Policy CSP - WebThreatDefense

Note

In Microsoft Intune, this CSP is listed under the Enhanced Phishing Protection category.

AutomaticDataCollection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection

This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.

  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.

  • If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.

  • If this policy isn't set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name AutomaticDataCollection
Friendly Name Automatic Data Collection
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection
Registry Key Name Software\Policies\Microsoft\Windows\WTDS\Components
Registry Value Name CaptureThreatWindow
ADMX File Name WebThreatDefense.admx

NotifyMalicious

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate.

  • If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.

  • If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen won't warn your users if they type their work or school password into one of the malicious scenarios described above.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name NotifyMalicious
Friendly Name Notify Malicious
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection
Registry Key Name Software\Policies\Microsoft\Windows\WTDS\Components
Registry Value Name NotifyMalicious
ADMX File Name WebThreatDefense.admx

NotifyPasswordReuse

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password.

  • If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it.

  • If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen won't warn users if they reuse their work or school password.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name NotifyPasswordReuse
Friendly Name Notify Password Reuse
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection
Registry Key Name Software\Policies\Microsoft\Windows\WTDS\Components
Registry Value Name NotifyPasswordReuse
ADMX File Name WebThreatDefense.admx

NotifyUnsafeApp

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc.

  • If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps.

  • If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen won't warn users if they store their password in text editor apps.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name NotifyUnsafeApp
Friendly Name Notify Unsafe App
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection
Registry Key Name Software\Policies\Microsoft\Windows\WTDS\Components
Registry Value Name NotifyUnsafeApp
ADMX File Name WebThreatDefense.admx

ServiceEnabled

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users don't see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender.

  • If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off.

  • If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.

  • If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Disabled.
1 (Default) Enabled.

Group policy mapping:

Name Value
Name ServiceEnabled
Friendly Name Service Enabled
Location Computer Configuration
Path Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection
Registry Key Name Software\Policies\Microsoft\Windows\WTDS\Components
Registry Value Name ServiceEnabled
ADMX File Name WebThreatDefense.admx

Policy configuration service provider