Detect and block potentially unwanted applications

Applies to:

Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.

For example:

  • Advertising software: Software that displays advertisements or promotions, including software that inserts advertisements to webpages.
  • Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA.
  • Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

For more examples and a discussion of the criteria we use to label applications for special attention from security features, see How Microsoft identifies malware and potentially unwanted applications.

Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up.

How it works

Microsoft Edge

The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Windows Defender SmartScreen.

Enable PUA protection in Chromium-based Microsoft Edge

Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser.

  1. From the tool bar, select Settings and more > Settings
  2. Select Privacy and services
  3. Under the Services section, you can toggle Potentially unwanted app blocking on or off

Tip

If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages.

Blocking URLs with Windows Defender SmartScreen

In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs.

Admins can configure how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy settings explicitly for Windows Defender SmartScreen available, including one for blocking PUA. In addition, admins can configure Windows Defender SmartScreen as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.

Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.

Windows Defender Antivirus

The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.

Note

This feature is only available in Windows 10.

Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.

When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user (unless notifications have been disabled) in the same format as other threat detections. The notification will be prefaced with PUA: to indicate its content.

The notification will appear in the usual quarantine list within the Windows Security app.

Configure PUA protection in Windows Defender Antivirus

You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets.

You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log.

Tip

You can visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm that the feature is working, and see it in action.

PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.

Use Intune to configure PUA protection

See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for Windows 10 in Intune for more details.

Use Configuration Manager to configure PUA protection

PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with version 1606.

See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring System Center Configuration Manager (Current Branch).

For Configuration Manager 2012, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager.

Note

PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager.

Use Group Policy to configure PUA protection
  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select Edit.

  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

  3. Expand the tree to Windows components > Windows Defender Antivirus.

  4. Double-click Configure protection for potentially unwanted applications.

  5. Select Enabled to enable PUA protection.

  6. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting will work in your environment. Select OK.

Use PowerShell cmdlets to configure PUA protection

Use the following cmdlet:

Set-MpPreference -PUAProtection

Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.

Setting AuditMode will detect PUAs without blocking them.

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

View PUA events

PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune.

You can turn on email notifications to receive mail about PUA detections.

See Troubleshoot event IDs for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.

Allow-listing apps

Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See How to Configure Endpoint Protection in Configuration Manager for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.