In the past, Intune was only able to deploy a predefined set of device settings…
In this blog I will show you how to enable Windows Defender SmartScreen in the browsers Internet Explorer 11, Edge and Google Chrome. SmartScreen is a feature built into IE11 and Edge that protects the user against malicious websites, and for a few months now it has also been available as an extension for the Google Chrome browser.
Enable SmartScreen for the Edge Browser
For the Edge browser it is pretty simple to enable SmartScreen via Intune; a Windows 10 device restrictions policy does the job. Log on to the Azure portal, open Intune and browse to Device Configuration. Here you open Profiles and choose Create Profile. As platform pick Windows 10 and later and as profile type Device Restrictions. On the right side choose Windows Defender SmartScreen, which opens the options available for this feature. Click Require behind SmartScreen for Microsoft Edge. Click OK twice and then Create, and the policy is created. Don't forget to assign the newly created policy to a (device) group.
Now switch over to a Windows 10 device and perform a sync with Intune from the Account settings location. When the sync is finished, start Edge and open the Settings. The setting we are looking for is the very last one under Advanced settings. Windows Defender SmartScreen is now enabled and the option to switch it off is greyed out.
Next is Internet Explorer.
Enable SmartScreen for Internet Explorer
As I have shown in my previous blog posts about managing Internet Explorer settings with Intune, there is no predefined setting in the Intune portal to enable SmartScreen in IE. For IE we need a CSP policy to configure this setting. Because I described in those posts in more detail how the CSP policies are used, here I only show briefly which setting to use to enable SmartScreen in IE.
In the Intune portal create another Windows 10 profile, this time of the profile type Custom. Click Add to add a new row. Fill in the information like below:
Add the OMA-URI: ./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode
As data type you choose string.
And in the value field you enter: <enabled/><data id="Advanced_EnableEnhancedProtectedMode" value="PMEM"/>
Create the new profile and assign it to a group.
Switch over to your Windows 10 device and perform another Intune sync. In IE, when you click the Tools button and then Safety, you see that the option to turn off SmartScreen is greyed out, which means SmartScreen is turned on and you are not able to turn it off.
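To check both the Edge and the IE profiles from the device itself after a sync, instead of opening each browser's settings page, the following PowerShell script reads the policy-backed SmartScreen state from the registry. This is an added example, not a script from the blog. It assumes that the Edge "SmartScreen for Microsoft Edge = Require" setting is the Browser/AllowSmartScreen CSP, which lands under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Browser and as the legacy Edge policy value HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\EnabledV9, and that the IE custom profile above is applied to the current user as HKCU:\Software\Policies\Microsoft\Internet Explorer\Main\Isolation (the ADMX-backed value behind the PMEM data). The function name Get-SmartScreenPolicyState is my own.

```powershell
# Added example (not the blog's own script): report the SmartScreen-related
# policy values that the Edge device-restriction profile and the IE custom
# CSP profile leave on a Windows 10 device, so a sync can be verified quickly.
# Registry locations below are assumptions stated in the lead-in.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value missing: policy not (yet) applied
    }
}

function Get-SmartScreenPolicyState {
    $state = [ordered]@{}

    # Edge: MDM policy area Browser, setting AllowSmartScreen (1 = required)
    $state['Edge.AllowSmartScreen (CSP)'] = Get-PolicyValue `
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Browser' 'AllowSmartScreen'
    # Edge: legacy policy value the CSP is mirrored to (1 = on)
    $state['Edge.PhishingFilter.EnabledV9 (policy)'] = Get-PolicyValue `
        'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' 'EnabledV9'

    # IE: the ./User OMA-URI from the custom profile, applied per user.
    # "PMEM" is the value the post sets for Advanced_EnableEnhancedProtectedMode.
    $state['IE.Isolation (policy)'] = Get-PolicyValue `
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main' 'Isolation'
    # IE: the user's own SmartScreen switch (1 = on); greyed out when policy-managed
    $state['IE.PhishingFilter.EnabledV9 (user)'] = Get-PolicyValue `
        'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV9'

    return [pscustomobject]$state
}

# A $null in the output means the corresponding policy has not reached the device.
Get-SmartScreenPolicyState | Format-List
```

Run it in the context of the user who received the profile: the Edge values are device-scoped and readable from any elevated session, but the IE values live under HKCU and are only visible for the logged-on user the custom profile targeted.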
Install the SmartScreen extension in the Google Chrome browser
For the Google Chrome browser there is no Intune policy we can use to install the extension in the browser, so we have to use another Intune feature.
By setting a registry entry it is possible to force the installation of the browser extension. The entry we need to set is a string with the value bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx, created under the key HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist.
We can set this entry using a PowerShell script and deploy that script with Intune. For some reason the script I created to set the entry was never deployed to my devices (it didn't even get a device status for a single device), so I decided to put this entry in an MSI file and deploy it as a mobile app.
To create the MSI, I used the Express edition of Advanced Installer. You just need to create a new project, choose Registry below Resources and add the key and value I mentioned.
After adding the value, perform a default build to create an MSI file that is ready for deployment with Intune.
Open the Intune portal and switch to the Mobile apps section. Here you add a new Line-of-business app: pick your MSI file, enter the required information and click Add to upload the file and create your LOB app. When the upload is finished, assign the app to a group with assignment type Required.
Again, perform an Intune sync from your Windows 10 device (which has Google Chrome installed). The registry entry is set, and within a few minutes the extension is visible to the right of the address bar.
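Whether the entry is shipped as an MSI or as an Intune PowerShell script, the registry write itself is the same. The script below is an added example, not the one the blog author tried or the content of the MSI: it creates the ExtensionInstallForcelist key named above, puts the extension ID and update URL from the post into the next free numbered slot (Chrome reads the force list as numbered REG_SZ values under that key), and provides a check function so the same script can be reused to verify the device. The function names Set-ChromeForcedExtension and Test-ChromeForcedExtension are my own.

```powershell
# Added example (not the blog's own script or MSI content): enforce the
# Windows Defender Browser Protection extension for Chrome through the
# ExtensionInstallForcelist policy key the post names, then verify it.
# Needs an elevated session; Intune PowerShell scripts run as SYSTEM, so HKLM is writable.

$ForcelistKey = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$ExtensionId  = 'bkbeeeffjjeopflfhgeknacdieedcoml'              # ID from the post
$UpdateUrl    = 'https://clients2.google.com/service/update2/crx' # update URL from the post
$Entry        = "$ExtensionId;$UpdateUrl"

function Get-ForcelistSlots {
    # Returns only the numbered values (1, 2, ...), skipping the PS* metadata
    # properties that Get-ItemProperty adds to its output object.
    param([string]$Key)
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
}

function Set-ChromeForcedExtension {
    param([string]$Key = $ForcelistKey, [string]$Value = $Entry, [string]$Id = $ExtensionId)

    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Reuse the slot if this extension is already listed; otherwise take the next number.
    $slots = @(Get-ForcelistSlots -Key $Key)
    $slot  = ($slots | Where-Object { $_.Value -like "$Id;*" } | Select-Object -First 1).Name
    if (-not $slot) {
        $used = @($slots | ForEach-Object { [int]$_.Name })
        $slot = if ($used.Count -eq 0) { '1' } else { (($used | Measure-Object -Maximum).Maximum + 1).ToString() }
    }

    New-ItemProperty -Path $Key -Name $slot -Value $Value -PropertyType String -Force | Out-Null
    return $slot
}

function Test-ChromeForcedExtension {
    # True when some numbered slot under the key starts with the extension ID.
    param([string]$Key = $ForcelistKey, [string]$Id = $ExtensionId)
    if (-not (Test-Path $Key)) { return $false }
    foreach ($slot in Get-ForcelistSlots -Key $Key) {
        if ($slot.Value -like "$Id;*") { return $true }
    }
    return $false
}

$slot = Set-ChromeForcedExtension
Write-Output "Force list slot $slot -> $Entry"
Write-Output ("Extension listed: {0}" -f (Test-ChromeForcedExtension))
```

Assigning a fixed slot number blindly would overwrite an entry another policy already put in slot 1, which is why the script scans the existing numbered values first. After Chrome picks up the policy it installs the extension on the next policy refresh or restart, and chrome://policy on the device lists ExtensionInstallForcelist with the value above.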
If you want to test SmartScreen in those three browsers, visit https://demo.smartscreen.msft.net