• United States



Contributing Writer

How to enable the Windows Potentially Unwanted Application (PUA) feature

May 01, 20193 mins
SecuritySmall and Medium BusinessWindows

Turning on the PUA setting helps avoid users falling prey to malicious drive-by downloads.

security firewall breach hacker privacy battle id work getty
Credit: idWork / Getty

If your organization uses Windows Defender on Windows 10 1607 or later updates, there may be some settings you’ll want to enable that are not enabled by default. Microsoft provides advice on security settings in this regard. One setting you might want to enable is the Potentially Unwanted Application (PUA) feature. You can turn it on in multiple ways using multiple tools.

PUA looks for items that follow certain structures or conditions:

  • The file is being scanned from the browser
  • The file is in a folder with “downloads” in the path
  • The file is in a folder with “temp” in the path
  • The file is on the user’s desktop
  • The file does not meet one of these conditions and is not under %programfiles%, %appdata% or %windows%

If these conditions are met, the file will be quarantined and not allowed to be installed.

You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets or with registry keys. You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.

To set it using registry keys go to HKLMSOFTWAREPoliciesMicrosoftWindows DefenderMpEngineMpEnablePus. Set the following values:

  • Enabled (recommended): 1
  • Audit Mode: 2

If the folder for MpEngine is not there, you will have to enable it. Then add a dword 32bit value for MpEnablePus and set the value to 1 (to enable it) or 2 (for Audit Mode).

Alternatively you can set it via group policy:

  • Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click “Edit”.
  • In the Group Policy Management Editor go to “Computer configuration” and select “Administrative templates”.
  • Expand the tree to Windows components > Windows Defender Antivirus.
  • Double-click “Configure protection for potentially unwanted applications”.
  • Select “Enabled” to enable PUA protection.
  • In Options, select “Block” to block potentially unwanted applications, or select “Audit Mode” to test how the setting will work in your environment. Click “OK”.

To set up the policy using Intune, review the settings in the dashboard. Browse to Device configuration profiles and create a profile for Windows 10. Look underneath Device restrictions under Windows Defender Antivirus. Again, you can choose to block or audit the setting.

bradley pua 1 Susan Bradley

Setting the PUA value in Intune

Finally, you can use PowerShell to enable the protection. Use the following cmdlet:

Set-MpPreference -PUAProtection Enabled


Set-MpPreference -PUAProtection AudiMode

bradley pua 2 Susan Bradley

Setting the PUA value in PowerShell

Setting the value for this cmdlet to “Enabled” turns on the feature if it has been disabled.  Setting AuditMode will detect PUAs but not block them.

These settings are functional in Windows 10 Professional and you do not need Defender ATP or Enterprise licenses to enable this setting. Enabling this setting ensures that drive-by downloads won’t trick users to install on your systems. Test first on a select group of systems to ensure that your line-of-business applications are not impacted by these settings.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author