Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Windows IT

New Windows 11 Security Feature Will Require a PC Reset (thurrott.com) 130

Microsoft has rolled out a new security feature called Smart App Control with Windows 11. From a report: "Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications," Microsoft vice president David Weston explains. "It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals." Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.
This discussion has been archived. No new comments can be posted.

New Windows 11 Security Feature Will Require a PC Reset

Comments Filter:
  • no thx (Score:5, Insightful)

    by redback ( 15527 ) on Friday April 08, 2022 @02:03PM (#62429590)

    so you can only run "trusted" apps?

    Trusted by whom?

    • Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

      So, Sauron's Eye.

    • Re: no thx (Score:5, Insightful)

      by RegistrationIsDumb83 ( 6517138 ) on Friday April 08, 2022 @02:09PM (#62429616)
      Trusted by windows store. This is yet another subtle push to strongarm devs into using it. They're hungry for that 30% fee everyone else is getting. Ugh.
    • dev's who pay the app store fee and give 30% of sales.
      Also this means no steam.

    • Re: (Score:2, Informative)

      by dbialac ( 320955 )
      I never saw it to be particularly necessary to upgrade to Windows 11. Now I a huge red flag telling me to never upgrade. Software developers, with Apple's lead, have lost track of the fact that these are my decisions, not theirs.
      • Re:no thx (Score:5, Interesting)

        by Aristos Mazer ( 181252 ) on Friday April 08, 2022 @03:08PM (#62429934)

        You're in the minority, I find. I thought my customers would rebel when my company started pushing forced upgrades. Instead the vast majority said "thank you for not making us think about it." Customers have handed the keys to their businesses over to us, essentially. We could shut them down tomorrow by rolling out a bad patch. Or just hold them hostage. It's stunning to me. And we aren't the only company gaining this power. I can only hope there's enough mutually assured destruction (our company relies on other software businesses) to prevent abuse.

        • by swilver ( 617741 )

          Well, here's a Fuck You then for not offering an option to disable updates completely.

          • They have that option. They stop upgrading at the last non-forced upgrade. Equivalent to staying at Windows 10.

      • by vux984 ( 928602 )

        Why do you think you won't be able to sign your own apps, or trust your own certs? Why do you think you won't be able to whitelist apps it flags?

        FFS, this is pretty much the exact same thing my Sentinel One antivirus does, except baked into "windows defender".

        This is a 'huge red flag'? /eyeroll

        • by tepples ( 727027 )

          Why do you think you won't be able to sign your own apps, or trust your own certs? Why do you think you won't be able to whitelist apps it flags?

          Windows already doesn't let you trust your own certs for Kernel Mode Code Signing (KMCS) since Windows Vista 64-bit back in 2006. Nor do Microsoft's Xbox, Xbox 360, Xbox One, and Xbox Series platforms (which run variants of the Windows OS) let you sign your own games without paying a substantial fee.

    • by SirSlud ( 67381 )

      you can run any app, because you can turn it off

      i dunno how many "other peoples'" pcs you've looked at, but there are a whole class of users for which the right answer to "trusted by whom" is "anybody other than them"

    • Re:no thx (Score:5, Informative)

      by torkus ( 1133985 ) on Friday April 08, 2022 @03:46PM (#62430124)

      so you can only run "trusted" apps?

      Trusted by whom?

      We run something similar (via 3rd party) at work. While it provides some security. Probably. Maybe. What it actually does is screw up workflow for nearly everyone.

      MS forgets to sign a file in a windows update...oh great...computer spins on reboot for 15 minutes and finally removes the update.

      Logitech updates their stupid driver software and publishes...oh look thousands of flagged "bad software incidents"

      Someone wants a small utility for their workflow...nope...go spend hours justifying and getting approval.

      It's a nightmare.

    • so you can only run "trusted" apps?

      Only by default - it seems that you can turn it off. What seems more onerous is that if you upgrade to a version of Windows which has this feature you have to do a clean install i.e. no migration. So really this is just a large barrier to stop people with Windows 10 from upgrading to Windows 11.

    • M$'s war on general computing dates back to Palladium (which TPM descended from, which Windows 11 requires to run!)
    • No, you have the term "trusted" wrong: When you get a trusted app, you can trust that someone paid money to a commercial CA for a code signing certificate. OK, that someone could be the Russian mafia using your mom's credit card, but at least you can trust that money changed hands before the app will be allowed to run.
    • Comment removed based on user account deletion
  • by Dictator For Life ( 8829 ) on Friday April 08, 2022 @02:06PM (#62429602) Homepage
    If I have to be online in order to run Minesweeper, I’ll cry.
    • No.

      predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud

      If the app has a certificate that the OS trusts, the cloud is not necessary.

      • by torkus ( 1133985 )

        No.

        predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud

        If the app has a certificate that the OS trusts, the cloud is not necessary.

        Until MS forgets to sign a file in an update package. Again.

      • by tepples ( 727027 )

        Then it sounds like every program that you compile with MinGW or Visual Studio would need to get sent to Microsoft for evaluation with the "AI model".

  • Sure it is sort of that way now, but wait until every software and feature nickels and dimes you into a useless computer.
    • Sigh, Everything in the past 15 years has been one step closer to Software as a Subscription and making our computers "useless" according to Slashdot. Yet it still runs. Even when we use actual subscription software it still runs just fine.

      Just change your username from Fly Swatter to Boy Who Cried Wolf already.

    • Comment removed based on user account deletion
  • by ctilsie242 ( 4841247 ) on Friday April 08, 2022 @02:12PM (#62429628)

    Doesn't Microsoft check an executable with SmartScreen before it runs, similar to how Apple's GateKeeper works? I'm not seeing how this is much different, other than requiring a flush of everything on the OS for a clean slate.

    AI models are interesting, but that is already present. Most EDR/XDR/AV utilities have some form of AI in them for heuristics, and have had this for decades.

    More security isn't bad... but there are other places where the battle needs to be fought, and I don't see this really adding much. An app can be completely certified and trusted, but if something takes advantage of it and runs under its context, then the game is over... and with the massive amount of libraries that are used, especially in modern DevOps where someone will fetch an entire database engine to deal with some key:value pairs, supply chain attacks are inevitable no matter what.

    • by blahplusplus ( 757119 ) on Friday April 08, 2022 @02:37PM (#62429730)

      Doesn't Microsoft check an executable with SmartScreen before it runs, similar to how Apple's GateKeeper works?

      No trusted computing is about killing plaintext binaries that were the standard from 1960 to roughly 2010 before the mmo/steam generation of gamers/pc users gave up software ownership by buyin client-server infected games, operating sysmtes and apps for their PC's and iphones/androids.

      This is about turning your PC into a fully anti piracy device, for most of PC history, code wasn't "signed" they were just plaintext encrypted binaries. AKA honestly coded software. The new regime is to make new games/apps compile under a new executable model that denies you access to binary plaintext (aka when you opened a typical dos or game app in the 90's and early 2000's you could easily crack or get it up and running on emulators).

      Microsoft, the game industry and software industry more generally is finally putting the nail in the coffin for the personal computer and taking us back to mainframe computing of the 60's where you need permission from the software vendor in order to run your application, this isn't for anyone's "security" it's to hand control over the internet and our PC's to the media and content industries, so that files created by new programs will be signed/encrypted and watermarked so that they simply won't play pirated content because that content will be encrypted, aka no more ripping youtube videos, no more piracy.

      They are finally encrypting the input output of the entire system over time and windows 11 is the first big push into a totally locked down virtual environment where you the user will live under a hypervisor/os where you have no control over anything. That's why windows 10 has forced updates and why they killed BIOS and swithced to UEFI.

      UEFI was them bringing console like lockdown to the PC so they can brick your pirated software and hack your apps. You seem to be unaware that the entire software industry has been hacking our PC's since 1997 with the advent of mmo's and from 2003 onwards with steam.

      Once kids/adults started buying games/apps requiring user names and login accounts they gave every incentive to intel and microsoft to accelerate locking us out of our computing devices.

      https://www.cl.cam.ac.uk/~rja1... [cam.ac.uk]

      They are bringing denuvo the OS in a big way.

      See here, note that starcraf remastered and warcraft reforged and diablo 3 and compare them of the local apps of the 90's which you fully owned and controlled:

      https://old.reddit.com/r/Crack... [reddit.com]

      They have been in a massive war to dispossess your dumb ass of owning your own software to engage eventually in file extortion.

  • by JoeyRox ( 2711699 ) on Friday April 08, 2022 @02:14PM (#62429638)
    Rather than securing and hardening the OS against attacks they instead decided to just not let apps run at all, at least any app that doesn't have some magical pixie dust signature, which itself does nothing to prevent the app from being malicious other than making it slightly more difficult to disguise the identity of the malicious author.
    • by Junta ( 36770 )

      To be fair, the OS is reasonably hardened against attacks architecture wise (bugs come along and require fixes of course). It has at least a multi-user design and for their 'modern' applications, they have mobile-style capability permissions.

      Generally on par with a typical linux desktop setup under typical users. It has no way of knowing whether the user wanted this utility to encrypt their files or if a malicious third party is the one wanting to encrypt the files. In both Windows and Linux, there are m

      • It comes from the days with multiple users on the same computer, and wanting to protect one user from the other. Not relevant for decades.

        What is needed is protection from dubious applications. So that when I run dubious-app-X it can only access files that I explicitly let it (or its private area).

        Linux/Windows provides protection for the O/S files. But they are the least interesting files to any user. What counts is access to user files.

        iOS/Android sort of do this, but with a straight jacket.

        • by Junta ( 36770 )

          Of course, Linux has SELinux and namespaces (leveraged by flatpak for example to provide some more application isolation), so things are more sophisticated than the classical uid segregation. Also setuid has been largely replaced by more granular capabilities.

          The desktop is caught with the baggage of running applications in a way accustomed to open ended access, which has been a challenge, but decent work has gone into facilities to still carve it up in a secure way.

    • by SirSlud ( 67381 )

      the compute does things. software tells it what to do. an OS that is hardened against local software is an OS that doesn't do anything.

      "slightly more difficult"

      or significantly more difficult, depending on your parameters and how much of a barrier you deem reasonable, which is the point of security where making gaurding against maliciousness is an unachievable ideal and countermeasures are conscious decisions to strike the right balance between complexity, convenience of use, cost to implement, etc

      without t

  • by Fallen Kell ( 165468 ) on Friday April 08, 2022 @02:16PM (#62429646)
    Please, get the right terminology here. Most people will see "reset" and say, oh, you just need to hit the reboot button and it resets (remember, hardware manufacturers used "reset" for the button name on many devices for years, such as TV's, VCR's, DVD players, game consoles, etc.).

    What we really need here is a reinstallation of the entire system, including all software.
    • they are using the right terminology. type "reset" on the start menu and you will see "reset this pc". this has been going on for years.

      only really old timers will associate reset with a reboot.(because those beige pc cases had a big reset button) and these old timers are usually savvy enough to know windows had this feature

    • by dddux ( 3656447 )

      I'm all for reinstallation. Hell, I erased Windows and installed Debian instead 9 years ago and never looked back. I feel like a Joker, just laughing at all the people having new problems with Windows. They didn't notice the signs MS sent with the release of W8 and Microsoft Store and where those signs lead to. Shame is most of the people are just handcuffed to the Windows OS because they just don't know any better or haven't bothered to try [idiocracy type] and MS loves it.

    • Most people will see "reset" and say, oh, you just need to hit the reboot button and it resets

      No. Most boomers who think of computer terminology from the early 90s think that. The vast majority of people don't equate reset with reboot. They equate it with "factory reset" something they will have experienced any time they've needed a support call, any time they've updated their phone, or their latest gadget had an issue, or anytime they have done a "reset" on the now 7 year old OS that runs the overwhelming majority of devices on the market.

      I don't expect someone with a sub 7 digit UID to understand.

      • by dgatwood ( 11270 )

        Most people will see "reset" and say, oh, you just need to hit the reboot button and it resets

        No. Most boomers who think of computer terminology from the early 90s think that. The vast majority of people don't equate reset with reboot. They equate it with "factory reset" something they will have experienced any time they've needed a support call, any time they've updated their phone, or their latest gadget had an issue, or anytime they have done a "reset" on the now 7 year old OS that runs the overwhelming majority of devices on the market.

        In two decades of working in the software industry, I've literally never heard anyone use the word "reset" that way unless it was preceded by the word "factory".

        Then again, I've worked with only single-digit Windows users in all that time; almost everybody uses either Macs or Linux machines. So maybe Windows users have their own terminology that nobody else understands.

    • So, basically, what you are told to do anytime you call in with a problem where there isn't a known fix in the knowledge base? "Have you tried re-installing?"
  • by irchans ( 527097 ) on Friday April 08, 2022 @02:17PM (#62429652)

    Will I be able to compile my own code and run it? Will my code have to pass a security review before I can run it? Will I be able to give my executables to my friends so that they can run it?

    • by jenningsthecat ( 1525947 ) on Friday April 08, 2022 @02:49PM (#62429820)

      Will I be able to compile my own code and run it? Will my code have to pass a security review before I can run it? Will I be able to give my executables to my friends so that they can run it?

      I can foresee a time when you won't be able to do those things unless you're certified by Microsoft and are either an employee or are paying extort... 'scuse me, a monthly fee. BTW, by that time it won't be your code - you will have signed away some or all of your rights to it as part of your certification agreement.

      If this seems like an exaggeration, imagine how you might have reacted 15 years ago to the prospect of being subjected to advertising baked into an OS you paid for.

    • Yes, No, and Yes. The user control here is no different than Windows Smart Screen. And if you don't like it, turn it off. You can turn off every other security feature in Windows with the exception of Windows update and this one has control options in the Windows Security panel just like any other security feature.

    • by gweihir ( 88907 )

      That was my first thought as well. This sounds like they want to make all running of code not explicitly allowed by _them_ impossible. I don't think they can get away with pissing off any hobbyist and professional coder though.

    • Take a look at what happened to Java.

      I remember when Oracle made code signing mandatory, about the time I decided to start getting involved with Java (to update some old free applets). I downloaded the SDK, followed the directions exactly and compiled my first program. When I tried to run it, the runtime threw a tantrum and spit out tons of cryptic security errors. There was absolutely no information in the installation documentation that told me code signing was mandatory, how to do it, and what tools I

  • Itâ(TM)s things like this and the Trusted Platform Module that make me want to stick with Windows 10 and earlier.
  • Most Windows installations that ship with PCs are unusable out of the box anyway - they ship with unbelieveable amounts of OEM bloatware by default. The only sane way is to perform a full reset anyway. Besides, why would you ever trust someone else to install your OS?

    • by dddux ( 3656447 )

      First thing I do when I buy a new laptop - install a proper OS on it. And I try not to pay MS tax - that is buy it without an OS.

      • I was the same re the Windows tax, but buying without an OS has become nearly impossible recently, at least in Europe. The European law says that it's illegal to sell a laptop without an operating system, and only a selected few manufacturers (Dell, Lenovo) offer an option to ship with Linux, and usually only on higher-spec devices.

        • by dgatwood ( 11270 )

          I was the same re the Windows tax, but buying without an OS has become nearly impossible recently, at least in Europe. The European law says that it's illegal to sell a laptop without an operating system, and only a selected few manufacturers (Dell, Lenovo) offer an option to ship with Linux, and usually only on higher-spec devices.

          I'm pretty sure that's not correct. For example, Laptop With Linux [laptopwithlinux.com] is located in the Netherlands and sells laptops without Windows installed.

          Europe did, however, rule that consumers had no inherent right to buy computers without an operating system or to get a refund for an unused Windows license. And at least at one time, IIRC, Microsoft offered preferential pricing to companies that put Windows on all of their machines; I'm assuming that they still do. So why would manufacturers provide machines withou

          • I think the other part of the reasoning was that having an OS on a machine out of the box prevents piracy.

    • Yes and imagine you have spent a good deal of time getting not only your Windows set up the way you want as well as all your other software only for MS to hand this "F U"
  • by fahrbot-bot ( 874524 ) on Friday April 08, 2022 @02:21PM (#62429664)

    ... only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.

    So... you'll only be able to run programs *Microsoft* deems "safe" -- and are, most likely, current enough?

    ... you will have to use Reset this PC to reset Windows 11 and clean install it.

    Ya, no. Even now, pretty sure if I have to "reset" my Windows 10 system the PC will boot into Linux -- or I'll just switch to my existing Linux system full time early, instead of waiting for Windows 10 EOL. (I'm being *really* lazy about re-doing my Lotus files/spreadsheets in Libre Office. -- yes 123 and WordPro run fine on Windows 10.)

    • LibreOffice can't import those files? I'd think that this wouldn't be nearly as difficult as dealing with Microsoft's bloated formats.
      • LibreOffice can import the files and does a pretty good job with some things, but my 123 workbooks (multi-sheet spreadsheets) have charts/graphs and those get totally borked, along with some of the formatting -- same if I try importing them into Excel (2010). I'm just being lazy and know I'll have to bite the bullet at some point and work through the imports.

        • by dddux ( 3656447 )

          Chicken or the egg? Start using LibreOffice and ditch Office365 then the problem will look reversed.

          • Start using LibreOffice and ditch Office365 ...

            I'm actually still using Office 2010 -- probably won't ever upgrade Office again, unless a local install comes free somehow.

  • by sinij ( 911942 ) on Friday April 08, 2022 @02:30PM (#62429682)
    This sounds like Win11 may refuse to run some software without giving local administrator ability to bypass this. More so, it also sounds to me like like all software usage data will be sent to MS servers for analysis without a way to opt out. Is this accurate understanding?
    • That does seem to be accurate summary.

    • by dddux ( 3656447 )

      As the good old Monthy Python sketch goes "You never expect the Spanish Inquisition!" :)

    • This sounds like Win11 may refuse to run some software without giving local administrator ability to bypass this.

      What makes you say that? Their use of the word "by default" seems to imply that you will have the ability to bypass this. Their use of the phrase is also no different to how Windows Smart Screen currently works.

      Don't overreact like every other idiot every single time Microsoft is mentioned on Slashdot.

      • Their use of the word "by default" seems to imply that you will have the ability to bypass this.

        Given that turning on Smart App Control requires a factory reset of Windows, I'm guessing that turning it off also requires a factory reset. Someone who wants to use a particular unsigned application for Windows for the first time, such as a debugging console emulator, chiptune music composition tool, or other application developed by hobbyists, might not be prepared to perform the required factory reset any time soon.

        Their use of the phrase is also no different to how Windows Smart Screen currently works.

        Relative to the status quo, it sounds like the new state of affairs will be "Windows Smart

    • Cynically I think this is a way to eventually force users to use Windows Store Apps instead of local applications. If every future update like this requires a reinstall but Windows Store Apps settings are downloaded from a MS Office 365 cloud account, MS makes it more and more inconvenient to use anything but apps that you have to get from them.
  • If this shit prevents me from using normal apps (you know, none of that app store crap), it will be the final straw for me to migrate to Linux, even with all the flaws it has as a desktop.

    That is my hardware, my rules. The operating system should be there to help, not to get in the way enforcing RIAA or MPAA rules.
    • by dddux ( 3656447 )

      I don't find any flaws with MATE desktop. On the contrary - it's so much easier to use, fast, looks tidy and normal, not like some psycho designed it.

  • by eepok ( 545733 ) on Friday April 08, 2022 @02:34PM (#62429716) Homepage

    Absent a guarantee that this REINSTALL of Windows 11 will automatically re-install all the software I've already installed and re-assert all the settings I've made, I'm probably not going to allow this on my machine. I've put *so many hours* and actual broadband bandwidth into getting to this point with my Windows 11 install, that, given my personal risk factor, it's just not worth it.

    I means seriously... a clean install is a massive ask of so many users. Games, software, registry hacks, custom this or that... jeez.

    • by SirSlud ( 67381 )

      it goes without saying that this is something that most users, and even more so power users, will not do (nor really be expected to do) .. and most power users will probably just turn it off, so .. shrug

    • by dddux ( 3656447 )

      I just wish Windows 11 will be a final nail in MS coffin. It's incredible how much can Windows users take into their behinds, though, so I don't think that's gonna be the case.

  • by jonwil ( 467024 ) on Friday April 08, 2022 @02:40PM (#62429750)

    I don't want Microsoft telling me I can't run the apps of my choice (including all the stuff I write myself and all the old software I choose to run)

  • Imagine having to reimage a machine every time something goes wrong despite your best efforts. How many hours each week will be spent reimaging machines and reinstalling software?

    Even better, home grown software may not run if it's not properly signed or if Microsoft determines it's not safe.

    • by SirSlud ( 67381 )

      it's an optional feature, which you can turn off

      to turn it on, it has to start with a fresh install

      you don't need to do a fresh install if it "flags" something, which I think is what you seem to be under the impression of

    • Imagine having to reimage a machine every time something goes wrong

      Isn't that the most efficient way to handle Windows? Just have some spares and reimage them as necessary? It certainly cuts down on the man-hours. You can never know if you've really wiped Windows' ass for it properly if you do anything else.

  • So basically they are trying to crater the one reason anyone still runs Windows - you can find an app that does what you need basically anywhere, install it, and double-click it.

    No thanks, I'll stay with a computer that does what I want, rather than asking permission to do what Microsoft wants.

  • by wakeboarder ( 2695839 ) on Friday April 08, 2022 @03:28PM (#62430046)

    Windows 11 is the thing that can't be trusted, I used to be fine with windows as a primary computing environment

    • by dddux ( 3656447 )

      Using some derivative of Linux and a nice desktop of your choice is quite liberating. You should try it sometimes. Windows is the underdog I have to use sometimes for making audio and nothing else. I get stomach cramps every time I have to make music in Windows. And I still use W7. Looking into lite and cut down alternatives of W10 currently. Just for making music. I love to cut the guts from Windows, everything that has nothing to do with making music or editing videos. Man it works so much better that way

  • It only means it hasn't been done before on consumer machines

    Oh well, kinda hope my video editing software will run on BSD some day

  • Wow, DRM built right into the OS for ya. Basically going to be scanning your computer for unauthorized stuff and also make it really hard to run whatever they say you can't.

    Pretty lame. How do developers test stuff, maybe in development mode or something? Self signing seems like it would be self-defeating.

    I'll just enjoy Linux and when I stop caring about games, BSD (unless it's finally dead by then)

    • by tepples ( 727027 )

      How do developers test stuff, maybe in development mode or something?

      If it's anything like developing for a video game console, you form an LLC, buy a development mode certificate, and remember to buy renewals therefor.

  • This is starting to sound to me like smartphones: you can't just run any apps on it, it has to come from some 'app store', which curates what you can and can't have. In this case it'll be just Microsoft and it's 'business partners', I'm sure. Just one more reason I'll never go back to Windows.
  • Still no cure for malicious Excel and Word macros.
  • This Microsoft ATP zero trust shit doesn't work unless you have a full-time surveillance team on the job. This is the correct way of doing security.

  • With each update, they add more and more anti-consumer, privacy eroding features; one at a time. Consumers are the proverbial boiling frog.
  • App allows access to "disinformation"? Sorry, you can't run this app. App uses forbidden words? Sorry, you can't run this app. App uses wrong pronouns? Sorry, you can't run this app....

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...