About monitoring user operations for apps that SmartScreen warned

%3CLINGO-SUB%20id%3D%22lingo-sub-3368818%22%20slang%3D%22ja-JP%22%3EAbout%20monitoring%20user%20operations%20for%20apps%20that%20SmartScreen%20warned%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3368818%22%20slang%3D%22ja-JP%22%3E%3CP%3EEven%20if%20SmartScreen%20determines%20that%20the%20app%20is%20dangerous%2C%20if%20the%20operator%20determines%20that%20it%20is%20safe%2C%20the%20installation%20will%20continue.%3CBR%20%2F%3E%20However%2C%20I%20would%20like%20to%20check%20the%20operation%20history%20at%20that%20time%20as%20an%20administrator.%3CBR%20%2F%3E%20The%20operation%20history%20is%20whether%20it%20was%20installed%2C%20blocked%2C%20and%20so%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpon%20examination%2C%20I%20found%20that%20the%20log%20was%20saved%20in%20the%20Windows%20Event%20Viewer.%20However%2C%20I%20have%20more%20than%20100%20PCs%20to%20manage%2C%20so%20I'm%20looking%20for%20a%20way%20to%20check%20them%20all%20at%20once.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%2C%20the%20following%20method.%3CBR%20%2F%3E%20-Alerts%20are%20raised%20only%20when%20the%20installation%20is%20executed%20after%20the%20warning%20on%20the%20management%20center%20screen%20of%20the%20endpoint%20manager.%3CBR%20%2F%3E%20-You%20can%20identify%20the%20device%20by%20displaying%20the%20logs%20of%20all%20PCs%20at%20once%20and%20filtering%20only%20the%20logs%20that%20executed%20the%20installation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20good%20way%20or%20feature%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20According%20to%20company%20rules%2C%20it%20is%20prohibited%20to%20install%20apps%20that%20are%20not%20approved.%20The%20goal%20is%20to%20find%20someone%20who%20has%20installed%20an%20app%20that%20is%20not%20approved%20by%20the%20company.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20SmartScreen%20can%20force%20the%20installation%20to%20be%20blocked.%20But%20if%20you%20do%20that%2C%20you%20won't%20be%20able%20to%20install%20apps%20that%20you%20know%20are%20safe.%20I%20don't%20want%20to%20use%20the%20forced%20blocking%20feature%20because%20Microsoft%20has%20a%20long%20time%20to%20approve%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEnvironment%3CBR%20%2F%3E%E3%83%BBAzureAD%3CBR%20%2F%3E%20(Joined)%2C%20Microsoft365%20E3%2C%20Intune%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Even if SmartScreen determines that the app is dangerous, if the operator determines that it is safe, the installation will continue.
However, I would like to check the operation history at that time as an administrator.
The operation history is whether it was installed, blocked, and so on.

 

Upon examination, I found that the log was saved in the Windows Event Viewer. However, I have more than 100 PCs to manage, so I'm looking for a way to check them all at once.

 

For example, the following method.
-Alerts are raised only when the installation is executed after the warning on the management center screen of the endpoint manager.
-You can identify the device by displaying the logs of all PCs at once and filtering only the logs that executed the installation.

 

Is there any good way or feature?

 

* According to company rules, it is prohibited to install apps that are not approved. The goal is to find someone who has installed an app that is not approved by the company.

 

I know SmartScreen can force the installation to be blocked. But if you do that, you won't be able to install apps that you know are safe. I don't want to use the forced blocking feature because Microsoft has a long time to approve it.

 

Environment
・ Windows10 Enterprise
・ AzureAD (Joined), Microsoft365 E3, Intune

0 Replies