Policy CSP - SmartScreen

EnableAppInstallControl

Scope Editions Applicable OS
✔️ Device
❌ User
❌ Home
✔️ Pro
✔️ Enterprise
✔️ Education
✔️ Windows SE
✔️ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl

App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.

  • If you enable this setting, you must choose from the following behaviors:

  • Turn off app recommendations

  • Show me app recommendations

  • Warn me before installing apps from outside the Store

  • Allow apps from Store only

  • If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.

Note

This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled.

This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
1 Turns on Application Installation Control, allowing users to only install apps from the Store.

Group policy mapping:

Name Value
Name ConfigureAppInstallControl
Friendly Name Configure App Install Control
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Explorer
Registry Key Name Software\Policies\Microsoft\Windows Defender\SmartScreen
Registry Value Name ConfigureAppInstallControlEnabled
ADMX File Name SmartScreen.admx

EnableSmartScreenInShell

Scope Editions Applicable OS
✔️ Device
❌ User
❌ Home
✔️ Pro
✔️ Enterprise
✔️ Education
✔️ Windows SE
✔️ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell

This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.

Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.

  • If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:

  • Warn and prevent bypass

  • Warn

  • If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.

  • If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app.

  • If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.

  • If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Disabled.
1 (Default) Enabled.

Group policy mapping:

Name Value
Name ShellConfigureSmartScreen
Friendly Name Configure Windows Defender SmartScreen
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Explorer
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name EnableSmartScreen
ADMX File Name SmartScreen.admx

PreventOverrideForFilesInShell

Scope Editions Applicable OS
✔️ Device
❌ User
❌ Home
✔️ Pro
✔️ Enterprise
✔️ Education
✔️ Windows SE
✔️ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell

Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Do not prevent override.
1 Prevent override.

Group policy mapping:

Name Value
Name ShellConfigureSmartScreen
Friendly Name Configure Windows Defender SmartScreen
Element Name Pick one of the following settings
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Explorer
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name SmartScreen.admx

Policy configuration service provider