deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/rs1' into rs1

Browse Source
This commit is contained in:
Joey Caparas 2016-08-01 16:18:01 +10:00
commit c7fe858d06
5 changed files with 108 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/keep-secure/TOC.md
View File

@ -714,7 +714,7 @@
#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) #### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) #### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) #### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
#### [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md) #### [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)

106
windows/keep-secure/enable-pua-windows-defender-for-windows-10.md Normal file
View File

@ -0,0 +1,106 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
**Enable PUA protection in SCCM and Intune**
The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Intune in their infrastructure.
***Configure PUA in SCCM***
For SCCM users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
***Use PUA audit mode in SCCM***
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
> **Note:**&nbsp;&nbsp;You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
et-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in SCCM.
***Configure PUA in Intune***
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
***Use PUA audit mode in Intune***
You can detect PUA without blocking them from your client. Gain insights into what can be blocked.
**View PUA events**
PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
**What PUA notifications look like**
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:<br>
![Image showing the potentally unwanted application detection](images/pua1.png)
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.<br>
![Image showing the potentally unwanted application detection history](images/pua2.png)
**PUA threat file-naming convention**
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
**PUA blocking conditions**
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file has [Mark of the Web](https://msdn.microsoft.com/en-us/library/ms537628%28v=vs.85%29.aspx) set
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

BIN
windows/keep-secure/images/pua1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/keep-secure/images/pua2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 195 KiB

2
windows/whats-new/whats-new-windows-10-version-1607.md
View File

@ -73,7 +73,7 @@ Several new features and management options have been added to Windows Defender
- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware. - [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal. - [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal.
- [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md). - [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md).
- [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md) during download and install times. - [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md) during download and install times.
## Management ## Management