question

0 Votes
$$ANON_USER$$ asked BillDeuterman-6694 answered

GPO to turn on Reputation Based Protection Windows 10

Does anyone know which GPO setting is the one to turn this on? I've installed the May 2020 Administrative Templates but can't find it.

![37166-image.png][1]

[1]: /answers/storage/attachments/37166-image.png

windows-group-policy

Hi, anonymous user

As this thread has been quiet for a while, was your issue resolved?
If you want to end this thread, and the answer was helpful for you, you can "Accept as answer" to help other community members find the helpful reply quickly.
If you have a better method to solve it, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

If there is anything else we can do for you, please feel free to post here.
Best Regards,

0 Votes 0 ·
0 Votes
$$ANON_USER$$ answered BenFloydyWork commented

Ok so I tried adding the Edge admin templates and it made no difference. I decided to spend (waste) my time finding this and after much trial and error, I found that it is in fact this:

Computer > Policy > Admin > Windows Components > Windows Defender Smartscreen > Explorer > Configure Windows Defender Smartscreen

Turning this on enables this setting. I will note that I had to install the May and October 2020 admin templates.

May 2020: https://www.microsoft.com/en-us/download/101445
October 2020: https://www.microsoft.com/en-us/download/details.aspx?id=102157

You may have to restart the PC for this to apply - GPUPDATE /FORCE does not apply it.

![43716-screenshot-2020-11-30-170204.jpg][1]

[1]: /answers/storage/attachments/43716-screenshot-2020-11-30-170204.jpg


Strangely, that setting didn't work for me, yet the Edge templates did!

I wonder if you need to have BOTH of these set???

0 Votes 0 ·
0 Votes
FanFan-MSFT answered FanFan-MSFT commented

Hi,
To use Group Policy to configure PUA protection:

On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select Edit.

In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

Expand the tree to Windows components > Microsoft Defender Antivirus.

Double-click Configure protection for potentially unwanted applications.

Select Enabled to enable PUA protection.

In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting will work in your environment. Select OK.


For other ways to do this, you can refer to this article.

Best Regards,



I already have this enabled and set to block but it still shows the reputation based is turned off.

0 Votes 0 ·

Hi,
Did you run gpupdate /force on the computer?
If not, please run cmd as administrator and run the command line: gpupdate /force to apply the policy.
Or you can restart the computer to see if the policy applied.
If it still does not work, please run the command: gpresult /h report.html and check the result.
Best Regards,

0 Votes 0 ·
0 Votes
$$ANON_USER$$ answered

Yes. I don't think this setting is for this.

![37910-image.png][1]

[1]: /answers/storage/attachments/37910-image.png


0 Votes
FanFan-MSFT answered FanFan-MSFT commented

Hi,
This is the GPO setting for Potentially Unwanted App (PUA) (Reputation Based Protection).
You can check that as follows:
Click Reputation Based Protection settings under the Turn on box:
38240-11093.jpg
Check the box for Potentially Unwanted App blocking, as follows:
38274-11092.jpg
Then you will see that the Turn on box disappears, as follows:
38297-11095.jpg

If you click the Turn on box under Reputation Based Protection, the box will be checked.

So if you enable the Potentially Unwanted App (PUA) by GPO, it will be the same result.

If the GPO is not applied, please run the command: gpresult /h report.html and check the result.
Also, if you configured the policy in the local group policy, make sure that the settings are not configured by your domain policy.





Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept it as an answer.
If not, please reply and tell us the current situation so that we can provide further help.

Best Regards,

0 Votes 0 ·
3 Votes
BenFloydyWork answered BenFloydyWork edited

I've found the answer to this after much confused searching.

The old GPO setting (even with the 20H2 Windows 10 admx templates incidentally) no longer appears to work (whether this is 20H2 or Edge Chromium I haven't had time or inclination to determine, but I think it matters little).

Instead you need the msedge.admx templates from Microsoft (https://www.microsoft.com/en-us/edge/business/download) - I used version 87 Stable, and this did the job (choose Get Policy Files once the version is selected).

Once these are applied to your AD, you have policies directly under Admin Templates>Microsoft Edge, and under here is one called SmartScreen Settings, with the policies you need to control this once more.

43687-image.png





0 Votes
$$ANON_USER$$ answered BenFloydyWork commented

I don't have the Edge policies applied.

I turned on that one option and if you flick it off/on it will stay on and grey out to not be configurable. Or, a restart would have forced it on.


So strange, I had no result from just the policy you changed, only when I added the Edge policies, although I did have your setting set originally.

Are you using 20H2 with Edge Chromium 87?

I wonder if both settings may be needed depending on the precise mix? That would be Microsoft's style!

0 Votes 0 ·
0 Votes
$$ANON_USER$$ answered Taz-9353 commented

I'm on 20H2 with Version 87.0.664.47 Edge.


So strange, there must be some logic to different policies working for each of us, but I can't see it atm.

I guess for anyone else reading, try either, or both of these settings then, and if one doesn't work for you the other might!

0 Votes 0 ·

Just setting the new Edge settings, after adding the Edge admx templates, worked for me.

0 Votes 0 ·
0 Votes
DuncanClay111 answered DuncanClay111 edited

I had a similar problem for Windows Server 2022

I had the following GPOs set:
Windows Components/Microsoft Defender Antivirus
- Configure detection for potentially unwanted applications: Enabled = Block

This is how it appears in Windows Server 2019
145598-2019a.jpg
145438-2019b.jpg

And this is how it appears in Windows Server 2022
145583-2022a.jpg
145549-2022b.jpg
145576-2022c.jpg

There is a new setting introduced with Windows Server 2022 for "Block downloads".

The GPO setting to control that is:
Windows Components/Microsoft Edge/SmartScreen settings
- Configure Microsoft Defender SmartScreen to block potentially unwanted apps: Enabled

App & browser control will then show as fully turned on.


In summary, the PUA GPO settings are as follows:

For Windows Server 2016:
MS Security Guide
- Turn on Windows Defender protection against Potentially Unwanted Applications

For Windows Server 2019:
Windows Components/Microsoft Defender Antivirus
- Configure detection for potentially unwanted applications: Enabled = Block

For Windows Server 2022:
Windows Components/Microsoft Edge/SmartScreen settings
- Configure Microsoft Defender SmartScreen to block potentially unwanted apps: Enabled




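Because different posters in this thread saw different policies take effect, it helps to check which of them actually reached a given machine before comparing against the Windows Security UI. The following PowerShell is an added example, not code from any poster: the registry paths and value names are not given in the thread and are assumed to be the values these policy templates write, so confirm them against the .admx files you imported.

```powershell
# Added example: show which of the policies named in this thread have reached
# this machine. Registry locations are assumptions (not given in the thread).
$checks = @(
    @{ Policy = 'Defender AV: Configure detection for potentially unwanted applications'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name   = 'PUAProtection' },        # 1 = Block, 2 = Audit Mode
    @{ Policy = 'MS Security Guide: Turn on Windows Defender protection against PUA'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
       Name   = 'MpEnablePus' },          # 1 = enabled
    @{ Policy = 'Explorer: Configure Windows Defender SmartScreen'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name   = 'EnableSmartScreen' },    # 1 = enabled
    @{ Policy = 'Edge: Configure Microsoft Defender SmartScreen to block PUA'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Name   = 'SmartScreenPuaEnabled' } # 1 = enabled
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy = $c.Policy
        Value  = if ($null -eq $value) { '<not configured>' } else { $value }
        Source = "$($c.Path)\$($c.Name)"
    }
}
$report | Format-Table -AutoSize -Wrap

# Effective Defender AV setting (policy or local preference), when the
# Defender cmdlets are available on this machine.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    "Effective PUAProtection: $((Get-MpPreference).PUAProtection)"
}
```

Run it from an elevated prompt after the policy refresh or restart, and compare the output with `gpresult /h report.html` to tell a GPO that never arrived from one that arrived but does not drive the toggle shown in the UI.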

0 Votes
BillDeuterman-6694 answered

Thank you for the detailed description and screenshots. Setting the MS Edge Smartscreen in GP worked for me.
