The topic of Microsoft finally let us turn off Smart App Control, and I’m turning it off… is currently the subject of lively debate — readers and analysts are keeping a close eye on developments.
This is taking place in a dynamic environment: companies’ decisions and competitors’ reactions can quickly change the picture.
Smart App Control (SAC) helps protect your Windows system by blocking unsigned or unrecognized apps from running. When you launch an executable, SAC queries a cloud-based database to check its reputation score. If the app clears Microsoft’s reputation threshold or if it has a valid signature from a trusted certificate authority, then it’s allowed to run. Otherwise, SAC blocks it.
This is a great feature in theory and undoubtedly saves many users from unwittingly running nefarious software. But the problem with SAC is the way Microsoft chose to implement it. Three years after its debut, we’re only just now getting a way to disable SAC without turning it off permanently. Previously, it was only a one-way off switch: once you flipped it, you’d need to reinstall Windows to get SAC back on.
Whenever SAC flags an executable as questionable, there’s no “run anyway” button to dismiss the warning and proceed. It doesn’t even matter if you know for sure that the app is safe; SAC doesn’t care about your judgment, only its own. As a user encountering the warning, the next logical thought is to disable SAC temporarily, right? But that was impossible until a recent update. You’d need to disable SAC permanently, giving up future protection just so you can bypass the warning about a program you know to be safe.
Even worse, sometimes safe and widespread software gets flagged by SAC. Asus’s Armoury Crate software, which comes bundled with the manufacturer’s devices and allows users to control essential parts of their computer, was being blocked by SAC at one point. SAC’s enforcement is strict, which is great for users who don’t pay much attention to what they download and need that watchful eye to keep them out of hot water. But for anyone running custom tools, home lab software, or obscure programs that fly under Microsoft’s radar, SAC becomes more of an obstacle than a security feature.
Microsoft has finally addressed the problem by giving us a proper toggle for Smart App Control. You can find it in Windows Security under App & Browser Control -> Smart App Control settings. SAC itself, the way it works and makes decisions on what’s potentially unsafe, hasn’t changed at all. What has changed is that users can now disable SAC whenever they need to, and turn it back on afterward without the OS forcing you to perform a factory reset. In practice, that means you can disable SAC, run the installer or script you need, and re-enable it right after, without needing to make an irreversible decision. That’s conceptually much different from the original implementation, where disabling SAC meant you never got to use it again.
Bundled in the same update, Microsoft gave us a way to see everything that SAC blocks. In Event Viewer, the records are stored under Microsoft -> Windows -> CodeIntegrity. Event ID 3076 covers evaluation mode (things SAC would’ve blocked, but didn’t), and 3077 covers active enforcement blocks. It’s a subtle update compared to the new toggle, but proves handy to check what SAC has quietly blocked from running in the background. Previously, there wasn’t an easy way to audit which programs it was preventing from running.
The original no-toggle policy actually did have some logic behind it. Microsoft wasn’t just dangling the keys to our system in front of us for the fun of it, believe it or not. The thought process behind the original implementation was that once malware plants itself on your PC, re-enabling SAC isn’t going to help you. As a matter of fact, it may do just the opposite by giving you a false sense of security. Microsoft wanted you to acknowledge that opening up your computer to dubious executables is a one-way street, and the system can’t be reliably secured once you’ve permitted them to run.
Maybe that made sense on paper, but the reality is that there are plenty of users who need to run unsigned scripts and self-compiled tools that they can vouch for, and they were being forced to permanently disable an important feature that helped keep their system safe. Building a consumer feature this inflexible was shortsighted, to say the least. And in typical Microsoft fashion, they sat on three years of user feedback before finally listening. Adding the toggle was the right move, and the additional SAC logging in Event Viewer is a welcome change.
Between Defender, my custom firewall rules, and a general ethos against running potentially harmful programs from the internet, I don’t need a cloud gatekeeper second-guessing the software I’ve deliberately chosen to put on my system. What I did need was the choice to toggle features on or off, and I finally got one for SAC. Now that the toggle exists, turning it off has turned into a simple configuration decision rather than a one-way door.
Why it matters
News like this often changes audience expectations and competitors’ plans.
When one player makes a move, others usually react — it is worth reading the event in context.
What to look out for next
The full picture will become clear in time, but the headline already shows the dynamics of the industry.
Further statements and user reactions will add to the story.