How to Enable or Disable Windows SmartScreen in Batch Script

Windows SmartScreen is a cloud-based anti-phishing and anti-malware component that checks the "Reputation" of files and websites. When you try to run an unrecognized app or download a suspicious file, SmartScreen intervenes with a "Windows protected your PC" popup. While this is a critical security layer for most users, system administrators and developers often need to toggle this feature off on dedicated build servers, lab machines, or kiosk systems where it might block automated deployments.

This guide explains how to manage SmartScreen settings via the registry using a Batch script.

Why Manage SmartScreen via Script?

Deployment Automation: Preventing a Batch script from stopping and waiting for user input when it tries to install a custom, non-signed internal application.
Developer Environment Setup: Disabling the "Unrecognized App" warning on a local dev machine where developers frequently run new, experimental code.
Kiosk Mode Preparation: Ensuring that a public-facing system never displays a security warning that could confuse a customer or end-user.

Security Warning

Disabling SmartScreen significantly reduces your protection against new, "Zero-Day" malware and phishing sites. Only disable this on machines that are either offline or have other robust, documented security measures in place.

Method 1: Toggling SmartScreen for Files and Apps

The primary switch for the "Windows protected your PC" feature is stored in the local machine's Explorer settings.

Disabling SmartScreen

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

set "REG_PATH=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

echo [PROCESS] Turning Windows SmartScreen OFF...
echo [WARNING] This reduces your protection against unrecognized threats.

reg add "%REG_PATH%" /v SmartScreenEnabled /t REG_SZ /d Off /f >nul

if %errorlevel% equ 0 (
    echo [SUCCESS] SmartScreen has been turned off.
    echo [REMINDER] Re-enable SmartScreen when your task is complete.
) else (
    echo [ERROR] Failed to update registry. Code: %errorlevel%
)
pause

Enabling SmartScreen (Recommended)

You can set SmartScreen to either "RequireAdmin" (most secure) or "Prompt" (standard).

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

set "REG_PATH=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

echo [PROCESS] Restoring Windows SmartScreen (RequireAdmin mode^)...

reg add "%REG_PATH%" /v SmartScreenEnabled /t REG_SZ /d RequireAdmin /f >nul

if %errorlevel% equ 0 (
    echo [SUCCESS] SmartScreen protection restored.
) else (
    echo [ERROR] Failed to update registry. Code: %errorlevel%
)
pause

Method 2: Managing SmartScreen for Microsoft Store Apps

This setting controls whether Windows checks "Web Content" used by apps from the Windows Store.

@echo off
setlocal

set "REG_APPHOST=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost"

echo [PROCESS] Disabling SmartScreen for App Web Content...

:: Setting to 0 disables the check, 1 enables it
reg add "%REG_APPHOST%" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f >nul

if %errorlevel% equ 0 (
    echo [SUCCESS] App web content evaluation disabled.
) else (
    echo [ERROR] Failed to update registry.
)
pause

Creating a Controlled "Maintenance Mode" Script

This script records the current state, disables SmartScreen for an automated installation, and then restores the original setting.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo   SmartScreen Maintenance Toggle
echo ============================================================

:: 1. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Admin rights REQUIRED to modify security registry.
    pause
    exit /b 1
)

set "REG_PATH=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

:: 2. Record current state before changes
set "ORIGINAL_STATE="
for /f "tokens=3" %%v in ('reg query "%REG_PATH%" /v SmartScreenEnabled 2^>nul ^| findstr /i "SmartScreenEnabled"') do set "ORIGINAL_STATE=%%v"

if not defined ORIGINAL_STATE set "ORIGINAL_STATE=Prompt"

echo [INFO] Current SmartScreen state: !ORIGINAL_STATE!

:: 3. Suspend Protection
echo.
echo [STEP 1] Suspending SmartScreen...
reg add "%REG_PATH%" /v SmartScreenEnabled /t REG_SZ /d Off /f >nul

:: 4. Run Task
echo [STEP 2] Running installer/deployment task...
echo          (Replace this section with your actual commands^)
timeout /t 5 >nul

:: 5. Restore Original Protection State
echo [STEP 3] Restoring SmartScreen to: !ORIGINAL_STATE!
reg add "%REG_PATH%" /v SmartScreenEnabled /t REG_SZ /d "!ORIGINAL_STATE!" /f >nul

if !errorlevel! equ 0 (
    echo [SUCCESS] SmartScreen restored to original state.
) else (
    echo [WARNING] Could not restore SmartScreen. Please verify manually
    echo          in Windows Security settings.
)

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

Modifying HKEY_LOCAL_MACHINE is a restricted operation. If you run your script from a standard user terminal, the reg add command will fail with an "Access Denied" error.

Group Policy (GPO) Overrides

If the machine is part of an Active Directory Domain, the "SmartScreen" status may be locked by a Group Policy.

SEO and UX Tip

Advise your users that if their script succeeds but the setting doesn't change in the GUI, it is likely being overridden by a Domain-level GPO. In this case, local registry edits will be reset automatically within 90 minutes.

Best Practices for Security Automation

Always Re-enable: If your script crashes during an installer, ensure there is a mechanism to re-enable SmartScreen later.
Use 'Prompt' vs 'RequireAdmin': For standard office computers, use Prompt. For high-security environments, use RequireAdmin so that only an IT technician can bypass a warning.
Monitor via Event Log: SmartScreen blocks are logged in Applications and Services Logs > Microsoft > Windows > SmartScreen > Debug.

Browser SmartScreen

Note that SmartScreen for Microsoft Edge is controlled via separate policy keys (Software\Policies\Microsoft\Edge\SmartScreenEnabled). Turning it off for Windows Explorer will not turn it off for the Edge browser.

Conclusion

Enabling and disabling Windows SmartScreen via Batch script is a powerful way to streamline automated deployments and developer workflows. By targeting the correct registry keys, you can gain granular control over when the system intervenes with security warnings, allowing your automation to run smoothly while ensuring that protection is restored for everyday use. This professional approach to system management balances operational efficiency with a commitment to security, protecting your Windows infrastructure from threats while removing unnecessary friction from your IT pipelines.

Why Manage SmartScreen via Script?​

Method 1: Toggling SmartScreen for Files and Apps​

Disabling SmartScreen​

Enabling SmartScreen (Recommended)​

Method 2: Managing SmartScreen for Microsoft Store Apps​

Creating a Controlled "Maintenance Mode" Script​

Common Pitfalls and How to Avoid Them​

Administrative Rights​

Group Policy (GPO) Overrides​

Best Practices for Security Automation​

Conclusion​

Table of Contents