How to manage URL whitelist for SmartScreen in Microsoft Edge

vdrjrmylair 20 Reputation points
2023-05-03T14:51:20.7633333+00:00

Hi,

I am trying to set up the Group Policy setting "SmartScreenAllowListDomains" for Microsoft Edge (112.X) to avoid showing SmartScreen warnings on certain websites for file downloads.

The group policy setting is located under "Computer Configuration\Administrative Templates\Microsoft Edge\SmartScreen settings" - "Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings"

I have added the required domains within the settings of this parameter (like "mywebiste.com") but I still continue to get warnings while downloading my item (flagged as "not commonly downloaded")

SmartScreen is enforced in Microsoft Edge due to security reasons so there is no way to disable it to bypass this warning and get the file (which is a good thing...)

Microsoft Defender APT is not used on my device

Thank you for your help,

Microsoft Edge

Accepted answer
  1. ShiJieLi-MSFT 7,391 Reputation points Microsoft Vendor
    2023-05-05T03:27:25.9+00:00

    Hi @vdrjrmylair ,

    Thanks for that screenshot. It looks like everything's fine regarding the policy value. There's another potential barrier according to the doc:

    This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX. Also note that this policy does not apply if your organization has enabled Microsoft Defender Advanced Threat Protection. You must configure your allow and block lists in Microsoft Defender Security Center instead.

    Please check whether you have met the prerequisites above to make this policy work.

    Actually, you can replace this policy with SmartScreenForTrustedDownloadsEnabled. To achieve the same goal, you need to:

    1. Add the target URL/download source into Internet Options --> Security --> Trusted sites.
    2. Disable SmartScreenForTrustedDownloadsEnabled.

    This policy works well as I've tested. You can consider it as a workaround.

    UPDATE

    There're various reasons for this, such as the implementation of each group policy. Enabling SmartScreenAllowListDomains and disabling SmartScreenForTrustedDownloadsEnabled almost work in the same way, but the difference lies in the implementation. Disabling SmartScreenForTrustedDownloadsEnabled simply ignores the download's reputation, while SmartScreenPuaEnabled helps protect users from adware, coin miners, bundleware, and other low-reputation apps. The demo app may not (only) be the low-reputation one. But SmartScreenAllowListDomains mainly deals with warnings, so it is expected to work in this case.

    Let's go back to the "not commonly downloaded" warning. You can have a test below at "Unknown Program". In this case, SmartScreenForTrustedDownloadsEnabled works while SmartScreenAllowListDomains fails. That's why I recommend SmartScreenForTrustedDownloadsEnabled as a workaround. As to why SmartScreenAllowListDomains fails, I think it is designed for "Potentially unwanted app" warning.

    User's image

    To conclude, you can apply SmartScreenAllowListDomains for "Potentially unwanted app" warning, and SmartScreenForTrustedDownloadsEnabled for "not commonly downloaded" warning.

    Best Regards,

    Shijie Li

    1 person found this answer helpful.
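
For troubleshooting the situation in this thread, a read-only audit of the prerequisites and policy values the answer names. This is an added example, not code from the thread or from Microsoft; the default `$Domain` is a constructed placeholder, and the Trusted sites check only covers sites assigned through the "Site to Zone Assignment List" policy (`ZoneMapKey`), not entries added by hand in Internet Options.

```powershell
# Added example: reports the state of the settings discussed above. Makes no changes.
# $Domain is a constructed placeholder; pass the download host you are troubleshooting.
param([string]$Domain = 'downloads.example.com')

$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Prerequisite quoted in the answer: AD domain join (MDM enrollment is not checked here).
$joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Edge list policies are stored as numbered REG_SZ values under a subkey named after the policy.
$allowKey  = Join-Path $edgeKey 'SmartScreenAllowListDomains'
$allowList = @()
if (Test-Path $allowKey) {
    $key = Get-Item -Path $allowKey
    $allowList = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

# Trusted sites is zone 2. Collect policy-assigned zone 2 entries for machine and user.
$trusted = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    $zk = "$hive\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (Test-Path $zk) {
        $k = Get-Item -Path $zk
        $k.GetValueNames() | Where-Object { "$($k.GetValue($_))" -eq '2' }
    }
})
# Simple substring match; wildcard entries such as *.example.com need manual review.
$trustedMatches = @($trusted | Where-Object { $_ -like "*$Domain*" })

$trustedDownloads = Get-PolicyValue $edgeKey 'SmartScreenForTrustedDownloadsEnabled'
$puaEnabled       = Get-PolicyValue $edgeKey 'SmartScreenPuaEnabled'

[pscustomobject]@{
    Domain                                = $Domain
    PartOfADDomain                        = $joined
    InSmartScreenAllowListDomains         = $allowList -contains $Domain
    SmartScreenPuaEnabled                 = $puaEnabled
    SmartScreenForTrustedDownloadsEnabled = $trustedDownloads
    TrustedSitesPolicyEntries             = $trustedMatches -join ', '
    # Workaround from the answer: site in Trusted sites AND the policy explicitly set to 0.
    TrustedDownloadsWorkaroundActive      = ($trustedMatches.Count -gt 0) -and ($trustedDownloads -eq 0)
}
```

Disabling `SmartScreenForTrustedDownloadsEnabled` applies to every site in the Trusted sites zone, so review the full `ZoneMapKey` list for entries that are broader than the one download host you intend to exempt.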
