Application Signed and Blocked by Smart App Control: How to Fix It on Windows 11

You just downloaded a perfectly legitimate app, double-clicked the installer, and Windows threw up a wall: "Smart App Control has blocked an app that may be unsafe." Even worse, the app is signed, you trust it, and there's no obvious "Run Anyway" button like you'd get with a normal SmartScreen warning. If that sounds familiar, you're in exactly the right place. I'm going to walk you through exactly what's happening, why even signed apps get blocked, and every practical way to get your application running again without compromising your system's security.

What Is Smart App Control, and Why Is It Different from SmartScreen?

Before we dive into the fixes, it helps to understand what you're dealing with, because Smart App Control (SAC) is not just a renamed version of Windows SmartScreen. They're fundamentally different beasts, and confusing them is why most generic advice online doesn't actually work.

Smart App Control was introduced in Windows 11 22H2 (the October 2022 update) and operates at the kernel level using Windows Defender Application Control (WDAC) policies. It intercepts applications before they even get a chance to execute. Unlike SmartScreen, which shows you a warning and lets you click through, SAC enforces a hard block. There is no "More info" link. There is no "Run anyway" button. When SAC blocks something, it stays blocked, unless you take deliberate action.

SAC works by checking every new executable, installer, and script against two sources:

  • Microsoft's cloud-based AI model, a constantly-updated reputation database that scores apps based on how widely they've been seen and whether they exhibit suspicious behavior patterns.
  • Code signing certificates, specifically, certificates that have an established positive reputation. Not just any valid certificate qualifies. The certificate must have been issued by a trusted Certificate Authority and the software publisher must have a clean track record with Microsoft's telemetry.

This is the key insight: an app can be properly signed with a valid digital certificate and still get blocked if Microsoft's cloud model hasn't seen enough of that specific application to assign it a positive reputation score. New software, niche utilities, and apps from smaller publishers are especially vulnerable to this, even when they're completely safe.

Quick Check: To confirm SAC is actually what's blocking your app (and not SmartScreen), look at the error message. SAC messages specifically say "Smart App Control has blocked an app" and don't offer a bypass option. SmartScreen messages say "Windows protected your PC" and include a "More info" link.

Why Does Smart App Control Block Signed Applications?

This is probably the most frustrating part of the whole situation, you paid attention, you checked the developer's website, the file has a valid digital signature, and SAC still blocks it. Here's the reality: a digital signature proves the file hasn't been tampered with since it was signed, but it doesn't automatically mean Microsoft trusts the app enough to let it run.

Several factors can cause a legitimately signed app to be blocked:

1. New or Rare Publisher

If a software company is small, new, or simply doesn't publish widely-distributed software, their code signing certificate won't have built up a reputation history in Microsoft's telemetry. Think of it like a credit score, a legitimate person with no credit history still can't get a loan. The publisher needs time and volume for their reputation to propagate through Microsoft's systems.

2. New Version of Known Software

Even if version 2.4 of an app has great reputation, version 2.5 starts with a clean slate. If the developer just released an update, those newly-compiled binaries haven't been seen by enough Windows machines for SAC to trust them yet. This is a common source of confusion, the app worked last month, but the fresh download doesn't.

3. EV vs. Standard Code Signing Certificates

Extended Validation (EV) certificates carry immediate high trust with Microsoft's systems because they require the publisher to go through rigorous identity verification with the Certificate Authority. Standard OV (Organization Validation) or DV (Domain Validation) code signing certificates take much longer to build reputation. If the app's developer used a standard certificate, their trust score starts low and accrues slowly.

4. SAC's Evaluation Mode

When Windows 11 is first installed (or after a reset), SAC often starts in "Evaluation" mode. In this mode, it watches your behavior and learns. Once it decides you're a user who installs things it can't confidently score, it may switch to "On" mode and start actively blocking. Apps you installed during the evaluation window might have been fine, but new installs afterward get scrutinized more aggressively.

5. File Characteristics That Trigger AI Flags

The AI model looks at more than just the certificate. Things like the app's behavior profile, what APIs it calls, whether it modifies system directories, whether it installs services, all of these feed into the reputation score. A legitimate sysadmin tool that accesses registry hives or network interfaces can look suspicious to a machine learning model even if a human would immediately recognize it as benign.

Important: Don't interpret a SAC block as definitive proof the app is safe. While false positives do happen, SAC exists because malicious software often travels this exact path, signed with a fresh certificate, never seen before, asking for broad system access. Always verify you're downloading from the official developer source before attempting any bypass.

Step-by-Step: How to Fix "Application Signed and Blocked by Smart App Control"

There are several approaches here, ranging from the least invasive (unblocking a specific file) to the more comprehensive (adjusting SAC's operating mode). I'll walk you through each one in order of preference.

1
Verify the File Is Actually Safe Before Doing Anything

This is non-negotiable. Before you attempt any bypass, take 60 seconds to verify what you're about to run:

  • Right-click the downloaded file → PropertiesDigital Signatures tab. Confirm the signer name matches the legitimate developer.
  • Copy the file's SHA256 hash (open PowerShell, run Get-FileHash "C:\path\to\file.exe") and compare it to the hash published on the developer's official website if available.
  • Upload the file to VirusTotal.com for a second opinion from 70+ antivirus engines.

If everything checks out, proceed. If anything looks off, different signer name, hash mismatch, detections on VirusTotal, do not continue.

2
Unblock the File Using File Properties

Windows marks files downloaded from the internet with a "Zone Identifier" alternate data stream, commonly called the "Mark of the Web" (MotW). Smart App Control uses this mark to know a file came from an untrusted source. Removing it can sometimes resolve the block for signed files.

  1. Right-click the executable or installer file.
  2. Select Properties from the context menu.
  3. At the bottom of the General tab, look for a message that says "This file came from another computer and might be blocked to help protect this computer."
  4. Check the Unblock checkbox next to that message.
  5. Click Apply, then OK.
  6. Try running the application again.

This works particularly well for signed applications from known publishers that are simply being flagged due to the MotW. If the Unblock checkbox isn't there, the block is being enforced through SAC's reputation policy rather than the zone identifier, and you'll need the next steps.

PowerShell Alternative: You can also unblock files from PowerShell with the command Unblock-File -Path "C:\path\to\yourfile.exe". This is faster if you're unblocking multiple files at once.
3
Switch Smart App Control to Evaluation Mode

If the file unblock didn't work, the next least-invasive option is to put SAC into "Evaluation" mode rather than turning it off completely. In Evaluation mode, SAC monitors but doesn't block, it's gathering data rather than enforcing policy. This lets you install and run the app while still keeping SAC's telemetry running.

  1. Press Windows + I to open Settings.
  2. Navigate to Privacy & SecurityWindows Security.
  3. Click Open Windows Security.
  4. Select App & Browser Control from the left sidebar.
  5. Click Smart App Control settings.
  6. Select Evaluation.

Now try running your application again. Keep in mind: once you manually change SAC from "On" to "Evaluation" or "Off," you cannot switch it back to "On" without reinstalling Windows or performing a system reset. This is by design, Microsoft wants SAC's transition to the On state to happen organically during evaluation, not via manual toggling.

4
Turn Off Smart App Control (Last Resort for That Session)

If Evaluation mode still blocks the app, or you need a reliable long-term solution for your workflow, you can turn SAC off entirely. Remember: this is a one-way door. Once off, it stays off until a Windows reset.

  1. Follow steps 1–5 from the Evaluation mode instructions above.
  2. Select Off under Smart App Control settings.
  3. You may see a UAC prompt, click Yes.
  4. Restart your PC for the change to fully take effect.
  5. After restart, try launching your application. Windows SmartScreen may still prompt you, click More infoRun anyway to proceed through that separately.
Critical Note: Turning off SAC permanently reduces your system's zero-day protection capabilities. If you do this, make sure you have another endpoint protection layer in place (Windows Defender with cloud protection, a third-party AV, or an enterprise WDAC policy). Don't turn SAC off just for convenience and then forget about it.
5
Run the Installer as Administrator from an Elevated Context

In some configurations, running the installer with elevated privileges changes how SAC evaluates it. This doesn't bypass SAC's policy, but it can work in edge cases where the block is related to UAC interaction rather than pure reputation scoring.

  1. Right-click the installer file.
  2. Select Run as administrator.
  3. Accept the UAC prompt.

If this doesn't work on its own, combine it with the file unblock step (Step 2) first, then try running as administrator.

Advanced Troubleshooting for Persistent SAC Blocks

If you've gone through the standard steps and the application is still being blocked, or you're managing a fleet of machines and need a more scalable solution, here's how to go deeper.

Use the Windows Event Viewer to Diagnose SAC Blocks

SAC logs its blocking decisions in the Windows Event Log, and reviewing these logs can tell you exactly why a specific file was blocked, which helps you determine the right remediation path.

  1. Press Windows + R, type eventvwr.msc, and press Enter.
  2. In the left panel, expand Applications and Services LogsMicrosoftWindowsCodeIntegrityOperational.
  3. Look for Event ID 3077 (enforcement block) or 3076 (audit block, when in evaluation mode).
  4. Click an event to see details including the file path, the signing certificate information, and the policy that triggered the block.

The "Failure Reason" field in these events is particularly useful. A reason code of 0xC0000428 means the file's code integrity check failed, suggesting a signing issue. A code of 0xC0000034 points to a reputation block. Knowing the difference tells you whether to contact the developer (signing issue) or just wait for reputation to build up.

Check and Verify the App's Authenticode Signature

Sometimes what looks like a reputation block is actually a corrupted or improperly formed signature. Run this PowerShell command to check:

Get-AuthenticodeSignature -FilePath "C:\path\to\yourfile.exe" | Format-List

Look at the Status field. A result of Valid means the signature is good. NotSigned, HashMismatch, or UnknownError indicates a real problem with the file's integrity, don't run it, and re-download from the official source.

Also check the SignerCertificate details. Confirm the Subject field matches the legitimate developer name, and that the certificate hasn't expired. A valid but expired certificate is a common source of SAC blocks that even the developer might not have caught yet.

Use WDAC Wizard for Enterprise Environments

If you're an IT administrator managing Windows 11 devices through Intune, Group Policy, or SCCM, Smart App Control can be managed at scale using Windows Defender Application Control policies. Microsoft provides the WDAC Policy Wizard (available free from Microsoft's GitHub) that helps you create custom policies that allow specific signed publishers or specific file hashes.

A typical enterprise workflow would be:

  1. Identify the trusted publisher's code signing certificate thumbprint from the Event Viewer logs.
  2. Use the WDAC Wizard to create a supplemental policy that explicitly allows that publisher.
  3. Deploy the policy via Intune or GPO to affected machines.

This approach lets you keep SAC's core protection intact while creating a curated allowlist for your organization's approved software catalog.

Submit the App to Microsoft for Reputation Analysis

If you're the developer of a signed application that's being blocked, or you have a business relationship with the developer, the right long-term fix is to get the application's reputation established with Microsoft. Microsoft provides a submission portal at the Microsoft Security Intelligence portal where developers can submit files for analysis. Once analyzed and cleared, the app will receive a positive reputation score and SAC will no longer block it for any user who downloads it.

As an end user, you can also use the Windows Security app to report a false positive:

  1. Open Windows SecurityVirus & Threat Protection.
  2. Click Protection history.
  3. Find the blocked item and look for a Submit for review option.

This feeds the file's details back to Microsoft's analysis pipeline and helps build a positive reputation for legitimate software.

Temporarily Disable SAC via Registry (Advanced Users Only)

There is a registry key that controls SAC's state, though Microsoft does not officially document or support modifying it directly. For advanced users who need to script this for a specific deployment scenario:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
Value: VerifiedAndReputablePolicyState
Type: DWORD
0 = Off, 1 = Evaluation, 2 = On

After changing this value, you must restart the system. Keep in mind that certain system integrity checks can reset this value, and modifying it on a Secure Boot–enabled system with a trusted platform module may not have the expected effect if the policy is being enforced at a deeper level.

Registry Warning: Incorrect registry edits can destabilize Windows. Always back up the registry before making changes: press Windows + R, type regedit, go to File → Export, and save a full backup before editing anything.

How to Prevent Smart App Control Blocks in the Future

Prevention here works at two levels: if you're an end user trying to avoid the frustration, and if you're a developer trying to make sure your app doesn't trigger SAC for your customers.

For End Users

Install software during the Evaluation window. When setting up a new Windows 11 machine, the first thing you should do, before SAC locks into "On" mode, is install all the software you regularly use. SAC learns from your early installation behavior. If you install legitimate tools before it decides to flip to enforcement mode, those apps get grandfathered in.

Prefer software with long-established reputations. Apps from large, well-known publishers that have been around for years won't trigger SAC because their certificates and binaries have extensive positive reputation histories. The risk zone is newer, smaller, or specialized software.

Download directly from developer websites, not third-party aggregator sites. SAC's reputation model considers the download source context. Files from third-party download sites often arrive with different zone identifiers and may have been repackaged, which resets the reputation of the binary even if the original developer's version was trusted.

Keep Windows Update current. Microsoft continuously refines SAC's AI model and pushes those updates through Windows Update. The same app that was blocked last month might sail through SAC today because the model was updated to recognize it. Always try downloading the app fresh after a major Windows update before assuming you need to disable SAC.

For Developers and Software Publishers

Invest in an EV code signing certificate. Extended Validation certificates provide an immediate reputation boost with Microsoft. Yes, they cost more and require more identity verification, but for software intended for broad distribution, the cost is trivial compared to the customer frustration of SAC blocks.

Establish a consistent publisher identity. Don't change certificate providers, company names, or signing identities between versions. Consistency is how you build accumulated trust. Each time you switch certificates, you're starting from zero.

Submit your application proactively. Don't wait for users to report SAC blocks. Before releasing a new version, submit the installer to Microsoft's malware analysis system proactively. This seeds your app's reputation so it's ready when users start downloading.

Sign all components individually. SAC checks every executable in your installer, not just the installer itself. If your package contains unsigned helper executables, runtime components, or scripts, those individual files may trigger blocks even if the outer installer is properly signed.

Use timestamp signing. Always counter-sign your executables with a trusted timestamp authority when signing. This ensures the signature remains valid even after your code signing certificate expires, preventing future SAC blocks caused by expired certificate chains.

Understanding Smart App Control's Three States

One thing that catches a lot of people out is not understanding the state machine that SAC operates on. It's worth laying this out clearly because it affects which solution is appropriate for your situation.

Evaluation Mode: This is SAC's learning state, active on fresh Windows 11 installations. SAC watches what you install and monitors app behavior. It doesn't block anything, but it's building a profile of your usage patterns. If you install a lot of uncommon software during this phase, SAC may decide your usage profile isn't well-suited to full enforcement and leave itself in Evaluation permanently. If you mostly install mainstream, well-known software, it will transition to On mode automatically.

On Mode: Full enforcement. SAC actively blocks apps that don't meet its reputation threshold. This is the state most users who encounter the block message are in. There is no granular configuration, it's all-or-nothing at this level.

Off Mode: SAC is completely disabled and won't restart automatically. As mentioned earlier, getting back to either Evaluation or On mode after disabling requires a Windows reset or reinstall.

The lack of a per-app exception mechanism is a deliberate design decision by Microsoft. The whole point of SAC is to be a hard, non-bypassable control that even moderately technical users can't accidentally disable for one app and then forget about. The trade-off is inflexibility, and understanding this helps set expectations: SAC is not like a firewall where you can poke a hole for one process. You're working with the system, not configuring it.

Frequently Asked Questions

Can I re-enable Smart App Control after turning it off without reinstalling Windows?
Unfortunately, no. Once you manually switch SAC to "Off," the only supported ways to return it to "On" or "Evaluation" are to perform a Windows Reset (keeping or removing your files via Settings → System → Recovery → Reset this PC) or to do a clean Windows reinstall. This is intentional, Microsoft designed SAC so that its active enforcement state is established during initial system setup, not toggled on-demand. Some unofficial registry edits claim to restore it, but Microsoft doesn't support this path and it may not work reliably on systems with Secure Boot.
Does Smart App Control affect apps that were already installed before I updated to Windows 11 22H2?
No, SAC only evaluates apps at execution time for files that carry the Mark of the Web, meaning files that were downloaded from the internet. Applications already installed on your system before SAC was introduced, or files transferred locally from another computer without coming through a browser download, typically don't have the zone identifier that triggers SAC's evaluation. If you're seeing blocks on previously-working apps after an update, it's more likely you recently re-downloaded or updated those apps rather than SAC retroactively flagging old installs.
Why does my app work on one Windows 11 machine but get blocked on another?
There are several reasons this can happen. The most common is that one machine is in Evaluation mode while the other is in On mode, even an identical Windows version can be in different SAC states depending on installation date and usage history. Another possibility is that Windows Updates have pushed an updated AI model to some machines but not others, and the reputation scores differ. Finally, if one machine is domain-joined with an enterprise WDAC policy that supplements SAC's rules, it might have explicit allowances for certain publishers that a standalone machine doesn't have.
Is Smart App Control the same as Windows SmartScreen? Can I bypass SAC the same way?
They're related but distinct. SmartScreen is a reputation-based filter that warns you and lets you click through (via "More info" → "Run anyway"). SAC is an enforcement-layer control with no click-through option. They operate at different levels: SmartScreen is an application-layer check, while SAC uses kernel-level code integrity policies. The SmartScreen bypass (clicking "More info") does not bypass SAC. After you turn off or put SAC in Evaluation mode, you may still encounter SmartScreen prompts, which you can bypass normally.
I'm an IT admin. Can I manage Smart App Control through Group Policy or Intune?
Yes, but it requires working through Windows Defender Application Control (WDAC) policies rather than the Smart App Control UI directly. WDAC supplemental policies can be deployed via Intune's Endpoint Security blade or through Group Policy using the AppLocker/WDAC CSP. You can create policies that explicitly allow specific publishers, specific file hashes, or entire trusted directories, which effectively gives you per-app control at scale. Microsoft's WDAC Policy Wizard tool simplifies policy creation significantly. For most enterprise scenarios, deploying a supplemental publisher-allow policy is the right approach rather than disabling SAC entirely.
My app gets blocked even after I unblock it through file Properties. Why isn't Unblock working?
The "Unblock" checkbox in file Properties removes the Zone Identifier alternate data stream, which addresses one trigger for SAC blocks. However, if the block is being enforced because the app's reputation score is below SAC's threshold, not because of the zone identifier alone, removing the MotW won't be enough. You'll need to either switch SAC to Evaluation mode (Step 3 in our guide) or turn it off (Step 4). A good way to confirm which case you're in: after unblocking, if the file's Properties General tab no longer shows the "This file came from another computer" message but you still get blocked when running it, the block is reputation-based and you need the SAC mode change approach.
Does turning off Smart App Control make my PC less secure?
Yes, to a meaningful degree. SAC's primary value is blocking zero-day malware that arrives via fresh code signing certificates, a common attack vector since obtaining a code signing certificate is within reach of threat actors. Without SAC, you're relying on Windows Defender's signature-based and behavioral detection, SmartScreen's reputation warnings (which users can click through), and your own judgment. For most home users, this is an acceptable risk if you're careful about downloads. For business environments, turning off SAC on individual machines without a compensating WDAC policy is a security regression that should be documented in your risk register. At minimum, ensure Windows Defender cloud-delivered protection and automatic sample submission are enabled to partially compensate.

Wrapping Up

Smart App Control is one of Windows 11's most effective defenses against a whole category of modern malware, but its all-or-nothing enforcement model means legitimate software can get caught in its net, especially software from smaller or newer publishers. The good news is that you have a clear ladder of options: start with file unblocking, step up to Evaluation mode if needed, and reserve turning SAC off entirely for situations where the long-term tradeoff makes sense for your workflow.

If you're a developer reading this because your users are reporting blocks, the actionable takeaway is straightforward: get an EV certificate if you haven't already, timestamp-sign all your executables, sign every component in your installer individually, and proactively submit new releases to Microsoft's analysis pipeline before they hit your user base. Building reputation is a slow process, but each of those steps accelerates it significantly.

Whatever path you choose, make sure you're making an informed decision about the security tradeoff rather than just clicking through prompts to make the problem go away. SAC exists for a good reason, the compromise is real, and understanding it helps you navigate it without either accepting unnecessary risk or being blocked from tools you legitimately need.