Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM

Let’s check how you can configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune aka Endpoint Manager. Potentially unwanted applications aren’t considered to be viruses or malware, but these apps might perform actions on endpoints that adversely affect endpoint performance or use. PUA can also refer to applications that are considered to have poor reputations.

PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. PUAs are not considered malware. Microsoft uses specific categories and category definitions to classify software as potentially unwanted applications (PUA). There are many other policies available that you can Configure Microsoft Defender SmartScreen to block potentially unwanted apps, as mentioned below.

  • Configure Microsoft Defender SmartScreen
  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
  • Force Microsoft Defender SmartScreen checks on downloads from trusted sources
  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads

You can perform the basic Microsoft Edge security policy troubleshooting from the MEM admin center portal. One example is given below How To Start Troubleshooting Intune Issues from the server-side. The next level of troubleshooting is with MDM Diagnostics Tool to collect the log and information from the client-side.

Patch My PC

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge

This section will help you assign the policy set up protection by enabling the block potentially unwanted apps feature in Microsoft Edge using Intune setting catalog policies. You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune Managed Windows 11 or Windows 10 devices using Intune Filters.

Let’s follow the steps to configure PUA protection in Microsoft Edge using Intune –

  • Sign in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile
Intune Configuration Profiles – Create Profile
Intune Configuration Profiles – Create Profile

In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Settings catalog. Click on Create button.

1E Nomad
Intune Configuration Profiles – Select Platform, Profile type
Intune Configuration Profiles – Select Platform, Profile type

On the Basics tab, enter a descriptive name, such as Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge. Optionally, enter a Description for the policy, then select Next.

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 1
Create Profile – Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 2
Settings catalog – Click + Add settings | Configure PUA Protection in Microsoft Edge

On the Settings Picker windows, Select Microsoft Edge, Under SmartScreen settings to see all the settings in this category. Select Configure Microsoft Defender SmartScreen, Configure Microsoft Defender SmartScreen to block potentially unwanted apps, and Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads below.

After adding your settings, click the cross mark at the right-hand corner to close the settings picker. 

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 3
Select Microsoft Edge > SmartScreen – Configure PUA Protection in Microsoft Edge

The setting is shown and configured with a default value Disabled. Set Configure Microsoft Defender SmartScreen to block potentially unwanted apps to Enabled. Click Next. Additionally, It’s good to enable the following policies –

  • Configure Microsoft Defender SmartScreen – This policy setting lets you configure whether to turn on Microsoft Defender SmartScreen. Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software.
  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps – This policy setting lets you configure whether to turn on blocking for potentially unwanted apps with Microsoft Defender SmartScreen. Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites.
  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads – This policy lets you determine whether users can override Microsoft Defender SmartScreen warnings about unverified downloads. If you enable this policy, users in your organization can’t ignore Microsoft Defender SmartScreen warnings, and they’re prevented from completing the unverified downloads.
Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 4
Set Configure PUA Protection – Enabled

Under Assignments, In Included groups, select Add groups and then choose Select groups to include one or more groups. Select Next to continue.

Assignments – Select groups to include
Assignments – Select groups to include | Configure PUA Protection in Microsoft Edge

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 5
Review – Configure PUA Protection in Microsoft Edge

A notification will appear automatically in the top right-hand corner with a message. Here you can see, Policy “Configure Potentially Unwanted Applications (PUAs) Protection” created successfully. The policy is also shown in the Configuration profiles list.

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 6

Your groups will receive your profile settings when the devices check-in with the Intune service. Once the policy applies to the devices, Open Settings in the browser, Select Privacy, Search, and services. Check to see that Microsoft Defender SmartScreen is turned on. Under the Security section, turn on Block potentially unwanted apps.

Configure PUA Protection in Microsoft Edge
Configure PUA Protection in Microsoft Edge

When Microsoft Edge detects a PUA, you will see a message when downloading a potentially unwanted app Here is what users will see when a download is blocked by the feature, users can choose to keep it by tapping … in the bottom bar, choosing to Keep, and then choosing to Keep anyway in the dialog that appears.

Configure Potentially Unwanted Applications PUA Protection in Microsoft Edge using Intune MEM 7
Configure PUA Protection in Microsoft Edge

Author

About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10, Windows 11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.