diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index b22ded8a4f..207acd7b9a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -60,7 +60,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. ### Allow Developer Tools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. @@ -68,7 +68,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. ### Allow Extensions -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can use Edge Extensions. @@ -77,7 +77,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use Edge Extensions. ### Allow InPrivate browsing -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. 
@@ -86,7 +86,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use InPrivate website browsing. ### Allow Microsoft Compatibility List -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. @@ -172,7 +172,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. ### Configure Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. @@ -214,7 +214,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. ### Configure Start pages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. 
@@ -282,7 +282,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. ### Prevent access to the about:flags page -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -291,7 +291,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can access the about:flags page. ### Prevent bypassing Windows Defender SmartScreen prompts for files -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. @@ -300,7 +300,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. ### Prevent bypassing Windows Defender SmartScreen prompts for sites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. 
@@ -327,7 +327,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. ### Prevent using Localhost IP address for WebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. @@ -362,7 +362,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. ### Show message when opening sites in Internet Explorer -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. @@ -452,7 +452,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **2.** Blocks all cookies from all sites. ### AllowDeveloperTools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -486,7 +486,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Employees can send Do Not Track headers to websites requesting tracking info. ### AllowExtensions -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop 
@@ -537,7 +537,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. ### AllowInPrivate -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -730,7 +730,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. ### Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -752,7 +752,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11. ### FirstRunURL -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Mobile @@ -771,7 +771,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### HomePages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -790,7 +790,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### PreventAccessToAboutFlagsInMicrosoftEdge -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop @@ -841,7 +841,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. ### PreventSmartScreenPromptOverride -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both 
@@ -858,7 +858,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Turns on Windows Defender SmartScreen. ### PreventSmartScreenPromptOverrideForFiles -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -875,7 +875,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. ### PreventUsingLocalHostIPAddressForWebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -926,7 +926,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Allows you to configure the default search engine for your employees. ### ShowMessageWhenOpeningInteretExplorerSites -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index b3dc0db5dd..239f81ce31 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -41,6 +41,9 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) +## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md) +### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md) +### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index ef564941db..6cd59dffcb 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -18,6 +18,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | +|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | +|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | ## February 2017 diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/keep-secure/images/windows-defender-security-center.png new file mode 100644 index 0000000000..a3286fb528 Binary files /dev/null and b/windows/keep-secure/images/windows-defender-security-center.png differ diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/keep-secure/images/windows-defender-smartscreen-control.png new file mode 100644 index 0000000000..b2700addba Binary files /dev/null and b/windows/keep-secure/images/windows-defender-smartscreen-control.png differ diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md new file mode 100644 index 0000000000..936751e349 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md 
@@ -0,0 +1,215 @@ +--- +title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +## Group Policy settings +SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingSupported onDescription
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.

If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.

If you enable this setting, your employees can only install apps from the Windows Store.

If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.

If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

Microsoft Edge on Windows 10 or laterThis policy setting turns on Windows Defender SmartScreen.

If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.

If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.

If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.

If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen FilterInternet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.

If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warningsInternet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.

If you enable this policy setting, SmartScreen Filter warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetInternet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

If you enable this policy setting, SmartScreen Filter warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

+ +## MDM settings +If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingSupported versionsDetails
AllowSmartScreenWindows 10 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off Windows Defender SmartScreen.
    • +
    • 1. Turns on Windows Defender SmartScreen.
+
EnableAppInstallControlWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
    • +
    • 1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
+
EnableSmartScreenInShellWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off SmartScreen in Windows.
    • +
    • 1. Turns on SmartScreen in Windows.
+
PreventOverrideForFilesInShellWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings and run malicious files.
    • +
    • 1. Employees can't ignore SmartScreen warnings and run malicious files.
+
PreventSmartScreenPromptOverrideWindows 10, Version 1511 and later +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings.
    • +
    • 1. Employees can't ignore SmartScreen warnings.
+
PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and later +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings for files.
    • +
    • 1. Employees can't ignore SmartScreen warnings for files.
+
+ +## Recommended Group Policy and MDM settings for your organization +By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning. + +To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings. + + + + + + + + + + + + + + + + + + + + + +
Group Policy settingRecommendation
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Windows Defender SmartScreen.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
MDM settingRecommendation
Browser/AllowSmartScreen1. Turns on Windows Defender SmartScreen.
Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
SmartScreen/EnableSmartScreenInShell1. Turns on Windows Defender SmartScreen in Windows.

Requires at least Windows 10, version 1703.

SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

Requires at least Windows 10, version 1703.

+ +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) + +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md new file mode 100644 index 0000000000..4df34ae566 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-overview.md 
@@ -0,0 +1,66 @@ +--- +title: Windows Defender SmartScreen overview (Windows 10) +description: Conceptual info about Windows Defender SmartScreen. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Windows Defender SmartScreen +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. + +>[!NOTE] +>SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile. + +**SmartScreen determines whether a site is potentially malicious by:** + +- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution. + +- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. + +**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** + +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. + +- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. + + >[!NOTE] + >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. 
+ +## Benefits of Windows Defender SmartScreen +Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: + +- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) + +- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee. + +- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. + +- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files. 
+ +- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). + +## Viewing Windows Defender SmartScreen anti-phishing events +When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx). + +## Related topics +- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10) + +- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx) + +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) + +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md new file mode 100644 index 0000000000..482d88a367 --- /dev/null +++ b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md 
@@ -0,0 +1,80 @@ +--- +title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) +description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Set up and use Windows Defender SmartScreen on individual devices + +**Applies to:** +- Windows 10, version 1703 +- Windows 10 Mobile + +Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. + +## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. + +>[!NOTE] +>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. + +**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** +1. Open the Windows Defender Security Center app, and then click **App & browser control**. + + ![Windows Defender Security Center](images/windows-defender-security-center.png) + +2. In the **App & browser control** screen, choose from the following options: + + - In the **Check apps and files** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. 
+ + - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen for Microsoft Edge** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. + + - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen from Windows Store apps** area: + + - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + + ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + +## How SmartScreen works when an employee tries to run an app +Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. + +By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. 
You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). + +## How employees can report websites as safe or unsafe +You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. + +**To report a website as safe from the warning message** +- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. + +**To report a website as unsafe from Microsoft Edge** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. + +**To report a website as unsafe from Internet Explorer 11** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. + +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file
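Review bot: The "Viewing Windows Defender SmartScreen anti-phishing events" section, in the hunk that ends just before the new set-individual-device file, names Event 1035 but never says which log records it or how an admin opens it, so the heading promises a procedure that the text does not deliver. Suggest adding the Event Viewer location, or the steps to reach it, next to the link. In the same hunk, the first benefits bullet ends on the drive-by link with no closing period, and that link carries a `#3B7Bb8bzeAPq8hXE.97` fragment that looks like sharing-widget residue and can be dropped. The "Improved heuristics and telemetry" bullet says only that SmartScreen is "constantly learning"; a sentence on what telemetry feeds it would make the claim checkable.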
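Review bot: In windows-defender-smartscreen-set-individual-device.md, the "SmartScreen from Windows Store apps" list merges **Block** and **Warn** into one bullet whose text says the action is allowed to continue, which describes a warning and contradicts how Block is defined in the two areas above it. Either give Block its own bullet stating that it stops the action, or, if this area has no separate blocking mode, drop Block from the bullet so admins do not assume Store app content is being blocked. In the "SmartScreen for Microsoft Edge" area, the Block and Off bullets mention only apps and files while Warn covers "sites and downloads"; align the three so it is clear whether site navigation is affected by each mode. The area name reads "SmartScreen from" here against "SmartScreen for Microsoft Edge" above; confirm it matches the UI label. Smaller points: the semicolon before "unless you've used Group Policy" should be a comma, and the NOTE reads "If any of the following settings are managed ... it appears", which mixes plural and singular.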