Your company’s internal application is suddenly blocked by Windows Defender SmartScreen, displaying a warning that the app is unrecognized or might be unsafe. This occurs because SmartScreen compares downloaded files against a cloud-based reputation database, and internal apps signed with a self-signed or non-public certificate often lack sufficient reputation. This article explains why SmartScreen blocks legitimate internal applications and provides two reliable methods to bypass the block while maintaining security.
Key Takeaways: Unblocking Internal Apps Blocked by SmartScreen
- File Properties > Unblock checkbox: Removes the Mark of the Web from a single downloaded file to allow it to run without the SmartScreen warning.
- Group Policy > Windows Defender SmartScreen > Configure Windows Defender SmartScreen: Disables SmartScreen for all users on the device when you must run multiple internal apps without prompts.
- Sign the app with a trusted code-signing certificate: The permanent solution that prevents SmartScreen from blocking future versions of your internal application.
Why SmartScreen Blocks Internal Apps
Windows Defender SmartScreen protects your system by checking downloaded files and executables against Microsoft’s reputation database. Files downloaded from the internet receive a hidden NTFS data stream called the Mark of the Web. When SmartScreen sees this mark, it queries Microsoft’s cloud service to determine the file’s reputation. Internal applications that are not widely distributed across the internet have little to no reputation data, so SmartScreen labels them as unrecognized and blocks execution.
The block is not a virus detection. It is a reputation-based decision. If your internal app is signed with a self-signed certificate or a certificate from an internal CA that is not trusted by Microsoft’s root store, SmartScreen cannot verify the publisher. The warning message says “Windows protected your PC” and offers a “Don’t run” button. The “More info” link reveals a “Run anyway” option, but this is a per-execution bypass that can be inconvenient for repeated use.
SmartScreen runs in Microsoft Edge and Windows itself. The block can appear when you download the app via Edge, copy it from a network share, or receive it as an email attachment. The root cause is always the same: the file carries the Mark of the Web and lacks sufficient reputation in Microsoft’s cloud.
Steps to Unblock an Internal App Blocked by SmartScreen
You have three options depending on your environment and how often the app needs to run. The first method unblocks a single file. The second method disables SmartScreen on the device. The third method is the proper long-term fix for enterprise deployment.
Method 1: Unblock the File Using File Properties
This method removes the Mark of the Web from a single executable or installer file. It works immediately and does not require administrative rights if the file is on your local drive.
- Locate the blocked file
Open File Explorer and navigate to the folder containing the internal app installer or executable file. The file may show a SmartScreen warning message when you try to run it.
- Open File Properties
Right-click the file and select Properties from the context menu. The Properties dialog opens.
- Check the Unblock checkbox
On the General tab, look at the bottom of the dialog for the Security section. If the file was downloaded from the internet, you will see a checkbox labeled Unblock. Check this box.
- Apply the change
Click Apply then OK. The Mark of the Web is removed from the file.
- Run the application
Double-click the file to launch it. SmartScreen should no longer block it. If the warning reappears, the file may have been re-downloaded or copied from a source that reapplies the mark.
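The same check and unblock can be scripted. The PowerShell below is an added example, not part of the original article: it reads the Mark of the Web from the file's Zone.Identifier stream and removes it only when the Authenticode signature is valid and comes from a signer you list. The thumbprint and the staging folder are placeholders, and the function names are hypothetical.

```powershell
# Added example, not from the original article.
# Constructed placeholder: replace with the thumbprint of your internal signing certificate.
$TrustedThumbprints = @('0000000000000000000000000000000000000000')

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The mark lives in the NTFS alternate data stream named Zone.Identifier.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $mark = [ordered]@{ Path = $Path; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
        if ($line -match '^(ZoneId|HostUrl|ReferrerUrl)=(.*)$') { $mark[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$mark
}

function Unblock-TrustedFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $mark = Get-MarkOfTheWeb -Path $Path
    if (-not $mark) { Write-Verbose "$Path carries no Mark of the Web"; return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    if ($sig.Status -ne 'Valid' -or $thumb -notin $TrustedThumbprints) {
        # Unsigned, tampered or unexpectedly signed files keep their mark.
        Write-Warning "Leaving $Path blocked: signature '$($sig.Status)', signer '$thumb'"
        return $false
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier stream')) {
        Unblock-File -LiteralPath $Path
    }
    return $true
}

# Dry run over a staging folder (placeholder path); drop -WhatIf to apply.
$staging = 'C:\Staging\InternalApps'
if (Test-Path -LiteralPath $staging) {
    Get-ChildItem -LiteralPath $staging -Filter *.exe -File |
        ForEach-Object { Unblock-TrustedFile -Path $_.FullName -WhatIf }
}
```

A signature from an internal CA reports as Valid only on machines that already trust that CA's root, so run the check on a managed device.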
Method 2: Disable SmartScreen via Group Policy
Use this method on a domain-joined device or a Windows 11 Pro, Enterprise, or Education edition. Disabling SmartScreen stops it from checking all files. Only do this on a managed device where other security controls are in place.
- Open Local Group Policy Editor
Press Win + R, type gpedit.msc, and press Enter. If the command is not found, your edition does not support Group Policy.
- Navigate to SmartScreen policy
Go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer.
- Open the Configure Windows Defender SmartScreen policy
Double-click the policy named Configure Windows Defender SmartScreen. The policy window opens.
- Set policy to Disabled
Select the Disabled radio button. Click Apply then OK.
- Restart the device
Restart your computer for the policy change to take effect. After restart, SmartScreen will no longer block any files.
Method 3: Sign the App with a Trusted Code-Signing Certificate
This is the recommended solution for enterprise environments. A code-signing certificate from a public CA trusted by Microsoft eliminates the SmartScreen warning permanently. The certificate must be purchased from a CA whose root certificate is included in the Microsoft Trusted Root Program, such as DigiCert, Sectigo, or GlobalSign.
- Purchase a code-signing certificate
Buy an Extended Validation or Organization Validation code-signing certificate from a trusted CA. The CA will verify your organization’s identity before issuing the certificate.
- Install the certificate on your build machine
Import the certificate into the Personal certificate store of the machine that builds the internal application. Use the Certificates MMC snap-in or the certificate import wizard.
- Sign the application using SignTool
Open a command prompt as Administrator. Run the command: signtool sign /fd SHA256 /a /tr http://timestamp.digicert.com /td SHA256 your_app.exe. Replace the timestamp URL with your CA’s timestamp server.
- Verify the signature
Right-click the signed file, select Properties, then go to the Digital Signatures tab. You should see the certificate listed. SmartScreen will now trust the file after a short reputation-building period.
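The verification step can also run as a release gate instead of a manual Properties check. The PowerShell below is an added example, not part of the original article: it confirms that the signature validates, that a timestamp countersignature is present, and that the signing certificate is not close to expiry. The function name and the 30-day threshold are assumptions.

```powershell
# Added example, not from the original article.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinDaysBeforeExpiry = 30   # assumed threshold; adjust to your release cadence
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $problems = @()

    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating once the signing certificate expires.
        $problems += 'no timestamp countersignature (check the /tr and /td options)'
    }
    $cert = $sig.SignerCertificate
    if ($cert) {
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($days -lt $MinDaysBeforeExpiry) {
            $problems += "signing certificate expires in $days days"
        }
    }

    [pscustomobject]@{
        Path        = $Path
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        Problems    = $problems
        Passed      = ($problems.Count -eq 0)
    }
}

# Gate the build on the result; your_app.exe is the file name used in the signing step.
$result = Test-ReleaseSignature -Path '.\your_app.exe'
$result | Format-List
if (-not $result.Passed) { exit 1 }
```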
If SmartScreen Still Blocks the App After Unblocking
Unblock checkbox is missing from File Properties
The Unblock checkbox only appears when the file has the Mark of the Web. If the checkbox is missing, the file did not come from the internet or the mark was already removed. In this case, SmartScreen may be blocking based on the file’s hash reputation rather than the mark. The only fix is to sign the app with a trusted certificate or disable SmartScreen via Group Policy.
Group Policy setting does not apply after restart
If you disabled SmartScreen via Group Policy but it still blocks files, confirm that no higher-priority policy is overriding your setting. Open a command prompt as Administrator and run gpresult /h gpresult.html. Open the HTML report and look for the SmartScreen policy. If it shows “Disabled” but SmartScreen is still active, a domain-level Group Policy Object may be enforcing it. Contact your domain administrator to adjust the policy.
SmartScreen blocks the app in Microsoft Edge
The SmartScreen filter in Microsoft Edge is separate from the Windows SmartScreen. To disable it in Edge, go to Edge Settings > Privacy, search, and services > Security and turn off Microsoft Defender SmartScreen. This setting is per-user and does not require administrative rights.
File Unblock vs SmartScreen Disable vs Code Signing
| Item | File Unblock | SmartScreen Disable via Group Policy | Code Signing with Trusted Certificate |
|---|---|---|---|
| Scope | Single file | All files on the device | All versions of the signed app |
| Administrative rights needed | No | Yes | Yes |
| Persistence after file update | Must unblock each new version | Remains disabled | Must sign each new version |
| Security risk | None, only removes mark | Reduces protection for all downloads | None, uses trusted identity |
| Best for | One-time download of internal tool | Lab or test machines | Production enterprise deployment |
You now have three methods to handle internal apps blocked by Windows 11 Defender SmartScreen. For a single file, use the Unblock checkbox in Properties. For a managed lab environment, disable SmartScreen via Group Policy. For ongoing enterprise use, sign your internal application with a trusted code-signing certificate. As an advanced tip, combine code signing with a timestamp to ensure the signature remains valid after the certificate expires, which prevents SmartScreen from blocking older versions of your app.