Key Takeaways:
- It helps protect users by warning them when potentially unsafe or phishing-related apps are detected.
- Admins can ensuring consistent protection across managed devices.
- This policy reducing the risk of credential theft and malicious app execution.
- Helps organizations meet compliance requirements by proactively preventing unsafe app usage.
Let’s discuss Enable Notify Unsafe App Policy for Enhanced Phishing Protection in Defender Smart Screen using Intune. Notify Unsafe App”, is a core component of Microsoft Defender SmartScreen’s Enhanced Phishing Protection (introduced in Windows 11, version 22H2).
It is designed to change user behavior by providing real-time warnings when they handle their corporate credentials in an insecure manner. It monitors when a user types their Work or School (Entra ID/Active Directory) password into “unsafe” applications specifically text editors and office productivity tools where passwords might be stored in plain text.
Mainly this policy is applicable for Apps like Notepad, Microsoft Word, and Microsoft 365 Office apps (Excel, OneNote, etc.). By enabling this policy, A “Windows Security” dialog appears immediately if a password is typed or pasted into these apps, advising the user that storing passwords in this way is unsafe.
Storing passwords in Notepad or Word is a easy for attackers. If a device is compromised by info-stealer malware, the first things the malware looks for are .txt or .docx files on the desktop containing keywords like “password.”
Table of Contents
Enable Notify Unsafe App Policy for Enhanced Phishing Protection in Defender Smart Screen using Intune
For Example, An employee finds it difficult to remember their complex 16-character password. To make life easier, they open Notepad, type their password, and save it as “My_Logins.txt ” on their desktop. By enabling this policy The second they finish typing the password, a Windows Security popup appears stating: “It’s unsafe to store your password in this app. We recommend you delete your password from this file.“
- Intune Security Policy to Set Up Smart Screen Enhanced Phishing Protection
- How to Install Microsoft Defender Browser Protection Extension using Intune PowerShell Script
- How to Prevent Smart Screen Prompt Override for Files Policy in MS Edge Browser using M365 Admin Center
How to Start Policy Creation
As an Admin, you can quickly configure this policy on your organisation. To start the Policy Creation, open the Microsoft Intune Admin center. Then go to Devices > Configuration >+ Create > +New Policy.
Profile Creation
Profile creation is the necessary step that helps you to assign the policy to appropriate platform and Profile. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Filling the Basic Tab
Naming the policy is the primary step that help admins to identify the policy later. This is important and necessary step that allows you to know the purpose of the policy. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configure Queue Specific Files Policy
With Settings Picker, you can use the Configuration Settings Tab. On this tab, you can click on the +Add Settings hyperlink to get the Settings Picker. The settings picker shows huge number of settings. Here, I would like to select the settings by browsing by Category. I choose System. Then, I choose Smart Screen\Enhanced Phishing Protection\Notify Unsafe App.
Disable Notify Unsafe App
Disable is the default value of Notify Unsafe App policy. If you disable this policy no warning is shown if a user saves their password in M365 Office applications, Notepad, and Wordpad apps.
Enable Notify Unsafe App
If you enable this policy warning is shown if a user saves their password in M365 Office applications, Notepad, and Wordpad. Click on the Next button to continue.
Scope Tags
With scope tags, you create a restriction to the visibility of the Read Aloud feature in Microsoft Edge. It helps to organise resources as well. Here, I would like to skip this section, because it is not mandatory. Click on the Next button.
Assignments Tab for Selecting Group
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Review + Create Tab
Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync the assigned device on Company Portal. Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer Details
Event Viewer helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
| Event Viewer |
|---|
| MDM PolicyManager: Set policy int, Policy: (NotifyUnsafeApp), Area: (WebThreatDefense), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0). |
Removing the Assigned Group from Notify Unsafe App Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Notify Unsafe App
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.