From b7d0e0f861f946c55978c6fecc3e044a3d2e4ca8 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 16:42:08 +0000 Subject: [PATCH 1/4] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Updated examples to have correct casing based on values in Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType enum Added an example for viewing PUA events Removed future tense to improve readability. --- ...anted-apps-microsoft-defender-antivirus.md | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index dc721c7813..0467981cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium ### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. ## Microsoft Defender Antivirus @@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. @@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 7. Select **Enabled** to enable PUA protection. -8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. 9. Deploy your Group Policy object as you usually do. @@ -134,25 +134,25 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. +Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -160,6 +160,23 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. +You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +```console + +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` + You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. From 40589e437f4e628d9fe18e780fbc70a721feb3a5 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 22:21:20 +0000 Subject: [PATCH 2/4] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Changed double-tick to single, as per suggestion. Added blank line around codefencing --- ...ntially-unwanted-apps-microsoft-defender-antivirus.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 0467981cf8..73b795ee62 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -134,14 +134,18 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell + Set-MpPreference -PUAProtection Enabled + ``` Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell + Set-MpPreference -PUAProtection AuditMode + ``` Setting `AuditMode` detects PUAs without blocking them. @@ -150,7 +154,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell + Set-MpPreference -PUAProtection Disabled + ``` Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. @@ -160,7 +166,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. -You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. + ```console CategoryID : 27 From 2c2946d03a75384998f916a26260b8c8a0ca1a6c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 1 Feb 2021 09:05:21 +0530 Subject: [PATCH 3/4] typo correction as per the user report #9050 , replaced s to is --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 76e17626d7..01f89be64e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility From 27bc25e7daf6b9cc92222580249de5bc691b6725 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:47:35 -0800 Subject: [PATCH 4/4] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...entially-unwanted-apps-microsoft-defender-antivirus.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 73b795ee62..5b962456c2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/08/2021 +ms.date: 02/01/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -164,9 +164,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u ### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. - -You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console @@ -194,7 +192,7 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). -## Related articles +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)