Detect and block potentially unwanted applications

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.

Applies to:

Note

Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.

Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.

Here are some examples:

  • Advertising software that displays advertisements or promotions, including software that inserts advertisements to webpages.
  • Bundling software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
  • Evasion software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Tip

For more examples and a discussion of the criteria we use to label applications for special attention from security features, see How Microsoft identifies malware and potentially unwanted applications.

Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up.

PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.

Microsoft Edge

The new Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen.

Enable PUA protection in Chromium-based Microsoft Edge

Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.

  1. Select the ellipses, and then choose Settings.
  2. Select Privacy, search, and services.
  3. Under the Security section, turn on Block potentially unwanted apps.

Tip

If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Microsoft Defender SmartScreen demo pages.

Blocking URLs with Microsoft Defender SmartScreen

In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.

Admins can configure how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy settings explicitly for Microsoft Defender SmartScreen available, including one for blocking PUA. In addition, admins can configure Microsoft Defender SmartScreen as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.

Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.

Microsoft Defender Antivirus

The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.

Note

This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.

Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.

When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled) in the same format as other threat detections. The notification is prefaced with PUA: to indicate its content.

The notification appears in the usual quarantine list within the Windows Security app.

Configure PUA protection in Microsoft Defender Antivirus

You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.

You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.

Tip

Visit the Microsoft Defender for Endpoint demo website at demo.wd.microsoft.com to confirm that the feature is working, and see it in action.

PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.

Use Intune to configure PUA protection

See Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune for more details.

Use Configuration Manager to configure PUA protection

PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).

See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring Microsoft Endpoint Manager (Current Branch).

For System Center 2012 Configuration Manager, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager.

Note

PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.

Use Group Policy to configure PUA protection

  1. Download and install Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)
  2. On your Group Policy management computer, open the Group Policy Management Console.
  3. Select the Group Policy Object you want to configure, and then choose Edit.
  4. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
  5. Expand the tree to Windows Components > Microsoft Defender Antivirus.
  6. Double-click Configure detection for potentially unwanted applications.
  7. Select Enabled to enable PUA protection.
  8. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting works in your environment. Select OK.
  9. Deploy your Group Policy object as you usually do.

Use PowerShell cmdlets to configure PUA protection

To enable PUA protection
Set-MpPreference -PUAProtection Enabled

Setting the value for this cmdlet to Enabled turns the feature on if it has been disabled.

To set PUA protection to audit mode
Set-MpPreference -PUAProtection AuditMode

Setting AuditMode detects PUAs without blocking them.

To disable PUA protection

We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:

Set-MpPreference -PUAProtection Disabled

Setting the value for this cmdlet to Disabled turns the feature off if it has been enabled.

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.

View PUA events

PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the Get-MpThreat cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:

CategoryID       : 27
DidThreatExecute : False
IsActive         : False
Resources        : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
                    fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
RollupStatus     : 33
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 213927
ThreatName       : PUA:Win32/InstallCore
TypeID           : 0
PSComputerName   :

You can turn on email notifications to receive mail about PUA detections.

See Troubleshoot event IDs for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID 1160.

Excluding files

Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.

For more information, see Configure and validate exclusions based on file extension and folder location.

See also