News Windows 11's Newest Security Feature Requires Full Reset

Colif

Win 11 Master
Moderator
you’ll need to reset it if you want Smart App Control.

guess I don't really want it that much :D

The need for a clean installation if you want Smart App Control on your existing Windows 11 PC is detailed in Weston’s blog post: “Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature,” he writes.

If you're going to clean install, why do a reset first?
 

Colif

Win 11 Master
Moderator
Smart App Control is only active on newly installed systems. Microsoft does not provide an explanation for this, but Microsoft wants to avoid issues with already installed applications probably at this stage.
they want windows in a clean state before you can enable it. So a full reset... remove all apps.
Clean install safer - seen too many failed resets.
that make people happy... i am on ex insider so need to clean install one day anyway.

it just enhances defender
What is Smart App Control?
Smart App Control is a security feature that blocks malicious, untrusted and potentially unwanted apps on Windows devices.

  • Malicious applications are flagged by Microsoft. They may do all sorts of unwanted things on a PC, including deleting files, pushing remote control software on devices, stealing data, monitoring user activities and more.
  • Untrusted applications are not necessarily malicious. Microsoft uses two main factors to determine whether an app is untrusted or not. The first determines whether the app is digitally signed, the second takes usage into account. Unsigned apps that Microsoft's cloud-based security service is not familiar with are considered untrusted.
  • Potentially unwanted apps may contain unexpected ads, slow down devices, or include offers for extra software that users don't want.

So if you use defender you might want it. If you don't use defender...
 
given it's always on means eating up resources..pass.


also even IF I was dumb enough to use it..
There doesn’t seem to be a way of whitelisting apps, or unblocking them in any way once they’re blocked.
is an instant "no way". I already have issues with some stuff I use that triggers false positives and I have to manually unblock. Disabling whitelist is instant no.
 
A feature that blocks harmful software, as decided by Microsoft servers, doesn't allow exceptions, and once enabled cannot be turned off...

Everyday my urge to upgrade to Windows 11 gets lower. I believe, if things don't improve in favor of the user, when the time to abandon Windows 10 comes, I'll end up going Linux full time.
Don't get your hopes up too much with Linux, if the world decides that it needs a certain degree of security then Linux will either have to join or it will be left out and won't even be able to connect to most webpages because they won't have that security level the pages demand. (pages=software=things in general)
 

Eximo

Titan
Ambassador
Getting close with my media box pretty much just browser and VLC media player, old 4th gen system.

Once I wrap up this last section of schooling, I'll consider switching to Linux on my main system as I only play a few games regularly, and what with Proton and all...Might even give SteamOS a go. Had the boot drive fail not too long ago anyway.

Maybe pick up a new laptop to keep Windows on. That would be a decent compromise. Anyone need a 4th gen Lenovo laptop?
 
Apr 7, 2022
1
0
10
Typical MS not supporting corporates. If you upgrade win10 to win11 it effectively does a fresh install and migrates your apps to the new OS, but to get this new feature you need a clean re-install?
Applying any security update or feature that better protects devices should not require a re-install. That just means it's badly written.
You can enable\disable Bitlocker without affecting your OS or data and that's pretty low level and tied into the TPM (if you have one) so this new "feature" is just a sales tactic.
 
Typical MS not supporting corporates. If you upgrade win10 to win11 it effectively does a fresh install and migrates your apps to the new OS, but to get this new feature you need a clean re-install?
Applying any security update or feature that better protects devices should not require a re-install. That just means it's badly written.
You can enable\disable Bitlocker without affecting your OS or data and that's pretty low level and tied into the TPM (if you have one) so this new "feature" is just a sales tactic.
Weeeeell, if the problem until now was that you could spoof the installation and make a malicious software indistinguishable from a legit one then what are you supposed to do?! You can't scan for it so your only choice is to use an OS image that only has verified apps by MS.
 
Typical MS not supporting corporates. If you upgrade win10 to win11 it effectively does a fresh install and migrates your apps to the new OS, but to get this new feature you need a clean re-install?
Applying any security update or feature that better protects devices should not require a re-install. That just means it's badly written.
You can enable\disable Bitlocker without affecting your OS or data and that's pretty low level and tied into the TPM (if you have one) so this new "feature" is just a sales tactic.
Most corporations are likely still on Windows 10 and will not upgrade to Windows 11 for at least another year, if not just let their computers run Windows 10 until 2029 when LTSC support stops.

And likely the reason for a reset is that this feature needs a baseline of trust established and the system to be at that baseline when the feature is enabled. If you assume that whatever you have in the system is trustworthy, if there's a rogue actor in there somewhere, then a blind eye will be turned when that rogue actor does something that's actually suspicious. But if you have some better way to do this, by all means, tell it to Microsoft.

And Bitlocker doesn't require an OS reinstall because it's an encryption/decryption feature. It doesn't need a level of trust established outside of not using a compromised private key.
 

david germain

Distinguished
Apr 14, 2013
50
17
18,535
Is it just me or does this feel like a magic button for a Gov agency under pressure from MSM.
To blacklist certain apps that don't toe the line with whatever the current messaging is.
I can see developers testing new apps being screwed over as well. E.g. if you don't dev on MS approved cloud app authentication then no apps for you.
It sounds great - but I think it's going to be abused...
 

david germain

Distinguished
Apr 14, 2013
50
17
18,535
This doesn't bother me. I don't download or use any MS apps and remove the ones it installs by default. Don't care.
This will apply to all apps at some point. Like playing Steam indie games. MS does not have an auth code for it. App won't run/install would be my guess.
 
Is it just me or does this feel like a magic button for a Gov agency under pressure from MSM.
To blacklist certain apps that don't toe the line with whatever the current messaging is.
I can see developers testing new apps being screwed over as well. E.g. if you don't dev on MS approved cloud app authentication then no apps for you.
It sounds great - but I think it's going to be abused...
It's a feature that the user will have to enable, if you want to be safe you use it, if you just have a gaming pc that has nothing important on it then you don't enable it and run whatever you want.
If the next Windows comes with this enabled with no way to turn it off then yes, then we will have problems.
 

david germain

Distinguished
Apr 14, 2013
50
17
18,535
It's a feature that the user will have to enable, if you want to be safe you use it, if you just have a gaming pc that has nothing important on it then you don't enable it and run whatever you want.
If the next Windows comes with this enabled with no way to turn it off then yes, then we will have problems.
How long until you have to enable it to access Office 365 so it can scan macros or something, or you no longer can get updates to Defender or bug fixes. It's a slippery slope.
 

USAFRet

Titan
Moderator
Also, this only applies to us early adopters. Those who have installed in the 6 months since the OS was released.

Going forward, this will just be part of the ISO from MS, or already included in whatever preinstalled thing you buy.

This is not the end of the world.
 
How long until you have to enable it to access Office 365 so it can scan macros or something, or you no longer can get updates to Defender or bug fixes. It's a slippery slope.
Lots of people harp about the end of the world and how Windows is now dead to them. Take for example the FUD spreaders about how the Microsoft Store was going to kill Win32 app support and you have to get your apps from there.

That was basically 10 years ago.

Last I checked, I can still download, install, and run apps from any source.
 

TJ Hooker

Titan
Ambassador
Given that this is currently only available in an insider build, is it not at least plausible that the ability to whitelist/unblock apps will be added by the time the feature is formally rolled out?
 
Without the uproar, I seriously doubt we would still be able to. Microsoft would love to be the new Apple, with complete control over the ecosystem and their fingers in every pie.
They have complete control over the xbox and they still allow dev mode on that to anybody that has $20 so you can run a browser which allows you to run basically anything within it. This is aside from anything you can download straight away as UWP.
Given that this is currently only available in an insider build, is it not at least plausible that the ability to whitelist/unblock apps will be added by the time the feature is formally rolled out?
That would be the off mode. Either you want to be protected or not, there is no in-between. (do or do not there is no try)