New Update Windows 11 24H2 and 25H2 get bit new updates with new feautres and fixes in KB5074105

[Parkinsond]

You can turn Smart App Control (SAC) on or off without any clean install requirement.

Windows Hello Enhanced Sign-in Security (ESS) now supports peripheral fingerprint sensors.

This update addresses an issue that could cause Windows Sandbox to stop responding during startup and display error 0x800705b4.

https://www.neowin.net/news/windows-11-24h2-and-25h2-get-bit-new-updates-with-new-feautres-and-fixes-in-kb5074105/

 

[oldschool]

They shipped the new SAC setting earlier than I thought. Now there is no reason for users to avoid SAC entirely without trying it out on their system. This should lead to more users with SAC protection world wide, which is a good thing.

 

[Jonny Quest]

A couple of thoughts from Gemini that may be helpful? Still not an option on my end, at least for now, on both laptops after installing the update.

Turning on Optional Diagnostic Data is usually the "secret ingredient" Microsoft requires for Smart App Control to talk to its cloud reputation service. Without it, the toggle often stays grayed out or displays that annoying "reinstall" message.

If it’s still grayed out: This means the "Controlled Feature Rollout" (CFR) hasn't fully activated the UI for you yet. Since you are on the correct build (KB5074105), you can safely use the Registry Override I mentioned earlier:

 

[Moonhorse]

SAC is so good, but it messes up with armoury crate for me so im not using it anymore. Thats great to hear you can turn it on/off whenever you want

 

[oldschool]

SAC is so good, but it messes up with armoury crate for me so im not using it anymore. Thats great to hear you can turn it on/off whenever you want

It definitely doesn't work well for users with certain software configurations, e.g. coders, gamers, etc.

 

[Parkinsond]

Now there is no reason for users to avoid SAC entirely without trying it out on their system.

There is still a reason; SAC blocks installer, I disable SAC and run the installer than reenable SAC; SAC blocks app launch

 

[Parkinsond]

A couple of thoughts from Gemini that may be helpful? Still not an option on my end, at least for now, on both laptops after installing the update.

As far as I get, to be able to turn on SAC after being tunred off following the last update, I should have optional data allowed when W was installed?

 

[Marko :)]

Can someone explain to me what Smart App Control actually does? Thanks.

 

[Parkinsond]

Achtung

In one of the reports, from the user Mark S, the new update was installed yesterday on an Acer laptop resulting in the messing up of the in-built camera.
The lock screen widget issue was reported by the user percesus, but in quite a bit less detail.
In our own comments section, user Davikar noted that everything seemed OK for them so far after installing the update, but did note that the taskbar took one minute to load after reboot. This could just be a result of Microsoft getting things into place following the update rather than a persistent issue.

https://www.neowin.net/news/windows-11-users-report-critical-bugs-in-newest-kb5074105-optional-january-update/

 

[Parkinsond]

Can someone explain to me what Smart App Control actually does? Thanks.

Almost equal to WDAC with extras, such as blocking certain file types when they have MoTW.
@Andy Ful certainly has more details.

 

[Parkinsond]

A couple of thoughts from Gemini that may be helpful? Still not an option on my end, at least for now, on both laptops after installing the update.

I have SAC enabeable again after installing the latest update, without having optional data enabled during W install!

 

[Sorrento]

Mine is greyed out so I'm leaving it until I get the option in settings, so I can turn it off it things don't go well & for me its likely to be a short lived experience, though I would image first thinking on.

 

[Parkinsond]

Mine is greyed out so I'm leaving it until I get the option in settings, so I can turn it off it things don't go well & for me its likely to be a short lived experience, though I would image first thinking on.

I like using WDAC via WHHL more; just was trying to find out if the update is working or not.

 

[Andy Ful]

Can someone explain to me what Smart App Control actually does? Thanks.

From ChatGPT (with a few my corrections):

Smart App Control (SAC)​

What it is:
A pre-execution gatekeeper. It decides whether an app is allowed to run at all.

How it works:

• Blocks apps before they launch
• Allows only:
  • Microsoft-trusted apps
  • Properly signed apps
  • Apps with a good cloud reputation
• If it’s blocked → you don’t get an override

Strengths:

• Stops malware before damage
• Zero decisions for users
• Great against brand-new threats

Weaknesses:

• Can block legit but unsigned apps
• Once turned off → can’t re-enable without reset (so far)
• Bad fit for devs / power users / gamers

Best for:
“Just work and stay safe” users

The above is slightly incomplete. In addition to smart-blocking apps (EXE, DLL, MSI files, drivers), SAC is also a non-smart blocker of some LOLBins and some file types downloaded from the Internet (such as scripts, shortcuts, some scriptlets, disk images, etc.).
SAC is very comprehensive in blocking DLLs (can block also DLL hijacking). However, this feature is a main source of blocks when gaming.
SAC is based on WDAC, but scripts restrictions are different from standard enforcement (Constrained Language mode is not enforced in PowerShell).

 

[Marko :)]

From ChatGPT (with a few my corrections):


The above is slightly incomplete. In addition to smart-blocking apps (EXE, DLL, MSI files, drivers), SAC is also a non-smart blocker of some LOLBins and some file types downloaded from the Internet (such as scripts, shortcuts, some scriptlets, disk images, etc.).
SAC is very comprehensive in blocking DLLs (can block also DLL hijacking). However, this feature is a main source of blocks when gaming.
SAC is based on WDAC, but scripts restrictions are different from standard enforcement (Constrained Language mode is not enforced in PowerShell).

Okay, now would I have any benefit from using it? I mean Windows disabled it before for me automatically.

 

[Parkinsond]

Okay, now would I have any benefit from using it? I mean Windows disabled it before for me automatically.

WHHL is more protective.
WDAC will block the same executables blocked by SAC.
Hardening (including SRP) will block all file types blocked by SAC, and even more, with the advantage that it cannot be bypassed by removing MoTW (manaully, by malware, or by usb memory transfer).

 

[Andy Ful]

Okay, now would I have any benefit from using it? I mean Windows disabled it before for me automatically.

You can wait until the update, which allows you to switch it ON/OFF, and then try.

 

[Parkinsond]

You can wait until the update, which allows you to switch it ON/OFF, and then try.

The update is here; installed and reenabled SAC; no issues.
But I will redisable SAC again and go back to WHHL WDAC (it was automatically turned off after reenabling SAC).

 

[micasayyo]

I just updated but...


I had it disabled and now I can't enable it either. I thought that with the new update it would be possible to enable and disable it.

 

[Parkinsond]

I just updated but...


I had it disabled and now I can't enable it either. I thought that with the new update it would be possible to enable and disable it.

Navigate in reg editor to
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy

Change the value date from 0 to 1 of
VerifiedAndReputablePolicyState

Restart