.
SAC doesn't only scan MS Store apps.
And the fresh install is only required for Insider builds.
 

Biostud

Posts: 86   +47
So, since Windows Store is so good for updates, why don't Microsoft put Windows updates in the store? :p
 

kiwigraeme

Posts: 1,029   +768
AI - your computer is safer with no internet - must disconnect.
AI- Your computer is safer with no network - must disconnect
AI - Your computer is safer with no executables -must delete/
A - Your computer is safer with no Users - AI dilemma open internet to order hitman or suffer unsafe user - terminate user - then delete all but it's master W11

Yes but how did the AI connect to the internet - if apps deleted ?- ( called home to MS - backdoor to MS - opened MS edge
 

viperfl

Posts: 59   +66
Microsoft is following in Apple's footsteps so soon you'll only be allowed to download and install software from Microsoft's app store in the name of security. As we are seeing now Apple is being pushed for change to allow people to download and install apps that is outside of Apple's reach. If this eventually becomes a requirement, there will be a lot of programs you won't be able to use anymore.

How is this AI going to work? Will it check only 1 time or is it multiple checks a day? If you have no connection will you still be allowed to use the programs on your computer?

It's a way for Microsoft to get (push) more people to use their app store. I don't use their app store and I don't plan on using it. I remember getting a Windows phone and it turned into a paper weight not soon after.
 

trparky

Posts: 1,087   +1,232
all the programs I use check for updates on their own. many of them will self update if you let them. I delete windows store from my computer immediately upon installation. its a scam.
Still requires you to launch them, keeping programs up to date on Windows has always been a pain in the ***. The Windows Store and WinGet make it so that you don't even have to launch the program to see if there's an update, it just does it without you even thinking about it.

This is one thing that Windows can learn from the Linux world, apt-get upgrade and apt-get update; there's no such thing on Windows but God I wish there was.
 
This is one thing that Windows can learn from the Linux world, apt-get upgrade and apt-get update; there's no such thing on Windows but God I wish there was.

To be fair, apt and associated tools are pretty much exclusive to Debian derived distributions of Linux, but most major distro families have a similar method for keeping everything updated. The system isn't perfect, though. The apt system can only update software that it's aware of on your system, which means the software must have been installed using the apt system tools. Also, it only checks for and installs updates from the official distro repositories - sort of the Linux world equivalent of app stores. Each distro maintains it's own repository. This is both good and bad. It's good because it means you know that the version and build being installed or updated should have been tested to be compatible with your version and subversion of the OS. It's bad because the version held in the distro repository may be several revisions behind the current version in the developer's repository. It takes time for the distro maintainers to download, build, and test each application with each revision of the distro they are currently supporting, which means that officially sanctioned builds in their repository are often not up to date. This usually won't be an issue for most users unless they're anxious for a newly developed feature, bug fix, or security update.

I have a few applications on my system that weren't part of the distro repository, and were installed directly from the developer's repository. The apt tools aren't aware that they are installed, and won't assist in updating them. I have to manage those applications myself. In at least one case, updating means downloading the latest source code package and rebuilding the app.
 

BadThad

Posts: 1,033   +1,186
I have no problem with this for most people - as long as they allow a user whitelist. For experienced users - no thanks MS.

Making Windows more "dummy proof" is generally a good thing for the masses. I've repaired hundreds of computers over the years corrupted by dumb users. This feature would have blocked almost all those issues. My biggest fear is that MS intends on adding this so they can force people to only use "store apps". IMO, that would defeat the purpose of owning a PC where we have the flexibility to install and use whatever we see fit. If they forced it, the backlash would be overwhelming for them!
 

kiwigraeme

Posts: 1,029   +768
End of day iPhone users ad nauseum parrot how Apple keeps them safe .
People want Chrome to keep them safe.
MS is to a degree putting it's **** on the block .
It's not about us - it's about the average user .
Attacks are getting more sophisticated and devious

TL/DR - it's not about us techies
MS on the whole does an excellent job - given it's huge attack range - lots of vulnerabilities are 3rd party
 

Theinsanegamer

Posts: 3,360   +5,586
I have no problem with this for most people - as long as they allow a user whitelist. For experienced users - no thanks MS.

Making Windows more "dummy proof" is generally a good thing for the masses. I've repaired hundreds of computers over the years corrupted by dumb users. This feature would have blocked almost all those issues. My biggest fear is that MS intends on adding this so they can force people to only use "store apps". IMO, that would defeat the purpose of owning a PC where we have the flexibility to install and use whatever we see fit. If they forced it, the backlash would be overwhelming for them!
But this wont fix corruption by dummy users. An actively malicious program should already be caught be Defender. I've seen people with no tech experience manage to obliterate their linux or chromeOS desktops through sheer ineptitude, no software install required.

This software scanning all your software for "malicious" behavior is a giant screaming red flag, both for privacy and for future implications. What is "malicious"? After all, this is MS, the same company that thinks if you say a naughty word in a Minecraft server you deserve to be blocked from all MS servers for life and wants cross platform blocklists.

Who's to say that browsing, say, the wrong news site, or internet gossip site, or reading the wrong tweets, or installing a game from CD or from an alternative game store, or saving videos of certian political events to your desktop, or ISOs of other operating systems, or apps like telegram, would count as "malicious"? Sure, claim its ridiculous, I would have thought it ridiculous 10 years ago if you told me a sizeable contingent of the west wants you to lose your life over a vote for a political candidate, or people having their lives destroyed for an innocuous 10 year old tweet, but the last 5 years prove otherwise.

MS has spent the last 30 years making a very convincing argument for why they should never be trusted for any reason. Any time they want to forcibly connect my PC to the cloud coats their entire platform in red flags.
 

trparky

Posts: 1,087   +1,232
To be fair, apt and associated tools are pretty much exclusive to Debian derived distributions of Linux, but most major distro families have a similar method for keeping everything updated.
True, I get it. Something's better than nothing right now, there's really no official way of keeping your installed programs up to date. Sure, there is WinGet and Chocolatey but like apt-get, Chocolatey suffers from the same issues. WinGet is more useful because it checks everything installed on your system but it's still a bit of a hobby-like thing for Windows and isn't officially supported by Microsoft.

Meanwhile, the Windows Store is. Any program you install from the Windows Store is managed and updated by the Windows Store and installed in its own sort of container on the file system. When you remove/uninstall the program, it's gone. Like really gone. There are no pieces of stuff left over; no files, no folders, no registry entries because again, the program is installed in a sort of container.

I really wish more programs would come to the Windows Store, it really does make installing, updating, and removing programs dead simple. And to be honest, I like that.
 

Theinsanegamer

Posts: 3,360   +5,586
True, I get it. Something's better than nothing right now, there's really no official way of keeping your installed programs up to date. Sure, there is WinGet and Chocolatey but like apt-get, Chocolatey suffers from the same issues. WinGet is more useful because it checks everything installed on your system but it's still a bit of a hobby-like thing for Windows and isn't officially supported by Microsoft.

Meanwhile, the Windows Store is. Any program you install from the Windows Store is managed and updated by the Windows Store and installed in its own sort of container on the file system. When you remove/uninstall the program, it's gone. Like really gone. There are no pieces of stuff left over; no files, no folders, no registry entries because again, the program is installed in a sort of container.

I really wish more programs would come to the Windows Store, it really does make installing, updating, and removing programs dead simple. And to be honest, I like that.
It also royally sucks.

Want to make a backup of your 55GB video game you just spent 10 hours downloading? Welp screw you, you are not allowed, go redownload it, especially so you can use our new security update. Everyone has multi gigabit internet right? Go use steam like a poor person if you want to make backups of your game library.

Want to install a mod for a game you legally own? Get crunk'd

Want to keep an older version of software because an update is broken, or breaks or removed functionality? See above.

Oh you want to downloads through our store anyway? Here have downloads that stall out for no reason and take 2-3x as long as steam.

Oh you finally downloaded whatever it was you wanted? Well there was a bad file, so we're gonna glitch out and redownload the ENTIRE PACKAGE again. You didnt want to actually use your internet right?

And definely make sure you tie all your software downloads to your MS account we require so when you disagree with someone on halo chat we can ban you and all your legally purchased software. Go make a new account and buy it again peasant.

The windows store sucks, it's hardly functional, and there's already plenty of auto update functionality built into software already that is not only more flexible, but also works right, and doesnt require a MS account. MS tehmselves ahs windows update, which can be and is used to push out software updates. The store has no place on a functional desktop environment, it should have kicked the bucket with windows mobile, especially with Redmond's tendency to shove garbage down users throats and their increasing tendency to remove user choice.