Microsoft Defender SmartScreen is the frontline defense against all threats. Did I put that right? It truly is a frontline protector on Windows computers and in the Edge browser on any OS platform. I’ve been dealing with a lot of SmartScreen configuration tasks and troubleshooting scenarios when working with customers, and I wanted to write about my experience with it.
I believe everyone has seen some sort of SmartScreen prompt by now. It can be something that pops up when you try to install an unverified app, when you try to download a file that you think is safe but in reality is not, or when you try to access a website that is either malicious or blocked by the Defender web content filtering policy. Either way, Microsoft 365 Defender understands that the user is trying to install or access something untrusted and blocks it with a warning.
SmartScreen settings can be overwhelming sometimes, as the same settings are available in different policies, and there is often a question of which settings should be applied. While the answer is “it depends”, my goal for this blog post is to do a deep dive into SmartScreen and clear the air a bit 🙂
What I will be Covering 👇🏽
- How SmartScreen Helps to Protect from Bad Actors?
- Available SmartScreen Settings in MDM and the Recommended Options
- Different Settings Names – Same CSP
- More SmartScreen Related Settings
- Where to Find SmartScreen Policies/ Settings
- Bypassing SmartScreen Warnings?? 🚩🚩
- Whitelisting of URLs to Enable SmartScreen
- End User Configuration
- Test Your SmartScreen Implementation
- SmartScreen Related Windows Event Logs
- Enhanced SmartScreen notifications in Microsoft Defender SmartScreen
- KQL to Hunt SmartScreen Events
- Wrapping Up
How SmartScreen Helps to Protect from Bad Actors?
SmartScreen works alongside security policies to enhance their protection capabilities. To simplify that statement: imagine you have Network Protection policies set up; SmartScreen comes in the middle and helps protect the user and the network from malicious activity.
I will be referencing the Microsoft Learn document, as it lists the benefits and covers all the scenarios.
Anti-phishing and anti-malware support
Helps block sites that host phishing attacks or attempt to distribute malicious software. It also helps protect against fake advertisements, scam sites, and drive-by attacks.
Reputation-based URL and app protection
Defender SmartScreen evaluates website URLs to determine whether they are known to distribute or host unsafe content. It also checks the reputation of apps, examining downloaded programs and their digital signatures.
Operating system integration
Integrated into the Windows 10/11 OS, it checks any files and apps (including third-party browsers and email clients) that attempt to download and run.
Improved heuristics and diagnostic data
Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
Management through group policy and Microsoft Intune
Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings.
Blocking URLs associated with potentially unwanted applications
In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications (PUAs). For more information on blocking URLs associated with PUAs
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
Available SmartScreen Settings in MDM and the Recommended Options
This article outlines the GPO- and MDM-related SmartScreen settings. I will be looking at the MDM settings specifically, mapping them to the corresponding Intune UI setting and providing the recommended value.
These settings can be found in the Settings Catalog, in Security Baselines, and in Device Restriction policies. I will be looking at the Settings Catalog in this scenario.
If you search for Smart Screen in the Settings Catalog, you will see the results below.
The main SmartScreen settings fall under the Browser and Windows SmartScreen areas. Check the Related Policy CSP column, as I have linked the related setting details there.
| Section | Setting | Recommended Setting | Related Policy CSP | Supported OS version |
| --- | --- | --- | --- | --- |
| Browser | Prevent Smart Screen Prompt Override For Files | Enabled | Browser/PreventSmartScreenPromptOverrideForFiles | Windows 10, version 1511, Windows 11 |
| Browser | Prevent Smart Screen Prompt Override | Enabled | Browser/PreventSmartScreenPromptOverride | Windows 10, version 1511, Windows 11 |
| Browser | Allow Smart Screen | Allow | Browser/AllowSmartScreen | Windows 10 |
| Smart Screen | Prevent Override For Files In Shell | Enabled | SmartScreen/PreventOverrideForFilesInShell | Windows 10, version 1703 |
| Smart Screen | Enable Smart Screen In Shell | Enabled | SmartScreen/EnableSmartScreenInShell | Windows 10, version 1703 |
| Smart Screen | Enable App Install Control | Enabled | SmartScreen/EnableAppInstallControl | Windows 10, version 1703 |
Different Settings Names – Same CSP
This is the tricky part, because policy settings can have two different names in two separate policies that connect to the same CSP (Configuration Service Provider), which leads to possible policy conflicts or errors if you have
I have three examples below from three different policies. Each policy has a SmartScreen section.
Have a look at the highlighted boxes to understand the mapping, so you can refer back to This article to see which CSP each setting uses.
- Endpoint Protection policy using a template; you will see the settings below.
SmartScreen for apps and files = EnableSmartScreenInShell
Unverified files execution = PreventOverrideForFilesInShell
Please check the same article to find the OMA-URI details of each setting.
- SmartScreen settings in the Device Restriction policies; you will see the settings below.
Unverified file download = PreventSmartScreenPromptOverrideForFiles
Malicious site access = PreventSmartScreenPromptOverride
- MDM Security Baseline policy’s SmartScreen section, as below.
Turn on Windows SmartScreen = EnableSmartScreenInShell
Block users from ignoring SmartScreen warnings = PreventOverrideForFilesInShell
More SmartScreen Related Settings
Apart from the above settings, there are other SmartScreen-related policies that help cover the threat landscape.
Edge Browser related settings
MDM Security Baseline Policy – Internet Explorer Section
Network Protection Policies – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
Windows Defender App Control – https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control
The rule of thumb is to make sure the same SmartScreen settings are not used in multiple policies for the same device/user group, as that will end up in policy conflicts and errors.
Where to Find SmartScreen Policies/ Settings
The section below lists the locations where SmartScreen settings are available:
- Group Policy
- Microsoft Intune
  - Defender Security Baselines
    - MDM Security Baseline
    - Microsoft Defender for Endpoint baseline
    - Microsoft Edge baseline
    - Windows 365 Security Baseline
  - Device Restriction policies
  - Web Content Filtering policy
Bypassing SmartScreen Warnings?? 🚩🚩
While allowing it can be a way to reduce calls to your IT helpdesk from users complaining about SmartScreen issues, it is highly recommended to block bypassing of SmartScreen warnings. There is always a 50/50 chance of the user misjudging the SmartScreen prompt and selecting Run Anyway because they want to get the work done.
If you don’t want your users to bypass the warning, make sure you have the setting below selected.
Block users from ignoring SmartScreen warnings = Block
OMA URI: ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
Data type: Integer
0 = Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
1 = Employees can’t ignore Microsoft Defender SmartScreen warnings and run malicious files.
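To verify that the recommended values above actually landed on a device, here is an added audit script (my own addition for this post, not Microsoft’s or the original post’s code). It assumes that Intune-delivered Policy CSP settings are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> and that the ADMX-backed shell policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; run it in an elevated PowerShell.

```powershell
# Added audit script (not from the original post). Assumes Policy CSP values are
# mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> and the
# ADMX-backed shell policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Area/setting pairs from the table in this post, all expected to be 1 (Enabled / Allow)
$checks = @(
    @{ Area = 'SmartScreen'; Name = 'EnableSmartScreenInShell' },
    @{ Area = 'SmartScreen'; Name = 'PreventOverrideForFilesInShell' },
    @{ Area = 'SmartScreen'; Name = 'EnableAppInstallControl' },
    @{ Area = 'Browser';     Name = 'AllowSmartScreen' },
    @{ Area = 'Browser';     Name = 'PreventSmartScreenPromptOverride' },
    @{ Area = 'Browser';     Name = 'PreventSmartScreenPromptOverrideForFiles' }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the policy never reached this device
}

$report = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path (Join-Path $mdmRoot $c.Area) -Name $c.Name
    [pscustomobject]@{
        Setting = "$($c.Area)/$($c.Name)"
        Actual  = $actual
        State   = if ($null -eq $actual) { 'NOT CONFIGURED' }
                  elseif ($actual -eq 1)  { 'OK' } else { 'MISMATCH' }
    }
})

# The two Shell settings also map to the classic GPO key, so a device that gets them
# via Group Policy shows up here. ShellSmartScreenLevel 'Block' = warn and prevent bypass.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$enable = Get-PolicyValue -Path $gpoKey -Name 'EnableSmartScreen'
$level  = Get-PolicyValue -Path $gpoKey -Name 'ShellSmartScreenLevel'
$report += [pscustomobject]@{
    Setting = 'GPO EnableSmartScreen / ShellSmartScreenLevel'
    Actual  = "$enable / $level"
    State   = if ($enable -eq 1 -and $level -eq 'Block') { 'OK' }
              elseif ($null -eq $enable) { 'NOT CONFIGURED' } else { 'MISMATCH' }
}

$report | Format-Table -AutoSize
# Non-zero exit when anything mismatches or nothing is configured at all,
# so the script can double as a compliance check in a scheduled job
if ($report.State -contains 'MISMATCH' -or -not ($report.State -contains 'OK')) { exit 1 }
```

A device managed only by Group Policy will legitimately show the six MDM rows as NOT CONFIGURED and the GPO row as OK.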
Whitelisting of URLs to enable SmartScreen
The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you block traffic to these endpoints, SmartScreen notifications will not appear.
If you have a proxy or firewall set up, you need to allow/whitelist the URLs below.
End User Configuration
When SmartScreen is activated via the policies, the end user’s Windows Security app will show the App & browser control feature as activated, as you can see below.
Test Your SmartScreen Implementation
I found two good ways to test your environment and fine-tune the whitelisted URLs and policy settings.
Windows Defender SmartScreen connectivity test
I found this wonderful tool in a GitHub repo from NSA Cybersecurity Directorate and
🔗 Windows Defender SmartScreen connectivity test
Defender Demos Page
This is a good way to test SmartScreen scenarios by launching demo websites and downloading apps.
SmartScreen Related Windows Event Logs
SmartScreen event logs are not generated automatically unless you enable them on the workstation.
Event Logs location: Microsoft-Windows-SmartScreen/Debug
To enable logs: run below in an elevated CMD
wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
Look for the EventIDs below.
Edge Browser SmartScreen Events (Version 77 or higher)
Event 1035 – Anti-Phishing – More Info
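As an added helper (my own script, not from the original post or Microsoft), the snippet below enables the debug channel with the same wevtutil command, then summarises what it captured. It assumes only the log name given above and the fact that Debug/Analytic channels can only be read by Get-WinEvent with -Oldest.

```powershell
# Added example (not from the original post): enable the SmartScreen debug channel,
# then count events per ID and pull the EventData fields of the 1035 anti-phishing events.
$log   = 'Microsoft-Windows-SmartScreen/Debug'
$hours = 24
wevtutil sl $log /e:true    # same command the post gives; needs an elevated session

$since  = (Get-Date).AddHours(-$hours)
# Debug/Analytic logs must be read oldest-first, otherwise Get-WinEvent refuses them
$events = Get-WinEvent -LogName $log -Oldest -ErrorAction SilentlyContinue |
          Where-Object TimeCreated -ge $since

if (-not $events) {
    Write-Host "No SmartScreen events in the last $hours h (log only just enabled?)"
    return
}

# Overview: which event IDs fired and how often; 1035 is the anti-phishing event (Edge 77+)
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Detail for 1035: flatten the named EventData fields so URL/process values are reviewable
$events | Where-Object Id -eq 1035 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Message = $_.Message
        Data    = ($xml.Event.EventData.Data |
                   ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
    }
} | Format-List
```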
Enhanced SmartScreen notifications in Microsoft Defender SmartScreen
Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. I wrote about this some time ago and you can find more below.
🔗Microsoft Learn Documentation can be found here
KQL to Hunt SmartScreen Events
Advanced hunting using KQL is always interesting. I hope the details below will help you start looking for events.
Table to query: DeviceEvents
Action Type Values:
I think I have covered pretty much everything related to SmartScreen. As I said, it can be a bit overwhelming to digest all the info. Start with the basics: understanding how it works and what it blocks is the first step, and a pilot rollout to understand the challenges will greatly help you cover your fleet faster and make it secure.
This is a quick FAQ which can come in handy – https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx
6 thoughts on “Microsoft Defender SmartScreen Deep Dive”
Really great overview here Shehan!
Whilst I knew most of the information that was from a lot of testing and I wish I would have read this before I started – keep up the great work. 😀
Glad you found the post useful Joel. Your comments made my day 🙂 Yeah, I’ve been doing some Defender related work and wanted to properly understand the ins and outs of SmartScreen as well as to write my findings on it at the same time.
Do you happen to know anyone on the Smart Screen product team? I have an issue with 3 users where they cannot send anything via OneDrive as the recipient gets blocked by SmartScreen. All of my other users (same tenant, same email domain, same file) can send just fine. This is spreading as it started with one. Then a backup user was delivering the financial data to the third party. Eventually they were blocked….. now a third.
Not sure, but check OS versions of the devices affected by the issue, and patch levels, try to capture the SmartScreen events, and see if you can find any reason why.