From 4cf65edfa0250d74029173350420dc0974d372d7 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Mon, 15 Jul 2024 12:31:34 +0200 Subject: [PATCH] win: improve disabling SmartScreen - Add more documentation with caution - Improve disabling in Internet Explorer by broadening the disable scope. - Fix wrong registry data set when disabling in Internet Explorer. - Add disabling `smartscreen.exe` #385 - Add more ways to disable SmartScreen. - Fix typo for registry key for Store apps. - Simplify some of the script names --- src/application/collections/windows.yaml | 718 +++++++++++++++++++++-- 1 file changed, 675 insertions(+), 43 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index a96aa935..25b42fd6 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -4969,9 +4969,9 @@ actions: - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMeteredConnections` [5]. [1]: https://web.archive.org/web/20240120135419/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResults "Don't search the web or display web results in Search" + [2]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#donotusewebresults "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" - [2]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#donotusewebresults "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240120135331/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResultsOnMeteredConnections "Don't search the web or display web results in Search over metered connections | admx.help" call: - 
@@ -15163,18 +15163,159 @@ actions: grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable SmartScreen - docs: - - https://en.wikipedia.org/wiki/Microsoft_SmartScreen - - https://web.archive.org/web/20240314131452/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + docs: |- # refactor-with-variables: • SmartScreen Caution + This category focuses on disabling the SmartScreen and its features and components. + + SmartScreen is known also as "Windows SmartScreen" [1], "Windows Defender SmartScreen" [2], "Microsoft Defender SmartScreen" [3], + "Phishing Filter" [4], and "SmartScreen Filter" [4]. + + It protects users from phishing attacks, malware websites, and potentially harmful downloads by assessing webpage safety and + comparing sites and downloads against lists of known threats [3]. + However, it also sends URLs and file information to Microsoft servers [4], which raises significant privacy concerns. + + Disabling SmartScreen through this category can enhance your privacy by stopping these data transmissions [5]. + However, be aware that this action may compromise your security by removing the protections that SmartScreen provides + against malicious sites and downloads. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240709105008/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings "Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" + [5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" children: - - category: Disable SmartScreen for apps and files + name: Disable SmartScreen process (breaks Microsoft Store apps) + docs: |- # refactor-with-variables: • SmartScreen Caution + This script stops and prevents the `smartscreen.exe` from running. + + This process is officially known as *Windows Defender SmartScreen* [1] [2]. + It manages the SmartScreen functionality [3] [4]. + Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. 
+ + Disabling SmartScreen improves your privacy because it stops outbound network connections + that transmit your data [5]. + This process runs in the background even when SmartScreen is disabled [3]. + It also improves system performance by reducing CPU usage [6]. + + However, disabling SmartScreen process can compromise your security by disabling its protective features. + Additionally, if SmartScreen remains partially enabled after the process is disabled, + it may impair the functionality of Microsoft Store apps [3] [5]. + + This script will: + + - **Terminate the process**: + Stops the `smartscreen.exe` process to prevent it from running. + - **Remove the executable**: + Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + + > **Caution**: + > - Disabling SmartScreen may reduce your protection against phishing and malware. + > - Disabling this process may prevent Microsoft Store apps from loading. + + [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" + [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? 
| www.howtogeek.com" + [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... - Microsoft Community | answers.microsoft.com" + [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: smartscreen.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\smartscreen.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable SmartScreen libraries + docs: |- + This script disables essential SmartScreen libraries, limiting their functionality and preventing + their use by other programs. + + A *library* is a set of code and resources that help programs operate. + A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously. + + Disabling these libraries stops SmartScreen operations across applications. + This enhances your privacy by eliminating SmartScreen data collection. + It improves security by reducing the system's attack surface. + It may also improve system performance by freeing up system resources. + + However, turning off these libraries may lower your system's defenses against malware and phishing, + as it stops the identification and blocking of potentially unsafe content. 
+ + This script targets and disables the following specific SmartScreen libraries critical to their operations: + + - `smartscreen.dll`: + This DLL enables core SmartScreen functionality [1]. + It manages essential SmartScreen tasks, such as performing security checks and evaluating the + safety and reputation of files, applications, and web content [2] [3]. + - `smartscreenps.dll`: + This DLL supports SmartScreen functionality [4]. + It facilitates SmartScreen's critical functions, including component management, registration, and + lifecycle within a COM framework [5] [6]. + + File locations: + + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing | + | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing | + | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists | + | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists | + + [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com" + [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [4]: 
https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + category: Disable SmartScreen for apps and files # TODO: Add docs + docs: |- # 
refactor-with-variables: • SmartScreen Caution + https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. children: - - name: Disable SmartScreen for apps and files - docs: + name: Disable SmartScreen for apps and files # TODO: Add docs + docs: |- # refactor-with-variables: • SmartScreen Caution + TODO: From references: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen + - https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enablesmartscreeninshell + - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + + This script configures `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!EnableSmartScreen` registry key [1]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5187 "TODO: Snapshot and archive" call: function: SetRegistryValue parameters: 
@@ -15184,10 +15325,27 @@ actions: data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen in File Explorer - docs: - - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ + name: Disable SmartScreen apps and files checks + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables SmartScreen's checks for apps and files. + + This script stops SmartScreen from alerting you about and blocking potentially malicious apps and files [1] [2] [3]. + These checks are part of SmartScreen's *reputation-based protection* feature [1]. + + It enhances privacy by stopping the data collection that SmartScreen checks require. + It It also boosts system performance by reducing the overhead required for SmartScreen checks. + This allows users more freedom in the applications they choose to run and the files they decide to download. + However, this change may increase your risk of downloading harmful apps and files by reducing the safety checks that typically stop them. + + By modifying the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer` [2] [3] [4] registry key. + This actino simulates the action of turning off SmartScreen via the Windows user interface [2] [3]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240709114232/https://support.microsoft.com/en-us/windows/app-browser-control-in-windows-security-8f68fb65-ebb4-3cfb-4bd7-ef0f376f3dc3 "App & browser control in Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240709113919/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-check-apps-and-files-from-web-in-windows-11.5731/ "Enable or Disable Microsoft Defender SmartScreen Check Apps and Files from Web in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" + [3]: https://web.archive.org/web/20240709114219/https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ "How To Change The SmartScreen Filter Settings In Windows 10 | www.technobezz.com" + [4]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5181C51-L5181C66 "TODO: Fork and archive" call: - function: SetRegistryValue 
@@ -15206,23 +15364,61 @@ actions: data: 'Off' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen's prevention of application execution - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 + name: Disable SmartScreen's prevention of application execution # TODO: Rename to something simpler + docs: |- # refactor-with-variables: • SmartScreen Caution + TODO: RESEARCH DONE, REVISE DOCS + + This script disables SmartScreen app blocking without letting users to choose. + + SmartScreen helps protect PCs by warning users before running potentially malicious programs + downloaded from the Internet [3] [4]. + This warning is presented as an interstitial dialog shown before running an app that has been + downloaded from the Internet and is unrecognized or known to be malicious [3] [4]. + No dialog is shown for apps that do not appear to be suspicious [3] [4]. + + Once enabled, SmartScreen has two options [3] [4]: + + - Warn and prevent bypass: + SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app [3] [4]. + SmartScreen will continue to show the warning on subsequent attempts to run the app [3] [4]. + - Warn: + SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the + warning and run the app anyway [3] [4]. + SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app [3] [4]. + + Microsoft Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious [2]. + Enabling Microsoft Defender SmartScreen will warn or prevent users from running potentially malicious programs [2]. 
+ + It increases your privacy by allowing to run privacy scripts and reducing SmartScreen data collection by + limiting SmartScreen functionality. + As Microsoft collect data about files and programs run on PCs with this feature enabled [3] [4]. + + It may increase your performance by reducing the amount of processing. + This may decrease security. + DISA does not recommend what this script configures, and recommends blocking by default without allowing user to run it + as security best practice [2]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + This script configures `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!ShellSmartScreenLevel` registry key [1] [2] [3]. + + [1]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5188C44-L5188C65 + [2]: https://web.archive.org/web/20240713204739/https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253395 "The Microsoft Defender SmartScreen for Explorer must be enabled. | www.stigviewer.com" + [3]: https://web.archive.org/web/20240713204839/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen "Configure Windows Defender SmartScreen | admx.help" + [4]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enablesmartscreeninshell "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System valueName: ShellSmartScreenLevel dataType: REG_SZ - data: Warn + data: Warn # Block: Prevent app from running | Warn: Notify user but allow continuation. 
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable SmartScreen in Microsoft browsers - docs: |- + docs: |- # refactor-with-variables: • SmartScreen Caution This category provides scripts to disable SmartScreen in Microsoft browsers. - + SmartScreen is a security feature in Edge. When you visit websites or download files, SmartScreen checks the reputation of the URL or file [1]. If SmartScreen determines that the site or file is malicious, it blocks access or download [1]. 
@@ -15236,13 +15432,16 @@ actions: user's system and network structure. The combination of these data points could enable Microsoft to build a comprehensive profile of user activities and behavior. + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + [1]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#smartscreen "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624121703/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-potentially-unwanted-apps "Use Microsoft Edge to protect against potentially unwanted applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240624143449/https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ "Windows 10 SmartScreen Sends URLs and App Names to Microsoft | www.bleepingcomputer.com" children: - name: Disable Edge SmartScreen - docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy • SmartScreen Caution + # TODO: Bobbylive, SmartScreenEnabled This script disables the SmartScreen feature in Edge. SmartScreen provides warning messages to help protect users from potential phishing scams and malicious software [1] [2]. 
@@ -15267,6 +15466,7 @@ actions: > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624143208/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235763 "Microsoft Defender SmartScreen must be enabled. | www.stigviewer.com" @@ -15277,7 +15477,8 @@ actions: dwordData: '0' - name: Disable Edge SmartScreen for potentially unwanted apps - docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy • SmartScreen Caution + TODO: SmartScreenPuaEnabled, bobylive This script disables the SmartScreen feature in Edge that specifically targets potentially unwanted applications (PUAs). Microsoft Edge's SmartScreen PUA feature protects against adware, coin miners, bundleware, and other low-reputation software [1] [2]. 
@@ -15299,6 +15500,7 @@ actions: > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenpuaenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624121549/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled "Configure Microsoft Defender SmartScreen to block potentially unwanted apps | admx.help" @@ -15309,7 +15511,8 @@ actions: dwordData: '0' - name: Enable Edge SmartScreen bypass - docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy + # TODO: https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy • SmartScreen Caution This script allows users to bypass Edge SmartScreen warnings. SmartScreen in Edge displays warnings about potentially malicious websites [1] [2]. 
@@ -15333,6 +15536,7 @@ actions: > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverride "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624152821/https://www.stigviewer.com/stig/microsoft_edge/2021-06-23/finding/V-235720 "Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled. | www.stigviewer.com" 
@@ -15341,9 +15545,157 @@ actions: parameters: valueName: PreventSmartScreenPromptOverride # Edge ≥ 77 dwordData: '0' + - + name: Enable Edge SmartScreen bypass for files + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution + This script allows users to bypass Edge SmartScreen warnings when downloading files. + + Microsoft Defender SmartScreen warns users about potentially unsafe downloads [1] [2] [3]. + By default, users can bypass Microsoft Defender SmartScreen warnings and complete unverified downloads [1] [2]. + This script maintains the default option, enabling users to bypass SmartScreen warnings if chosen. + + This script allows users to override these warnings. + This enhances user privacy by reducing the amount of data sent to Microsoft for file scanning. + However, this may reduce security as it allows the completion of potentially harmful, unverified downloads. + Restricting downloads to verified sources significantly lowers the risk of acquiring viruses, spyware, or other malicious software [3]. + Authorities like The Defense Information Systems Agency (DISA) [2] and The Center of Internet Security (CIS) [3] advise + against bypassing SmartScreen due to security concerns. + + This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1]. + It is effective only on computers under organizational management, such as those in workplaces or schools. + It's not applicable to personal computers that are not managed by an organization. + + This script configures the `PreventSmartScreenPromptOverrideForFiles` policy [1] [2] [3]. + Changing this policy does not require restarting the browser to take effect [1]. + + > **Caution**: + > - This will display the message "Your browser is managed by your organization" on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverrideforfiles "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240712112844/https://www.stigviewer.com/stig/microsoft_edge/2021-11-19/finding/V-235721 "Bypassing of Microsoft Defender SmartScreen warnings about downloads must be disabled. | www.stigviewer.com" + [3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" + call: + function: SetEdgePolicyViaRegistry + parameters: + valueName: PreventSmartScreenPromptOverrideForFiles # Edge ≥ 77 + dwordData: '0' + - + name: Disable Edge SmartScreen DNS requests + recommend: strict # Recommended BY CIS + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution + This script stops Microsoft Defender SmartScreen from making DNS requests. + + By default [1] [2], Microsoft Defender SmartScreen sends DNS requests [1] [2] to identify + potentially harmful websites, like those involved in phishing or malware [2] [3]. + + Disabling DNS requests stops SmartScreen from obtaining IP addresses [1] [2], + which enhances privacy by reducing IP data sharing. + This script also improves security by reducing dependence on DNS servers. + Disabling DNS requests mitigates a security risk: if DNS fails to resolve a website, + the browser cannot isolate it through Web Isolation [2] [3]. + The Center for Internet Security (CIS) recommends this action for its security benefits [2]. + Additionally, disabling DNS requests can improve system performance by reducing processing workload. + However, this change may reduce IP-based protections [1] [2], posing a security trade-off. 
+ + This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [2] [3]. + It is effective only on computers under organizational management, such as those in workplaces or schools. + It's not applicable to personal computers that are not managed by an organization. + + This script configures the `SmartScreenDnsRequestsEnabled` policy [1]. + Changes will take effect after restarting the browser [1]. + + > **Caution**: + > - This will display the message "Your browser is managed by your organization" on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. + > - Disabling DNS requests may prevent the browser from blocking harmful sites by not checking their IP addresses. + + [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreendnsrequestsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240712102959/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks_(ms_edge)/syx-1038-12753.html "Microsoft Defender SmartScreen DNS Requests Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" + [3]: https://web.archive.org/web/20240712103006/https://knowledge.broadcom.com/external/article/200948/unable-to-isolate-websites-in-edge-brows.html "Unable to Isolate websites in Edge browser | knowledge.broadcom.com" + call: + function: SetEdgePolicyViaRegistry + parameters: + valueName: SmartScreenDnsRequestsEnabled # Edge ≥ 97 + dwordData: '0' + - + name: Disable Edge SmartScreen checks on downloads from trusted sources + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution + This script lets you configure whether Microsoft Defender SmartScreen checks download reputation from a trusted source [1]. + + Edge determines a trusted source by checking its Internet zone [1]. 
+ If the source comes from the local system, intranet, or trusted sites zone, then the download + is considered trusted and safe [1]. + + By default, if you do not run this script, Microsoft Defender SmartScreen checks the download's reputation regardless of source [1]. + Once you run this script, Microsoft Defender SmartScreen doesn't check the download's reputation when downloading from a trusted source [1]. + This increases your privacy by removing the need to send data to Microsoft about downloaded files. + It can also increase your performance by removing the processing need for the check. + However, it may reduce your security against malicious software [2]. + CIS (Center of Internet Security) discourage this script and recommend allowing the checks [2]. + This increases security because SmartScreen can verify that downloads are from a trusted source will + downloading an infected package to their machine [2]. + + This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [2] [3]. + It is effective only on computers under organizational management, such as those in workplaces or schools. + It's not applicable to personal computers that are not managed by an organization. + + This script configures the `SmartScreenForTrustedDownloadsEnabled` policy [1] [2]. + Changes will take effect after restarting the browser [1]. + + > **Caution**: + > - This will display the message "Your browser is managed by your organization" on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenfortrusteddownloadsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" + call: + function: SetEdgePolicyViaRegistry + parameters: + valueName: SmartScreenForTrustedDownloadsEnabled # Edge ≥ 78 + dwordData: '0' + - + name: Disable outdated Edge SmartScreen library update + docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution + This script prevents specific versions of Microsoft Edge from updating to the newer SmartScreen library. + + This script reverts Microsoft Edge to the previous SmartScreen library, used before version 103 [1] [2]. + It blocks Edge from loading the new SmartScreen library (`libSmartScreenN`), + which is responsible for checking site URLs and application downloads [1]. + By running this script, Edge will utilize the older library (`libSmartScreen`). + + This script is effective only for Microsoft Edge versions 95 to 107 [1]. + It does not function on versions older than 95, which always use the older library [1]. + Similarly, versions newer than 107 always utilize the newer library [1] [2]. + + Disabling the updated SmartScreen library can increase privacy by limiting data collection but may reduce + security as it bypasses the latest updates that combat phishing and malware. + + This script may improve system performance since some users have reported slowdowns with the new + library [3]; these issues have probably already been resolved as the library has matured. + + This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [2] [3]. 
+ It is effective only on computers under organizational management, such as those in workplaces or schools. + It's not applicable to personal computers that are not managed by an organization. + + This script configures the `NewSmartScreenLibraryEnabled` policy [1] [2]. + Changes will take effect after restarting the browser [1]. + + > **Caution**: + > - This will display the message "Your browser is managed by your organization" on the settings page. + > - Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newsmartscreenlibraryenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240714085347/https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/ "More reliable web defense - Microsoft Edge Blog | blogs.windows.com" + [3]: https://web.archive.org/web/20240714090327/https://answers.microsoft.com/en-us/microsoftedge/forum/all/new-smartscreen-library-kills-edge/33ed19a4-ff7d-4939-8e0c-015eab7b0ae9 "\"New SmartScreen library\" kills Edge - Microsoft Community | answers.microsoft.com" + call: + function: SetEdgePolicyViaRegistry + parameters: + valueName: NewSmartScreenLibraryEnabled # Edge ≥ 95 and ≤ 107 + dwordData: '0' - name: Disable Edge (Legacy) SmartScreen - docs: |- # refactor-with-variables: Same • Edge (Legacy) only + docs: |- # refactor-with-variables: Same • Edge (Legacy) only • SmartScreen Caution This script disables the SmartScreen feature in Edge (Legacy). Edge (Legacy) uses the Windows Defender SmartScreen by default to protect users from phishing scams and malicious software [1] [2]. 
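Review bot: In the new `Disable Edge SmartScreen checks on downloads from trusted sources` entry the sentence `This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [2] [3]` cites a `[3]` that the entry never defines (only `[1]` and `[2]` exist there), and the same sentence in `Disable outdated Edge SmartScreen library update` cites `[2] [3]`, which in that entry resolve to the Edge blog post and a community forum thread, not to anything about domain management. The sentence looks pasted from the DNS entry; fix the citation numbers per entry or move it into the planned `refactor-with-variables` block. Two prose problems in the same hunk: `This increases security because SmartScreen can verify that downloads are from a trusted source will downloading an infected package to their machine [2]` is ungrammatical and reads as cut off; and in the DNS entry `This script also improves security by reducing dependence on DNS servers.` and `Disabling DNS requests mitigates a security risk` sit next to `this change may reduce IP-based protections [1] [2], posing a security trade-off`, so state the Web Isolation point from [3] as the one concrete benefit and present the rest as a trade-off rather than an improvement.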
@@ -15358,11 +15710,14 @@ actions: While enabling this setting may increase user autonomy and privacy, it reduces security [1]. Users should be cautious and understand the risks involved. - This script configures the `EnabledV9` policy [1] [2]. + This script configures the `EnabledV9` policy [1] [2] [3]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + [1]: https://web.archive.org/web/20240624152134/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | www.stigviewer.com" [2]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" + [3]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5173 "TODO: Fork and archive" call: function: SetLegacyEdgePolicyViaRegistry parameters: @@ -15371,7 +15726,7 @@ actions: dwordData: "0" - name: Enable Edge (Legacy) SmartScreen bypass - docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only + docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only • SmartScreen Caution This script allows users to bypass SmartScreen warnings in Edge (Legacy). Edge (Legacy) features a SmartScreen filter that warns users about potentially malicious websites and file downloads [1]. 
@@ -15385,11 +15740,14 @@ actions: potentially malicious sources [2]. Users should be cautious and understand the risks involved. - This script configures the `PreventOverride` policy [1] [2]. + This script configures the `PreventOverride` policy [1] [2] [3]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + [1]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624140451/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63699 "Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge. | www.stigviewer.com" + [3]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5174C163-L5174C178 "TODO: Fork and archive" call: function: SetLegacyEdgePolicyViaRegistry parameters: 
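Review bot: Both the `EnabledV9` hunk and this `PreventOverride` hunk add a `[3]` reference to `smartscreen.exe.strings` in a GitHub fork whose title is literally `TODO: Fork and archive`, and the `PreventOverride` link carries an editor column range (`#L5174C163-L5174C178`); every other reference in these entries is a `web.archive.org` snapshot with a descriptive title. Either archive the strings file and give the reference a proper title before merging, or drop the `[3]` from `This script configures the ... policy [1] [2] [3].` so the text does not cite a TODO as its source.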
@@ -15397,31 +15755,184 @@ actions: valueName: PreventOverride dwordData: "0" - - name: Disable SmartScreen in Internet Explorer - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 + name: Disable outdated Internet Explorer SmartScreen + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables SmartScreen in outdated versions of Internet Explorer. + + SmartScreen is also known as the *Phishing Filter* [1] [2] or *SmartScreen Filter* [2] [3]. + It protects users by identifying and blocking malicious web content [2] [3]. + + Disabling this feature enhances your privacy by preventing the collection of data related to your browsing habits. + It can also increase system performance by reducing the computational overhead required to scan and evaluate web content. + However, this may also lower your security, as it makes the browser more vulnerable to malicious sites and downloads [3]. + + Internet Explorer is no longer supported and has been replaced by Microsoft Edge on recent versions of Windows [1]. + However, this script remains relevant for older versions where Internet Explorer is still operational. + + The script modifies the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\2301` registry key [1] [2] [3]. + Each zone in the registry represents a different security level [1]: + + | Security Zone | Meaning | + |---------------|-------------------------| + | `0` | My Computer | + | `1` | Local Intranet Zone | + | `2` | Trusted Sites Zone | + | `3` | Internet Zone | + | `4` | Restricted Sites Zone | + + Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" + [3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. | www.stigviewer.com" call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 - valueName: '2301' - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + 
function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable outdated Internet Explorer SmartScreen Filter component + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + + The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. + It is mainly used by Internet Explorer [2]. + + Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], + some systems may still have this component. + + Benefits: + + - **Privacy improvement**: + By disabling the SmartScreen functionality that monitors user behavior, + this script enhances your privacy. + - **Security enhancement**: + It reduces the attack surface by removing unused components, aligning with + security best practices. + - **System performance**: + It may improve system performance by removing unnecessary components. + + Trade-offs: + + - **Reduced security**: + The absence of SmartScreen may decrease protection against malware and phishing. + - **Browser Functionality**: + If Internet Explorer is still in use, disabling the SmartScreen filter + may lead to errors, particularly with security features like phishing protection. + - **System stability**: + Internet Explorer components are integrated into Windows. 
+ Some Windows features and third-party applications may depend on these components. + Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend + on it, even if Internet Explorer is not actively used. + + File locations: + + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing | + | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Yes | ✅ Exists | + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 
10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - category: Disable SmartScreen for Windows Store apps + category: Disable SmartSmartScreen for Store apps # TODO: Add doc + docs: |- # refactor-with-variables: • SmartScreen Caution + https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. children: - - name: Disable SmartScreen's "App Install Control" feature - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - - https://web.archive.org/web/20240314103348/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen + name: Disable SmartScreen for Store apps "App Install Control" feature + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the "App Install Control" feature of SmartScreen. + + This feature restricts app installations exclusively to those from the Microsoft Store [1] [2]. + It displays "The app you're trying to install isn't a Microsoft-verified app" message + during app installation [3]. + By default, this feature is turned off [1] [2]. + Disabling SmartScreen automatically deactivates it as well [1] [2]. + This script explicitly deactivates the feature to guarantee it remains disabled. + Once disabled, SmartScreen permits users to install apps from any source, including the Internet [1] [2]. + + Disabling this feature enhances your privacy by limiting the data transmitted about your activities and behavior [5]. 
+ It also improves system performance by removing the need for continuous monitoring and evaluation of app sources, + which can reduce CPU and memory usage. + However, this also introduces a security risk by potentially permitting the installation of malicious apps. + + The script specifically modifies the following registry keys to enforce these settings: + + - `HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControlEnabled` [1] [2] [5] + - `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControl` [5] [7] + - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer!AicEnabled` [3] [4] [6] [7] + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enableappinstallcontrol "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240709110349/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl "Configure App Install Control | admx.help" + [3]: https://web.archive.org/web/20240713100611/https://answers.microsoft.com/en-us/windows/forum/all/i-am-having-issues-changing-my-app-recommendation/16b00c35-05fc-44bc-9e78-e9452cf8d862 "I am Having Issues Changing My App Recommendation Settings - Microsoft Community | answers.microsoft.com" + [4]: https://web.archive.org/web/20240713100920/https://www.elevenforum.com/t/choose-where-to-get-apps-in-windows-11.7370/ "Choose where to get apps in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" + [5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and 
Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + [6]: https://web.archive.org/web/20240713101028/https://bugzilla.mozilla.org/show_bug.cgi?id=1659157 "1659157 - Add telemetry to track Win 10 installs in related to the system's MSFT verified app setting. | bugzilla.mozilla.org" + [7]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5182 "TODO: Fork and archive" call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen - valueName: ConfigurgeAppInstallControl + valueName: ConfigureAppInstall dataType: REG_SZ data: Anywhere deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
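Review bot: The value name in `Disable SmartScreen for Store apps "App Install Control" feature` is changed from `ConfigurgeAppInstallControl` to `ConfigureAppInstall`, but the docs added in the same hunk name the key `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControl` [5] [7], so the typo fix from the commit message still does not match its own documentation; `valueName` should be `ConfigureAppInstallControl`. Other points in this hunk: the Internet Explorer entry documents `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\2301` (non-policy hive, doubled backslash, zone number missing) while the five calls write value `2301` under `HKLM\Software\Policies\...\Internet Settings\Zones\0` through `\4`, so the docs should name the Policies path and the per-zone subkey; `category: Disable SmartSmartScreen for Store apps # TODO: Add doc` has a doubled word, an unresolved TODO and a bare un-archived URL as its `docs`; and in the `ieapfltr.dll` table `%WINDIR%\System32\ieapfltr.dll` is `❌ Missing` on both tested versions while the matching call comment says `🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2`, and `✅ Yes` / `✅ Exists` should use one label.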
@@ -15433,9 +15944,47 @@ actions: dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer + valueName: AicEnabled + dataType: REG_SZ + data: 'Anywhere' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen's web content (URLs) checking for apps - docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general + name: Disable SmartScreen for Store apps web content checking + docs: |- # refactor-with-variables: • SmartScreen Caution # TODO: Research done, revise + This script disables web content checking feature of SmartScreen for Store apps. + + This feature is enabled by default [3]. + It checks web content (URLs) that Microsoft Store app use [2] [3]. + This feature is known as *SmartScreen Filter* for Microsoft Store apps [1]. + It was then renamed to "SmartScreen for Microsoft Store apps" [3]. + These checks are part of SmartScreen's *reputation-based protection* feature [1] [3] [6]. + + This script protects your privacy as this feature has privacy issues as it reads your web content. + Microsoft mentions this script to limiting the data transmitted about your activities and behavior [2]. + Polish Government recommend disabling feature prioritizing the privacy over security provided [5]. + It also increase system performance by reducing overhead of web content processing. + However, keep in mind that it may reduce security. 
+ + This script configures: + - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` [1] [2] [4] [5] [6] [7] + - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` [4] [6] [7] + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` [1] [3] [4] + + This key toggles the setting in the user interface [1] [2]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://www.thewindowsclub.com/enable-or-disable-smartscreen-filter-for-microsoft-store-apps + [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + [3]: https://www.anoopcnair.com/smartscreen-for-microsoft-store-apps-windows-11/ + [4]: https://github.com/WinDLLsExports/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/urlmon.dll.strings + [5]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP" + [6]: https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/security/app-and-browser-control/reputation-based-protection-setttings.html + [7]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5180 "TODO: Fork and archive" call: - function: SetRegistryValue 
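Review bot: The `Disable SmartScreen for Store apps web content checking` docs still carry `# TODO: Research done, revise` and prose that reads like notes: `Microsoft mentions this script to limiting the data transmitted`, `Polish Government recommend disabling feature prioritizing the privacy over security provided [5]`, `It also increase system performance`. References `[1]`, `[3]`, `[4]` and `[6]` are bare URLs with no archive snapshot or title, unlike the rest of the file. `This key toggles the setting in the user interface [1] [2].` follows a list of three keys, so say which one is meant (the list cites [1] [2] on the `HKCU` value). The added `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` call itself is consistent with the existing `HKCU` and `HKLM` calls.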
@@ -15451,6 +16000,89 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost + valueName: EnableWebContentEvaluation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Enable SmartScreen for Store apps bypass + docs: |- # TODO: Research done, complete docs from references + This key is not officially documented. But deriving documentation for same named Microsoft Edge policy, + it does .... + + This key configures the following registry keys: + + - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!PreventOverride` [1] [2] + - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!PreventOverride` [1] [2] + + - https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-for-microsoft-store-apps-in-windows-11.5736/ + - https://www.tenforums.com/tutorials/81139-turn-off-smartscreen-microsoft-store-apps-windows-10-a.html + + [1]: https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/security/app-and-browser-control/reputation-based-protection-setttings.html + [2]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5181C51-L5181C66 "TODO: Fork and archive" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost + valueName: PreventOverride + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 
Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost + valueName: PreventOverride + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable outdated SmartScreen settings interface + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the SmartScreen settings interface in older Windows versions. + + It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4]. + Found only in older Windows versions [3] [4], including Windows 8 [3]. + Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2) + or Windows 10 Pro (22H2) and beyond. + + The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings + for the SmartScreen filter [3] [4]. + + Removing this component may enhance privacy by eliminating the possibility to modify + SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4]. + It also optimizes system performance by removing this obsolete component. + + However, disabling this feature could reduce security by limiting your system's protection against + phishing and malware. + + It is located at the following paths: + + - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4] + - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2] + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com" + [4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 - category: Disable automatic updates docs: |-
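Review bot: `Enable SmartScreen for Store apps bypass` is not ready to merge as written: its docs contain the placeholder `it does ....`, the header comment `# TODO: Research done, complete docs from references`, two bare bullet URLs that are not numbered references, and no `> **Caution**` block even though every other SmartScreen entry in this patch has one. `deriving documentation for same named Microsoft Edge policy` should name and cite that policy (the Edge (Legacy) `PreventOverride` entry above, where `0` likewise allows the override), since the effect of `data: '0'` is what justifies calling the entry a bypass. Smaller point in the same hunk: reference `[2]` in `Disable outdated SmartScreen settings interface` is a `web.archive.org/save/` trigger URL rather than an archived snapshot and should be replaced with the resulting `web/<timestamp>/` link.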