Started off thinking the idea was stupid because it would break everything, but the ability to manually trust something makes it work. Most applications would come signed by Microsoft (a la MacOS Gatekeeper), and the ones that don't trigger a pop-up asking the user if it's okay that they're accessing so many files.
That means you can both make your non-signed apps work, _and_ be alerted about the ones that aren't legit.
What organization exists that allows running unsigned code if they can help it, if they have even a moderate semblance of a security team?
None. Windows Defender makes it difficult to run unsigned code in Windows out-of-the-box. It already exists and doesn’t stop all ransomware, or at least is not used properly.
Also, it’s getting even stronger in recent updates. It’s called “Smart App Control.”
I've never worked anywhere that _doesn't_ allow their engineers to run unsigned code. It's good practice for non-techs, but if your engineers need to be babysat like that, get better engineers.
I like it :)