deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-07 18:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

yaml

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-03-26 22:36:02 -07:00
parent 5abc6ae7c3
commit 51514731da
9 changed files with 54 additions and 575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -1,26 +1,23 @@
---
title: Update and manage Windows Defender in Windows 10 (Windows 10)
description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
title: Configure advanced scanning types for Windows Defender AV
description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: jasesso
author: iaanw
---
# Update and manage Windows Defender in Windows 10
# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
**Applies to**
- Windows 10
IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using:
- Group Policy Settings
- Windows Management Instrumentation (WMI)
- PowerShell

10
windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
View File

@ -1,17 +1,19 @@
---
title: Exclude files
description:
title: Set up exclusions for Windows Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# Exclude files
# Exclude files and processes from Windows Defender AV scans
**Applies to:**

115
windows/keep-secure/configure-remediation-windows-defender-antivirus.md
View File

@ -1,120 +1,17 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Remediate and resolve infections detected by Windows Defender AV
description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
# Configure remediation for Windows Defender AV scans

117
windows/keep-secure/review-scan-results-windows-defender-antivirus.md
View File

@ -1,120 +1,15 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Review the results of Windows Defender AV scans
description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
# Review Windows Defender AV scan results

8
windows/keep-secure/run-scan-windows-defender-antivirus.md
View File

@ -1,11 +1,11 @@
---
title: Use the command line utility
description:
title: Run and customize on-demand scans in Windows Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
@ -16,7 +16,7 @@ author: iaanw
# Run a Windows Defender scan from the command line
# Configure and run Windows Defender AV scans
**Applies to:**

9
windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Schedule catch-up scans
description:
title: Schedule regular scans with Windows Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,7 +12,10 @@ localizationpriority: medium
author: iaanw
---
# Schedule scans
# Configure scheduled scans for Windows Defender AV
**Applies to**
- Windows 10

117
windows/keep-secure/use-group-policy-windows-defender-antivirus.md
View File

@ -1,120 +1,15 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Configure Windows Defender AV with Group Policy
description: Configure Windows Defender AV settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
# Use Group Policy settings to configure and manage Windows Defender AV

117
windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
View File

@ -1,120 +1,15 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Configure Windows Defender AV with Configuration Manager and Intune
description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV

117
windows/keep-secure/use-wmi-windows-defender-antivirus.md
View File

@ -1,120 +1,15 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Configure Windows Defender AV with WMI
description: Use WMI scripts to configure Windows Defender AV
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV