How to Configure Windows Defender SmartScreen Using PowerShell

Key Takeaways

• The script configures Windows Defender SmartScreen settings via local GPO.
• Designed for use on Windows systems from Windows 8.1 and Windows Server 2012 onwards.
• Provides options to turn the SmartScreen “On” or “Off” and set its level to “Warn” or “Block.”
• PowerShell automation streamlines and standardizes SmartScreen configurations across multiple systems.
• Proper execution requires administrative privileges; otherwise, it returns an error.
• Before deploying, always backup registry states and test the script in controlled settings.
• Using NinjaOne can further simplify and enhance such configuration tasks in enterprise environments.

In the realm of enterprise IT security, configuring the settings and preferences of tools is pivotal to ensuring airtight security. One of these tools that often require meticulous setting configurations is the Windows Defender SmartScreen. In this post, we delve into a PowerShell script designed to easily configure Windows Defender SmartScreen via local GPO.

Background

The Windows Defender SmartScreen is a critical element in the Windows ecosystem, providing warnings to users about potentially harmful sites, files, apps, and more. The need for a PowerShell script to adjust the settings across all users in an organization arises as IT professionals and Managed Service Providers (MSPs) aim to standardize settings and avoid potential loopholes in security.

The Script

#Requires -Version 2.0

<#
.SYNOPSIS
    Changes the SmartScreen state for all users via local GPO.
.DESCRIPTION
    Changes the SmartScreen state for all users via local GPO.
    Effected registry entries that are set:
    HKLM:SoftwarePoliciesMicrosoftEdgeSmartScreenEnabled = 1
    HKLM:SoftwarePoliciesMicrosoftWindowsSystemEnableSmartScreen = 1
    HKLM:SoftwarePoliciesMicrosoftWindowsSystemShellSmartScreenLevel = Warn
    HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterEnabledV9 = 1
    HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterPreventOverride = 1
    HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterPreventOverrideAppRepUnknown = 1
.EXAMPLE
     -Off
    Turn off SmartScreen
.EXAMPLE
     -On
    Turn on SmartScreen and Warn.
.EXAMPLE
     -On -Level Block
    Turn on SmartScreen and Block when it normally warns.
.EXAMPLE
    PS C:> Set-SmartScreen.ps1 -Off
    Turn off SmartScreen
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 8.1, Windows Server 2012
    Release Notes:
    Fixes bug where registry wasn't being set correctly.
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    OSSecurity
#>

[CmdletBinding(DefaultParameterSetName = "On")]
param (
    [Parameter(Mandatory = $true, ParameterSetName = "On")]
    [Switch]
    $On,
    [Parameter(Mandatory = $true, ParameterSetName = "Off")]
    [Switch]
    $Off,
    [Parameter(Mandatory = $false, ParameterSetName = "On")]
    [ValidateSet("Block", "Warn")]
    [String]
    $Level = "Warn"
)

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
        { Write-Output $true }
        else
        { Write-Output $false }
    }
    function Set-ItemProp {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        New-Item -Path $Path -Force | Out-Null
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
            Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false | Out-Null
        }
        else {
            New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false | Out-Null
        }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    # Set $State to 1 if -On was used or to 0 if -Off was used
    $State = if ($On) { 1 }
    elseif ($Off) { 0 }
    else {
        Write-Error ""
    }
    try {
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftWindowsSystem" -Name "EnableSmartScreen" -Value $State
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftWindowsSystem" -Name "ShellSmartScreenLevel" -Value $Level -PropertyType String
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "EnabledV9" -Value $State
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "PreventOverride" -Value $State
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "PreventOverrideAppRepUnknown" -Value $State
        # Uses: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled
        Set-ItemProp -Path "HKLM:SoftwarePoliciesMicrosoftEdge" -Name "SmartScreenEnabled" -Value $State
    }
    catch {
        Write-Error $_
        exit 1
    }
    Write-Host "Values change in Registry:"
    # Output Proof of Work
    @(
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftEdgeSmartScreenEnabled"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftEdge" -Name "SmartScreenEnabled" -ErrorAction SilentlyContinue)"
        }
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftWindowsSystemEnableSmartScreen"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftWindowsSystem" -Name "EnableSmartScreen" -ErrorAction SilentlyContinue)"
        }
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftWindowsSystemShellSmartScreenLevel"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftWindowsSystem" -Name "ShellSmartScreenLevel" -ErrorAction SilentlyContinue)"
        }
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterEnabledV9"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "EnabledV9" -ErrorAction SilentlyContinue)"
        }
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterPreventOverride"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "PreventOverride" -ErrorAction SilentlyContinue)"
        }
        [PSCustomObject]@{
            "Registry Entry" = "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilterPreventOverrideAppRepUnknown"
            Value            = "$(Get-ItemPropertyValue -Path "HKLM:SoftwarePoliciesMicrosoftMicrosoftEdgePhishingFilter" -Name "PreventOverrideAppRepUnknown" -ErrorAction SilentlyContinue)"
        }
    )
    gpupdate.exe /force
    Write-Host "A reboot, or three, will be needed for this policy to take affect."
}
end {}

 

Detailed Breakdown

The provided script aims to change the SmartScreen state for all users. It works by adjusting specific registry entries. Here’s a step-by-step breakdown of the script’s mechanics:

• Initial Setup: The script begins by specifying the required version and gives a brief synopsis of its operation.
• Cmdlet Binding and Parameters: The user can execute the script with either -On or -Off parameters. Additionally, a -Level parameter lets users decide between a “Warn” or “Block” state for the SmartScreen.
• Support Functions:
• Test-IsElevated checks if the script is run with administrative privileges.
• Set-ItemProp creates or modifies registry entries.
• Main Process:
• The script first checks if it’s executed with the necessary permissions.
• Depending on user input, the script then sets the state of SmartScreen and modifies the relevant registry entries.
• An output displaying changed registry values is shown to the user.
• Finally, the script invokes gpupdate.exe to force a Group Policy update, reminding users that a reboot might be needed.

Potential Use Cases

Imagine an enterprise where a new security policy dictates that all computers should have the Windows Defender SmartScreen enabled and set to “Block.” Instead of manually configuring each machine, an IT professional can deploy this script to adjust the settings en masse, ensuring uniformity and compliance across all devices.

Comparisons

While Group Policy Objects (GPO) from the Group Policy Management Console (GPMC) can also configure SmartScreen settings, this PowerShell script streamlines the process. Instead of navigating through multiple windows and settings in GPMC, IT professionals can execute a single script, saving time and reducing potential errors.

FAQs

• Can this script run on any machine?
  The script is tailored for Windows systems, starting from Windows 8.1 and Windows Server 2012.
• What happens if I don’t run the script as an administrator?
  The script will provide an “Access Denied” error message, prompting users to execute with proper permissions.

Implications

Successfully configuring the SmartScreen state across the organization bolsters IT security, reducing risks associated with harmful downloads or websites. However, wrongly configuring can either expose systems to threats or lead to too many false warnings, hindering work.

Recommendations

• Always backup your current registry state before making changes.
• Thoroughly test the script in a controlled environment before rolling it out organization-wide.
• Continually monitor and adjust settings based on organizational needs.

Final Thoughts

For IT professionals seeking a seamless solution for such configurations, tools like NinjaOne can provide enhanced capabilities. By integrating scripts like the one discussed, NinjaOne can assist in automating, managing, and monitoring IT tasks across an enterprise, ensuring optimized and secure operations.