Merge pull request #4105 from YongRhee-MSFT/docs-editor/detect-block-potentially-unwan-1748882391

denisebmsft · web-flow · commit e4f8c74fb79a · 2025-06-10T16:54:11.000-07:00
Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
diff --git a/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-ngp
 search.appverid: met150
-ms.date: 05/01/2025
+ms.date: 06/10/2025
 ---
 
 # Detect and block potentially unwanted applications
@@ -50,6 +50,8 @@ For macOS, see [Detect and block potentially unwanted applications with Defender
 
 For Linux, see [Detect and block potentially unwanted applications with Defender for Endpoint on Linux](/defender-endpoint/linux-pua).
 
+## What are potentially unwanted applications?
+
 Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software that might be unexpected or unwanted. PUA isn't considered a virus, malware, or other type of threat, but it might perform actions on endpoints that adversely affect endpoint performance or use. The term *PUA* can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
 
 Here are some examples:
@@ -96,7 +98,7 @@ Although Microsoft Defender for Endpoint has its own blocklist based upon a data
 
 The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.
 
-Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications are disabled](configure-notifications-microsoft-defender-antivirus.md) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
+Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications are disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
 
 The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md).
 
@@ -106,11 +108,31 @@ You can enable PUA protection with Microsoft Defender for Endpoint Security Sett
 
 At first, try using PUA protection in audit mode. It detects potentially unwanted applications without actually blocking them. Detections are captured in the Windows Event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and it's important to avoid false positives.
 
-| Operating systems |Potentially Unwanted Protection (PUA) by default is set to:|
-| -------- | -------- |
-|Windows 11, Windows 10, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016|Audit mode (2)|
-|Windows 11, Windows 10 + Microsoft Defender for Endpoint Plan 1 or Microsoft Defender for Endpoint Plan 2 or Microsoft Endpoint for Business|Block mode (1)|
-|Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 with the unified Microsoft Defender for Endpoint client + Microsoft Defender for Servers Plan 1 or Microsoft Defender for Servers Plan 2 or Microsoft Defender for Endpoint for servers|Block mode (1)   |
+Scenarios and default settings for PUA protection depend on whether devices are onboarded to Defender for Endpoint or Microsoft Defender for Business.
+
+##### Microsoft Defender Antivirus without devices onboarded to Defender for Endpoint
+
+|Scenarios| Security intelligence update version |PUA protection default setting|
+| -------- | -------- | -------- |
+| Windows 10 or later<br/>Windows Server 2016 or later | older than 1.329.495.0 | Disabled (0) |
+| Windows 10 or later<br/>Windows Server 2016 or later | 1.329.495.0 or later | Audit mode (2) |
+
+##### Microsoft Defender Antivirus with devices onboarded to Defender for Endpoint Plan 1/Plan 2 or Defender for Business
+
+| Scenarios |Security intelligence update version | Smart App Locker | PUA protection default setting|
+| -------- | -------- | -------- | -------- |
+| Windows 10, version 2004 or later<br/>Windows Server 2012 R2 and Windows Server 2016 with the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2)<br/>Windows Server 2019 or later | older than 1.329.495.0 | Feature not available | Audit mode (2)|
+| Windows 11, version 22H2 or later | 1.329.495.0 or later | Available | Audit mode (2)|
+| Windows 10, version 2004 or later<br/>Windows Server 2012 R2 and Windows Server 2016 with the [modern unified solution](onboard-server.md#functionality-in-the-modern-unified-solution-for-windows-server-2016-and-windows-server-2012-r2)<br/>Windows Server 2019 or later | 1.329.495.0 or later | Feature not available | Block mode (1)|
+
+> [!TIP]
+> To enforce PUA protection in block mode, use any of the following management methods:
+>
+> - Defender for Endpoint Security Settings Management
+> - Intune
+> - Configuration Manager
+> - Group Policy
+> - PowerShell
 
 ### Use Microsoft Defender for Endpoint Security Settings Management to configure PUA protection
 
