none
Missing options GPO Server 2016 ADMX templates for : 'EnableSmartScreen'

    Question

  • Hello,

    When trying to configure 'EnableSmartScreen' I cannot choose the smartscreen options that probably must be configured when enabling SmartScreen in the latest GPO ADMX Templates (Server 2016)

    ADMX template used: WindowsExplorer.admx

    From 'Windows 10 and Windows Server 2016' ADMX Templates;

        <policy name="EnableSmartScreen" class="Machine" displayName="$(string.EnableSmartScreen)" explainText="$(string.EnableSmartScreen_Help)" key="Software\Policies\Microsoft\Windows\System" valueName="EnableSmartScreen">
          <parentCategory ref="windows:WindowsExplorer" />
          <supportedOn ref="windows:SUPPORTED_Windows8" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>

    From 'Windows 10 Version 1511' ADMX templates;

        <policy name="EnableSmartScreen" class="Machine" displayName="$(string.EnableSmartScreen)" explainText="$(string.EnableSmartScreen_Help)" key="Software\Policies\Microsoft\Windows\System" valueName="EnableSmartScreen" presentation="$(presentation.EnableSmartScreen)">
          <parentCategory ref="windows:WindowsExplorer" />
          <supportedOn ref="windows:SUPPORTED_Windows8" />
          <elements>
            <enum id="EnableSmartScreenDropdown" valueName="EnableSmartScreen" required="true">
              <item displayName="$(string.SmartScreen_RequireAdmin)">
                <value>
                  <decimal value="2" />
                </value>
              </item>
              <item displayName="$(string.SmartScreen_Prompt)">
                <value>
                  <decimal value="1" />
                </value>
              </item>
              <item displayName="$(string.SmartScreen_Off)">
                <value>
                  <decimal value="0" />
                </value>
              </item>
            </enum>
          </elements>
        </policy>

    Helptext:

    <string id="EnableSmartScreen_Help">This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
    If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options:
    • Give user a warning before running downloaded unknown software
    • Turn off SmartScreen
    If you disable or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings in Security and Maintenance.

    Options:
    • Give user a warning before running downloaded unknown software
    • Turn off SmartScreen

    The options are missing, so configuring SmartScreen thru GPO is incomplete for now I guess.


    Hello!





    • Edited by Grimson Wednesday, November 09, 2016 10:16 AM
    Wednesday, November 09, 2016 10:09 AM

Answers

  • Hi,

    It seems that it is indeed changed on the windows server 2016 and it might be by design, and for me, I would contact to open up a case with Microsoft Technical Support to see if they could get more information from product team regarding this change: https://support.microsoft.com/en-us/contactus/?ws=support

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, November 17, 2016 1:47 AM
    Moderator

All replies

  • Hi,
    As far as I know, you could use registry to enable SmartScreen as below:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
    In the right pane, you may find DWORD value EnableSmartScreen, the values for this key are as follows:
    • 0 : To turn off SmartScreen
    • 1 : Give user a warning before running downloaded unknown software
    • 2 : Require approval from an administrator before running downloaded unknown software.
    Then we could use group policy preference to configure this registry item: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
    You could follow the article as below step by step to have a try:
    How to Configure Smart Screen Filter with Group Policy
    https://avjacobsen.wordpress.com/2014/01/13/how-to-configure-smart-screen-filter-with-group-policy/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, November 10, 2016 2:25 AM
    Moderator
  • Wendy,

    Thanks for the reply.
    The workaround is clear, thanks, but the question is why this has changed:

    When I reread my post I'm not very clear:

    Why is it that the SmartScreen configurable option 'Require approval from an administrator before running downloaded unknown software' is missing in the latest ADMX templates.

    2 configurable options in (Windows Server 2016 WindowsExplorer.admx):
    • Give user a warning before running downloaded unknown software
    This will set value to 1

    • Turn off SmartScreen
    This will set value to 0


    3 configurable options in (Win 1511 WindowsExplorer.admx):
    • Require approval from an administrator before running downloaded unknown software
    This wil set value to 2

    • Give user a warning before running downloaded unknown software
    This will set value to 1

    • Turn off SmartScreen
    This will set value to 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "EnableSmartScreen"=dword: <from Policy>

    So, the difference is that 'Require approval from an administrator before running downloaded unknown software' is missing from the Windows Server 2016 ADMX templates.

    Windows Server 2012 is still uising option 2 which is now missing from the newest ADMX templates.

    Maybe it's by design or what but the question is then why :)



    Hello!




    • Edited by Grimson Monday, November 14, 2016 9:46 AM
    Monday, November 14, 2016 9:39 AM
  • Hi,

    It seems that it is indeed changed on the windows server 2016 and it might be by design, and for me, I would contact to open up a case with Microsoft Technical Support to see if they could get more information from product team regarding this change: https://support.microsoft.com/en-us/contactus/?ws=support

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, November 17, 2016 1:47 AM
    Moderator
  • Thanks Wendy,

    For me this is a minor issue but forum worthy :)
    Maybe this will be picked up eventually or for someone else who 'Bings' the same question.

    Case closed :)


    Hello!

    Friday, November 18, 2016 6:11 PM
  • Hi,
    Ok, if so, we would appreciate to mark the reply as answers, it will be greatly helpful and clear to others who have the same question as you said. And any questions further, please feel free to contact us.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, November 21, 2016 1:30 AM
    Moderator