New Windows 11 Security Feature Will Require a PC Reset (Is this a Great Reset? Maybe...)

Thurrott.com ^ | Apr 7, 2022 | Paul Thurrott

[dayglored]

“Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications,” Microsoft vice president David Weston explains. “It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, ...

our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

...Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.”

Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.

[freeandfreezing]

That’s one way to weed out apps that are conservative in nature.

Microsoft already does a tremendous amount of intrusive analysis of your actions on their software. As one example, if you use Microsoft Word and put images into a document that you created by taking a screenshot Word will provide an AI generated text description of the image that is associated with the image.

Supposedly it saves you time in captioning the image, but in reality the Office code is sending the image you created off to some AI based server that tries to describe what it sees in the picture. Who knows what else they do with that data.

If you are not on the internet that feature vanishes.

Some of the image analysis is quite good, which makes it even more problematical.

So basically when you add an image to a document some Microsoft server code is examining the image and determining what it is an image of.

[daniel1212]

That's just one aspect in protection (including from users acting as owners to customize):

Here’s a look at what’s coming to Windows 11 to help our customers ..Microsoft Pluton: Built on the principles of Zero Trust,..First, Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component....the Pluton firmware is developed by the same Windows team that builds the features that use it, like Windows Hello and Bitlocker.

Smart App Control is a major enhancement to the Windows 11...Smart App Control only allows processes to run that are predicted to be safe.. Smart App Control will ship on new devices with Windows 11 installed

Enhanced phishing detection and protection with Microsoft Defender SmartScreen:..The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen

Credential Guard by default: Windows 11 makes use of hardware-backed, virtualization-based security capabilities to help protect systems from credential theft attack techniques... Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.

Additional protection for Local Security Authority (LSA) by default:..additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices

new Personal Data Encryption coming to Windows 11..To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials

Config Lock...This feature, already in Windows 11, monitors registry keys through mobile device management (MDM) policies.. If Config Lock detects a change in registry keys, it will automatically revert the impacted system to the IT-desired state in seconds.

In the next Windows 11 release, HVCI will be enabled by default on a broader set of devices running Windows 11..helps ensure that all drivers loaded onto the OS are signed

New security features for Windows 11 will help protect hybrid work

[dayglored]

> If today you have a Windows 11 machine you have a choice

That's entirely correct.

The point of this article is that when you buy a new computer -- it will be set up that way by default. You WON'T have a choice, at least not a pleasant one.

> today anyway

Correct.

[Revel]

Digital tech is probably what is refereed to in the bible as “The Beast”.

[algore]

The surface go 3 is a small tablet made by microsoft for win 11

I am forced to use it because many websites do not work on my RT Surface, which while it IS a total walled garden trusted device, and has a better interface it is now not supported and I cannot get a browser, nor can I root it, many have tried but :(

P.S The Surface go 3 is much worse at having a good windows touch interface, and you have to buy an upper spec one if you want to run android apps.

[Pollard]

Yeah, would seem a hardware failure. Just weird that they both had the same issue in a 24 hr span. I’ll have to download the Lenovo Hardware Maintenance Manuals for them so I can take them apart without breaking any plastic and remove modem, network card etc and keep narrowing things down. These things don’t even have consumer removable batteries so I don’t know if it’s safe to power them up without one or what it takes to remove them.

[daniel1212]

"If today you have a Windows 11 machine you have a choice You can Wipe your Machine and after that it will only run ‘trusted’ software. If you do nothing it will work the way it always has."

That is now, but just as W/11 requires TPM 2.0 (Trusted Platform Module) - even if there is still a hack around it - reading of their plans (see above post) indicates forcing renters (which is what a user is) to comply with what MS deems is best.

[algore]

Let those who have understanding calculate the numbers of the Beast, for IT are numbers of Man.

That is the correct translation as far as I can tell

[dayglored]

Windows, like Macintosh, and even some Linuxes (Ubuntu), is rushing headlong towards increasing restrictions, in the name of "security" and "safety".

I understand it, and I recognize its utility for the masses. But there are times when I prefer "the animating contest for freedom", in Samuel Adams' words, and wish they'd just leave me to care for my own defense.

[Captain Peter Blood]

Oh I am so glad I bought a Apple MacAir last year, the updates are easy and the computer works great.

[Tolerance Sucks Rocks]

our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

Eeeehhhhhh, ferrrrrrrk yerrrrrrrr, Microsoft. Why can't we make that choice? Will FR be "bad code" under their standards?

[Tolerance Sucks Rocks]

I’ll just stay with the version of Windows 11 that I have.

[bitt]

p

[Tolerance Sucks Rocks]

Oh, I’m sure the corporate scum will be happy to weed out conservative (and some leftist) apps, too. ESG/DEI/etc., you know.

[algore]

it was an easy choice for me, I had to go to control panel, check a box an reboot.

It will be the same for many years.

This is aimed at corporate users, and id10t users.

In an education or corp setting will be enforced by group policy.

(assuming the sysadmins know what they are doing.)

There is a lot of risk in a Corp environment

[dayglored]

> In an education or corp setting will be enforced by group policy. (assuming the sysadmins know what they are doing.) There is a lot of risk in a Corp environment

Well I know.

I'm a sysadmin (devops eng, but whatever) in a corp environment.

[daniel1212]

As one who seeks more efficient operation of the desktop, this means customizing over what MS defaults, which I think will become more difficult in the future. I am not looking to go back, but one major change after XP is the divestiture of much of the appearance settings in later OS versions. W/11 (which i just upgraded to) is no different, and as with the Start menu the interface is worse. However, per usual, there is much tested freeware to enable extensive easy customization, such as,

Like Open Shell, download Open Shell (click on Releases>Latest on middle right side) to replace the mobile device W/11 start menu, and there is Explorer Patcher that restores the Windows 11 taskbar to be exactly like Windows 10, while Windows 7+ Taskbar Tweaker (I am using the beta ver.) provides more customization.
Then there are the over 200 tweaks available in Ultimate Windows Tweaker 4 and now there is Ultimate Windows Tweaker 5 for Windows 11 from the Windows club.

Add to this the many Winaero features of the Winaero Tweaker

Add to this is Right-Click Extender (add items to many right click menus), while T-Clock Redux works in W/10 (far better than the default) but not W/11 as yet.

I think that a simple right click on the desktop should provide a visible GUI menu with submenus listing access most every setting, but instead the trajecory seems to be to make desktops more like mobile devices (though I advocate quick GUI access to most everything on these also). But which is not the case in Windows, apart from customization, nor in the many Linux distros I have found (which can be more of a problem).

But thank God for the tools we have to be used for Good and the glory of God, and for those who provide them.

W/11 Default Start menu>All apps

Versus OpenShell W/11:

Right Click Extender (some additions):

7+Taskbar Tweaker (stacks open pages from same source, etc.):

Device manager still the same (good!):

[daniel1212]

"Was it Windows?"

No: it sounds more like memory or the mobo if you cannot even got a screen.

[A Navy Vet]

Forget the power button. Some times it’s best to just pull the power cord and leave it off for a couple minutes. Most every electronic device will do a full reboot that way.

[Mr Rogers]

“Windows 11 users may configure Smart App Control by running a search for “Smart App Control” in the search box.”

I just got a new computer (old one died hard). It only took a moment to turn off smart app control. It also came with a setting that only allowed MS approved software to be installed. The box had instructions printed on the outside explaining how to remove that restriction.

Remember, a LOT of people do very, very little with a computer. My wife would be far better off using a computer with those features. She’s a computer nightmare, capable of crashing a machine just by walking near it. She isn’t allowed to use MY computer!