Detect Potentially Unwanted Applications using Intune

Hello Everyone, here is another post from Configuration Profiles for you all. We will learn how to Enable the Detect Potentially Unwanted Applications using Intune. Here also, we will make use of Configuration Profiles from Intune to achieve this task.

You may risk infecting your network with malware due to potentially unwanted applications, which makes identifying malware attacks more difficult, and uses IT resources to remove the applications from your network. In order to prevent their installation, they should be blocked.

As a result of these applications, your network may become infected with malware more easily, making malware infections harder to identify among the noise, and waste helpdesk, IT, and user time cleaning up the applications. Detect Potentially Unwanted Applications (PUA) policy from MS Defender has already been deprecated.

Potentially Unwanted Applications (PUA) are sneaky unwelcome application bundlers that can deliver adware or malware. This policy setting controls the detection and action of PUAs. Windows Defender protects against Potentially Unwanted Applications if this setting is enabled.

Patch My PC

In the event that this setting is disabled or not configured, Potentially Unwanted Applications protection will not be enabled. With Windows 10 v1809 and Windows Server 2019, this functionality is instead configured through Group Policy settings: Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus, Configure detection for potentially unwanted applications.

Detect Potentially Unwanted Applications using Intune

Follow the steps stated below to Enable Configure detection for potentially unwanted applications Policy Using Intune:

Adaptiva
  • Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
  • Select Devices > Windows > Configuration profiles > Create a profile.

In Create Profile, Select Windows 10 and later in Platform, and Select Profile Type as Settings catalog. Click on Create button.

PlatformProfile Type
Windows 10 and laterSettings Catalog
Table1 – Configure detection for potentially unwanted applications Policy Using Intune
Detect Potentially Unwanted Applications using IntuneFig.1
Detect Potentially Unwanted Applications using Intune Fig.1

In the Basics tab pane, enter a name for the Policy as Configure detection for potentially unwanted applications Policy. If you like, you can enter the Description for the Policy, then select Next.

Detect Potentially Unwanted Applications using Intune Fig.2
Detect Potentially Unwanted Applications using Intune Fig.2

Now in Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Detect Potentially Unwanted Applications using Intune Fig.3
Detect Potentially Unwanted Applications using Intune Fig.3

On the Settings Picker windows, if you search by the keyword Unwanted Applications, you will see Administrative Templates\MS Security Guide, as shown below in the image.

On selecting the option as shown below in the image, you will see one setting name, which is Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED). After adding your setting, click the cross mark at the right-hand corner, as shown below.

Detect Potentially Unwanted Applications using Intune Fig.4
Detect Potentially Unwanted Applications using Intune Fig.4

After this, in the Administrative Templates, set the Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED) to Enabled, as shown below in the image.

Detect Potentially Unwanted Applications using Intune Fig.5
Detect Potentially Unwanted Applications using Intune Fig.5

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next. Under Assignments, In Included groups, click Add groups, and then choose Select groups to include one or more groups. Click Next to continue.

Detect Potentially Unwanted Applications using Intune Fig.6
Detect Potentially Unwanted Applications using Intune Fig.6

Now in Review + create, review your settings. When you click on Create, your changes are saved, and the profile is assigned.

Detect Potentially Unwanted Applications using Intune Fig.7
Detect Potentially Unwanted Applications using Intune Fig.7

A notification will appear automatically in the top right-hand corner with a message. You can see that the Policy “Configure detection for potentially unwanted applications Policy” was created successfully. If you check, the Policy is available in the Configuration profiles list.

Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.

Intune Reporting

From Intune Portal, you can view the Intune settings catalog profile report, which provides an overview of device configuration policies and deployment status.

To monitor the policy assignment, from the list of Configuration Profiles, select the Policy, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.

Configure detection for potentially unwanted applications Policy Using Intune Fig.8
Configure detection for potentially unwanted applications Policy Using Intune Fig.8

Intune MDM Event Log

Intune event ID 813 or 814 indicates that a string policy has been applied to Windows 10 or 11 devices. In addition, you can view the exact value of the Policy that is being applied to those devices.

You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

The log states the following – MDM PolicyManager: Set policy string, Policy: (TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications),
Area: (MSSecurityGuide), EnrollmentID requesting merge: (4009A089-4FBA-482B-9D17-9E5A8428CB98), Current User: (Device), String: (), Enrollment Type: (0xD), Scope: (0x0).

Detect Potentially Unwanted Applications using Intune Fig.9
Detect Potentially Unwanted Applications using Intune Fig.9

If you look in the event viewer log shown above, you will get some important information like Area and Enrollment ID that will help you in detecting the registry path. Please refer to the below for this information:

AreaPolicyString ValueScopedEvent ID
MSSecurityGuideTurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplicationsEnabledDevice814
Table2 – Configure detection for potentially unwanted applications Policy Using Intune

You can use information from the above table to REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located in the registry path.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\4009A089-4FBA-482B-9D17-9E5A8428CB98\default\Device\MSSecurityGuide

After you navigate to the above path in the Registry Editor, you will find the registry with the name TS_TEMP_DELETE. Refer to the table and image as shown below.

Registry NameData
TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplicationsEnabled
Table 3 – Detect Potentially Unwanted Applications using Intune
Detect Potentially Unwanted Applications using Intune Fig.10
Detect Potentially Unwanted Applications using Intune Fig.10

Author

Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.