Microsoft Defender SmartScreen Deep Dive

Microsoft Defender SmartScreen is the frontline defense against all threats. Did I put that right? It truly is the frontline protector on a Windows computer and in the Edge browser on any OS platform. I’ve been dealing with a lot of SmartScreen configuration tasks and troubleshooting scenarios when working with customers, and I wanted to write about my experience with it.

I believe everyone has seen some sort of SmartScreen prompt by now. It can pop up when you try to install an unverified app, when you download a file that you think is safe but in reality is not, or when you try to access a website that is either malicious or blocked by the Defender web content filtering policy. Either way, Microsoft 365 Defender has determined that the user is trying to install or access something untrusted and blocks it with a warning.

SmartScreen settings can be overwhelming sometimes, as the same settings are available in different policies and there is often a question of which settings should be applied. While the answer is “it depends”, my goal for this blog post is to do a deep dive into SmartScreen and clear the air a bit 🙂

What I will be Covering 👇🏽

How SmartScreen Helps to Protect from Bad Actors?

SmartScreen works alongside other security policies to enhance their protection capabilities. To simplify that statement: imagine you have Network Protection policies set up; SmartScreen sits in the middle and protects the user and the network from malicious activity.

I will be referencing the Microsoft Learn document, as it lists the benefits and captures all the scenarios.

Anti-phishing and anti-malware support

Helps to block sites that host phishing attacks or attempt to distribute malicious software. Also helps protect against fake advertisements, scam sites, and drive-by attacks.

Reputation-based URL and app protection

Defender SmartScreen evaluates website URLs to determine whether they are known to distribute or host unsafe content. It also checks the reputation of apps, including downloaded programs and their digital signatures.

Operating system integration

Integrated into the Windows 10/11 OS; checks any files and apps (including 3rd-party browsers and email clients) that attempt to download and run.

Improved heuristics and diagnostic data

Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.

Management through group policy and Microsoft Intune

Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings.

Blocking URLs associated with potentially unwanted applications

In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications or PUAs. For more information on blocking URLs associated with PUAs

Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and against the downloading of potentially malicious files.

This article outlines the GPO and MDM related SmartScreen settings. I will look at the MDM settings specifically, map them to the Intune UI setting names, and provide the recommended values.

These settings can be found in the Settings Catalog, in Security Baselines, and in Device Restriction policies. I will be looking at the Settings Catalog in this scenario.

If you search for Smart Screen in the Settings Catalog, you will see the results below.

The main SmartScreen settings are for the Browser and for Windows SmartScreen (the shell). Check the Related Policy CSP column, where I have linked the setting details.

| Section | Setting | Recommended Setting | Related Policy CSP | Supported OS version |
|---|---|---|---|---|
| Browser | Prevent Smart Screen Prompt Override For Files | Enabled | Browser/PreventSmartScreenPromptOverrideForFiles | Windows 10, Version 1511, Windows 11 |
| Browser | Prevent Smart Screen Prompt Override | Enabled | Browser/PreventSmartScreenPromptOverride | Windows 10, Version 1511, Windows 11 |
| Browser | Allow Smart Screen | Allow | Browser/AllowSmartScreen | Windows 10 |
| Smart Screen | Prevent Override For Files In Shell | Enabled | SmartScreen/PreventOverrideForFilesInShell | Windows 10, version 1703 |
| Smart Screen | Enable Smart Screen In Shell | Enabled | SmartScreen/EnableSmartScreenInShell | Windows 10, version 1703 |
| Smart Screen | Enable App Install Control | Enabled | SmartScreen/EnableAppInstallControl | Windows 10, version 1703 |

Different Settings Names – Same CSP

This is the tricky part: policy settings can have 2 different wordings in 2 separate policies yet connect to the same CSP (Configuration Service Provider), which can lead to policy conflicts or errors if you have

I have 3 examples below from 3 different policies. Each policy has its own SmartScreen section.

Have a look at the highlighted boxes to understand the mapping, so you can refer back to this article to see which CSP each setting maps to.

  1. Endpoint Protection policy using a template, you will see below.

In there,
SmartScreen for apps and files = EnableSmartScreenInShell
Unverified files execution = PreventOverrideForFilesInShell

Please check the same article to find out the OMA-URI details of each setting.

  2. SmartScreen settings in the Device Restriction policies you will see below

In there,
Unverified file download = PreventSmartScreenPromptOverrideForFiles
Malicious site access = PreventSmartScreenPromptOverride

  3. MDM Security Baseline policy’s SmartScreen section as below

In there,
Turn on Windows SmartScreen = EnableSmartScreenInShell
Block users from ignoring SmartScreen warnings = PreventOverrideForFilesInShell

Apart from the above settings, there are other SmartScreen-related policies that help to cover the threat landscape.

Edge Browser related settings

MDM Security Baseline Policy – Internet Explorer Section

Network Protection Policies https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide

Windows Defender App Control https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control

The rule of thumb is to make sure the same SmartScreen settings are not configured in multiple policies for the same device/user group, as that will end up with policy conflicts and errors.

Where to Find SmartScreen Policies/ Settings

The section below lists the locations where SmartScreen settings are available.

Main Locations
– Group Policy
– Microsoft Intune

Policies
– Defender Security Baselines
  – MDM Security Baseline
  – Microsoft Defender for Endpoint baseline
  – Microsoft Edge baseline
  – Windows 365 Security Baseline
– Device restriction Policies
– Endpoint protection
– Settings Catalog
– Web Content Filtering Policy
– IOC?

Bypassing SmartScreen Warnings?? 🚩🚩

While allowing users to bypass SmartScreen warnings can reduce the calls to your IT Helpdesk from users complaining about SmartScreen issues, it is highly recommended to block bypassing the warnings. There is always a 50/50 chance of the user misjudging the SmartScreen prompt and selecting Run Anyway because they want to get the work done.

If you don’t want your users to bypass the warning, make sure you have the setting below selected.

Block users from ignoring SmartScreen warnings = Block

OR

OMA URI: ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
Data type: Integer
Allowed values:
0. Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
1. Employees can’t ignore Microsoft Defender SmartScreen warnings and run malicious files.
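Because the same CSP can be fed from Group Policy, from an Intune policy, or from both (which is exactly the conflict scenario described earlier), it helps to read the values that actually landed on a device and answer the one question that matters here: can a user still click Run Anyway? The script below is an added example, not code from the original post or from Microsoft. The Group Policy and Edge policy registry locations are the documented ones; the PolicyManager paths used for Intune/MDM-delivered values are an assumption and may differ between builds.

```powershell
# Added example: report the SmartScreen policy state on a Windows device and
# derive whether the override (Run Anyway) is blocked for the shell and for Edge.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value not present: nothing configured from this source
    }
}

function Get-SmartScreenPosture {
    $gpSystem   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'            # Group Policy, shell
    $explorer   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'      # effective shell state
    $edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'                        # Edge (Chromium) policies
    # ASSUMPTION: Intune/MDM-applied CSP values are mirrored under PolicyManager\current\device\<Area>
    $mdmShell   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SmartScreen'
    $mdmBrowser = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Browser'

    $posture = [ordered]@{
        # Windows shell (SmartScreen for apps and files)
        GP_EnableSmartScreen               = Get-RegValue $gpSystem 'EnableSmartScreen'       # 1 = on
        GP_ShellSmartScreenLevel           = Get-RegValue $gpSystem 'ShellSmartScreenLevel'   # 'Warn' or 'Block'
        Explorer_SmartScreenEnabled        = Get-RegValue $explorer 'SmartScreenEnabled'      # Off / Warn / Block
        MDM_EnableSmartScreenInShell       = Get-RegValue $mdmShell 'EnableSmartScreenInShell'        # CSP, 1 = on
        MDM_PreventOverrideForFilesInShell = Get-RegValue $mdmShell 'PreventOverrideForFilesInShell'  # CSP, 1 = no bypass
        # Edge (Chromium)
        Edge_SmartScreenEnabled                       = Get-RegValue $edgePolicy 'SmartScreenEnabled'
        Edge_PreventSmartScreenPromptOverride         = Get-RegValue $edgePolicy 'PreventSmartScreenPromptOverride'
        Edge_PreventSmartScreenPromptOverrideForFiles = Get-RegValue $edgePolicy 'PreventSmartScreenPromptOverrideForFiles'
        MDM_Browser_PreventSmartScreenPromptOverride  = Get-RegValue $mdmBrowser 'PreventSmartScreenPromptOverride'
    }

    # "Block" from any source wins for the shell; a plain "Warn" still lets the user proceed.
    $posture.ShellOverrideBlocked = ($posture.GP_ShellSmartScreenLevel -eq 'Block') -or
                                    ($posture.Explorer_SmartScreenEnabled -eq 'Block') -or
                                    ($posture.MDM_PreventOverrideForFilesInShell -eq 1)
    # Edge needs both the site and the file override blocked to be fully locked down.
    $posture.EdgeOverrideBlocked  = ($posture.Edge_PreventSmartScreenPromptOverride -eq 1) -and
                                    ($posture.Edge_PreventSmartScreenPromptOverrideForFiles -eq 1)

    # Flag the conflict case the post warns about: the same control set from two sources.
    $posture.ShellConfiguredFromBothGPandMDM = ($null -ne $posture.GP_EnableSmartScreen) -and
                                               ($null -ne $posture.MDM_EnableSmartScreenInShell)
    [pscustomobject]$posture
}

Get-SmartScreenPosture | Format-List
```

Run it on a pilot device after the policy has synced; a `$null` in a column simply means that source did not write the value. If both the GP and MDM columns are populated for the same control, that device is in the "same CSP from two policies" situation and is worth cleaning up before the rollout widens.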


Whitelisting of URLs to enable SmartScreen

The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.

If you have a proxy or firewall set up, you need to allow/whitelist the URLs below.

*smartscreen.microsoft.com
SmartScreen-sn3p.smartscreen.microsoft.com
unitedstates.smartscreen-prod.microsoft.com

End User Configuration

When SmartScreen is activated via the policies, the end user’s Defender AV (Windows Security) will show the App & Browser Control feature as active, as you can see below.

Test Your SmartScreen Implementation

I found 2 good ways to test your environment and fine-tune the whitelisted URLs and policy settings.

Windows Defender SmartScreen connectivity test

I found this wonderful tool in a GitHub repo from NSA Cybersecurity Directorate and

🔗 Windows Defender SmartScreen connectivity test

Defender Demos Page

This is a good way to test SmartScreen scenarios by launching demo websites and downloading test apps.

🔗 Microsoft Defender Demos

SmartScreen event logs are not generated automatically unless you enable them on the workstation.

Event Logs location: Microsoft-Windows-SmartScreen/Debug

To enable logs, run the below in an elevated CMD:

wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true

Look for the below Event IDs.

Edge Browser SmartScreen Events (Version 77 or higher)

Event 1035 – Anti-Phishing – More Info
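To turn the two steps above (enable the Debug channel, then look for the Event IDs) into something repeatable on a test machine, here is an added example in PowerShell; it is not code from the original post. The channel name and Event ID 1035 come from the post; the list of IDs is a parameter so you can extend it as you identify more. One caveat worth knowing: because this is a Debug channel, `Get-WinEvent` refuses to read it unless you pass `-Oldest`, which is the usual reason people think the log is empty.

```powershell
# Added example: enable the SmartScreen debug channel and read back recent events.
# Requires an elevated session for the enable step.

$SmartScreenLog = 'Microsoft-Windows-SmartScreen/Debug'   # channel name from the post

function Enable-SmartScreenDebugLog {
    # Same command as the CMD one-liner above; Debug/Analytic channels are off by default.
    wevtutil.exe sl $SmartScreenLog /e:true
    if ($LASTEXITCODE -ne 0) { throw "Could not enable $SmartScreenLog (is the session elevated?)" }
    # Show the channel's current state so the change is confirmed.
    wevtutil.exe gl $SmartScreenLog | Select-String '^enabled:'
}

function Get-SmartScreenEvents {
    param(
        [int[]]$EventId = @(1035),   # 1035 = Edge anti-phishing event per the post; extend as needed
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = $SmartScreenLog
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($EventId) { $filter.Id = $EventId }

    # -Oldest is mandatory for Debug/Analytic channels; without it Get-WinEvent errors out.
    Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message only
}

Enable-SmartScreenDebugLog
# Trigger a warning with the Defender Demos page, then pull what was logged.
Get-SmartScreenEvents -Hours 24 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Leave `-EventId @()` (empty) to dump everything the channel recorded; that is the quickest way to discover which IDs your Edge version actually writes before narrowing the filter.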

Enhanced SmartScreen notifications in Microsoft Defender SmartScreen

Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. I wrote about this some time ago and you can find more below.

🔗 Microsoft Learn Documentation can be found here

KQL to Hunt SmartScreen Events

Advanced hunting using KQL is always interesting. I hope the below helps you start looking for events.

Table to query: DeviceEvents

Action Type Values:
SmartScreenAppWarning
SmartScreenExploitWarning
SmartScreenUrlWarning
SmartScreenUserOverride
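The table and the four ActionType values above are all you need for a first hunting query; what I usually want from it is, per device and user, how many warnings were raised and how many were overridden, because a high override rate is the signal that the "Block users from ignoring SmartScreen warnings" setting from earlier is not landing. The block below is an added example, not code from the original post or from Microsoft: the KQL is wrapped in a PowerShell function and submitted through the Microsoft Graph advanced hunting endpoint. Obtaining the bearer token (ThreatHunting.Read.All) is left to the caller and passed in as `$AccessToken`. The `Experience` field pulled out of `AdditionalFields` is an assumption based on Microsoft's sample SmartScreen queries; remove that line if your tenant does not populate it.

```powershell
# Added example: hunt SmartScreen warnings and user overrides in DeviceEvents via Graph.

function Get-SmartScreenHuntingQuery {
    param([int]$Days = 7)
    # Table and ActionType values are the ones listed in the post.
@"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType in ("SmartScreenAppWarning", "SmartScreenExploitWarning",
                       "SmartScreenUrlWarning", "SmartScreenUserOverride")
| extend Experience = tostring(parse_json(AdditionalFields).Experience)
| summarize Warnings  = countif(ActionType != "SmartScreenUserOverride"),
            Overrides = countif(ActionType == "SmartScreenUserOverride"),
            Urls        = make_set(RemoteUrl, 10),
            Files       = make_set(FileName, 10),
            Experiences = make_set(Experience, 5)
    by DeviceName, InitiatingProcessAccountName
| extend OverrideRate = iff(Warnings > 0, round(todouble(Overrides) / Warnings, 2), 0.0)
| order by Overrides desc, Warnings desc
"@
}

function Invoke-SmartScreenHunt {
    param(
        [Parameter(Mandatory)][string]$AccessToken,   # caller supplies a Graph token with ThreatHunting.Read.All
        [int]$Days = 7
    )
    $body = @{ Query = (Get-SmartScreenHuntingQuery -Days $Days) } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' -Body $body
    $response.results   # one object per summarized row (DeviceName, Warnings, Overrides, ...)
}

# Usage (token acquisition not shown):
# Invoke-SmartScreenHunt -AccessToken $token -Days 7 |
#     Format-Table DeviceName, InitiatingProcessAccountName, Warnings, Overrides, OverrideRate -AutoSize
```

If you would rather paste the query into the portal, `Get-SmartScreenHuntingQuery` on its own prints the KQL. Devices that show overrides at all are the ones to check with the posture script from the override section, since a correctly applied PreventOverrideForFilesInShell should make SmartScreenUserOverride for files disappear from this table.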

Wrapping Up

I think I have covered pretty much everything related to SmartScreen. As I said, it can be a bit overwhelming to digest all the info. Start with the basics: understanding how it works and what it blocks is the 1st step, and a pilot rollout to understand the challenges will greatly help you cover your fleet faster and make it secure.

This is a quick FAQ which can come in handy: https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx

5 thoughts on “Microsoft Defender SmartScreen Deep Dive”

  1. Really great overview here Shehan!
    Whilst I knew most of the information, that was from a lot of testing, and I wish I would have read this before I started – keep up the great work. 😀


    1. Glad you found the post useful Joel. Your comments made my day 🙂 Yeah, I’ve been doing some Defender related work and wanted to properly understand the ins and outs of SmartScreen as well as to write my findings on it at the same time.


  2. Do you happen to know anyone on the Smart Screen product team? I have an issue with 3 users where they cannot send anything via onedrive as the recipient gets blocked by smartscreen. All of my other users (same tenant, same email domain, same file) can send just fine. This is spreading as it started with one. Then a backup user was delivering the financial data to the third party. Eventually they were blocked….. now a third.

