Question Does anybody know if indeed SAC can be turned on without reinstalling Windows?

Please provide comments and solutions that are helpful to the author of this topic.
@devjitdutta2025

Affirmative. It's confirmed that the "sterile field" (Clean Install) requirement for Smart App Control (SAC) has been rescinded for Windows 11 versions 24H2 and 25H2.

While registry modifications (likely targeting the VerifiedAndReputablePolicyState) may now function due to this kernel-level policy shift, the official engagement protocol is exposed directly via the UI, navigate to Windows Security > App & Browser Control > Smart App Control to toggle enforcement.

Proceed with caution. Activating SAC on a "dirty" (previously used) system introduces a high probability of immediate "False Positives." Legitimate but unsigned binaries lacking global prevalence will be neutralized (blocked) by the automated Windows Defender Application Control (WDAC) policy. If your environment relies on custom tooling or niche software, anticipate significant operational friction.
 
Last edited:
  • Like
  • Applause
  • Hundred Points
Reactions: Brownie2019, piquiteco, Antimalware18 and 2 others
Yes.
1770308176256.png
Notice the On/Off switches and no Evaluation Mode (greyed out).

@Parkinsond - no registry modification needed.
 
  • Like
  • Thanks
  • +Reputation
Reactions: Brownie2019, piquiteco, Wrecker4923 and 6 others
devjitdutta2025 said:
So indeed it seems that SAC now can be turned off safely and then re-enabled again without reinstalling the OS. Good job MS.
Click to expand...
One good step, but a further one is needed.

I get blocked installer, I turn off SAC to finish installation, then turn SAC back on, then try to launch the app, then SAC blocks the app.
Exception will be a welcome addition.
 
  • Like
  • Thanks
Reactions: Wrecker4923 and oldschool
devjitdutta2025 said:
How old is the installer? Is it fairly new?
Click to expand...
Sometime SAC blocks the installer when freshly released, then allow it after days or weeks, as with media player classic.
Sometimes it blocks the installer even if old enough, as the case with peazip.

Sometimes it blocks the installer, but allows the installed app to launch; here turning off SAC is useful to bypass installation block.
Sometimes it blocks both the installer and the installed app after installation; turning off SAC will permit installation, but after turning it on again, launching app will be blocked.
 
  • Thanks
  • Like
Reactions: Wrecker4923 and devjitdutta2025
Parkinsond said:
One good step, but a further one is needed.

I get blocked installer, I turn off SAC to finish installation, then turn SAC back on, then try to launch the app, then SAC blocks the app.
Exception will be a welcome addition.
Click to expand...

Parkinsond said:
Sometime SAC blocks the installer when freshly released, then allow it after days or weeks, as with media player classic.
Sometimes it blocks the installer even if old enough, as the case with peazip.

Sometimes it blocks the installer, but allows the installed app to launch; here turning off SAC is useful to bypass installation block.
Sometimes it blocks both the installer and the installed app after installation; turning off SAC will permit installation, but after turning it on again, launching app will be blocked.
Click to expand...
Submit through the Feedback Hub and wait a few days, then try again.

@Antimalware18 - what version Windows do you have? What region do you live in? It's probably another controlled rollout by MS.
 
  • Like
Reactions: piquiteco, devjitdutta2025, Antimalware18 and 2 others

You may also like...