Smart Screen Conflict

[Dewan-Fourie]

There is a conflict when deploying both "policies/ACSC Windows Hardening Guidelines.json" and "policies/Windows Security Baseline (for use with ACSC Windows Hardening Guidelines).json" to Intune. They are both setting Smart Screen controls causing the configuration status to show as "Conflict" in Intune.

As I am deploying both of these configurations, I've opted to remove the controls from "policies/ACSC Windows Hardening Guidelines.json" with the "settingDefinitionId" of:

• device_vendor_msft_policy_config_admx_windowsexplorer_enablesmartscreen
• device_vendor_msft_policy_config_browser_allowsmartscreen
• device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverride
• device_vendor_msft_policy_config_browser_preventsmartscreenpromptoverrideforfiles
• device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled
• device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride
• device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles
• device_vendor_msft_policy_config_smartscreen_preventoverrideforfilesinshell

The controls in "policies/Windows Security Baseline (for use with ACSC Windows Hardening Guidelines).json" with the following "definitionId" is then used to configure Smart Screen:

• deviceConfiguration--windows10EndpointProtectionConfiguration_smartScreenEnableInShell
• deviceConfiguration--windows10EndpointProtectionConfiguration_smartScreenBlockOverrideForFiles
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerPreventManagingSmartScreenFilter
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerBypassSmartScreenWarnings
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerBypassSmartScreenWarningsAboutUncommonFiles
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerInternetZoneSmartScreen
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerLockedDownInternetZoneSmartScreen
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerLockedDownRestrictedZoneSmartScreen
• deviceConfiguration--windows10GeneralConfiguration_internetExplorerRestrictedZoneSmartScreen
• deviceConfiguration--windows10GeneralConfiguration_edgeRequireSmartScreen
• deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverride
• deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverrideForFiles

[midineenMSFT]

Thank you @Dewan-Fourie for reporting these conflicts with Smart Screen and how you resolved them. Have you attempted to deploy the draft policies in the 23H2-Windows-Security-Baseline, which has moved all policies to be based on Settings Catalog? This, along with a few other included improvements, should resolve all known conflicts.