Enable Audit Mode for PUA Detection in SCCM

Let’s check how you can enable Audit mode for potentially unwanted application (PUA) detection in the SCCM Antimalware policy settings. PUA protection in audit mode is useful for detecting potentially unwanted applications without blocking them.

Starting in Configuration Manager version 2107, an Audit option for potentially unwanted applications (PUA) was added to the Antimalware policy settings.

Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software that might be unexpected or unwanted.

PUA is not considered a virus, malware, or other type of threat, but it might perform actions on endpoints that adversely affect endpoint performance or use.

PUA protection in audit mode is also useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives. The detections are captured in the Windows event log.

Enable Audit Mode for PUA Detection in SCCM

Let’s follow the steps below to enable potentially unwanted application (PUA) detection in SCCM for an existing policy:

  • Launch the Configuration Manager Console. Navigate to Assets and Compliance > Endpoint Protection > Antimalware policy.
  • Choose the set of antimalware policies you want to change, or create a new custom antimalware policy.
  • Select the Real-time protection settings page.
  • Set the Configure detection for potentially unwanted applications setting to Audit.

Note – This protection policy setting is set to Enabled by default.


Create a new antimalware policy for PUA Detection in SCCM

Let’s follow the steps below to create a new antimalware policy to enable PUA detection in SCCM:

  • In the Configuration Manager console, click Assets and Compliance.
  • In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
  • On the Home tab, in the Create group, click Create Antimalware Policy.

  • In the General section of the Create Antimalware Policy dialog box, enter a name and a description for the policy.

  • In the Create Antimalware Policy dialog box, configure the Real-time protection settings to enable Audit mode for PUA detection.
  • Set Configure detection for potentially unwanted applications to Audit and then click OK.

Additionally, here is the list of Real-time protection settings that you can configure:

| Setting name | Description |
|---|---|
| Enable real-time protection | Set to Yes to configure real-time protection settings for client computers. We recommend that you enable this setting. |
| Monitor file and program activity on your computer | Set to Yes if you want Endpoint Protection to monitor when files and programs start to run on client computers and to alert you about any actions that they perform or actions taken on them. |
| Scan system files | This setting lets you configure whether incoming, outgoing, or incoming and outgoing system files are monitored for malware. For performance reasons, you might have to change the default value of Scan incoming and outgoing files if a server has high incoming or outgoing file activity. |
| Enable behavior monitoring | Enable this setting to use computer activity and file data to detect unknown threats. When this setting is enabled, it might increase the time required to scan computers for malware. |
| Enable protection against network-based exploits | Enable this setting to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity. |
| Enable script scanning | For Configuration Manager with no service pack only. Enable this setting if you want to scan any scripts that run on computers for suspicious activity. |
| Block Potentially Unwanted Applications at download and prior to installation | Starting in Configuration Manager version 2107, you can select to Audit this setting. Use PUA protection in audit mode to detect potentially unwanted applications without blocking them. |

  • Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Once you have completed these steps, you can deploy the antimalware policy to client computers. The Deploy option cannot be used with the default client malware policy.
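To confirm on a client that the deployed policy put PUA protection into audit mode, and to review the detections that audit mode writes to the Windows event log, the following check can be run on a managed machine. It is an added example, not part of the original article; it assumes a Windows 10 or later client where Endpoint Protection manages Microsoft Defender Antivirus, uses the Defender `Get-MpPreference` cmdlet (PUAProtection: 0 = disabled, 1 = enabled, 2 = audit) and Defender event ID 1160 for PUA detections, and `$Days` is a hypothetical parameter.

```powershell
# Added example. Run in an elevated PowerShell session on a managed client.
# Assumption: Windows 10 or later, Microsoft Defender Antivirus is the active engine.
param(
    [int]$Days = 7   # hypothetical parameter: how far back to search the event log
)

# PUAProtection values reported by Get-MpPreference
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit' }
$mode = [int](Get-MpPreference).PUAProtection
$modeName = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { 'Unknown' }
Write-Output "PUAProtection = $mode ($modeName)"

if ($mode -ne 2) {
    Write-Warning 'Client is not in PUA audit mode; the policy may not have applied yet.'
}

# PUA detections are written to the Defender operational log as event ID 1160.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1160
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No PUA detections (event ID 1160) in the last $Days day(s)."
}
else {
    # Show when and where each detection happened, with the first line of the message.
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated,
            @{ Name = 'Computer'; Expression = { $_.MachineName } },
            @{ Name = 'Summary';  Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Reviewing these audit events for a period before switching the setting to Enabled shows which applications would have been blocked.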

Author

About Author – Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
