This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 73%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
We are using Windows 10 (1909 and 20H2) with SCCM 2010 (and a Cloud Management Gateway for remote machines) and are moving to using Defender and managing it with SCCM. We use SCCM Endpoint Protection Policies to deploy Antimalware policy to machines.
In the Antimalware policy, we enable the option to Block potentially unwanted applications. However, the Windows Security icon is showing an exclamation mark, and if we open Windows Security, under App & browser control, we see a warning that "The setting to block unwanted apps is turned off".
If we click Reputation-based protection settings, we see that Block Apps is enabled, but Block Downloads is not enabled.
The only way to get the exclamation mark warning to go away is to select Block Downloads or click Dismiss, and doing so means having to provide admin credentials (our users do not have local admin rights on their machines). As we are migrating to Defender on over 4000 machines, it is not practical to login to each machine to remove this warning, especially seeing as 90% of our machines are currently working remotely.
The only way I can think of enabling the Block Downloads option on all machines would be to use a group policy (a group policy isn't really a valid option for me, as most of our machines do not have VPN access so I can't reliably use GPOs at the moment), a registry file, or a powershell command. All my research and testing has shown that making changes to PUA (Potentially unwanted Applications) with registry, GPO or powershell only seems to affect the Block Apps setting. I read that the Block Downloads setting is controlled in Edge settings, so how can I enable this setting machine wide using a registry setting or powershell command ?
Based on my understanding, you want to enable Block Downloads option via registry or PowerShell. Please feel free to let me know if I have any misunderstanding. I am currently performing research on this and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 65%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I would also like to make this change to Block Downloads via registry or PowerShell, but could find a solution.
Have you been successful in your research?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 56.00000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have found out the following:
The Block downloads option is controlled by the Edge browser (see screenshot).
To enable blocking, the following registry key needs to be changed:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled = 1 (REG_DWORD)
There are two ways to do this:
Thank you for the response. I see, however that this is a per user settings, which means each user would need to run the command / reg file, or we would need to deploy this to run under user's context. Not the tidiest solution I suppose, but anything is better than nothing.
Thanks again for the detailed info
You're welcome.
Yes, this setting is per user. I suppose the best way would be using a GPO for this setting, although I'm not aware of one.
I'll keep you posted if I find anything.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 69%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
There is a respective HKLM version of this key.
Also it is in GPO as "Configure Microsoft Defender SmartScreen to block potentially unwanted apps" in \Microsoft Edge\SmartScreen settings
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 12%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
How can I change this setting via Intune?
How is this an answer to my question ? :-)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 7.000000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
If only it were this simple...
We manage a tenant which seems to turn this ON in Windows:
But it is OFF in Edge on the same device, same user profile:
So these seem to be DIFFERENT settings.
It gets even stranger. For the life of me, I can't identify the Intune policy that turns "Block downloads" ON. No GPOs here, devices are AAD/Intune managed only. So while someone must've solved it in this tenant some time ago - we can't repro that.
Which Intune setting controls "Block Downloads" in the Security App?
OK, found it:
Intune --> Device Profile --> Settings Catalog --> Microsoft Edge. There are a whole bunch of SmartScreen settings in there. Turn them all "on" and you'll be in the green.
It still stays "off" in my Edge Browser, but I use the Dev channel:
There is a bug in it. The release version of Edge follows the setting as expected: