Issue with some Microsoft Defender SmartScreen settings missing under Endpoint Security in Intune

-

There are multiple ways of configuring Microsoft Defender SmartScreen settings in Intune. You can use the Device configuration, custom CSPs, Endpoint Security or even custom Powershell scripts. Microsoft recommends using Endpoint Security to configure device security policies on your endpoints. This is because the policies are specially focused around device security thus keeping the settings relevant. However, not all security settings are covered under Endpoint Security and this became evident while configuring SmartScreen.

In order to configure SmartScreen, you enable the settings under Endpoint Security->Web Protection as shown below.


While this does enable the SmartScreen, it does not configure all the way as users are allowed to disable the option if they like (That is the last thing you want).

Also, there is no setting to enable SmartScreen for IE if you are using Endpoint Security profiles. To get around this, you will need to deploy some additional settings using Device configuration profiles or scripts. I chose to use the built-in functionality and utilize Settings Catalog to deploy the following additional configurations.



Please note that there are ton of other settings, but I am only deploying specific settings according to my requirements. 

After a device sync, all was good.

On Edge, Microsoft Defender SmartScreen showed greyed out and managed.


Same on IE11.



Windows Security also showed SmartScreen for Microsoft Edge as greyed out and managed.


You can monitor the status on Intune as well.


I did notice error code 65000 with one of the settings initially, but it cleared up after a while. However, if you continue to experience the error, then Rudyooms has written an excellent blog on how to fix this. Alternatively, you have the option to configure these settings using Device Configuration profiles instead.

References

Comments

  1. Lucas MiaJune 14, 2022 at 12:29 PM

    Well stated, you have furnished the right information that will be useful to everybody. Thank you for sharing your thoughts. Cyber Security measures protect your company not only from data breaches, but also from excessive financial losses, a loss of people's trust, and potential risks to brand reputation and future benefits.
    AMC services in Bangalore
    Cyber Security Service Provider
    SIEM Service Provider
    Penetration Testing Company
    IT infrastructure services in Bangalore
    Cloud Service Provider in Bangalore

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){              ...
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from st...
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $P...
Read more