Detect and block potentially unwanted applications

The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.

These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.

Typical PUA behavior includes:

  • Various types of software bundling
  • Ad injection into web browsers
  • Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.

Tip

You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

How it works

PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:

  • The file is being scanned from the browser
  • The file is in a folder with "downloads" in the path
  • The file is in a folder with "temp" in the path
  • The file is on the user's desktop
  • The file does not meet one of these conditions and is not under %programfiles%, %appdata%, or %windows%

The file is placed in the quarantine section so it won't run.

When a PUA is detected on an endpoint, the endpoint will present a notification to the user (unless notifications have been disabled) in the same format as normal threat detections (prefaced with "PUA:").

They will also appear in the usual quarantine list in the Windows Security app.

View PUA events

PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.

However, PUA detections will be reported if you have set up email notifications for detections.

See Troubleshoot event IDs for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.

Configure PUA protection

You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets.

You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.

This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.

Use Intune to configure PUA protection

See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for Windows 10 in Intune for more details.

Use Configuration Manager to configure PUA protection

PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.

See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring System Center Configuration Manager (current branch).

For Configuration Manager 2012, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager.

Note

PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.

Use Group Policy to configure PUA protection

  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  3. Expand the tree to Windows components > Windows Defender Antivirus.

  4. Double-click Configure protection for potentially unwanted applications.

  5. Click Enabled to enable PUA protection.

  6. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting will work in your environment. Click OK.

Use PowerShell cmdlets to configure PUA protection

Use the following cmdlet:

Set-MpPreference -PUAProtection

Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.

Setting AuditMode will detect PUAs but will not block them.
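As an added example that is not part of the original page, the following script puts PUA protection into audit mode with the cmdlet above, confirms the setting took effect with Get-MpPreference, and then lists recent PUA detections by the event ID 1160 mentioned earlier. It assumes an elevated PowerShell session on a Windows 10 endpoint with the Defender module available; the operational log name 'Microsoft-Windows-Windows Defender/Operational' is the standard Windows Defender log and is not named on this page.

```powershell
# Added example (not from the original page).
# Assumptions: elevated session, Defender PowerShell module present,
# and the standard Defender operational log name (not given on this page).

# 'AuditMode' detects and logs PUAs without blocking them; switch to
# 'Enabled' once the audit period shows no unwanted false positives.
$desiredMode = 'AuditMode'
Set-MpPreference -PUAProtection $desiredMode

# Verify the change. Get-MpPreference reports PUAProtection numerically:
# 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$current   = [int](Get-MpPreference).PUAProtection
if ($modeNames[$current] -ne $desiredMode) {
    throw "PUAProtection is '$($modeNames[$current])', expected '$desiredMode'"
}
Write-Host "PUAProtection is now $($modeNames[$current])"

# Review PUA detections (event ID 1160) recorded over the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1160
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No PUA events (ID 1160) in the last 7 days.'
} else {
    $events |
        Select-Object TimeCreated, Message |
        Format-Table -AutoSize -Wrap
}
```

Run the script again with $desiredMode set to 'Enabled' to move from audit to block mode after reviewing the logged detections.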

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.