Why Smart App Control Blocks Custom Scripts on Windows 11

Quick fix: Open Windows Security → App & browser control → Smart App Control settings. If currently On, you can only switch it to Off — it can’t be turned back to On without reinstalling Windows. Once Off, custom scripts run without blocks.

Smart App Control (SAC) blocks unsigned or low-reputation apps. Your custom PowerShell script, Python build, or internal company tool gets quarantined. SAC operates on Microsoft’s reputation cloud — anything not seen by enough machines globally is blocked. The fix is to disable SAC. Important caveat: once disabled, SAC can’t be re-enabled without a clean Windows reinstall.

Symptom: Smart App Control blocks custom scripts or internal apps despite them being trusted.
Affects: Windows 11 with Smart App Control enabled (default On for fresh installs from 22H2).
Fix time: ~3 minutes (disable is one-way).


What causes this

Smart App Control runs apps through a Microsoft cloud reputation check. Apps signed by trusted publishers and seen on millions of PCs pass. Custom scripts, niche tools, and internal apps fail the reputation check by definition — they’re not widely deployed. SAC blocks them. The intent is malware protection; the cost is friction for developers and IT users.

Microsoft deliberately made SAC one-way (Off requires a clean install to re-enable) to prevent malware from disabling and re-enabling it.

Method 1: Disable Smart App Control

The standard fix. Permanent — you can’t turn it back on without a clean install.

  1. Open Windows Security.
  2. Click App & browser control.
  3. Click Smart App Control settings.
  4. The current state is shown:
    • On: blocking unsigned and low-reputation apps
    • Evaluation: monitoring; not blocking yet — auto-decides between On and Off based on your usage patterns
    • Off: not active
  5. Click Off. Confirm.
  6. SAC is now disabled. Your scripts and apps run without SAC interference.
  7. Microsoft Defender real-time protection remains active. You still have AV protection, just without SAC’s reputation layer.

This is the right fix for developers and power users. SAC is more aggressive than typical AV.


Method 2: Sign your scripts to make them SAC-compatible

Use this if you want to keep SAC on but allow specific scripts.

  1. For PowerShell scripts: code-sign them with a trusted certificate.
  2. Get a code-signing certificate from a CA (commercial: DigiCert, GlobalSign, etc.; or self-signed for personal use only).
  3. Sign your script:
    Set-AuthenticodeSignature -FilePath "C:\Scripts\my-script.ps1" -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1)
  4. For .exe files: use Microsoft’s signtool.exe with your certificate.
  5. SAC trusts signed apps from known publishers. Your scripts pass.
  6. This is more work but keeps SAC active for unknown apps you don’t trust.

This is the right approach for organizations that want both SAC’s protection and the ability to run internal tooling.
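The signing workflow from Method 2, end to end, as an added example (not code from the original article): it locates or creates a code-signing certificate, signs the script with a timestamp, then reads the signature back so you can confirm it before relying on it. The script path, the certificate subject and the timestamp server URL are assumptions; the self-signed fallback only exercises the workflow on your own machine and carries no publisher reputation, so for SAC you still need a CA-issued certificate.

```powershell
# Added example, not from the original article. Assumed values:
$ScriptPath      = 'C:\Scripts\my-script.ps1'        # assumed path
$Subject         = 'CN=Internal Tooling Signing'      # assumed subject
$TimestampServer = 'http://timestamp.digicert.com'    # assumed RFC 3161 timestamp server

# 1. Prefer an existing code-signing certificate from a CA; fall back to a
#    self-signed certificate purely to exercise the workflow (no reputation).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation Cert:\CurrentUser\My
}

# 2. Sign the script. A timestamp keeps the signature verifiable after the
#    certificate itself expires.
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer | Out-Null

# 3. Read the signature back and report what a verifier would see.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File            = $ScriptPath
    Status          = $check.Status            # 'Valid' for a CA-issued, trusted chain
    StatusMessage   = $check.StatusMessage
    Signer          = $check.SignerCertificate.Subject
    ThumbprintMatch = ($check.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
    Timestamped     = ($null -ne $check.TimeStamperCertificate)
}
```

With a CA-issued certificate you expect Status to be Valid and ThumbprintMatch to be True. With the self-signed fallback, Status is UnknownError (untrusted root) until the certificate is imported into the local Trusted Root and Trusted Publishers stores, and even then the signature satisfies PowerShell's execution policy only, not SAC's publisher reputation check.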

Method 3: Use Defender exclusions to allow specific paths

Use this for files in trusted folders that you don’t want Defender scanning.

  1. Open Windows Security → Virus & threat protection → Manage settings → Add or remove exclusions.
  2. Add exclusions for trusted developer folders: C:\dev, C:\Tools, etc.
  3. Note: SAC and Defender exclusions are related but not identical. Defender exclusions skip scanning; SAC may still check reputation on apps in excluded folders.
  4. For SAC-specific exclusions, the only path is Method 2 (signing) or Method 1 (disable SAC entirely).
  5. Defender exclusions reduce friction but don’t fully bypass SAC.

This is a partial measure. Methods 1 or 2 are the real fixes.
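Method 3 done from PowerShell, as an added example that is not part of the original article: it adds a developer folder as a Defender exclusion (skipping it if already present), then lists every script and executable in that folder with its Authenticode status, which shows why an exclusion is only partial: the files stay unsigned, so SAC still has nothing to trust. The folder path is an assumption; run it from an elevated session.

```powershell
# Added example, not from the original article. Assumed path:
$DevFolder = 'C:\dev'

function Add-DevExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Defender's exclusion list is a set of paths; avoid adding duplicates.
    $current = (Get-MpPreference).ExclusionPath
    if ($current -contains $Path) {
        "Already excluded: $Path"
        return
    }
    Add-MpPreference -ExclusionPath $Path
    "Excluded from Defender scanning: $Path"
}

function Get-DevExclusionAudit {
    param([Parameter(Mandatory)][string]$Path)
    # An exclusion changes scanning only. It signs nothing, so list what a
    # reputation check would still see: each file and its signature status.
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File            = $_.FullName
                SignatureStatus = $sig.Status          # NotSigned for typical dev output
                Signer          = $sig.SignerCertificate.Subject
            }
        }
}

Add-DevExclusion -Path $DevFolder
Get-DevExclusionAudit -Path $DevFolder | Format-Table -AutoSize
# Review the full exclusion list periodically; every entry is a scanning gap:
(Get-MpPreference).ExclusionPath
```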

How to verify the fix worked

  • Open Windows Security → App & browser control → Smart App Control settings. State shows Off (if Method 1).
  • Run your previously blocked script. It executes without a SAC popup.
  • Run Get-MpComputerStatus | Select-Object SmartAppControlState in PowerShell. Returns 0 (Off), 1 (On), or 2 (Evaluation).
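A one-call state check, as an added example (not from the original article), that reports SAC state from two independent sources so a disagreement stands out: the Get-MpComputerStatus property the article mentions, and the registry value Microsoft documents for SAC (HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState, 0 = Off, 1 = On, 2 = Evaluation). It also reads the SmartScreen "Check apps and files" setting, since that is the first cause listed under "If none of these work".

```powershell
# Added example, not from the original article.
function Get-SacState {
    $ciPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $names    = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Evaluation' }

    # Source 1: the documented SAC registry value.
    $raw = (Get-ItemProperty -Path $ciPolicy -Name VerifiedAndReputablePolicyState `
                -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    $fromRegistry = if ($null -eq $raw)                  { 'Unavailable' }
                    elseif ($names.ContainsKey([int]$raw)) { $names[[int]$raw] }
                    else                                  { "Unknown($raw)" }

    # Source 2: what the Defender cmdlet reports (printed as returned).
    $fromDefender = try { (Get-MpComputerStatus -ErrorAction Stop).SmartAppControlState }
                    catch { 'Unavailable' }

    # SmartScreen "Check apps and files" (Explorer setting): Warn, Block or Off.
    $smartScreen = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                        -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled

    [pscustomobject]@{
        RegistryValue    = $raw
        RegistryState    = $fromRegistry
        DefenderReported = $fromDefender
        SmartScreenFiles = $smartScreen
        Note             = if ($fromRegistry -eq 'Off') {
                               'SAC is Off; remaining blocks come from SmartScreen, policy or third-party AV.'
                           } else {
                               'SAC is still active; only a CA-signed publisher passes its check.'
                           }
    }
}

Get-SacState
```

If RegistryState says Off but a script is still blocked, the block is not SAC's; check SmartScreenFiles, any management policy applied to the machine, and third-party AV quarantine, in that order.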

If none of these work

If SAC keeps blocking despite being Off, three causes apply:

  • App still blocked by Defender SmartScreen: a related but separate feature. Disable SmartScreen via Windows Security → App & browser control → Reputation-based protection settings → Check apps and files Off.
  • Group Policy override: managed PCs may force SAC on. Contact IT.
  • Custom AV interfering: third-party AV may block apps independently. Check the AV’s quarantine.

Bottom line: Smart App Control blocks custom scripts because they lack reputation — disable SAC permanently (it’s one-way), or sign your scripts with a code-signing certificate to make them SAC-compatible.
