Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.<\/p>\n\n\n\n
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.<\/p>\n\n\n\n
Security admins can configure<\/a> how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy settings<\/a> explicitly for Microsoft Defender SmartScreen available, including one for blocking PUA<\/a>. In addition, admins can configure Microsoft Defender SmartScreen<\/a> as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.<\/p>\n\n\n\n Although Microsoft Defender for Endpoint has its own blocklist based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators<\/a> in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.<\/p>\n\n\n\n The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.<\/p>\n\n\n\n Note<\/p>\n\n\n\n This feature is available in Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows Server 2016.<\/p>\n\n\n\n Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled<\/a> in the same format as other threat detections. The notification is prefaced with The notification appears in the usual quarantine list within the Windows Security app<\/a>.<\/p>\n\n\n\n You can enable PUA protection with Microsoft Intune<\/a>, Microsoft Endpoint Configuration Manager<\/a>, Group Policy<\/a>, or via PowerShell cmdlets<\/a>.<\/p>\n\n\n\n You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.<\/p>\n\n\n\n See Configure device restriction settings in Microsoft Intune<\/a> and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune<\/a> for more details.<\/p>\n\n\n\n PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).<\/p>\n\n\n\n See How to create and deploy antimalware policies: Scheduled scans settings<\/a> for details on configuring Microsoft Endpoint Manager (Current Branch).<\/p>\n\n\n\n For System Center 2012 Configuration Manager, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager<\/a>.<\/p>\n\n\n\n Note<\/p>\n\n\n\n PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.<\/p>\n\n\n\n PowerShellCopy<\/p>\n\n\n\n Setting the value for this cmdlet to PowerShellCopy<\/p>\n\n\n\n Setting We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:<\/p>\n\n\n\n PowerShellCopy<\/p>\n\n\n\n Setting the value for this cmdlet to For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus<\/a> and Defender Antivirus cmdlets<\/a>.<\/p>\n\n\n\n PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the ConsoleCopy<\/p>\n\n\n\n You can turn on email notifications to receive mail about PUA detections.<\/p>\n\n\n\n See Troubleshoot event IDs<\/a> for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID 1160<\/strong>.<\/p>\n\n\n\n If you’re using Microsoft Defender for Endpoint<\/a>, you can use an advanced hunting query to view PUA events. Here’s an example query:<\/p>\n\n\n\n ConsoleCopy<\/p>\n\n\n\n To learn more about advanced hunting, see Proactively hunt for threats with advanced hunting<\/a>.<\/p>\n\n\n\n Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.<\/p>\n\n\n\n For more information, see\u00a0Configure and validate exclusions based on file extension and folder location<\/a>.<\/p>\n\n\n\n Ref: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. In your Edge browser, select the ellipses, and then choose Settings. Select Privacy, search, and services. Under the Security section, turn on Block potentially unwanted apps. Block Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,14],"tags":[1334,1333,1335],"class_list":["post-4370","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-windows-7-8-10","tag-block-pua","tag-block-urls-with-microsoft-defender-smartscreen","tag-enable-pua-protection-on-microsoft-edge"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4370"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4370\/revisions"}],"predecessor-version":[{"id":4371,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4370\/revisions\/4371"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a>Microsoft Defender Antivirus and PUA protection<\/h2>\n\n\n\n
PUA:<\/code> to indicate its content.<\/p>\n\n\n\n<\/a>Configure PUA protection in Microsoft Defender Antivirus<\/h2>\n\n\n\n
<\/a>Use Intune to configure PUA protection<\/h3>\n\n\n\n
<\/a>Use Configuration Manager to configure PUA protection<\/h3>\n\n\n\n
<\/a>Use Group Policy to configure PUA protection<\/h3>\n\n\n\n
<\/a>Use PowerShell cmdlets to configure PUA protection<\/h3>\n\n\n\n
<\/a>To enable PUA protection<\/h4>\n\n\n\n
Set-MpPreference -PUAProtection Enabled\n<\/code><\/pre>\n\n\n\nEnabled<\/code> turns on the feature if it has been disabled.<\/p>\n\n\n\n<\/a>To set PUA protection to audit mode<\/h4>\n\n\n\n
Set-MpPreference -PUAProtection AuditMode\n<\/code><\/pre>\n\n\n\nAuditMode<\/code> detects PUAs without blocking them.<\/p>\n\n\n\n<\/a>To disable PUA protection<\/h4>\n\n\n\n
Set-MpPreference -PUAProtection Disabled\n<\/code><\/pre>\n\n\n\nDisabled<\/code> turns off the feature if it has been enabled.<\/p>\n\n\n\n<\/a>View PUA events using PowerShell<\/h2>\n\n\n\n
Get-MpThreat<\/code> cmdlet to view threats that Microsoft Defender Antivirus handled. Here’s an example:<\/p>\n\n\n\nCategoryID : 27\nDidThreatExecute : False\nIsActive : False\nResources : {webfile:_q:\\Builds\\Dalton_Download_Manager_3223905758.exe|http:\/\/d18yzm5yb8map8.cloudfront.net\/\n fo4yue@kxqdw\/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}\nRollupStatus : 33\nSchemaVersion : 1.0.0.0\nSeverityID : 1\nThreatID : 213927\nThreatName : PUA:Win32\/InstallCore\nTypeID : 0\nPSComputerName :\n<\/code><\/pre>\n\n\n\n<\/a>Get email notifications about PUA detections<\/h2>\n\n\n\n
<\/a>View PUA events using advanced hunting<\/h2>\n\n\n\n
DeviceEvents\n| where ActionType == \"AntivirusDetection\"\n| extend x = parse_json(AdditionalFields)\n| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)\n| where ThreatName startswith_cs 'PUA:'\n<\/code><\/pre>\n\n\n\n<\/a>Exclude files from PUA protection<\/h2>\n\n\n\n