A Study on Smart App Control
Smart App Control (abbreviated by SAC) has been introduced with Windows 11 version 22H2 (version 22572 or higher) by Microsoft as a new feature designed to reduce the risk of malware execution.
This is an automatic and optional feature whose purpose is to block applications running on the system if they are not trusted by the (security) analysis of Microsoft's cloud-powered backend. Microsoft evaluates the trust of an application based on two criteria:
- Verification of the application's digital certificate
- Use of the information already available about the application
An application that carries no digital signature, or that the cloud service deems untrustworthy, is blocked. The feature cannot be configured by the user, so neither user nor administrator exceptions can be added. The only options are to provide feedback to Microsoft (possibly submitting the blocked application to them) or to sign the application, or have it signed, with a certificate that Microsoft accepts.
The only decision left to users is whether to deactivate SAC, and that decision is final: once SAC has been deactivated, it cannot be activated again. The feature is also disabled if the computer is running Windows in S mode. If the sending of optional diagnostic data (so-called telemetry data) was deactivated during the installation of Windows 11 or during SAC's evaluation phase, SAC is deactivated automatically as well. Because the feature is inextricably linked to telemetry data, it is important to consider in advance whether this information should be shared with the manufacturer. That decision may differ considerably depending on the operating environment, the data processed there, and whether the system is used privately or professionally.
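Before relying on SAC, an administrator will typically want two checks: which of the three states (On, Off, Evaluation) a given machine is in, and which executables in a deployment folder lack the digital signature the page says is a precondition for being allowed. The following PowerShell script is an added example written for this page; it is not part of the BSI or ERNW study. It assumes that the SAC state is stored in the registry value `VerifiedAndReputablePolicyState` under `HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy` (0 = Off, 1 = On, 2 = Evaluation); the folder path `C:\Tools` is a placeholder.

```powershell
# Added example, not code from the study described on this page.
# Assumption: SAC state lives in HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy,
# value VerifiedAndReputablePolicyState (0 = Off, 1 = On, 2 = Evaluation).
# Verify this location against your own Windows build before relying on it.

function Get-SacState {
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $valueName = 'VerifiedAndReputablePolicyState'
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Older builds, S mode, or a machine where the value was never written.
        return [pscustomobject]@{ Raw = $null; State = 'Unknown (value not present)' }
    }
    $raw = $item.$valueName
    $label = switch ($raw) {
        0       { 'Off (final; SAC cannot be re-enabled on this installation)' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { "Unrecognised value $raw" }
    }
    [pscustomobject]@{ Raw = $raw; State = $label }
}

function Get-UnsignedExecutables {
    # Lists files whose Authenticode signature is anything other than Valid.
    # Per the page, an unsigned application is blocked outright once SAC is On;
    # a valid signature alone does not guarantee it is allowed (cloud reputation
    # is the second criterion), so this is a necessary, not sufficient, check.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('*.exe', '*.dll', '*.msi')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

$state = Get-SacState
Write-Host "Smart App Control state: $($state.State) (raw value: $($state.Raw))"

# Inventory a candidate folder (placeholder path) to find what SAC would block.
Get-UnsignedExecutables -Path 'C:\Tools' | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session so that the registry read succeeds. A machine that reports `Off` cannot be returned to `On` or `Evaluation`, which is why the state check belongs in a pre-deployment inventory rather than in a post-incident one.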
The company ERNW GmbH (Enno Rey Netzwerk GmbH) carried out a study on behalf of the BSI which, based on the analyses performed, makes it possible to better understand how the feature works and to share the results with technical experts. Since it is not possible, for practical reasons, to analyse the cloud-hosted learning models used by Microsoft, the only option left was to evaluate the new feature in a black-box context. Public information was evaluated and our own questions were examined functionally. These include, for example:
- Which kinds of executable files are covered by SAC?
- Where is the initial entry point of the SAC function?
- What do the different SAC modes mean, and how is it possible to pass from one to another?
The results of the analysis are available in the report "Smart App Control".