deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

prep for merge, add new files, tidy structure

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire
2017-03-21 14:29:42 -07:00
parent 2101fd4a91
commit 2a2dc09885
31 changed files with 1399 additions and 230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
windows/keep-secure/WDAV-working/1.0-00 configure-windows-defender-in-windows-10.md → windows/keep-secure/WDAV-working/-00 configure-windows-defender-in-windows-10.md
View File

0
windows/keep-secure/WDAV-working/1.3.3.1-00 enable-pua-windows-defender-for-windows-10.md → windows/keep-secure/WDAV-working/-00 enable-pua-windows-defender-for-windows-10.md
View File

0
windows/keep-secure/WDAV-working/1.0-00 get-started-with-windows-defender-for-windows-10.md → windows/keep-secure/WDAV-working/-00 get-started-with-windows-defender-for-windows-10.md
View File

4
windows/keep-secure/WDAV-working/1.4.2.3-00 run-cmd-scan-windows-defender-for-windows-10.md → windows/keep-secure/WDAV-working/-00 run-cmd-scan-windows-defender-for-windows-10.md
View File

@ -10,9 +10,9 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: mjcaparas
redirect_url: /run-scan-command-line-windows-defender-antivirus/
redirect_url: /run-scan-windows-defender-antivirus/
---
# Run a Windows Defender scan from the command line
This page has been redirected to *Run a Windows Defender Antivirus scan from the command line*.
This page has been redirected to *Configure and run on-demand scans*.

0
windows/keep-secure/WDAV-working/1.6.3-00 use-powershell-cmdlets-windows-defender-for-windows-10.md → windows/keep-secure/WDAV-working/-00 use-powershell-cmdlets-windows-defender-for-windows-10.md
View File

0
windows/keep-secure/WDAV-working/windows-defender-block-at-first-sight.md → windows/keep-secure/WDAV-working/-00 windows-defender-block-at-first-sight.md
View File

0
windows/keep-secure/WDAV-working/1.0-00 windows-defender-in-windows-10.md → windows/keep-secure/WDAV-working/-00 windows-defender-in-windows-10.md
View File

190
windows/keep-secure/WDAV-working/1.4.1.2 configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -1,190 +0,0 @@
---
title: Update and manage Windows Defender in Windows 10 (Windows 10)
description: IT professionals can manage Windows Defender on Windows<77>10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: jasesso
---
# Update and manage Windows Defender in Windows 10
**Applies to**
- Windows<77>10
IT professionals can manage Windows Defender on Windows<77>10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
- Group Policy Settings
- Windows Management Instrumentation (WMI)
- PowerShell
## Manage Windows Defender endpoints through Active Directory and WSUS
All Windows<77>10 endpoints are installed with Windows Defender and include support for management through:
- Active Directory
- WSUS
You can use the Active Directory to configure the settings; Group policies can be used for centralized configuration and enforcement of many Windows Defender settings including client user interface, scan settings, and exclusions.
WSUS can be used to view basic update compliance and deploy updates manually or through automatic rules.
Note that System Center<65>2012<31>R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and reporting
When you enable *Endpoint Protection* on your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for System Center Endpoint Protection or Intune will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. Learn more about managing *Endpoint Protection*:
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://technet.microsoft.com/library/dn646970.aspx)
- [Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508760.aspx)
Read more about System Center Configuration Manager in [Introduction to Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508781.aspx).
> **Important:**<2A><>You must be licensed to use *Endpoint Protection* to manage clients in your Configuration Manager hierarchy.
<EFBFBD>
## Apply updates to Windows Defender endpoints
It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates.
You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157).
## Manage email scans in Windows Defender
You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
> **Important:**<2A><>Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
<EFBFBD>
Windows Defender scans Microsoft Office Outlook<6F>2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
> **Note: **<2A><>Scanning email files might increase the time required to complete a scan.
<EFBFBD>
Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
> **Note:**<2A><>While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
- DBX
- MBX
- MIME
<EFBFBD>
You can configure Windows Defender to scan PST files used by Outlook<6F>2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
- *Group Policy* settings
- WMI
- PowerShell
> **Important:**<2A><>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
<EFBFBD>
## Use *Group Policy* settings to enable email scans
This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
Turn on email scanning with the following *Group Policy* settings:
1. Open the **Group Policy Editor**.
2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
3. Click **Scan**.
4. Double-click **Turn on e-mail scanning**.
This will open the **Turn on e-mail scanning** window:
![turn on e-mail scanning window](images/defender-scanemailfiles.png)
5. Select **Enabled**.
6. Click **OK** to apply changes.
## Use WMI to disable email scans
You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
**DisableEmailScanning**
Data type: **boolean**
Access type: Read-only
Disable email scanning.
## Use PowerShell to enable email scans
You can also enable email scanning using the following PowerShell parameter:
1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
2. Type **Set-MpPreference -DisableEmailScanning $false**.
Read more about this in:
- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
## Manage archive scans in Windows Defender
You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
> **Important:**<2A><>Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
<EFBFBD>
Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
- *Group Policy* settings
- WMI
- PowerShell
- Endpoint Protection
> **Note:**<2A><>Scanning archive files might increase the time required to complete a scan.
<EFBFBD>
If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there<72>s a .r00 file that<61>s actually .rar content, it will still be scanned if archive scanning is enabled.
## Use *Group Policy* settings to enable archive scans
This policy setting allows you to turn on archive scanning.
Turn on email scanning with the following *Group Policy* settings:
1. Open the **Group Policy Editor**.
2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
3. Click **Scan**.
4. Double-click **Scan archive files**.
This will open the **Scan archive files** window:
![scan archive files window](images/defender-scanarchivefiles.png)
5. Select **Enabled**.
6. Click **OK** to apply changes.
There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
- Maximum directory depth level into which archive files are unpacked during scanning
![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
- Maximum size of archive files that will be scanned
![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
- Maximum percentage CPU utilization permitted during a scan
![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
## Use WMI to disable archive scans
You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
**DisableArchiveScanning**
Data type: **boolean**
Access type: Read-only
Disable archive scanning.
## Use PowerShell to enable archive scans
You can also enable archive scanning using the following PowerShell parameter:
1. Open PowerShell or PowerShellISE.
2. Type **Set-MpPreference -DisableArchiveScanning $false**.
Read more about this in:
- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
## Use Endpoint Protection to configure archive scans
In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
## Related topics
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
<EFBFBD>
<EFBFBD>

0
windows/keep-secure/WDAV-working/1.4.2.3 run-scan-command-line-windows-defender-antivirus.md → windows/keep-secure/WDAV-working/command-line-arguments-windows-defender-antivirus.md
View File

0
windows/keep-secure/WDAV-working/1.3.3.1 detect-block-potentially-unwanted-apps-windows-defender-antivirus (2).md → windows/keep-secure/WDAV-working/configuration-management-reference-windows-defender-antivirus.md
View File

49
windows/keep-secure/WDAV-working/1.3 configure-windows-defender-antivirus-features.md → windows/keep-secure/WDAV-working/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -1,41 +1,31 @@
---
title: Configure Windows Defender Antivirus features (Windows 10)
description: You configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
title: Update and manage Windows Defender in Windows 10 (Windows 10)
description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
author: jasesso
---
# Configure Windows Defender Antivirus features
# Update and manage Windows Defender in Windows 10
**Applies to**
- Windows 10
**Applies to:**
- Windows 10, version 1703
**Audience**
- Enterprise security administrators
You can configure Windows Defender Antivirus features in a number of ways, including:
Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
- Group Policy Settings
- Windows Management Instrumentation (WMI)
- PowerShell
## Apply updates to Windows Defender endpoints
It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates.
You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157).
## Manage email scans in Windows Defender
@ -168,19 +158,4 @@ Read more about this in:
## Use Endpoint Protection to configure archive scans
In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
## Related topics
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 

2
windows/keep-secure/WDAV-working/configure-cloud-block-timeout-period-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Configure the cloud block timeout period
title: Configure the Windows Defender AV cloud block timeout period
description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh

43
windows/keep-secure/WDAV-working/configure-end-user-interaction-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Enable and configure protection features in Windows Defender AV
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
## In this section
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features

0
windows/keep-secure/WDAV-working/1.3.3.1 detect-block-potentially-unwanted-apps-windows-defender-antivirus.md → windows/keep-secure/WDAV-working/configure-exclusions-windows-defender-antivirus.md
View File

120
windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

43
windows/keep-secure/WDAV-working/configure-protection-features-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Enable and configure protection features in Windows Defender AV
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
## In this section
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features

0
windows/keep-secure/WDAV-working/configure-real-time-protection-windows-defender-antivirus.md Normal file
View File

120
windows/keep-secure/WDAV-working/configure-remediation-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

55
windows/keep-secure/WDAV-working/configure-windows-defender-antivirus-features.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Configure Windows Defender Antivirus features (Windows 10)
description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Configure Windows Defender Antivirus features
**Applies to:**
- Windows 10, version 1703
**Audience**
- Enterprise security administrators
You can configure Windows Defender Antivirus features in a number of ways, including:
Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
- Group Policy Settings
- Windows Management Instrumentation (WMI)
- PowerShell
## Related topics
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

120
windows/keep-secure/WDAV-working/customize-run-review-remediate-scans-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

120
windows/keep-secure/WDAV-working/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

43
windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Enable and configure protection features in Windows Defender AV
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
## In this section
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features

120
windows/keep-secure/WDAV-working/requirements-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

120
windows/keep-secure/WDAV-working/review-scan-results-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

120
windows/keep-secure/WDAV-working/run-scan-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

120
windows/keep-secure/WDAV-working/use-group-policy-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

120
windows/keep-secure/WDAV-working/use-intune-config-manager-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

0
windows/keep-secure/WDAV-working/1.6.3 use-powershell-cmdlets-windows-defender-antivirus.md → windows/keep-secure/WDAV-working/use-powershell-cmdlets-windows-defender-antivirus.md
View File

120
windows/keep-secure/WDAV-working/use-wmi-windows-defender-antivirus.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

0
windows/keep-secure/WDAV-working/1.0 windows-defender-antivirus-in-windows-10.md → windows/keep-secure/WDAV-working/windows-defender-antivirus-in-windows-10.md
View File

0
windows/keep-secure/WDAV-working/1.4.2.4 windows-defender-offline.md → windows/keep-secure/WDAV-working/windows-defender-offline.md
View File