Potentially Unwanted Application with SCCM

The name Potentially Unwanted Application (PUA) identifies software that contains adware or toolbars, or that installs any other hidden or potentially unwanted package.

In my life as an IT pro I have often found myself dealing with software that installs unwanted packages as part of a tool or utility. Sometimes this is fine and even expected, but most of the time the real goal of the application installation is unclear, hence the name.

In this article we're going to see how ConfigMgr can be configured to detect and report Potentially Unwanted Applications.

Potentially Unwanted Application Pre-Requisites

Detecting Potentially Unwanted Applications is a rather straightforward process. The only requirements are the installation and configuration of the Endpoint Protection role and the deployment of custom client settings for Endpoint Protection.

Potentially Unwanted Application Configuration

When antimalware policies are deployed to clients, the PUA component is disabled by default to avoid issues: once enabled, the setting blocks PUA download and installation, and it can be desirable to exclude specific files or folders to meet the environment's needs.

To create the Potentially Unwanted Application protection policy, open the Configuration Manager admin console, navigate to [Assets and Compliance] / [Compliance Settings], right-click Configuration Items and click Create Configuration Item.

Potentially Unwanted Application Configuration Item

Assign a name to the new configuration item and select Windows as the type of item.

Potentially Unwanted Application Configuration Item Configuration

In the Supported Platforms page select all Windows versions to which the PUA policy will be applied and click Next. For this example just select Windows 10.

Potentially Unwanted Application Configuration Item Supported Platforms

In the Specify Settings for this operating system page click the New button to start creating a new compliance setting.

Potentially Unwanted Application New Compliance Setting

In the Create Setting General tab assign a descriptive name, in the Data Type field select Integer, in the Key Name field input Software\Policies\Microsoft\Windows Defender\MpEngine and finally input the value MpEnablePus.

Potentially Unwanted Application New Compliance Setting Registry

Note: Keep in mind that, depending on the Windows version, and hence the antimalware solution implemented, you need to specify different registry settings. I will describe all settings at the end of the article.

Switch to the Compliance Rules tab and select New to start creating the new rule. Assign a name to the Compliance Rule and configure it according to the settings shown in the image to enable the Potentially Unwanted Application setting.

Potentially Unwanted Application Compliance Settings

Click Apply and then Next on the various pages to proceed with the PUA creation.

Potentially Unwanted Application Rules Wizard

Potentially Unwanted Application Compliance Rule Wizard

Review the information on the Summary page and click Start to start the PUA creation.

Potentially Unwanted Application Complete

Potentially Unwanted Application Configuration by Windows Version

As already explained, the endpoint protection component differs depending on the Windows version, so you need to specify different registry settings for the Potentially Unwanted Application detection policy to take effect. The following table summarizes the registry settings per product version.

Product Version                      Key
System Center Endpoint Protection    Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
System Center Endpoint Protection    Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
System Center Endpoint Protection    Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
Windows Defender                     Software\Policies\Microsoft\Windows Defender\MpEngine
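
To verify on a client which of the two keys in the table actually carries MpEnablePus, the following check can be run locally. It is an added example, not part of the original article, and it assumes the keys live under HKLM and that a value of 1 means PUA detection is enabled; the function name Get-PuaPolicyState is hypothetical.

```powershell
# Added example: report the MpEnablePus policy value for both endpoint
# protection products listed in the table above.
# Assumptions (not stated in the article): the keys live under HKLM and
# a value of 1 means PUA detection is enabled.

$ExpectedValue = 1
$PolicyKeys = [ordered]@{
    'System Center Endpoint Protection' = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Windows Defender'                  = 'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'
}

# Hypothetical helper: returns one object per product with its policy state.
function Get-PuaPolicyState {
    param(
        [System.Collections.IDictionary]$Keys,
        [int]$Expected
    )

    foreach ($product in $Keys.Keys) {
        $path  = $Keys[$product]
        $value = $null
        $state = 'KeyMissing'

        if (Test-Path -LiteralPath $path) {
            # The key can exist without the value, so suppress the lookup error
            $item = Get-ItemProperty -LiteralPath $path -Name 'MpEnablePus' -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $value = $item.MpEnablePus
                $state = if ($value -eq $Expected) { 'Compliant' } else { 'NonCompliant' }
            }
        }

        [pscustomobject]@{
            Product     = $product
            Key         = $path
            MpEnablePus = $value
            State       = $state
        }
    }
}

Get-PuaPolicyState -Keys $PolicyKeys -Expected $ExpectedValue | Format-Table -AutoSize
```

A client that reports KeyMissing or ValueMissing for its installed product has not yet received or evaluated the configuration item.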