Add PUA, PUP, PUS Protection to Windows Defender

Increase your computer security by taking advantage of a new Feature Microsoft are trialing.



  1. Regedit32
    As you will be well aware in recent times there has been a considerable amount of increased attacks on Windows Users through rogue applications, spamming, ransomware, and so forth.

    Many users may have opted to use Windows Defender as their main line of protection against such attacks, and while it does a pretty good job, no security software is a 100% guarantee of total protection.

    Microsoft introduced a new feature which at this point in time is available for Windows 10 Enterprise users that took Windows Defender to a new level of security. They made it possible for Windows Defender to detect and block PUAs (Potentially Unwanted Applications), also known as Potentially Unwanted Programs (PUPs), and Potentially Unwanted Software (PUS).

    This is an opt in feature only so it is not automatically set to protect you, as many users all ready use their own third party applications to scan and block unwanted downloads and files.

    The good news is Windows 10 Home and Professional users can also opt in now if they would like to increase their security. This is great for a Family where a parent may want to help prevent their child accidently downloading and installing malicious applications, or generally just bothersome add-ons that affect the Browser(s) installed on the operating system.

    There are three ways you can opt in and enable this new feature. This first two options are not official yet, and may not remain effectively permanently. However, they do work fine for now. The third option, is the official method and ought to remain effective.

    Option 1- Note: This is not the official method and may not remain effective.

    This method makes use of an elevated Windows PowerShell to modify the Windows Defender registry key. It is a useful method as the key cannot easily be modified otherwise, because it belongs to the SYSTEM, meaning you cannot manually modify or delete data here normally, unless you change permissions.
    • In your Search/Cortana field type powershell
    • In the Search results right-click on Windows PowerShell and select Run as administrator
    • When prompted by the UAC click Yes
    • Now in the Administrator: Windows PowerShell console type or copy & paste the following command:
    Code (Text):
    Set-MpPreference -PUAProtection 1
    Press Enter key to execute

    Sample image

    sample1.png

    Close
    the Windows PowerShell window.​
    • Now right-click on Start and select Settings > Update & security
    • In the left pane click on Windows Defender
    • In the main window click Open Windows Defender Security Center
    • Click Virus & threat protection
    • Click Virus & threat protection settings
    • Toggle the Real-time Protection to Off, then toggle it back to On
    • Done!
    The above modifies the following SYSTEM controlled Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

    Sample image

    sample2.png


    If you change your mind and want to disable PUA Protection then in the Administrator: Windows PowerShell console type or copy & paste the following:

    Code (Text):
    Set-MpPreference -PUAProtection 0


    Press Enter key then close Windows PowerShell window.

    Now toggle off then toggle back on the Real-time Protection


    Option 2 - Note: This is not the official method and may not remain effective.

    As stated earlier, the above Registry Key that was modified in Option 1, is controlled by the SYSTEM. Thus to manually edit that key you'd need to change ownership of the key first. That is cumbersome, and for the novice can be risk as it introduces potential issues for the Operating System further down the track if done incorrectly.

    To avoid having to do this, you can instead manually add a policy to Windows Defender instead. I'm a fan of avoiding taking people directly into the Windows Registry where possible, so to execute this option, let's make use of an elevated Command Prompt instead.
    • In your Search/Cortana field type command
    • In the Search results right-click on Command Prompt and select Run as administrator
    • When the UAC prompts you click Yes
    • In the Administrator: Command Prompt window type or copy & paste the following command:
    Code (Text):
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 1 /f
    Press Enter key to execute

    Sample image

    sample3.png

    Now type exit then press Enter key
    • Right-click on Start and select Settings > Update & security
    • In the left pane click on Windows Defender
    • In the main window click Open Windows Defender Security Center
    • Click Virus & threat protection
    • Click Virus & threat protection settings
    • Toggle the Real-time Protection to Off, then toggle it back to On
    • Done!

      The above modifies the following Policies Registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    Sample image

    sample4.png

    If you change your mind and want to disable PUA Protection then in the Administrator: Command Prompt console type or copy & paste the following:

    Code (Text):
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f


    Press Enter key then close Windows PowerShell window.

    Now toggle off then toggle back on the Real-time Protection

    Note: You could also disable this setting from an elevated command prompt by deleting the new value:

    Code (Text):
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f


    Option 3 - Note: This is the official method and is most likely to remain effective.

    This option also modifies the Policies Registry key as per the original Microsoft instructions found on their publication on this topic. Again I'll demonstrate how to using an elevated Command Prompt:
    • In your Search/Cortana field type command
    • In the Search results right-click on Command Prompt and select Run as administrator
    • When the UAC prompts you click Yes
    • In the Administrator: Command Prompt window type or copy & paste the following command:
    Code (Text):
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePlus /t REG_DWORD /d 1 /f

    Press Enter key to execute

    Sample image

    sample5.png

    Now type exit then press Enter key
    • Right-click on Start and select Settings > Update & security
    • In the left pane click on Windows Defender
    • In the main window click Open Windows Defender Security Center
    • Click Virus & threat protection
    • Click Virus & threat protection settings
    • Toggle the Real-time Protection to Off, then toggle it back to On
    • Done!
    The above modifies the following Policies Registry Key by adding a sub-key called MpEngine and a new DWORD (32-bit) value: MpEnablePlus

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

    Sample image

    sample6.png


    If you change your mind and want to disable PUA Protection then in the Administrator: Command Prompt console type or copy & paste the following:

    Code (Text):
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePlus /t REG_DWORD /d 0 /f


    Press Enter key then close Windows PowerShell window.


    Now toggle off then toggle back on the Real-time Protection


    Note: You could also disable this setting from an elevated command prompt by deleting the new sub-key:


    Code (Text):
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /f

    Resources:


    https://blogs.technet.microsoft.com...lly-unwanted-applications-in-your-enterprise/


    Regards,

    Regedit32
    JAY B., Grizzly, Ian and 1 other person like this.