You configure App and Browser Control in Windows Security to the Off or Warn setting, then after installing a cumulative update, the setting reverts to On. This forces SmartScreen to block unrecognized apps and files again, which can interrupt your workflow. The cause is a deliberate behavior in Windows 11 that Microsoft uses to restore security defaults after a major update payload. This article explains why the reset occurs and shows you how to prevent it from happening after every cumulative update.
Key Takeaways: Preventing App and Browser Control Reset After Updates
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Security > App and Browser Control: Disables the automatic reset by enforcing a specific SmartScreen setting that persists across updates.
- Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser Control: Stores the same policy as a DWORD value to lock the setting when Group Policy is unavailable.
- Windows 11 Cumulative Update Payload: Each cumulative update includes a security baseline that resets App and Browser Control to On to protect users who may have turned it off inadvertently.
Why Windows 11 Resets App and Browser Control After Each Cumulative Update
App and Browser Control is part of Windows Security and uses Microsoft Defender SmartScreen to check apps, files, and websites against a reputation database. When set to On, SmartScreen blocks unknown or potentially malicious content with a warning. When set to Off, SmartScreen does not check files or apps, which can expose the system to malware.
Each cumulative update for Windows 11 contains a security baseline that Microsoft applies to restore certain security settings to their recommended defaults. This baseline includes the App and Browser Control setting. Microsoft does this because many users disable SmartScreen temporarily and forget to re-enable it, leaving the system vulnerable. The update payload overwrites the local configuration regardless of the user’s previous choice.
The reset is not a bug. It is a deliberate design decision to ensure that after a system update, the device returns to a known secure state. The behavior affects all editions of Windows 11, including Pro and Enterprise, unless a Group Policy or registry value is configured to override it.
The Specific Settings That Reset
The following three options inside App and Browser Control revert to On after a cumulative update:
- Check apps and files: SmartScreen checks downloaded apps and files against a reputation list. When On, it blocks unrecognized items. When Off, it skips the check.
- SmartScreen for Microsoft Edge: Protects against phishing and malicious websites. When On, Edge shows a warning for suspicious sites. When Off, no warning appears.
- Phishing protection: Checks links and downloads in other browsers and apps. When On, it warns about dangerous content. When Off, it does not.
Steps to Prevent App and Browser Control From Resetting After Updates
You have two methods to lock the App and Browser Control setting so cumulative updates do not change it. The Group Policy method works for Windows 11 Pro, Enterprise, and Education editions. The Registry method works for all editions, including Windows 11 Home.
Method 1: Use Group Policy to Lock App and Browser Control
- Open the Local Group Policy Editor
Press Win + R, typegpedit.msc, and press Enter. If the command is not found, your edition does not include Group Policy. Use Method 2 instead. - Navigate to the App and Browser Control policy
Go to Computer Configuration > Administrative Templates > Windows Components > Windows Security > App and Browser Control. - Open the Configure App and Browser Control policy
Double-click the setting named Configure App and Browser Control. - Enable the policy and set the desired behavior
Select Enabled. In the Options section, choose Off to disable SmartScreen completely, or Warn to show a warning without blocking. Click OK. - Apply the change immediately
Open a Command Prompt as administrator and rungpupdate /force. The setting is now locked and will not reset after a cumulative update.
Method 2: Use Registry to Lock App and Browser Control
- Open Registry Editor
Press Win + R, typeregedit, and press Enter. Click Yes if prompted by User Account Control. - Navigate to the App and Browser Control key
Go toHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser Control. If the path does not exist, right-click the Windows Defender Security Center key, select New > Key, and name it App and Browser Control. - Create the EnableSmartScreen policy value
Right-click in the right pane, select New > DWORD (32-bit) Value. Name it EnableSmartScreen. Set the value data to 0 to disable SmartScreen or 2 to set it to Warn. Click OK. - Create the BlockAtApp policy value
Right-click again, select New > DWORD (32-bit) Value. Name it BlockAtApp. Set the value data to 0 to allow unrecognized apps or 1 to block them. Click OK. - Close Registry Editor and restart the computer
The changes take effect after a restart. The App and Browser Control setting will now persist through cumulative updates.
What to Do If App and Browser Control Still Resets After Applying the Fix
Windows 11 Home Edition Does Not Apply Registry Values Correctly
If you use Windows 11 Home and the registry method did not work, verify that the registry keys are in the correct path. A common mistake is creating the keys under HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE. The policy for App and Browser Control is a machine-wide setting and must be in the HKLM hive. Also confirm that both the EnableSmartScreen and BlockAtApp DWORD values exist and have the correct data.
Antivirus Software Overrides the Windows Security Setting
Third-party antivirus software often disables Windows Security and controls SmartScreen independently. If you have an antivirus program installed, check its own settings for SmartScreen or reputation-based protection. The antivirus may be resetting the Windows Security configuration after each update to match its own policy.
Windows 11 Feature Updates Reset Group Policy Temporarily
A feature update, such as upgrading from Windows 11 22H2 to 23H2, can reset Group Policy objects that were applied locally. After a feature update, run gpupdate /force again to reapply the policy. If the setting still resets, re-edit the Group Policy object and confirm it is still set to Enabled with your chosen option.
| Item | Group Policy Method | Registry Method |
|---|---|---|
| Edition support | Windows 11 Pro, Enterprise, Education | All editions including Windows 11 Home |
| Requires reboot | No, gpupdate /force applies immediately | Yes, restart required |
| Persistence across cumulative updates | Yes, fully persistent | Yes, fully persistent |
| Persistence across feature updates | May reset temporarily, reapply with gpupdate /force | Yes, persistent |
| Complexity | Moderate | Low to moderate |
You can now prevent App and Browser Control from resetting to On after each cumulative update. Use Group Policy if your edition supports it, or the Registry method for Windows 11 Home. After applying either method, verify the setting by opening Windows Security > App and Browser Control and confirming it shows your chosen state. As an advanced tip, export the registry key as a .reg file and apply it with a startup script or Group Policy logon script to enforce the setting across multiple devices in a domain environment.