Smart Screen Conflict #10

Open
Dewan-Fourie opened this issue Apr 14, 2024 · 1 comment

@Dewan-Fourie

There is a conflict when deploying both "policies/ACSC Windows Hardening Guidelines.json" and "policies/Windows Security Baseline (for use with ACSC Windows Hardening Guidelines).json" to Intune. They are both setting Smart Screen controls causing the configuration status to show as "Conflict" in Intune.

As I am deploying both of these configurations, I've opted to remove the controls from "policies/ACSC Windows Hardening Guidelines.json" with the "settingDefinitionId" of:

  • device_vendor_msft_policy_config_admx_windowsexplorer_enablesmartscreen
  • device_vendor_msft_policy_config_browser_allowsmartscreen
  • device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverride
  • device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverrideforfiles
  • device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_smartscreenenabled
  • device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_preventsmartscreenpromptoverride
  • device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles
  • device_vendor_msft_policy_config_smartscreen_preventoverrideforfilesinshell

The controls in "policies/Windows Security Baseline (for use with ACSC Windows Hardening Guidelines).json" with the following "definitionId" are then used to configure Smart Screen:

  • deviceConfiguration--windows10EndpointProtectionConfiguration_smartScreenEnableInShell
  • deviceConfiguration--windows10EndpointProtectionConfiguration_smartScreenBlockOverrideForFiles
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerPreventManagingSmartScreenFilter
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerBypassSmartScreenWarnings
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerBypassSmartScreenWarningsAboutUncommonFiles
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerInternetZoneSmartScreen
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerLockedDownInternetZoneSmartScreen
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerLockedDownRestrictedZoneSmartScreen
  • deviceConfiguration--windows10GeneralConfiguration_internetExplorerRestrictedZoneSmartScreen
  • deviceConfiguration--windows10GeneralConfiguration_edgeRequireSmartScreen
  • deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverride
  • deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverrideForFiles
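
Added example (not part of the original issue or the repository's code): a Python script that performs the removal described in the comment above and reports which of the eight IDs were not present in the file. It assumes the policy JSON is a Settings Catalog export whose top-level `settings` array holds entries with `settingInstance.settingDefinitionId`; the function name `strip_settings` and the sample policy are hypothetical.

```python
import copy

# The eight settingDefinitionId values listed in the issue comment above.
SMARTSCREEN_IDS = {
    "device_vendor_msft_policy_config_admx_windowsexplorer_enablesmartscreen",
    "device_vendor_msft_policy_config_browser_allowsmartscreen",
    "device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverride",
    "device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverrideforfiles",
    "device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_smartscreenenabled",
    "device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_preventsmartscreenpromptoverride",
    "device_vendor_msft_policy_config_microsoft_edgepolicymicrosoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles",
    "device_vendor_msft_policy_config_smartscreen_preventoverrideforfilesinshell",
}

def strip_settings(policy, ids=SMARTSCREEN_IDS):
    """Return (new_policy, removed_ids, missing_ids); the input dict is not mutated."""
    wanted = {i.lower() for i in ids}
    result = copy.deepcopy(policy)
    kept, removed = [], []
    for entry in result.get("settings", []):
        # Assumed layout: each entry carries settingInstance.settingDefinitionId.
        sid = entry.get("settingInstance", {}).get("settingDefinitionId", "").lower()
        if sid in wanted:
            removed.append(sid)
        else:
            kept.append(entry)
    result["settings"] = kept
    # IDs that were requested but absent: a sign the file differs from what was expected.
    return result, removed, sorted(wanted - set(removed))

# Constructed sample policy, not the repository's file.
SAMPLE = {
    "name": "constructed example policy",
    "settings": [
        {"settingInstance": {"settingDefinitionId": "device_vendor_msft_policy_config_browser_allowsmartscreen"}},
        {"settingInstance": {"settingDefinitionId": "device_vendor_msft_policy_config_smartscreen_preventoverrideforfilesinshell"}},
        {"settingInstance": {"settingDefinitionId": "example_unrelated_setting"}},
    ],
}

if __name__ == "__main__":
    cleaned, removed, missing = strip_settings(SAMPLE)
    print("removed:", removed)
    print("not found in this file:", missing)
    print("settings left:", len(cleaned["settings"]))
```

A non-empty "not found" list means the file does not contain every ID named in the issue, which is worth checking before importing the edited policy into Intune.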

@midineenMSFT
Contributor

Thank you @Dewan-Fourie for reporting these conflicts with Smart Screen and how you resolved them. Have you attempted to deploy the draft policies in the 23H2-Windows-Security-Baseline, which has moved all policies to be based on Settings Catalog? This, along with a few other included improvements, should resolve all known conflicts.
