Microsoft is releasing a major security update to Windows 11 that could theoretically block malicious applications completely. It's such a fundamental change in the operating system that it will require a reset and clean installation of Windows.

At the moment, most of the built-in security on Windows uses two main approaches. One is to scan any files or links the user wants to open or download, then alerts the user if they match any know threats. This is referred to as file and link scanning. The other is to scan files on the hard drive to look for anything suspicious. This is usually done in an automated fashion (schedule scan) or a manual scan initiated by the user.

Smart App Control goes beyond all of that as it's built directly into Windows "at the process level", meaning it can control which applications are running at any given moment.

Smart App Control Uses AI Model

An application can get approved in two ways.

One is that it has a code certificate (a digital signature) that proves it comes from a trusted source. The other is that Microsoft gives it the thumbs up after assessing it through an artificial intelligence model. Microsoft says this model is updated "24 hours a day [based] on the latest threat intelligence that provides trillions of signals." (Source: microsoft.com)

The feature will be included automatically on all new Windows 11 machines. It's not clear yet if users can switch it off, though it would certainly be unpopular if that's not the case. As solid as this feature looks in principle, it's going to be incredibly frustrating if it blocks legitimate applications that it has mistakenly labeled a risk - especially if the user has no way to disable it.

Clean Reinstall

For machines already running Windows 11, the feature is too much of an overhaul to install through a normal update. Instead, the user will have to reset the computer and carry out a clean installation of Windows 11. (Source: pcworld.com)

That's certainly less of a hassle than with some previous versions of Windows and it's relatively straightforward to do without losing any personal documents. However, it's still a big ask for casual users, particularly the ones who might benefit the most from automated security features that work in the background without any need for active configuration.

What's Your Opinion?

Is this a smart feature to add? Do you trust it will correctly identify rogue and legitimate applications? Would you be willing to do a fresh Windows install to get the feature?