How to Configure Microsoft Defender SmartScreen Using Microsoft Intune

Configure Microsoft Defender SmartScreen protection through Microsoft Intune's Settings Catalog to protect organizational devices against phishing websites, malware, and malicious file downloads.

March 30, 2026 · 15 min
medium · intune · 9 steps

Why Configure Microsoft Defender SmartScreen Through Intune?

Microsoft Defender SmartScreen serves as a critical first line of defense against phishing websites, malware applications, and potentially malicious file downloads. In enterprise environments, managing SmartScreen through Microsoft Intune provides centralized control and consistent security policies across all organizational devices running Windows 10 and Windows 11.

SmartScreen operates as a cloud-based reputation service that evaluates websites, applications, and files against Microsoft's threat intelligence database. When users attempt to access potentially dangerous content, SmartScreen displays warnings or blocks access entirely, depending on your configuration. This protection extends beyond just web browsing to include file downloads through Windows File Explorer and application installations.

What SmartScreen Protection Methods Are Available in Intune?

Microsoft Intune offers two primary methods for deploying SmartScreen policies: the Settings Catalog and Endpoint Security profiles. The Settings Catalog provides comprehensive access to all available SmartScreen MDM settings, including granular controls for preventing user overrides of security warnings. This method supports six key configuration areas: basic SmartScreen enablement, shell protection, app installation control, and three different override prevention settings.

The alternative Endpoint Security profile method offers a more streamlined interface but provides fewer configuration options. Many organizations adopt a hybrid approach, using Endpoint Security profiles for basic enablement and supplementing with Settings Catalog policies for advanced controls. This tutorial focuses on the Settings Catalog method to provide complete SmartScreen protection coverage.

How Does SmartScreen Integration Work with Modern Windows Environments?

SmartScreen integration varies across different Windows contexts and applications. File Explorer and Windows Shell SmartScreen operate independently from browser-based SmartScreen protection in Microsoft Edge. Each requires separate configuration through Intune policies. Additionally, SmartScreen protection is not available for Google Chrome, requiring alternative security measures for organizations using Chrome browsers.

The configuration process involves deploying MDM policies that control SmartScreen behavior at the system level. These policies take precedence over local user settings and provide administrators with enforcement capabilities that prevent users from disabling critical security protections. Understanding these integration points ensures comprehensive protection across all user interaction scenarios.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Settings Catalog

Open your web browser and navigate to the Microsoft Intune admin center. We'll use the Settings Catalog method as it provides comprehensive SmartScreen configuration options.

https://intune.microsoft.com

Sign in with your administrative credentials. Once logged in, navigate to Devices in the left navigation pane, then select Configuration profiles. Click Create profile to start creating a new configuration policy.

In the profile creation wizard, select:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Click Create to proceed to the configuration screen.

Pro tip: The Settings Catalog provides access to all available SmartScreen MDM settings, unlike Endpoint Security profiles which have limited options.

Verification: You should now see the Settings Catalog configuration interface with a search bar and categories panel.

02

Configure Basic SmartScreen Settings

In the Settings Catalog interface, use the search bar to find SmartScreen settings. Type SmartScreen in the search field. You'll see several SmartScreen-related settings appear.

Select and configure these essential SmartScreen settings:

1. Allow Smart Screen:

  • Setting: Allow Smart Screen
  • Value: Enabled
  • Description: This is the master switch that enables SmartScreen functionality

2. Enable Smart Screen In Shell:

  • Setting: Enable Smart Screen In Shell
  • Value: Enabled
  • Description: Activates SmartScreen protection in Windows File Explorer and Shell

3. Enable App Install Control:

  • Setting: Enable App Install Control
  • Value: Enabled
  • Description: Provides protection against potentially malicious app installations

Click Add for each setting you want to include in your policy.

Warning: Don't enable all settings at once in production without testing. Start with basic enablement and gradually add restrictions.

Verification: Your selected settings should appear in the configuration summary on the right side of the screen.

03

Configure Advanced SmartScreen Protection Settings

Now we'll add more granular SmartScreen controls to prevent users from bypassing security warnings. Continue searching for these additional settings:

1. Prevent Override For Files In Shell:

  • Setting: Prevent Override For Files In Shell
  • Value: Enabled
  • Description: Prevents users from ignoring SmartScreen warnings about malicious files in File Explorer

2. Prevent Smart Screen Prompt Override:

  • Setting: Prevent Smart Screen Prompt Override
  • Value: Enabled
  • Description: Blocks users from bypassing SmartScreen warnings for websites and applications

3. Prevent Smart Screen Prompt Override For Files:

  • Setting: Prevent Smart Screen Prompt Override For Files
  • Value: Enabled
  • Description: Specifically prevents override of file-related SmartScreen warnings

These settings create a more restrictive security posture where users cannot easily bypass SmartScreen protections.

Pro tip: Consider your organization's user experience requirements. Highly restrictive settings may generate help desk tickets from users who need to download legitimate but unrecognized files.

Verification: You should now have 6 SmartScreen settings configured in your policy. Review the summary panel to ensure all settings are correctly configured.

04

Name and Assign the Configuration Profile

Click Next to proceed to the profile naming and assignment section. Provide a clear, descriptive name for your SmartScreen policy:

Name: Microsoft Defender SmartScreen - Enhanced Protection
Description: Enables SmartScreen protection with user override prevention for enhanced security against phishing, malware, and malicious downloads

Click Next to proceed to the Assignments tab. Here you'll specify which devices or users should receive this policy.

Assignment Options:

  • All devices: Applies to all Intune-enrolled Windows devices
  • All users: Applies to devices of all enrolled users
  • Selected groups: Target specific Azure AD groups (recommended for testing)

For initial deployment, select Selected groups and choose a pilot group of devices or users. Click Select groups to include and choose your target group.

Warning: Always test SmartScreen policies with a pilot group first. Overly restrictive settings can impact legitimate business workflows.

Verification: Confirm your selected groups appear in the assignments section before proceeding.

05

Review and Create the SmartScreen Policy

Click Next to reach the Review + create section. Carefully review all your SmartScreen configuration settings:

Settings to verify:

  • Allow Smart Screen: Enabled
  • Enable Smart Screen In Shell: Enabled
  • Enable App Install Control: Enabled
  • Prevent Override For Files In Shell: Enabled
  • Prevent Smart Screen Prompt Override: Enabled
  • Prevent Smart Screen Prompt Override For Files: Enabled

Review the assignment details to ensure you're targeting the correct groups. Once satisfied with the configuration, click Create to deploy the policy.

The policy will now be created and begin deploying to assigned devices. Intune will show the policy status as "Deploying" initially.

Pro tip: Document your SmartScreen policy settings and rationale. This helps with troubleshooting and future policy updates.

Verification: Navigate to Devices > Configuration profiles and confirm your new SmartScreen policy appears in the list with a status of "Deploying" or "Succeeded".

06

Monitor Policy Deployment and Device Compliance

After creating the policy, monitor its deployment status to ensure devices are receiving and applying the SmartScreen configuration. Click on your newly created SmartScreen policy from the Configuration profiles list.

In the policy overview, you'll see deployment statistics:

  • Succeeded: Devices that successfully applied the policy
  • Error: Devices that encountered errors during policy application
  • Conflict: Devices with conflicting policies
  • Not applicable: Devices that don't meet the policy requirements

Click on Device status to see detailed per-device deployment information. This view shows:

  • Device name and user
  • Compliance status
  • Last check-in time
  • Error details (if any)

For troubleshooting, click on individual devices to view detailed error messages and resolution guidance.

Common issue: Devices running Windows 10 versions earlier than 1703 will show "Not applicable" status as they don't support all SmartScreen MDM settings.

Verification: Wait 15-30 minutes after policy creation, then check that target devices show "Succeeded" status in the device status view.

07

Test SmartScreen Functionality on Target Devices

Once the policy shows successful deployment, test SmartScreen functionality on a target device to confirm the configuration is working correctly.

Test 1: File Explorer SmartScreen

On a target device, download a test file that might trigger SmartScreen (like an unsigned executable from the internet). SmartScreen should display a warning dialog.

Test 2: Verify Override Prevention

If you enabled override prevention settings, users should not be able to bypass SmartScreen warnings by clicking "Run anyway" or similar options.

Test 3: Check SmartScreen Status via PowerShell

Run this PowerShell command on the target device. Get-MpPreference reports Microsoft Defender Antivirus preferences and has no SmartScreen properties, so it shows only the related network protection and PUA protection state; the SmartScreen policy values themselves are checked in Test 4:

Get-MpPreference | Select-Object EnableNetworkProtection, PUAProtection

Test 4: Registry Verification

Check the registry to confirm MDM policies are applied. Settings delivered through MDM are stored under the PolicyManager key:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SmartScreen" -Name "EnableSmartScreenInShell"

Pro tip: Use the EICAR test file (a harmless test file designed to trigger antivirus) to safely test SmartScreen without downloading actual malware.

Verification: SmartScreen warnings should appear when downloading potentially malicious content, and users should not be able to bypass warnings if override prevention is enabled.

08

Configure Additional SmartScreen Settings for Microsoft Edge

Microsoft Defender SmartScreen also protects Microsoft Edge browsing. While the shell-based settings we configured protect file downloads, you should also configure Edge-specific SmartScreen settings for comprehensive protection.

Create a new configuration profile specifically for Edge SmartScreen:

Navigate to Devices > Configuration profiles > Create profile

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Search for "Microsoft Edge" settings and configure:

1. SmartScreen for Microsoft Edge:

  • Setting: Configure Microsoft Defender SmartScreen
  • Value: Enabled

2. SmartScreen for Downloads:

  • Setting: Configure Microsoft Defender SmartScreen to block potentially unwanted apps
  • Value: Enabled

3. Prevent SmartScreen Override:

  • Setting: Prevent bypassing Microsoft Defender SmartScreen prompts for sites
  • Value: Enabled

Assign this policy to the same groups as your main SmartScreen policy.

Important: Edge SmartScreen settings are separate from Windows Shell SmartScreen. Both need to be configured for complete protection.

Verification: Test by navigating to a known phishing test site in Microsoft Edge. SmartScreen should block access with an appropriate warning message.
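
Added example, not part of the original guide: a read-only PowerShell audit covering the registry check in step 07 and the Edge profile in step 08. It assumes that Policy CSP values delivered over MDM are stored under PolicyManager\current\device\<Area>, that Edge policies are stored under HKLM:\SOFTWARE\Policies\Microsoft\Edge, and that the three Edge settings map to the value names SmartScreenEnabled, SmartScreenPuaEnabled and PreventSmartScreenPromptOverride; the function name is hypothetical.

```powershell
# Added example: audit the SmartScreen values this guide configures.
# Assumptions (not stated in the guide): Policy CSP values delivered over MDM
# are stored under PolicyManager\current\device\<Area>, and Microsoft Edge
# policies under HKLM:\SOFTWARE\Policies\Microsoft\Edge. 1 = Enabled.
$Mdm  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$Edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

$Expected = @(
    # Steps 02-03: Windows Shell settings and Browser-area settings
    @{ Key = "$Mdm\Browser";     Name = 'AllowSmartScreen' }
    @{ Key = "$Mdm\SmartScreen"; Name = 'EnableSmartScreenInShell' }
    @{ Key = "$Mdm\SmartScreen"; Name = 'EnableAppInstallControl' }
    @{ Key = "$Mdm\SmartScreen"; Name = 'PreventOverrideForFilesInShell' }
    @{ Key = "$Mdm\Browser";     Name = 'PreventSmartScreenPromptOverride' }
    @{ Key = "$Mdm\Browser";     Name = 'PreventSmartScreenPromptOverrideForFiles' }
    # Step 08: Microsoft Edge policy value names for the three Edge settings
    @{ Key = $Edge; Name = 'SmartScreenEnabled' }
    @{ Key = $Edge; Name = 'SmartScreenPuaEnabled' }
    @{ Key = $Edge; Name = 'PreventSmartScreenPromptOverride' }
)

# Hypothetical helper: returns one row per expected value with its status.
function Get-SmartScreenPolicyState {
    foreach ($item in $Expected) {
        $actual = $null
        if (Test-Path -LiteralPath $item.Key) {
            # Read one named value; a missing value yields $null instead of an error
            $prop   = Get-ItemProperty -LiteralPath $item.Key -Name $item.Name -ErrorAction SilentlyContinue
            $actual = $prop.($item.Name)
        }
        $status = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq 1) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{
            Key     = $item.Key
            Setting = $item.Name
            Actual  = $actual
            Status  = $status
        }
    }
}

$report = @(Get-SmartScreenPolicyState)
$report | Format-Table Setting, Actual, Status, Key -AutoSize

# Summarise anything that is absent or not set to Enabled
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} SmartScreen values are missing or not enabled." -f $bad.Count, $report.Count)
}
```

Missing means the value was not found at the assumed location; Mismatch means it is present but not set to 1.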

09

Set Up Reporting and Ongoing Monitoring

Establish ongoing monitoring to track SmartScreen effectiveness and policy compliance across your organization.

1. Configure Intune Reporting:

Navigate to Reports > Device compliance to create custom reports for SmartScreen policy compliance. Set up automated reports to track:

  • Policy deployment success rates
  • Devices with policy conflicts
  • Non-compliant devices requiring attention

2. Enable Microsoft Defender for Endpoint Integration (if available):

If your organization uses Microsoft Defender for Endpoint, SmartScreen events will appear in the security dashboard. Configure alerts for:

  • SmartScreen blocks and warnings
  • Attempts to bypass SmartScreen protections
  • Malware detection events

3. Set Up Regular Policy Reviews:

Schedule monthly reviews of SmartScreen policy effectiveness:

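# PowerShell script to check SmartScreen policy status across devices
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "DeviceManagementConfiguration.Read.All"
$devices = Get-MgDeviceManagementManagedDevice -All
foreach ($device in $devices) {
    # Per-device configuration states, filtered by profile name (assumes the name contains "SmartScreen")
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/deviceConfigurationStates"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.displayName -like "*SmartScreen*" } |
        ForEach-Object { "{0}: {1} = {2}" -f $device.DeviceName, $_.displayName, $_.state }
}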

4. User Training and Communication:

Develop user awareness materials explaining SmartScreen warnings and proper responses to security prompts.

Pro tip: Create a dashboard showing SmartScreen block statistics to demonstrate security value to management and justify the policy investment.

Verification: Set up a test schedule to regularly verify SmartScreen is functioning correctly across different device types and user scenarios.

Frequently Asked Questions

What's the difference between Settings Catalog and Endpoint Security profiles for SmartScreen configuration in Intune?
Settings Catalog provides access to all six available SmartScreen MDM settings including granular override prevention controls, while Endpoint Security profiles offer a streamlined interface with fewer configuration options. Settings Catalog is recommended for comprehensive SmartScreen deployment as it supports AllowSmartScreen, EnableAppInstallControl, EnableSmartScreenInShell, PreventOverrideForFilesInShell, PreventSmartScreenPromptOverride, and PreventSmartScreenPromptOverrideForFiles settings. Many organizations use both methods together for complete coverage.

Does Microsoft Defender SmartScreen work with Google Chrome browsers in Intune-managed environments?
No, Microsoft Defender SmartScreen is not available for Google Chrome browsers. SmartScreen only provides protection for Microsoft Edge and Windows File Explorer/Shell contexts. For Chrome protection in enterprise environments, organizations should consider Microsoft Defender Application Guard Extension or Microsoft Defender Browser Protection extension as alternatives. The SmartScreen policies configured through Intune will protect file downloads and Windows Shell interactions but won't extend to Chrome web browsing activities.

What Windows versions support Microsoft Defender SmartScreen configuration through Intune MDM policies?
Microsoft Defender SmartScreen MDM configuration requires Windows 10 version 1703 or later, or any version of Windows 11. Devices must be running Windows 10/11 Pro or Enterprise editions and be enrolled in Microsoft Intune. Earlier Windows 10 versions will show 'Not applicable' status when SmartScreen policies are deployed. The EnableSmartScreenInShell setting specifically requires Windows 10 version 1703 or later, making this the minimum supported version for comprehensive SmartScreen policy deployment.

How can I verify that SmartScreen policies are working correctly on target devices after Intune deployment?
Verify SmartScreen functionality through multiple methods: check Intune policy deployment status in the admin center for 'Succeeded' status, test file downloads that trigger SmartScreen warnings, and verify the MDM policy value in the registry with 'Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SmartScreen" -Name "EnableSmartScreenInShell"'. Additionally, test override prevention by attempting to bypass SmartScreen warnings: users should not be able to click 'Run anyway' if prevention settings are enabled.

What are the most important SmartScreen settings to configure for enterprise security through Intune?
The essential SmartScreen settings for enterprise deployment include: AllowSmartScreen (master enable switch), EnableSmartScreenInShell (File Explorer protection), EnableAppInstallControl (app installation protection), PreventOverrideForFilesInShell (prevents bypassing file warnings), PreventSmartScreenPromptOverride (blocks website warning bypasses), and PreventSmartScreenPromptOverrideForFiles (prevents file warning overrides). Start with basic enablement settings and gradually add override prevention controls after testing with pilot groups to balance security with user experience requirements.
