Windows 11 KB5079391: Smart App Control AI Enhancements for 24H2
- [01] Immediate impact: Windows 11 24H2 users receive enhanced protection against untrusted applications through updated AI-driven Smart App Control models.
- [02] Affected systems: This update targets Windows 11 versions 24H2 and 25H2, specifically addressing Smart App Control and Task Manager functionality.
- [03] Remediation: Organizations should test the KB5079391 preview update in staging environments before deploying it to production Windows 11 24H2 fleets.
Overview of Windows 11 KB5079391
Microsoft has released the KB5079391 preview cumulative update for Windows 11, specifically targeting versions 24H2 and 25H2. According to BleepingComputer, this update includes 29 distinct changes and fixes. For the SOC and endpoint security teams, the most significant component of this release is the enhancement of Smart App Control (SAC), a feature designed to block potentially dangerous or untrusted applications from running on the operating system.
Technical Analysis: Smart App Control AI Enhancements
Smart App Control serves as a cloud-backed security layer that uses Microsoft's reputation intelligence to decide whether an application is safe to run. It is primarily effective against phishing campaigns that attempt to trick users into executing unsigned binaries or scripts. With the release of KB5079391, Microsoft has updated the underlying AI model that powers SAC. This Smart App Control AI model update is intended to improve classification accuracy, reducing the likelihood of legitimate software being blocked while increasing the detection rate for polymorphic ransomware and other modern threats.
The update allows a more nuanced evaluation of application reputation. By integrating updated telemetry and machine learning models, the system can better identify tactics, techniques and procedures (TTPs) associated with malicious software. This layer of defense is particularly relevant for environments that lack a fully managed EDR solution, although it adds a further Zero Trust barrier even in mature security environments. The Smart App Control improvements in KB5079391 are intended to keep the system resilient against evolving malware delivery methods.
How to configure Smart App Control on Windows 11 24H2
Understanding the deployment requirements for SAC is vital for system administrators. Unlike a standard security patch, which applies to any existing installation, SAC is available only on clean installations of Windows 11. This ensures that no pre-existing malware or untrusted software is "grandfathered" into the system's trusted state.
Security professionals investigating how to configure Smart App Control on Windows 11 24H2 should note the three operational modes:
- Evaluation Mode: The system monitors the apps used and determines if SAC can protect the user without being too disruptive. This is the ideal state for initial testing.
- On: SAC actively blocks malicious or unsigned apps. This provides the highest level of security but may interfere with specialized internal tools.
- Off: The feature is disabled, and the AI-driven protection is bypassed. Once turned off, SAC cannot be re-enabled without a fresh installation of the OS.
Defenders should prioritize testing these AI model updates in Evaluation Mode within a subset of the fleet to ensure that internal, unsigned scripts do not trigger false positives before moving to full enforcement.
Additional System and Management Fixes
Beyond security-specific enhancements, KB5079391 addresses several functional issues that impact administrative workflows. Improvements to the Task Manager, specifically fixing a bug where the process count was incorrectly displayed as zero, provide more reliable data for performance monitoring and incident response. The update also includes fixes for Jump Lists in the Taskbar and multi-tasking behaviors involving the Alt+Tab shortcut.
While these changes may seem minor, consistent performance in administrative tools is necessary for a high-functioning SOC. For example, Task Manager accuracy is essential when identifying suspicious processes that might indicate lateral movement or unauthorized resource consumption.
Actionable Recommendations
- Staged Deployment: Because KB5079391 is a preview update, organizations should deploy it first to a testing group to evaluate the impact of the updated AI model on specialized software.
- Review Execution Policies: Use the MITRE ATT&CK framework to map how SAC blocks specific execution techniques, such as User Execution (T1204).
- Inventory Unsigned Binaries: Identify internal tools that lack digital signatures, as these may be blocked by the enhanced SAC AI model once the update is applied.
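As an added example (not from the article or from Microsoft), the following PowerShell script reports the current SAC mode and then inventories executables and scripts whose Authenticode signature is not valid, the files most likely to be blocked once SAC is switched On. It assumes the registry value HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState encodes the mode (0 = Off, 1 = On, 2 = Evaluation); the search paths are constructed placeholders.

```powershell
# Added example, not part of the article or of Microsoft's tooling.
# Assumption: VerifiedAndReputablePolicyState under the CI\Policy key encodes
# the SAC mode (0 = Off, 1 = On, 2 = Evaluation).
param(
    [string[]]$Paths  = @('C:\Tools', 'C:\Scripts'),           # constructed sample paths
    [string]  $Report = "$env:TEMP\sac-unsigned-inventory.csv"
)

function Get-SacMode {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $state = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState `
              -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($state) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Unknown (value absent; SAC is only offered on clean installs)' }
    }
}

function Get-UnsignedBinaryInventory {
    param([string[]]$SearchPaths)
    # File types SAC evaluates by signature and reputation; extend as needed.
    $extensions = '*.exe', '*.dll', '*.ps1', '*.msi', '*.sys'
    foreach ($root in $SearchPaths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError...)
                # is a candidate for a block once SAC enforcement is On.
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Status = $sig.Status
                        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

"Smart App Control mode: $(Get-SacMode)"
$findings = @(Get-UnsignedBinaryInventory -SearchPaths $Paths)
$findings | Sort-Object Status, Path | Export-Csv -Path $Report -NoTypeInformation
"{0} files without a valid signature written to {1}" -f $findings.Count, $Report
```

Run it from an elevated prompt in Evaluation Mode so the CSV can be compared against the blocks SAC reports after enforcement, and have the listed internal tools signed before turning SAC On.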
While this update does not address a specific Zero-Day exploit, the iterative improvement of OS-level security features remains a core component of a layered defense strategy.