How to enable the Windows Potentially Unwanted Application (PUA) feature

If your organization uses Windows Defender on Windows 10 1607 or later updates, there may be some settings you’ll want to enable that are not enabled by default. Microsoft provides advice on security settings in this regard. One setting you might want to enable is the Potentially Unwanted Application (PUA) feature. You can turn it on in multiple ways using multiple tools.

PUA looks for items that follow certain structures or conditions:

• The file is being scanned from the browser
• The file is in a folder with “downloads” in the path
• The file is in a folder with “temp” in the path
• The file is on the user’s desktop
• The file does not meet one of these conditions and is not under %programfiles%, %appdata% or %windows%

If these conditions are met, the file will be quarantined and not allowed to be installed.

You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets or with registry keys. You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.

To set it using registry keys go to HKLMSOFTWAREPoliciesMicrosoftWindows DefenderMpEngineMpEnablePus. Set the following values:

• Enabled (recommended): 1
• Audit Mode: 2

If the folder for MpEngine is not there, you will have to enable it. Then add a dword 32bit value for MpEnablePus and set the value to 1 (to enable it) or 2 (for Audit Mode).

Alternatively you can set it via group policy:

• Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click “Edit”.
• In the Group Policy Management Editor go to “Computer configuration” and select “Administrative templates”.
• Expand the tree to Windows components > Windows Defender Antivirus.
• Double-click “Configure protection for potentially unwanted applications”.
• Select “Enabled” to enable PUA protection.
• In Options, select “Block” to block potentially unwanted applications, or select “Audit Mode” to test how the setting will work in your environment. Click “OK”.

To set up the policy using Intune, review the settings in the dashboard. Browse to Device configuration profiles and create a profile for Windows 10. Look underneath Device restrictions under Windows Defender Antivirus. Again, you can choose to block or audit the setting.

Susan Bradley

Finally, you can use PowerShell to enable the protection. Use the following cmdlet:

Set-MpPreference -PUAProtection Enabled

or

Set-MpPreference -PUAProtection AudiMode

Susan Bradley

Setting the value for this cmdlet to “Enabled” turns on the feature if it has been disabled.  Setting AuditMode will detect PUAs but not block them.

These settings are functional in Windows 10 Professional and you do not need Defender ATP or Enterprise licenses to enable this setting. Enabling this setting ensures that drive-by downloads won’t trick users to install on your systems. Test first on a select group of systems to ensure that your line-of-business applications are not impacted by these settings.