Detect and block potentially unwanted applications
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 1 and Plan 2
- Microsoft Defender for Business
- Microsoft Edge
- Microsoft Defender for Individuals
- Microsoft Defender Antivirus
Platforms
- Windows
Microsoft Defender Antivirus is available in the following editions/versions of Windows and Windows Server:
- Windows Server 2022
- Windows Server 2019
- Windows Server, version 1803 or later
- Windows Server 2016
- Windows Server 2012 R2 (Requires Microsoft Defender for Endpoint)
- Windows 11
- Windows 10
- Windows 8.1
For macOS, see Detect and block potentially unwanted applications with Defender for Endpoint on macOS.
For Linux, see Detect and block potentially unwanted applications with Defender for Endpoint on Linux.
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software that might be unexpected or unwanted. PUA isn't considered a virus, malware, or other type of threat, but it might perform actions on endpoints that adversely affect endpoint performance or use. The term PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
Here are some examples:
- Advertising software that displays advertisements or promotions, including software that inserts advertisements to webpages.
- Bundling software that offers to install other software that isn't digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA.
- Evasion software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
Tip
For more examples and a discussion of the criteria we use to label applications for special attention from security features, see How Microsoft identifies malware and potentially unwanted applications.
Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or cost your IT and security teams time and effort to clean them up. If your organization's subscription includes Microsoft Defender for Endpoint, you can also set Microsoft Defender Antivirus PUA to block, in order to block apps that are considered to be PUA on Windows devices.
Learn more about Windows Enterprise subscriptions.
Tip
As a companion to this article, see our Microsoft Defender for Endpoint setup guide to review best practices and learn about essential tools such as attack surface reduction and next-generation protection. For a customized experience based on your environment, you can access the Defender for Endpoint automated setup guide in the Microsoft 365 admin center.
Microsoft Edge
The new Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen.
Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
In your Microsoft Edge browser, select the ellipses, and then choose Settings.
Select Privacy, search, and services.
Under the Security section, turn on Block potentially unwanted apps.
Tip
If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Microsoft Defender SmartScreen demo pages.
Block URLs with Microsoft Defender SmartScreen
In Chromium-based Microsoft Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Security admins can configure how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy settings explicitly for Microsoft Defender SmartScreen available, including one for blocking PUA. In addition, admins can configure Microsoft Defender SmartScreen as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
Although Microsoft Defender for Endpoint has its own blocklist based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
Microsoft Defender Antivirus and PUA protection
The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.
Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled in the same format as other threat detections. The notification is prefaced with PUA:
to indicate its content.
The notification appears in the usual quarantine list within the Windows Security app.
Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Configuration Manager, Group Policy, or via PowerShell cmdlets.
At first, try using PUA protection in audit mode. It detects potentially unwanted applications without actually blocking them. Detections are captured in the Windows Event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and it's important to avoid false positives.
Use Microsoft Defender for Endpoint Security Settings Management to configure PUA protection
See the following articles:
Use Intune to configure PUA protection
See the following articles:
- Configure device restriction settings in Microsoft Intune
- Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune
Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the Microsoft Configuration Manager (Current Branch).
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring Microsoft Configuration Manager (Current Branch).
For System Center 2012 Configuration Manager, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager.
Note
PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Configuration Manager.
Use Group Policy to configure PUA protection
Download and install Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)
On your Group Policy management computer, open the Group Policy Management Console.
Select the Group Policy Object you want to configure, and then choose Edit.
In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
Expand the tree to Windows Components > Microsoft Defender Antivirus.
Double-click Configure detection for potentially unwanted applications, and set it to Enabled.
In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting works in your environment. Select OK.
Deploy your Group Policy object as you usually do.
Use PowerShell cmdlets to configure PUA protection
To enable PUA protection
Set-MpPreference -PUAProtection Enabled
Setting the value for this cmdlet to Enabled
turns on the feature if it has been disabled.
To set PUA protection to audit mode
Set-MpPreference -PUAProtection AuditMode
Setting AuditMode
detects PUAs without blocking them.
To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
Set-MpPreference -PUAProtection Disabled
Setting the value for this cmdlet to Disabled
turns off the feature if it has been enabled.
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Test and make sure that PUA blocking works
Once you have PUA enabled in block mode, you can test to make sure that it's working properly. For more information, see Potentially unwanted applications (PUA) demonstration.
View PUA events using PowerShell
PUA events are reported in the Windows Event Viewer, but not in Microsoft Configuration Manager or in Intune. You can also use the Get-MpThreat
cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
CategoryID : 27
DidThreatExecute : False
IsActive : False
Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 213927
ThreatName : PUA:Win32/InstallCore
TypeID : 0
PSComputerName :
Get email notifications about PUA detections
You can turn on email notifications to receive mail about PUA detections. For more information about Microsoft Defender Antivirus events, see Troubleshoot event IDs. PUA events are recorded under event ID 1160.
View PUA events using advanced hunting
If you're using Microsoft Defender for Endpoint, you can use an advanced hunting query to view PUA events. Here's an example query:
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'
To learn more about advanced hunting, see Proactively hunt for threats with advanced hunting.
Exclude files from PUA protection
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
For more information, see Configure and validate exclusions based on file extension and folder location.
Tip
If you're looking for Antivirus related information for other platforms, see:
See also
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.