Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

About monitoring user operations for apps that SmartScreen warned

Copper Contributor

Even if SmartScreen determines that the app is dangerous, if the operator determines that it is safe, the installation will continue.
However, I would like to check the operation history at that time as an administrator.
The operation history is whether it was installed, blocked, and so on.


Upon examination, I found that the log was saved in the Windows Event Viewer. However, I have more than 100 PCs to manage, so I'm looking for a way to check them all at once.


For example, the following method.
-Alerts are raised only when the installation is executed after the warning on the management center screen of the endpoint manager.
-You can identify the device by displaying the logs of all PCs at once and filtering only the logs that executed the installation.


Is there any good way or feature?


* According to company rules, it is prohibited to install apps that are not approved. The goal is to find someone who has installed an app that is not approved by the company.


I know SmartScreen can force the installation to be blocked. But if you do that, you won't be able to install apps that you know are safe. I don't want to use the forced blocking feature because Microsoft has a long time to approve it.


・ Windows10 Enterprise
・ AzureAD (Joined), Microsoft365 E3, Intune

1 Reply

@S-Zinroku, a few method of fw'ing the event logs related to "Smartscreen".

Method 1) If you have an E5 license, you can use MDE's ( Advanced Hunting query to create a query for the Smartscreen Alerts.




Method 2)

Use Azure Monitor to collect the Event logs, in this case for Smartscreen.

Method 3)
Use Windows Event Forwarding (WEF), on the WEC server, create a script to ingest the event log into a excel or powerBI or sql database.

I hope this helps.

Yong Rhee [MSFT]

P.S. Additionally, if you are using Microsoft Defender Antivirus (MDAV), and you have E3/A3 license, you are able to see the AV alerts and different reports. Please take a look here:
Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses
Set up and configure Microsoft Defender for Endpoint Plan 1 | Microsoft Docs