This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERC%3C/text%3E%3C/svg%3E)
I asked this question in the Microsoft Community and was directed to ask it here.
In the latest version of Windows 10 Pro (20H2 at the moment), is there a way to turn on App & browser control via LOCAL Group Policy or the registry?
I need "On" to be the default when a new user logs into a computer.
I know how to turn it on for the account that is currently logged in but not for all users and all future users.
As always, any help would be appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Group policy controls everything so yes you can turn it on via GP. The hard part is finding them. I find using the Local Computer Policy mmc applet and then using the filter option to search for settings easiest. The core settings you're looking for are under Computer Configuration\Administrative Templates\Windows Components
Microsoft Defender Exploit Guard but it requires some sort of configuration file. You'll have to research that some more.
@Michael Taylor , thanks so much for your nearly instantaneous reply.
Unfortunately, I'm not an expert at Group Policy (so much so that I didn't even know about the filter option!).
When I tried using the filter under Computer Configuration\Administrative Templates\Windows Components with Reputation as the keyword, it found nothing. I have all of the type options set to "Any" and all three Within boxes checked.
I've tried with no "Enable Requirments Filters" selected and with the Windows 10 check box checked.
Note: I'm using the local Group policy editor, gpedit.msc.
To explain further what I'm trying to do, when my users log in they see this in their tray:
Clicking on it opens this window:
Then I get calls or tickets asking if their computer is safe. I have them click on "Turn on" and all is good. (Yes, I know there's a debate about whether one needs to turn it on but the powers above me have made that decision for me.)
I'd really like to just have it turned on by default to reduce the needless calls. That's the actual thing I'm looking for, a setting in either local gpedit (that's all I have access to) or the registry that will have the same effect as clicking the turn on button. I can deal with the registry key being in HKCU since I can edit the default user registry hive. Unfortunately, I'm not aware of the appropriate key, if there is one.
Any other suggestions for me?
I see. In that case I think you'll need to read this article. Basically what MS recommends is configuring a machine with the settings you want, then export the settings to a config file and then use GP to push that configuration to the other machines. That is where GP comes into play as you configure the machine (or network) to use that configuration file that is stored on a network share somewhere.
Note that in the screenshot of the article it refers to WIndows Defender Exploit Guard but on my Win 10 machine it is called Microsoft Defender Exploit Guard. So the name may be different between Win 10 and 11.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 7.000000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Have you figured this out? I'm trying to do the same thing.
Unfortunately, no.
However, we've been quite distracted from that issue by a project to implement Intune. Intune will obviously also impact the options for this but I haven't determined in what way yet.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 39%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
It maybe worth reading this: https://superuser.com/questions/1783437/set-app-browser-control-in-windows-security-to-be-on-by-default-for-all-user if you find it's simply Reputation-based protection that needs turning on, read this: https://4sysops.com/archives/configure-protection-against-potentially-unwanted-apps-using-powershell-or-group-policy/#:~:text=The%20relevant%20setting%20can%20be,Security%20%3E%20App%20%26%20browser%20control.&text=You%20will%20see%20Reputation%2Dbased,Click%20the%20Turn%20on%20button.&text=After%20you%20turn%20on%20the,click%20Reputation%2Dbased%20protection%20settings.
Hope this helps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 2%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I don't know how to do it via group policy, but you can turn it on during the laptop imaging process by modifying the registry.
The registry key that gets modified is in the default user profile, this means that when any user logs into the computer for the first time and it clones the default profile it will set the protection accordingly.
You can either load the default user hive and then modify the key listed below manually or run the bellow commands in an elevated Powershell session, but remember it will only apply to accounts that have never logged in before so it's best to run it as part of your imaging process if you are mass deploying endpoints
# Loads the default user registry hive
reg load HKLM\DEFAULT c:\users\default\ntuser.dat
# Turn on app and browser control
reg add "HKLM\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_DWORD /d 1 /f
# Unload the default user registry hive
reg unload HKLM\DEFAULT
Mike, thanks for your reply.
When I look in my registry, I do not see HKLM\DEFAULT.
I'm no expert on the reg command. Is running that reg add command all that is needed to make this work or do I need to load the hive from C:\users\default\ntuser.dat?
If I do need to load the hive, what do I use for the keyname? HKLM\DEFAULT?
Hi Robert, I updated my original comment with more explanation, as for loading the hive you can name it whatever you want (without the \ ) and that name will be what the key is, I normally use "DEFAULT" so that I know what it is.
Hi Mike,
Thanks for your help so far. Unfortunately, the method above doesn't seem to work for me. It seems to create a SmartScreenEnabled entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer for users who login for the first time after the script has been run. See HKCU-Software-Microsoft-Windows-CurrentVersion-Explorer.PNG It does not create one in HKLM.....HKLM-Software-Microsoft-Windows-CurrentVersion-Explorer.PNG.
The HKCU key does not seem to affect the App & browser control status:Original Suggestion - HKLM-Software-Microsoft-Windows-CurrentVersion-Explorer in Regedit.PNG
Instead of loading the default user reg hive, I tried just creating the HKLM key manually which sort of worked. As you can see here:Windows Security Home - App & Browser Control Unknown.PNG, it changes the status to "unknown", which eliminates the pesky yellow triangle. If I dig down to Reputation-based protection, I see it looks as though it has been turned on in the App & browser control window:App & Browser Control.PNG, but it really isn't:Reputation- based protection settings.PNG
To summarize, your method does not eliminate the bothersome yellow triangle, at least for me. An analog of it does get rid of the triangle but does not actually turn on the protection.
Can you think of what I might be doing wrong?
Note that this testing was performed in Windows 10 Pro 22H2.17. I will be trying it again in Windows 11 Pro 23H2.4 in the next few days since we are now in the process of changing over to Win 11.
Thanks for your help so far.
I got the same results in Windows 11 Pro.