This blog article covers Smart App Control (SAC), the new security feature in Windows 11 22H2, and gives first impressions as well as recommendations.
- What is Smart App Control (SAC)?
- How does Smart App Control (SAC) work?
- How do I activate and configure Smart App Control (SAC)?
- What are the first impressions?
- My recommendations
What is Smart App Control (SAC)?
Smart App Control (SAC) is a new Windows 11 security feature that was rolled out with the September 2022 feature update (22H2). It blocks malicious, untrusted or unsigned applications. The feature is designed to help prevent scripting attacks and to protect users from running untrusted or unsigned applications, which are often associated with malware or attack tools. The target audience is private individuals and small businesses.
How does Smart App Control (SAC) work?
Smart App Control (SAC) relies on a cloud-backed AI model that predicts whether an app is safe, built on the 43 trillion security signals Microsoft collects daily. If the model is confident the app is safe, it is allowed to run; if the model believes the app is malicious or potentially unwanted, it is blocked. Whether the app carries a valid code-signing signature weighs heavily in that decision. If the model cannot make a confident prediction either way, SAC falls back to the signature check: an app with a valid signature is allowed to run, while an app that is unsigned or whose signature is invalid is considered untrusted and is therefore blocked.
How do I activate and configure Smart App Control (SAC)?
The most important point first: Smart App Control (SAC) can only be used on new (clean) Windows 11 22H2 installations. If a device that was already running received 22H2 as a feature update, you can only enable SAC by resetting the client or reinstalling Windows 11.
The second most important point: currently there is no way to bypass SAC protection for individual apps, so no exclusions can be added. The policy and its rules are determined by Microsoft alone; you have no influence on them and can only switch SAC on, switch it off, or leave it in evaluation mode.
You can find the settings for SAC in the App & browser control section of the Windows Security app, or you can simply enter “Smart App Control” in the Windows search:
Settings – Privacy & security – Windows Security – App & browser control – Smart App Control – Smart App Control settings.
SAC knows only three possible states and setting options: On, Evaluation and Off.

| State | Behaviour |
| --- | --- |
| On | SAC is enabled. Malicious or untrusted applications are blocked. You cannot go back to the Evaluation state; once the feature has been switched on, only “Off” can be selected afterwards. |
| Evaluation | Default setting for a newly installed device. In the Evaluation state, Windows determines whether you are a good candidate. For Microsoft, a good candidate is someone whose applications are not blocked by SAC all the time. If you are a good candidate, SAC is enabled automatically; if not, it is turned off. Smart App Control does not block anything while it is in evaluation mode. Once the evaluation is complete, or if you manually switch Smart App Control On or Off, you cannot return to evaluation mode unless you reinstall or reset Windows 11. |
| Off | SAC is disabled. Once deactivated, it cannot be reactivated unless you reinstall or reset Windows 11. |
When SAC is switched on, the already familiar “Reputation-based protection” components are activated automatically. This is indicated by the remark “This setting is managed by Smart App Control” next to those settings.
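The Windows Security app only shows the current state and the individual block pop-ups. The following PowerShell snippet is an added example and not part of the original post; it reads the SAC state and lists recent Code Integrity block events so that you can see which files the policy stopped over the last week. It assumes that the state is stored in the DWORD `VerifiedAndReputablePolicyState` under `HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy` (0 = Off, 1 = On, 2 = Evaluation) and that enforced blocks are written as event ID 3077 (3076 being the audit-only counterpart) to the `Microsoft-Windows-CodeIntegrity/Operational` log with `File Name` and `Process Name` data fields. Verify both assumptions against your build and run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original post. Assumptions (verify on your build):
#  - The SAC state lives in the DWORD VerifiedAndReputablePolicyState under
#    HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy: 0 = Off, 1 = On, 2 = Evaluation.
#  - Enforced SAC blocks are logged as event ID 3077 (3076 is the audit-only
#    counterpart) in Microsoft-Windows-CodeIntegrity/Operational, with the blocked
#    file in the "File Name" data field and the loading process in "Process Name".

$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$stateNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Evaluation' }

$item = Get-ItemProperty -Path $policyKey -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output 'VerifiedAndReputablePolicyState not found: SAC is not available on this build.'
} else {
    $raw  = [int]$item.VerifiedAndReputablePolicyState
    $name = if ($stateNames.ContainsKey($raw)) { $stateNames[$raw] } else { "Unknown ($raw)" }
    Write-Output "Smart App Control state: $name"
}

# Pull the last seven days of Code Integrity events and show what was blocked,
# which process tried to load it and which policy fired.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = @(3076, 3077)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Code Integrity events 3076/3077 since $since."
} else {
    $events | ForEach-Object {
        # The interesting fields are only in the event XML, not in the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Mode        = if ($_.Id -eq 3077) { 'Enforced' } else { 'Audit' }
            BlockedFile = $data['File Name']
            Process     = $data['Process Name']
            Policy      = $data['PolicyName']
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

The block table is what the Windows Security pop-ups do not give you: the full path of the blocked binary, the process that tried to load it (useful when a service like Defender for Endpoint is the one loading an untrusted DLL) and the policy name, which tells you whether SAC or a WDAC policy of your own was responsible.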
What are the first impressions?
Smart App Control (SAC) sounds like a very exciting evolution of AppLocker and Windows Defender Application Control (WDAC) that can be used by both individuals and small businesses. Although WDAC and especially AppLocker have been available for years, I have rarely found either technology in use in companies. The main reason was always that the implementation takes a lot of time and resources and that the allow list has to be maintained continuously. That is a pity, because the security gain is huge once such a solution is in place. SAC’s security concept brings both benefits and disadvantages. The clear advantage is that you no longer have to invest time and resources in an allow list. However, since you currently cannot define any exceptions, you are forced to sign all self-developed applications with a valid certificate, and you are dependent on Microsoft, who alone determine the rules. SAC is certainly appropriate for users who download and work with a large number of files as part of their daily routine.
I evaluated SAC on two test clients over a period of several days. For both clients, I started with the “Evaluation” mode as recommended by Microsoft. After that, I performed everyday tasks on both clients, such as surfing the Internet and working in Office. One day later I checked the status and the evaluation on both clients. The state had been set to “Off” without any feedback. The evaluation mode is unfortunately not really transparent at the moment (yet), because you can’t really track why Microsoft thinks you are not a good candidate, since there is neither a log, a report nor any documentation about it. So I reinstalled both clients and set SAC to “On” right after the fresh setup to see which applications are blocked, in order to understand why the evaluation was negative (not a good candidate) during the first test. I was enlightened after the first few seconds, because the first block message from Smart App Control appeared. SAC immediately reported unknown DLLs used by the Microsoft Defender for Endpoint service. I set up both test clients with Autopilot and Microsoft Intune, and I always use Microsoft Defender for Endpoint. However, I did not expect that one of Microsoft’s own services would be blocked. Surprisingly, other Microsoft products such as Windows Terminal and Paint.NET were also blocked. Windows Terminal could still be used despite the messages, but Paint.NET could not be started at all. If you take a look at the Microsoft Feedback Hub and filter for problem reports regarding “Smart App Control”, you will see that other trusted applications such as an Intel driver update, WSL (Windows Subsystem for Linux) or Oracle are currently blocked as well. It was also interesting to observe that the admin tool MakeMeAdmin could be used at first, but no longer a few days later.
SAC is certainly one of the most important and interesting new Microsoft security features and has a lot of potential for the future. Currently, however, too many trustworthy applications and even Microsoft’s own components are blocked, so in my opinion the feature cannot be used in production at this time. For enterprises, the better strategy is currently to use Microsoft Intune in combination with Windows Defender Application Control (WDAC) or AppLocker to control which applications are allowed to run on workplace devices.
If you want to test SAC yourself, I recommend using a test client and activating the feature right at the beginning. This way you immediately see which applications are blocked and get a quick overview of whether using SAC currently makes sense for you. Starting with the evaluation mode doesn’t make sense to me, because you have no idea which applications would be blocked and are left completely in the dark.
If you already know that you are using several applications that do not carry a valid code-signing certificate, the first step is to get all of those applications signed (sign self-developed applications yourself, and ask vendors for signed builds of third-party ones). Until that is done, enabling SAC makes no sense in any case.
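Because SAC falls back to the code signature whenever its model is undecided, the practical pre-check before enabling it is an inventory of unsigned binaries. The following PowerShell function is an added example, not code from the original post. It walks a set of folders, checks the Authenticode signature of every executable, DLL, driver, installer and PowerShell script it finds, and returns the files SAC would not be able to trust on signature grounds. The default folders are assumptions; point it at wherever your in-house and third-party software is installed. One caveat, also noted in the comments: `Get-AuthenticodeSignature` validates against the local machine’s trust store, so a file signed with a certificate that is only trusted locally (for example a self-signed test certificate) reports Valid here even though SAC applies its own trust and reputation rules. Treat the NotSigned results as the definite to-do list.

```powershell
# Added example, not part of the original post. The default folders below are
# assumptions; adjust them to where your software actually lives.
function Get-SacSignatureReport {
    param(
        [string[]] $Path = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA\Programs"),
        [string[]] $Extension = @('.exe', '.dll', '.sys', '.msi', '.ps1')
    )

    $files = foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() }
    }

    foreach ($f in $files) {
        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # Caveat: "Valid" only means the chain validates against THIS machine's
        # trust store. A self-signed or locally imported certificate passes here
        # but does not give the file the signature trust SAC relies on.
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        [pscustomobject]@{
            Path   = $f.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Detail = $sig.StatusMessage
        }
    }
}

# Usage: build the report, summarise per status, and save every file that would
# fall through SAC's signature check to a CSV as the signing to-do list.
$report = Get-SacSignatureReport
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

$unsigned = $report | Where-Object { $_.Status -ne 'Valid' }
$unsigned | Sort-Object Status, Path | Format-Table -AutoSize
$unsigned | Export-Csv -Path "$env:USERPROFILE\sac-unsigned-files.csv" -NoTypeInformation
```

Run this on a representative client before switching SAC on. A HashMismatch entry is worth a second look on its own, because it means a signed file has been modified after signing, whether by a patcher, an in-place update or something less benign.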
I would like to conclude by summarizing the 5 most important key takeaways:
- Smart App Control (SAC) blocks malicious, untrusted or unsigned applications and uses an AI model together with code signing to decide whether a process is safe to run.
- A freshly installed Windows 11 22H2 is required to use Smart App Control (SAC). On existing installations, you won’t be able to turn SAC on unless you reinstall or reset Windows 11.
- Currently, no application exclusion rules can be defined. The rule set is determined by Microsoft alone.
- SAC knows only three possible states and setting options: On, Evaluation and Off. From my point of view it makes the most sense to start with the “On” mode right at the beginning, so that you know immediately which applications are blocked.
- With too many trusted applications currently being blocked by SAC, the better strategy for enterprises is to use Microsoft Intune in combination with Windows Defender Application Control (WDAC) or AppLocker to control which applications are allowed to run on workplace devices.
Now I would be interested in your experience with Smart App Control (SAC). Feel free to ask me questions or share your personal experiences in the comments.