How to Toggle Smart App Control Without Reinstalling Windows 11

Quick fix: Once Smart App Control is set to Off, Windows blocks toggling it back to On until a clean install. Workaround: edit registry HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy → VerifiedAndReputablePolicyState = 1, then reboot — SAC re-enables in evaluation mode without reinstall.

Smart App Control (SAC) is Windows 11’s app-reputation layer that blocks untrusted EXE files. It runs in three states: Evaluating (the default for new installs, Windows watches your usage to decide whether to turn it on), On (blocks unsigned/unverified apps), or Off. Microsoft designed the toggle as one-way: once you turn it Off, the Settings UI hides the toggle to prevent re-enabling, on the assumption that re-enabling would compromise the evaluation guarantee. A registry edit reverses that.

What causes this

Smart App Control’s decision logic is stored in a single registry value: VerifiedAndReputablePolicyState under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy. Three valid values: 0 = Off, 1 = Evaluation, 2 = Enforcement (On). The Settings UI normally drives this value, but only allows transitions from Evaluation to On or Off, and from On to Off — never back. Writing the value directly bypasses the UI restriction.

Caveat: re-enabling SAC after extensive use of unsigned apps will cause those apps to fail to run, because SAC trusts only signed code and Microsoft’s reputation cloud. Plan to test SAC on apps you actually use before committing.

Method 1: Registry edit to re-enable Smart App Control

The direct route. Works on any Windows 11 22H2+ install regardless of previous SAC state.

1. Press Win + R, type regedit, press Enter.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy.
3. Find VerifiedAndReputablePolicyState (DWORD).
4. Double-click. To re-enable in Evaluation mode (recommended for first re-attempt): set value 1. For full Enforcement: set value 2.
5. Click OK. Close Registry Editor.
6. Reboot. The change requires a restart because SAC initializes during boot.
7. After reboot, open Settings → Privacy & security → Windows Security → App & browser control → Smart App Control settings. The status should show Evaluation or On matching your registry value.

This works without a clean install. The toggle in Settings UI may still appear hidden, but the underlying SAC enforcement is active per the registry value.

Method 2: Reset Windows Security app and let Evaluation start fresh

For when Method 1 doesn’t take effect due to corrupted security state.

1. Open Settings → Apps → Installed apps. Search for Windows Security.
2. Click the three-dot menu → Advanced options.
3. Scroll down to Reset. Click Reset → confirm.
4. Open Terminal (Admin) and run:

   Get-AppxPackage Microsoft.SecHealthUI | Reset-AppxPackage

5. Reboot.
6. Apply Method 1’s registry edit again.
7. Reboot one more time.

This resets the Security UI’s internal state in case stale settings are blocking the registry change from being reflected in the UI.

Method 3: Clean install with SAC Evaluation enabled (last resort)

If Methods 1 and 2 fail. Use this if you need the canonical SAC behavior with full UI integration.

1. Back up data: documents, OneDrive sync state, browser bookmarks, app license keys.
2. Download Windows 11 ISO from microsoft.com via the Media Creation Tool or the direct download.
3. Boot from the ISO and choose Custom: Install Windows only (advanced). This wipes the existing install rather than upgrading.
4. During OOBE setup, SAC is automatically enabled in Evaluation mode for new installs.
5. After install, verify in Settings → Privacy & security → Windows Security → App & browser control → Smart App Control settings. Status: Evaluation.
6. Use the PC normally for 1–2 weeks. SAC silently observes which apps you launch.
7. If SAC determines your usage is compatible, it auto-promotes to On. If it determines you run too many unsigned apps, it auto-disables itself.

The trade-off: full data wipe and re-install. Only use if SAC integration matters more than data preservation.

How to verify the fix worked

• Open Settings → Privacy & security → Windows Security → App & browser control → Smart App Control settings. Status shows Evaluation or On, not Off.
• Run Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" in PowerShell. VerifiedAndReputablePolicyState should be 1 or 2.
• Try launching an unsigned app you have available. SAC should either prompt you to confirm or block silently (depending on Evaluation vs Enforcement mode).

If none of these work

If the registry value resets back to 0 after reboot, a security service is overwriting it. Common cause: third-party AV products (Norton, McAfee, Kaspersky) have policies that disable SAC because they want their own scanner to be primary. Uninstall the third-party AV temporarily, repeat Method 1, and verify the value persists. For corporate-managed PCs, Group Policy may enforce SAC off — check via gpresult /h C:\gpresult.html → Computer Settings → Windows Components → Smart App Control. If a policy is listed, IT manages this setting; you can’t override without admin escalation. For PCs that upgraded from Windows 10 rather than clean-installing Windows 11, SAC may never have been provisioned at all — the registry key may not exist, and SAC genuinely is unavailable without a clean install.

Bottom line: One registry value controls Smart App Control’s state — set VerifiedAndReputablePolicyState to 1 for Evaluation or 2 for On, reboot, and you bypass the “clean install required” restriction.