Smart App Control Was Windows 11's Worst Restriction, and Microsoft Just Quietly Fixed It

Smart App Control (SAC) arrived with Windows 11 version 22H2 as a cloud‑backed gatekeeper, mirroring Apple’s Gatekeeper by checking digital signatures and reputation before launching binaries. Leveraging Windows code integrity and Microsoft’s app‑intelligence service, it aimed to stop malicious or untrusted executables without user intervention. For enterprises and consumers alike, the feature promised a silent, proactive layer of protection that could reduce reliance on third‑party antivirus solutions. Early adoption was strong, especially among security‑focused organizations that valued a built‑in, centrally managed control point.

The initial rollout, however, exposed a usability nightmare. SAC offered no per‑app overrides, “allow once” prompts, or clear explanations for blocks, forcing users to either accept the restriction or disable the feature entirely. Worse, once disabled, the only path to re‑enable SAC required a clean Windows installation or a full system reset, a step most users were unwilling to take. This rigidity alienated open‑source developers and power users, who frequently need to run unsigned tools, and it sparked criticism that Microsoft had traded security for inconvenience.

Microsoft’s response arrived in Insider build 26220.7070 and rolled out to Windows 11 24H2/25H2, adding a simple toggle to switch SAC on or off without reinstalling the OS. The update also introduced detailed logging in the Code Integrity Event Viewer, exposing Event ID 3076 and 3077 entries for evaluation‑mode and enforcement blocks. While the toggle resolves the reset issue, the core limitation—absence of a per‑app allow‑list—remains, leaving developers to manually parse logs for workarounds. Analysts expect further refinements, as a flexible exception model would align SAC with Microsoft’s broader Zero‑Trust strategy.