Microsoft Deprecates In-Process SmartScreen in IE and IE Mode on Windows 11

Microsoft has removed Microsoft Defender SmartScreen from Internet Explorer and from IE Mode on Windows 11, a change announced in a Microsoft support bulletin (KB5071357) that takes effect with the latest Windows updates and refocuses SmartScreen protections on modern surfaces such as Microsoft Edge and the Windows Shell.

Background

Microsoft Defender SmartScreen started as a reputation‑based safety layer to help block phishing sites, warn about suspicious downloads, and flag files that arrive from the web by applying a Mark‑of‑the‑Web (MoTW) tag. Over the years SmartScreen expanded from the original Internet Explorer (IE) implementation into Microsoft Edge and Windows Shell protections such as the “Check apps and files” control in Windows Security. Internet Explorer’s role on modern Windows has been steadily reduced: IE is no longer a supported standalone browser on Windows 11, and Microsoft advises organizations to use Microsoft Edge with IE Mode only for narrowly scoped, enterprise legacy applications. That shift is the context for Microsoft’s decision to deprecate in‑process SmartScreen checks inside the IE runtime on Windows 11.

What Microsoft actually changed

The short version

  • The legacy, in‑process SmartScreen checks that used to run inside Internet Explorer or when a page is rendered in IE Mode on Windows 11 have been removed. SmartScreen will no longer pop up URL or download interstitials from inside those legacy IE contexts.
  • SmartScreen continues to operate in Microsoft Edge, in the Windows Shell (the “Check apps and files” control), and in other supported experiences on Windows 11. Files downloaded in IE Mode still receive a Mark‑of‑the‑Web tag and will be evaluated by Windows Shell SmartScreen when opened from File Explorer.
  • On older Windows versions (where legacy SmartScreen codepaths still exist), SmartScreen behavior in Internet Explorer and IE Mode remains unchanged. The deprecation applies specifically to Windows 11 builds updated under KB5071357.

The technical rationale Microsoft gives

Microsoft cites three overlapping engineering reasons for the removal:
  • IE Mode’s intended scope is narrow and enterprise‑controlled. IE Mode exists as a compatibility bridge for managed, internal applications, not as a general purpose browsing surface; administrators control the IE Mode site list, making some URL‑based protections redundant in properly configured environments.
  • Legacy binary components were removed during modernization. The IE SmartScreen implementation depended on legacy binaries Microsoft has been phasing out; keeping those components just to support in‑process SmartScreen would reintroduce old attack surface and stability concerns.
  • Consolidation to modern surfaces. Microsoft wants to concentrate detection telemetry, ML improvements, and fast update cycles in Edge and platform services (Windows Shell, Defender platforms), rather than maintaining fragile integrations inside a deprecated runtime.
These points line up with Microsoft’s long‑running strategy of retiring IE as a daily browser and keeping compatibility only where strictly necessary via Edge’s IE Mode.

Precisely what remains protected — and what changes for admins

Protections that still apply

  • Windows Shell SmartScreen (“Check apps and files”) continues to evaluate downloaded files that are opened from Explorer. Files that arrive with a MoTW tag (Zone.Identifier ADS) will be scanned by the platform before execution. This means that a file downloaded through IE Mode on Windows 11 will still be evaluated later by Shell‑level SmartScreen when a user opens it.
  • Microsoft Defender and Defender for Endpoint continue to provide system‑level runtime detection, EDR telemetry, and behavioral blocking independent of SmartScreen’s reputation service. Enterprises relying on EDR/AV will still have those layered defenses.
  • SmartScreen in Microsoft Edge remains fully functional. Edge continues to show URL reputation interstitials, block known malicious downloads, and apply Edge‑specific protections such as the scareware blocker. Administrators can still manage SmartScreen behavior in Edge by policy.

What changed for administrators and help desks

  • No in‑context SmartScreen dialogs inside IE Mode on Windows 11. Administrators can no longer expect the same immediate URL reputational interstitials that used to appear when a user browsed within the legacy IE rendering engine. That in‑process user interaction is removed on Windows 11.
  • The safety net moves to the platform boundary. The defensive boundary is now the Windows Shell and the platform’s Mark‑of‑the‑Web handling rather than the in‑process legacy SmartScreen checks. This changes the operational threat model for IE Mode flows: trust boundaries must be tighter and file‑handling pipelines must preserve provenance metadata.
  • Policy control paths remain. Admins can still control SmartScreen globally — for Edge via the SmartScreenEnabled policy and for the Windows Shell via Windows Security controls and Group Policy/MDM. Confirming and locking these settings centrally is now higher priority.

Risks, gaps and attack surface implications

Microsoft’s move is defensible from a modernization and maintenance standpoint, but it does introduce measurable operational risks that administrators must acknowledge and mitigate.

Reliance on accurate site lists

IE Mode’s model assumes administrators maintain a precise Enterprise Site List that contains only trusted, internal hosts. Broad wildcards or overly permissive entries (for example, *.example.com) can create implicit trust that effectively allows untrusted content into a less‑protected runtime. Misconfiguration expands attack surface.
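One way to audit a site list for the broad entries described above, as an added example that is not from the article or from Microsoft: the script parses an Enterprise Mode site list in the v2 XML schema, flags wildcard hosts and bare whole-domain entries, and flags any host outside an assumed internal suffix that is set to open in IE11. The XML document and the internal suffix are constructed sample values; on a real endpoint read your published list with Get-Content instead.

```powershell
# Added example (not from the article or Microsoft): audit an Enterprise Mode
# site list (v2 schema) for entries that widen IE Mode's trust boundary.
# The XML below is constructed sample data; on a real host read your published
# list with Get-Content instead.
$SampleSiteList = @'
<site-list version="42">
  <created-by>
    <tool>Manual</tool><version>1</version><date-created>2025-11-05</date-created>
  </created-by>
  <site url="legacyapp.corp.example"><compat-mode>IE8Enterprise</compat-mode><open-in>IE11</open-in></site>
  <site url="*.example.com"><compat-mode>Default</compat-mode><open-in>IE11</open-in></site>
  <site url="example.com"><compat-mode>Default</compat-mode><open-in>IE11</open-in></site>
  <site url="hr.corp.example/portal"><compat-mode>Default</compat-mode><open-in>MSEdge</open-in></site>
</site-list>
'@

# Assumption: hosts ending in these suffixes are your managed internal estate.
$InternalSuffixes = @('.corp.example')

function Test-IEModeSiteEntry {
    param([string]$Url, [string]$OpenIn)
    $findings = @()
    $hostPart = ($Url -split '/')[0]
    if ($hostPart -match '\*') {
        $findings += 'wildcard host'
    } elseif (($hostPart -split '\.').Count -le 2) {
        # A bare domain such as example.com is a whole-domain entry, not a precise hostname.
        $findings += 'whole-domain entry'
    }
    $isInternal = $false
    foreach ($suffix in $InternalSuffixes) {
        if ($hostPart.EndsWith($suffix)) { $isInternal = $true }
    }
    if (-not $isInternal -and $OpenIn -eq 'IE11') {
        $findings += 'external host opens in IE11'
    }
    # Unary comma keeps an empty or single-element result as an array.
    return ,$findings
}

[xml]$doc = $SampleSiteList
$report = foreach ($site in $doc.'site-list'.site) {
    $issues = Test-IEModeSiteEntry -Url $site.url -OpenIn $site.'open-in'
    $summary = 'ok'
    if ($issues.Count -gt 0) { $summary = $issues -join '; ' }
    [pscustomobject]@{
        Url    = $site.url
        OpenIn = $site.'open-in'
        Issues = $summary
    }
}
$report | Format-Table -AutoSize
```

Run against the sample, the two broad entries are reported with both a scope finding and an "external host opens in IE11" finding, the precise internal hostname passes, and the MSEdge entry passes regardless of host because it never reaches the IE runtime. Treat the suffix list and the whole-domain heuristic as starting points to tune for your own naming conventions.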

Mark‑of‑the‑Web (MoTW) is useful but not foolproof

MoTW (the Zone.Identifier alternate data stream) is a valuable provenance signal, but it can be stripped or lost by common business processes:
  • Extracting files from archives on some platforms or using older extraction tools may not preserve MoTW metadata.
  • Moving files across non‑NTFS filesystems, or through certain server‑side processing chains, can remove ADS metadata.
  • Automated pipelines that unpack archives or re‑encode attachments may unintentionally strip zone data.
If MoTW is removed, the Windows Shell SmartScreen won’t see the file as web‑originated and may not apply the same protections until runtime detection catches suspicious behavior. Administrators should treat MoTW as one layer in a multi‑layered defense, not the only control.

Increased opportunities for targeted attacks

Reputation systems are powerful, but not perfect. Public research and real‑world incidents have shown SmartScreen bypasses and design weaknesses in related controls — for example, Smart App Control and SmartScreen bypasses that persisted until patched. Those historical incidents underscore why treating SmartScreen as a single control is risky.

User expectation and behavior mismatch

Users or help desks accustomed to seeing Edge‑style warnings while working within IE Mode may keep taking risks if they don’t know the in‑context SmartScreen dialogs are gone. Clear communication and updated runbooks are required to avoid complacency.

Practical, prioritized checklist for administrators (ready to run)

  • Audit every entry in your IE Mode Enterprise Site List. Replace wildcard and broad domain entries with precise hostnames; remove stale or unused entries.
  • Enforce Edge as the default browser for internet‑facing traffic. Use Microsoft Endpoint Manager / Group Policy to make Edge the default and block IE/IE Mode for external domains where feasible.
  • Verify Windows Shell protections: Ensure Windows Security → App & browser control → Check apps and files is enabled across the estate. Lock this setting via Group Policy/MDM if appropriate.
  • Harden file‑ingestion and extraction pipelines:
  • Test common extraction tools to confirm they preserve Zone.Identifier ADS.
  • If MoTW cannot be preserved, add compensating AV/EDR scanning of extracted files immediately after extraction.
  • Avoid storing web‑originated files on non‑NTFS shares unless additional scanning is enforced.
  • Enable and tune Defender for Endpoint telemetry and EDR rules to correlate suspicious downloads originating from IE Mode with subsequent process behavior. Use automated rules to escalate those events for analyst review.
  • Update internal documentation and help desk scripts explaining that IE Mode on Windows 11 no longer runs SmartScreen in‑process, and instruct users to use Edge for external browsing. Run user training and awareness alerts for the first wave of changes.
  • If any workflows require disabling SmartScreen behavior in IE Mode temporarily for compatibility testing, do this only in controlled diagnostics and re-enable protections afterward. Microsoft documents a manual Internet Options route for this, but it is not recommended as a long‑term posture.
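The MoTW section above and the file-pipeline items in this checklist both come down to one question: is the Zone.Identifier stream still on the file after each handling step? The following added example (not from the article or Microsoft) reads and parses that stream, then copies a tagged file through a destination folder and reports whether the tag survived. The scratch files, the hand-written tag and the probe directory are constructed for the demo; the zone-id meanings are an assumption based on the standard URLMON zone numbering.

```powershell
# Added example (not from the article or Microsoft): read the Zone.Identifier
# alternate data stream that carries the Mark-of-the-Web, and test whether a
# file-handling step (here: a plain copy to a destination folder) preserves it.
# The stream is an INI-style block written by the downloading browser, e.g.:
#   [ZoneTransfer]
#   ZoneId=3
#   HostUrl=https://...
# Assumption: ZoneId 3 is the Internet zone and 4 Restricted Sites (URLMON zone ids).

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $info = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No Zone.Identifier stream: the file was never tagged, or the tag was stripped.
        return [pscustomobject]$info
    }
    $info.HasMotw = $true
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)')  { $info.ZoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $info.HostUrl = $Matches[1] }
    }
    return [pscustomobject]$info
}

function Test-MotwPreserved {
    # Copy a tagged file into a destination folder and report whether the tag survived.
    # Point DestinationDir at a FAT/exFAT volume, a network share, or the output folder
    # of an extraction tool to exercise the paths the checklist warns about.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$DestinationDir)
    $dest = Join-Path $DestinationDir (Split-Path -Path $Source -Leaf)
    Copy-Item -LiteralPath $Source -Destination $dest -Force
    return (Get-MotwInfo -Path $dest).HasMotw
}

# Constructed demo: two scratch files, one tagged by hand the way a browser download would be.
$scratch  = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$tagged   = Join-Path $scratch 'tagged.txt'
$untagged = Join-Path $scratch 'untagged.txt'
Set-Content -LiteralPath $tagged   -Value 'sample'
Set-Content -LiteralPath $untagged -Value 'sample'
Set-Content -LiteralPath $tagged -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://intranet.corp.example/files/sample.txt'
)

Get-ChildItem -LiteralPath $scratch -File |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    Format-Table Path, HasMotw, ZoneId, HostUrl -AutoSize

# A same-volume NTFS copy keeps the tag (expected True); repeat with an exFAT or
# share path (assumption: adjust $ProbeDir) to find where your pipeline drops it.
$ProbeDir = Join-Path $scratch 'copied'
New-Item -ItemType Directory -Path $ProbeDir -Force | Out-Null
Test-MotwPreserved -Source $tagged -DestinationDir $ProbeDir
```

The useful part for pipeline hardening is Test-MotwPreserved: substitute the copy with the real step under test (an archive tool's extract command, a transfer to the share your intake process uses) and the function tells you whether Windows Shell SmartScreen will still see the file as web-originated afterwards. Where it returns False, that is the point to add the compensating AV/EDR scan the checklist calls for.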

How to validate SmartScreen behavior in your environment

  • Check Microsoft’s support bulletin (KB5071357) for the authoritative scope and publish date — the advisory lists Windows 11 versions 24H2 and 25H2 and Windows Server 2025 and shows an original publish date of November 4, 2025. Use this date as your baseline when mapping update rollouts.
  • Confirm whether a file downloaded via IE Mode carries a Zone.Identifier ADS:
  • In PowerShell:
  • Get-Item .\installer.exe -Stream Zone.Identifier
  • Or: Get-Content -Path .\installer.exe -Stream Zone.Identifier
  • A present Zone.Identifier stream indicates MoTW tagging; absence suggests a path where MoTW was stripped. (These are standard PowerShell ADS checks many admins use; verify on a test endpoint.)
  • Use Event Viewer and Defender/EDR telemetry to locate SmartScreen verdict events and correlate them with user sessions. If in‑process SmartScreen warnings are expected in your logs for IE Mode sessions but missing on Windows 11 machines updated to KB5071357, that is consistent with the deprecation.
  • Validate your Edge SmartScreen policy deployment (SmartScreenEnabled) for browsers managed by policy; confirm the setting in policy reporting and on target devices. The Edge policy documentation lists SmartScreenEnabled as the policy to configure SmartScreen in Edge.

Deep dive: why this is reasonable — and where it can go wrong

From an engineering view, Microsoft’s decision to remove in‑process SmartScreen from a deprecated runtime makes sense: supporting legacy binary components for a feature that is redundant (in properly configured IE Mode scenarios) costs maintenance and can re‑expose old vulnerabilities. Consolidating reputation and ML investments into Edge and platform services allows faster updates, better telemetry, and the use of newer machine learning detectors that wouldn’t have been feasible inside the old IE binaries. However, the policy shift reassigns operational responsibility:
  • Previously, a user who clicked a malicious link inside an IE Mode tab might have seen an immediate SmartScreen interstitial inside the IE runtime. With the change, that in‑context block is not available on Windows 11. Administrators must now ensure the IE Mode site list truly contains only trusted sites and that other boundary controls (web gateway, secure DNS, network proxies, EDR) are in place.
  • The most fragile point is file provenance. If your organization depends on Windows Shell SmartScreen to catch dangerous downloads, you must ensure workflows preserve MoTW or implement automatic scanning of any files transferred between systems. Attackers often target these second‑order dependencies (extraction tools, automation pipelines) to bypass protections. Past published research on SmartScreen and related controls shows defenders must treat reputation features as one part of a layered architecture.

Extra technical notes for operations teams

  • Policy names and controls:
  • Edge: SmartScreenEnabled — use Group Policy or MDM to enforce SmartScreen in Edge and prevent users from toggling it off.
  • Windows Security: App & browser control → Check apps and files — ensure this is enabled and locked via centralized policy where required.
  • Verification commands:
  • PowerShell ADS check: Get-Item .\downloadedfile.exe -Stream Zone.Identifier
  • To list streams on every file in the current folder: Get-Item -Path .\* | Get-AlternateDataStream (requires supplemental modules on some systems)
  • Logging: Look for SmartScreen events in Event Viewer under Microsoft-Windows-SmartScreen or related Defender logs (naming varies by OS/patch level).
  • Testing guidance:
  • Use a controlled, isolated test account and endpoint to recreate common business workflows that download attachments through IE Mode. Observe whether the Zone.Identifier appears and whether Shell SmartScreen interstitials are raised when files are executed. If your pipelines touch cloud services, test end‑to‑end to confirm metadata preservation.
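The validation section earlier and the policy names listed above describe the same check from two angles: is SmartScreen enforced by policy in Edge and for the Windows Shell, and is "Check apps and files" actually on for this device? The script below is an added example, not Microsoft's own tooling; it reads the registry values those policies write and emits one compliance row per control. The registry locations are assumptions based on the documented policy-to-registry mapping for the Edge SmartScreenEnabled policy and the File Explorer "Configure Windows Defender SmartScreen" policy, and the effective-state value names are assumptions as well; confirm them on a test endpoint before using the output for reporting.

```powershell
# Added example (not Microsoft's own tooling): read the registry values behind the
# SmartScreen controls named above and emit one compliance row per control.
# Locations (assumptions based on the policies' documented registry mapping):
#   Edge policy       HKLM:\SOFTWARE\Policies\Microsoft\Edge\SmartScreenEnabled (DWORD 1 = on)
#   Shell policy      HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen (DWORD 1)
#                     and ShellSmartScreenLevel ("Warn" or "Block")
#   Effective shell   HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled
#                     ("Warn", "Block" or "Off"), the value "Check apps and files" toggles.

function Get-RegValueOrNull {
    # Return the named value or $null when the key or value is absent (unset policy).
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-PostureRow {
    param([string]$Control, $Value, [bool]$Compliant, [string]$Note)
    [pscustomobject]@{ Control = $Control; Value = $Value; Compliant = $Compliant; Note = $Note }
}

function Get-SmartScreenPosture {
    $edge       = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled'
    $shellOn    = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $shellLevel = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'ShellSmartScreenLevel'
    $effective  = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'

    $edgeNote  = if ($null -eq $edge)      { 'not set by policy; users can toggle it in Edge' } else { '' }
    $shellNote = if ($null -eq $shellOn)   { 'not enforced by policy; device-local setting applies' } else { '' }
    $effNote   = if ($effective -eq 'Off') { 'Check apps and files is disabled on this device' } else { '' }

    New-PostureRow 'Edge SmartScreenEnabled (policy)'     $edge       ($edge -eq 1)                    $edgeNote
    New-PostureRow 'Shell EnableSmartScreen (policy)'     $shellOn    ($shellOn -eq 1)                 $shellNote
    New-PostureRow 'Shell ShellSmartScreenLevel (policy)' $shellLevel ($shellLevel -in 'Warn','Block') ''
    New-PostureRow 'Check apps and files (effective)'     $effective  ($effective -in 'Warn','Block')  $effNote
}

Get-SmartScreenPosture | Format-Table -AutoSize
```

A row with Compliant = False and a "not set by policy" note is the case the article's guidance is most concerned with: protection may currently be on, but nothing stops a user or a stray script from switching it off. Run the function through your management tooling's script-execution feature and collect the objects rather than the formatted table if you want to aggregate across the estate.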

Final assessment — practical, measured, but requires admin attention

The deprecation of in‑process SmartScreen in Internet Explorer and IE Mode on Windows 11 is a pragmatic engineering step that reduces legacy attack surface and consolidates security investment where it yields better telemetry and faster iteration: Microsoft Edge and Windows Shell. For most modern environments that already treat IE Mode as a narrowly scoped compatibility bridge, this will be a manageable—if important—shift. That said, the change is not risk‑free. It increases reliance on correct site‑list governance, robust file‑handling hygiene, and sound EDR/AV posture. Enterprises that delay auditing IE Mode lists, fail to preserve MoTW metadata in their workflows, or neglect to enforce Edge for external browsing create gaps attackers can exploit. Historical SmartScreen bypasses and Smart App Control issues show reputation systems are necessary but not sufficient for defense. Administrators should treat KB5071357 as a call to action: audit configurations, harden file processing pipelines, confirm platform protections are enabled and centrally managed, and communicate clearly with users and support staff about the behavioral change. Taken together, those steps preserve defense‑in‑depth while organizations continue to modernize legacy web applications away from IE dependencies.

Microsoft’s bulletin and the subsequent analyst and forum coverage make the path forward clear: use Edge for everything public, restrict IE Mode to well‑scoped, managed sites, protect the platform boundary, and monitor file provenance closely.
Source: Windows Report Microsoft Deprecates SmartScreen in Internet Explorer and IE Mode on Windows 11