With SmartScreen, Microsoft supplements the antivirus engine with reputation-based protection. While the virus scanner inspects the file system periodically or in real time and watches for suspicious activity, SmartScreen acts earlier: it steps in before a downloaded file runs or a questionable page is displayed.
Warning about problematic websites
SmartScreen warns users about websites that Microsoft classifies as dangerous and blocks the download of apps that could pose a risk. For this, Microsoft maintains lists of known phishing and malware sites. In addition, SmartScreen checks visited websites for suspicious behavior.
While the protection against opening malicious websites is limited to Microsoft's own Edge browser, SmartScreen examines every Internet download on Windows for potential risks, regardless of which browser fetched it.
Defense against downloaded malware
This examination does not scan the file's content (that is the job of the antivirus engine) but relies on reputation. Microsoft maintains a list of well-known files that pass unchallenged.
Conversely, SmartScreen may object to a harmless but little-known program, typically with the "Windows protected your PC" dialog. To reduce such false positives, a second criterion is the reputation of the source from which the file was downloaded.
Enhanced phishing protection
Windows 11 22H2 (the 2022 Update) extends SmartScreen's protection against phishing attacks by monitoring how passwords are used. It provides the following three functions:
Entering passwords into insecure sites
If users enter their Windows passwords (Microsoft account, Active Directory, Azure AD, or a local account) into a fraudulent website, SmartScreen warns them and prompts them to change the password. Microsoft Edge and other Chromium-based browsers are supported.
If the company uses Microsoft Defender for Endpoint, the incident also appears in the MDE portal. Admins thus learn that a password may have been compromised and can force a password change if the user ignored the warning.
Reuse of passwords
Monitoring passwords entered into web applications also helps curb the widespread bad habit of using the same password for multiple accounts.
This is particularly problematic when employees reuse their company password on social media or in online stores. If one of these websites is breached and the password lists circulate on the Internet, attackers replay them in credential-stuffing attacks against other services, including the corporate account.
Storing passwords in files
In addition, enhanced phishing protection detects when users save their passwords in Office documents, in WordPad, or in plain text files and warns them about it.
Interactive configuration of Defender SmartScreen
If you want to configure Defender SmartScreen interactively, the settings for it are located in the Windows Security app under App and browser Control > Reputation-based protection.
The options Check apps and files and SmartScreen for Microsoft Edge correspond to the original SmartScreen features that also exist in Windows 10 and Windows 11 21H2. Here they can only be turned on or off; Group Policy offers finer control. At the bottom of this dialog there is also a setting for checking Store apps.
Potentially unwanted app blocking covers downloads such as adware that are not directly dangerous but are used for dubious activities.
The three options for the new phishing protection are also present here. They warn users when entering passwords in malicious apps and websites, when reusing passwords, and when saving them in files.
Configure Defender SmartScreen using group policies
In managed environments, SmartScreen is usually configured centrally via GPOs. The settings for this can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender SmartScreen.
There are two settings each in the Explorer and Microsoft Edge folders. Those for File Explorer are designed to prevent problematic applications from installing or running.
With Configure App Install Control, you can ensure that users may only add Store apps. Since standard users in managed environments usually lack permission to install programs anyway, this option is rarely needed there.
Configure Windows Defender SmartScreen, on the other hand, reduces the risk from portable applications that need no installation. The policy has two modes: Warn shows the SmartScreen dialog but lets the user run the file anyway, while Warn and prevent bypass removes that override, so suspicious files are blocked outright.
For Edge, there are two settings (these are also the only SmartScreen settings that exist in the User Configuration branch):
- Configure Windows Defender SmartScreen
- Prevent bypassing Windows Defender SmartScreen prompts for sites
The first setting, when enabled, forces SmartScreen on and prevents users from turning it off; when disabled, it switches the feature off.
The second setting determines whether users may click through warnings about dangerous websites, which they can by default. If you enable it, SmartScreen blocks the URL in question with no override.
Note that these policies in the Windows Components folder target the legacy (EdgeHTML) Edge. The Chromium-based Edge is configured with its own ADMX template under Microsoft Edge > SmartScreen settings, which provides the same two controls.
There are four settings in the folder for the new Enhanced Phishing Protection:
- Notify Malicious: warns users when they enter their password into a malicious app or website
- Notify Password Reuse: warns users when they reuse their company password elsewhere
- Notify Unsafe App: warns users when they save their password in a file (Office documents, WordPad, text files)
- Service Enabled: turns Enhanced Phishing Protection on or off; the three notifications only take effect when this is enabled
The Set-MpPreference cmdlet configures many Defender settings, but not those for SmartScreen. Without GPO or Intune, the only option is therefore to set the corresponding policy values in the registry directly.
For example, to switch SmartScreen for Explorer off entirely (the policy equivalent of disabling Configure Windows Defender SmartScreen), you could use this call in an elevated PowerShell; -Force creates the key if necessary and overwrites an existing value instead of failing:
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ -Name EnableSmartScreen -Value 0 -PropertyType DWORD -Force
The same applies to extended phishing protection. The keys for this can be found under
and are called ServiceEnabled, NotifyMalicious, NotifyPasswordReuse and NotifyUnsafeApp.
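The following script is an added example and not code from the 4sysops article. It applies the Explorer SmartScreen and Enhanced Phishing Protection policy values the two preceding paragraphs describe, and reads them back so you can audit a machine. The Explorer key is the one the article uses; the value ShellSmartScreenLevel and the Enhanced Phishing Protection key path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components are assumptions taken from Microsoft's policy documentation (the article names the four values but not their key), so verify them against current documentation before rolling this out.

```powershell
# Added example (not from the 4sysops article): set and audit SmartScreen policy
# values directly in the registry. Run in an elevated PowerShell session.
#
# Assumptions, to be verified against current Microsoft documentation:
#  - Explorer SmartScreen policy values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System:
#      EnableSmartScreen     (DWORD, 1 = on, 0 = off)         -- shown in the article
#      ShellSmartScreenLevel (String, "Warn" or "Block")       -- assumed name
#  - Enhanced Phishing Protection values (ServiceEnabled, NotifyMalicious,
#    NotifyPasswordReuse, NotifyUnsafeApp; DWORD 1/0) live under
#    HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components -- assumed path

$ShellKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$EppKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'   # assumed path

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'String')] [string] $Type = 'DWord'
    )
    # Policy keys do not exist until a GPO (or an admin) creates them, so create the
    # path first. -Force lets New-ItemProperty overwrite an existing value instead of failing.
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-SmartScreenHardening {
    # Keep SmartScreen for Explorer on and remove the "Run anyway" override, so that
    # unrecognised downloads and portable apps are blocked rather than merely warned about.
    Set-PolicyValue -Key $ShellKey -Name 'EnableSmartScreen'     -Value 1
    Set-PolicyValue -Key $ShellKey -Name 'ShellSmartScreenLevel' -Value 'Block' -Type String

    # Turn on Enhanced Phishing Protection together with all three notifications.
    foreach ($name in 'ServiceEnabled', 'NotifyMalicious', 'NotifyPasswordReuse', 'NotifyUnsafeApp') {
        Set-PolicyValue -Key $EppKey -Name $name -Value 1
    }
}

function Get-SmartScreenPolicyState {
    # Read the values back. A missing value means "not configured", i.e. the in-box
    # default applies, which is what an unmanaged machine reports.
    $read = {
        param($Key, $Name)
        try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
        catch { 'not configured' }
    }
    [pscustomobject]@{
        EnableSmartScreen     = & $read $ShellKey 'EnableSmartScreen'
        ShellSmartScreenLevel = & $read $ShellKey 'ShellSmartScreenLevel'
        ServiceEnabled        = & $read $EppKey   'ServiceEnabled'
        NotifyMalicious       = & $read $EppKey   'NotifyMalicious'
        NotifyPasswordReuse   = & $read $EppKey   'NotifyPasswordReuse'
        NotifyUnsafeApp       = & $read $EppKey   'NotifyUnsafeApp'
    }
}

# Usage (elevated):
#   Set-SmartScreenHardening
#   Get-SmartScreenPolicyState | Format-List
```

Values written under HKLM\SOFTWARE\Policies are treated exactly like GPO-delivered settings: the Windows Security app shows them as managed by your organization, and a later Group Policy refresh will overwrite them if a GPO configures the same setting, so use this only on machines that are not already under GPO or Intune management for SmartScreen.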
This app is blocked by your system administrator; unable to find apps in taskbar, clipboard.
Need to investigate the below-mentioned machines showing a pop-up: "This App has been blocked by System Administrator."
When we click on Windows Security > Action recommended, it displays the message "This App has been blocked by System Administrator." Please find the screenshot attached.