How to configure Microsoft Defender SmartScreen via Microsoft Intune?

The purpose of this blog post is to inform you how to configure Microsoft Defender SmartScreen in Windows, Edge, and Google Chrome via Microsoft Intune.

In this blog post, I will use the Endpoint Protection and Administrative Templates configuration profile to configure SmartScreen. Some of those Microsoft Defender SmartScreen settings are also part of the Microsoft Security baseline, but I like to have all the configuration of a feature in one profile instead of configuration in multiple profiles and configured in different places in the Intune portal.  

Requirements:

  • Windows 10 Pro/Enterprise
  • Microsoft Intune license

What is Microsoft Defender SmartScreen, and why should I configure it?

Microsoft Defender SmartScreen is a Windows built-in security solution that helps protect your users against phishing or malware websites and malicious applications, and protects them from downloading (potentially) malicious files.

Microsoft Defender SmartScreen provides a warning page against e.g., websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack.

When Microsoft Defender SmartScreen is configured, you will have the following benefits:

  • Anti-phishing and anti-malware support
  • Reputation-based URL and app protection
  • Fully integrated into Windows 10 and 11
  • Management via Microsoft Intune
  • Microsoft Defender SmartScreen is constantly learning
  • Blocking URLs associated with potentially unwanted applications

Microsoft Defender SmartScreen checks the reputation of any website, application, or web-based app the first time it’s run. Microsoft Defender SmartScreen will check the digital signatures and some other factors against a Microsoft-maintained service. If an app or website has no reputation or is known to be malicious, Microsoft Defender SmartScreen will warn the user or block the app from running entirely.

So, Microsoft Defender SmartScreen is a security layer that needs to be implemented in my opinion to protect your users against the dark part of the internet.

Which configuration profile setting should I configure?

In this blog post, I will configure SmartScreen via Microsoft Intune Administrative Templates. So, I will configure only the settings required for Windows 10/11 devices managed by Microsoft Intune.

Administrative template Microsoft Edge

Configure Microsoft Defender SmartScreen

This policy needs to be enabled so Microsoft Defender SmartScreen is turned on and the end-user cannot disable Microsoft Defender SmartScreen.


Configure Microsoft Defender SmartScreen to block potentially unwanted apps

This policy needs to be enabled to block potentially unwanted apps like adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites.


Enable Microsoft Defender SmartScreen DNS requests

This policy needs to be enabled. Microsoft Defender SmartScreen will make DNS requests to get the IP address of a site, and these IP addresses will be used for IP-based protection.


Enable new SmartScreen library

This policy needs to be enabled. Microsoft Edge will load the new SmartScreen library (libSmartScreenN) for all checks on site URLs or application downloads.


Force Microsoft Defender SmartScreen checks on downloads from trusted sources

This policy needs to be enabled. Microsoft Defender SmartScreen will also check the download reputation from files that are downloaded from a trusted source.


Prevent bypassing Microsoft Defender SmartScreen prompts for sites

This policy needs to be enabled. Users cannot bypass the Microsoft Defender SmartScreen warnings about potentially malicious websites.


Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads

This policy needs to be enabled. Users cannot bypass the Microsoft Defender SmartScreen warnings about unverified downloads.

Administrative template Google Chrome

Configure the list of force-installed apps and extensions

This policy needs to be enabled. The Microsoft Defender extension will be installed automatically and cannot be turned off by the user.


Note:
This policy doesn’t apply to Incognito mode.


Incognito mode availability

This policy needs to be enabled and set to Incognito mode disabled. Because the force-installed extension does not apply to Incognito mode, disabling Incognito mode ensures that SmartScreen is also enforced in Google Chrome.

Endpoint Protection Policy

SmartScreen for apps and files

This policy needs to be set to Enable. SmartScreen will then be enabled on Windows 10/11 and will check files on execution and running apps.


Unverified files execution

This policy needs to be set to block, so it will block users from running unverified and malicious files.

How to configure Microsoft Defender SmartScreen

Microsoft Edge
  • Select Windows 10 and later as the platform
  • Select Templates as the profile type and select Administrative Templates
  • Click on Create
  • Provide a policy name, e.g., EndpointCave-PRD-W10-MicrosoftEdge
  • Set a description, so that everyone with access to the portal knows the purpose
  • Click on Next and select the needed configuration settings.
  • Click on Microsoft Edge
  • Click on SmartScreen settings
  • Configure all required configuration settings:
SmartScreen setting name | Value
Configure Microsoft Defender SmartScreen | Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps | Enabled
Enable Microsoft Defender SmartScreen DNS requests | Enabled
Enable new SmartScreen library | Enabled
Force Microsoft Defender SmartScreen checks on downloads from trusted sources | Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites | Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | Enabled
  • Click on Next
  • Enter a scope tag if needed and click on Next
  • Assign the profile to a group and click on Next
  • Check the configuration at the Review + Create page and click on Create
Google Chrome
  • Select Windows 10 and later as the platform
  • Select Templates as the profile type and select Administrative Templates
  • Click on Create
  • Provide a policy name, e.g., EndpointCave-PRD-W10-GoogleChrome
  • Set a description, so that everyone with access to the portal knows the purpose
  • Click on Next and select the needed configuration settings.
  • Click on Google
  • Click on Google Chrome
  • Enable the setting Configure the list of force-installed apps and extensions
  • Set the Extension/App ID, so the Microsoft Defender SmartScreen extension will be silently installed:
bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx
  • Go back to Google Chrome and search for Incognito mode availability
  • Enable Incognito mode availability and set the incognito mode availability to Incognito mode disabled
  • Click on Ok
  • Now it is time to save the configuration and click on Next
  • Enter a scope tag if needed and click on Next
  • Assign the profile to a group and click on Next
  • Check the configuration at the Review + Create page and click on Create
Endpoint protection
  • Select Windows 10 and later as the platform
  • Select Templates as the profile type and select Endpoint Protection
  • Click on Create
  • Provide a policy name, e.g., EndpointCave-PRD-W10-EndpointProtection
  • Set a description, so that everyone with access to the portal knows the purpose
  • Click on Next and then click on Microsoft Defender SmartScreen
  • Configure all required configuration settings:
SmartScreen setting name | Value
SmartScreen for apps and files | Enabled
Unverified files execution | Enabled
  • Click on Next
  • Enter a scope tag if needed and click on Next
  • Assign the profile to a group and click on Next
  • At the applicability rules page, configure some rules or click on next
  • Check the configuration at the Review + Create page and click on Create

Test your Microsoft Defender SmartScreen configuration

If you want to check whether your configuration has been applied successfully to your device, you can open the policy page in Microsoft Edge or Google Chrome via the following URLs:

Edge: Edge://policy
Chrome: Chrome://policy

To validate that SmartScreen is working correctly, you can use the Defender testground until the 15th of June via UrlRep – Microsoft Defender Testground and select one of the demo scenarios.
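As an added check that is not part of the original post, the PowerShell script below reads the policy registry values that the three Intune profiles described above should have written to the device and reports any that are missing or wrong. The registry paths and value names are the standard Group Policy registry mappings for these Edge, Chrome and Windows SmartScreen policies (my assumption, not stated in the post); Edge://policy and Chrome://policy remain the authoritative view.

```powershell
# Added verification script (not from the original post). Checks the registry
# values the Edge, Chrome and Endpoint Protection profiles above should produce.
# Paths and value names are the Group Policy mappings as I know them
# (assumption); run in an elevated PowerShell on an enrolled device.

$expected = @(
    # Microsoft Edge administrative template settings
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='SmartScreenEnabled';                       Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='SmartScreenPuaEnabled';                    Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='SmartScreenDnsRequestsEnabled';            Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='NewSmartScreenLibraryEnabled';             Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='SmartScreenForTrustedDownloadsEnabled';    Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='PreventSmartScreenPromptOverride';         Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name='PreventSmartScreenPromptOverrideForFiles'; Value=1 }
    # Google Chrome: Incognito mode disabled (1) so the extension cannot be sidestepped
    @{ Path='HKLM:\SOFTWARE\Policies\Google\Chrome'; Name='IncognitoModeAvailability'; Value=1 }
    # Windows SmartScreen for apps and files, unverified files blocked
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name='EnableSmartScreen';     Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name='ShellSmartScreenLevel'; Value='Block' }
)

$failures = 0
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $actual) {
        Write-Host ("MISSING  {0}\{1}" -f $e.Path, $e.Name) -ForegroundColor Yellow; $failures++
    } elseif ("$actual" -ne "$($e.Value)") {
        Write-Host ("WRONG    {0}\{1} = {2} (expected {3})" -f $e.Path, $e.Name, $actual, $e.Value) -ForegroundColor Red; $failures++
    } else {
        Write-Host ("OK       {0}\{1} = {2}" -f $e.Path, $e.Name, $actual) -ForegroundColor Green
    }
}

# The force-installed extension list is a subkey holding numbered string values of the form "id;update_url"
$forceList = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$wanted    = 'bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx'
$entries   = if (Test-Path $forceList) {
    (Get-ItemProperty $forceList).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
} else { @() }
if ($entries -contains $wanted) {
    Write-Host 'OK       Chrome force-install list contains the Microsoft Defender extension' -ForegroundColor Green
} else {
    Write-Host 'MISSING  Chrome force-install list entry for the Microsoft Defender extension' -ForegroundColor Yellow; $failures++
}

if ($failures -eq 0) { Write-Host 'All SmartScreen policies applied.' } else { Write-Host "$failures setting(s) not applied as expected."; exit 1 }
```

The script exits non-zero when any setting is absent or differs, so it can also run as an Intune compliance or remediation script to detect drift after deployment.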

Results
