Best Guide to Configure PUA Protection in Edge using Intune

Posted by Prajwal Desai

In this post, you will learn how to configure PUA Protection in Edge using Intune (Endpoint Manager). PUA stands for Potentially Unwanted Applications.

By enabling the Intune PUA protection in Microsoft Edge, you can protect against potentially unwanted applications (PUA).

When you enable PUA protection in Microsoft Edge using Intune, it blocks downloads of low-reputation apps that might cause unexpected behaviors.

It is safe to enable the PUA protection in Edge via Intune, if it is not enabled by default. You can also use Configuration Manager to configure PUA protection for Microsoft Edge.

Recommended Reading: How Microsoft identifies malware and potentially unwanted applications.

There are multiple methods to enable and configure the PUA protection for Edge browser.

  1. You can use a GPO to configure PUA protection for Edge.
  2. Manually enable PUA Protection for Edge.
  3. Use Intune to enable PUA (Potentially Unwanted Application) in Edge.

In this post, we will create a new Intune configuration profile to configure the PUA protection in Microsoft Edge.

Intune PUA Protection Settings for Microsoft Edge

When you enable PUA protection for Microsoft Edge browser using Intune, you can configure the following PUA settings using MEM Settings Catalog.

  • Configure Microsoft Defender SmartScreen – This policy setting lets you configure whether to turn on Microsoft Defender SmartScreen. Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software.
  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps – This policy setting lets you configure whether to turn on blocking for potentially unwanted apps with Microsoft Defender SmartScreen. Potentially unwanted app blocking with Microsoft Defender SmartScreen provides warning messages to help protect users from adware, coin miners, bundleware, and other low-reputation apps that are hosted by websites.
  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites – This policy setting lets you decide whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites. If you enable this setting, users can’t ignore Microsoft Defender SmartScreen warnings, and they are blocked from continuing to the site.

Configure PUA Protection in Edge using Intune

You can use the following steps to configure PUA Protection in Edge using Intune. First, sign in to the Intune Portal (Microsoft Endpoint Manager admin center). Go to Devices > Windows > Configuration Profiles. Select Create Profile.

Create a new Intune configuration profile

Select Platform as Windows 10 and later and Profile Type as Settings catalog. Click Create.

Create a new Intune configuration profile

On the Create Profile window, specify the profile name as Configure PUA protection for Microsoft Edge or something similar. Click Next.

Specify Intune Configuration Profile Name

The settings catalog allows you to choose the Edge PUA settings that you want to configure. On the Configuration Settings, select Add Settings.

Configure PUA Protection in Edge using Intune

On the Settings Picker window, type Defender SmartScreen in the search box and click Search. The results include all the settings related to Microsoft Defender SmartScreen. Select Microsoft Edge\SmartScreen Settings category.

From the list of settings, select the following settings for enabling PUA protection in Edge.

  1. Configure Microsoft Defender SmartScreen
  2. Configure Microsoft Defender SmartScreen to block potentially unwanted apps
  3. Prevent bypassing Microsoft Defender SmartScreen prompts for sites

Configure PUA Protection in Edge using Intune

To enable the PUA settings in Edge via Intune, you must enable all of the settings below.

  • Configure Microsoft Defender SmartScreen – Enabled.
  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps – Enabled.
  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites – Enabled.

Click Next.

Configure PUA Protection in Edge using Intune

Under Assignments, under Included groups, select Add groups and then choose one or more groups to include. Select Next to continue.

Assign the Intune Edge PUA Protection Profile

You may add scope tags; this is optional. Click Next.

Scope Tags for Intune Edge PUA Protection Profile

On the Review+Create window, review the Intune Edge PUA settings and click Create.

Intune Edge PUA Protection Profile

After you create the policy, a notification will appear automatically in the top right-hand corner with a message. Policy Created – “Configure PUA Protection – Microsoft Edge” created successfully. The policy is also shown in the Configuration profiles list.

Configure PUA Protection in Edge Policy Created

After you deploy the policy, your targeted groups will receive your Edge PUA profile settings when the devices check in with the Intune service.

Once the policy is applied to the devices, you can launch the Edge browser and go to Settings > Privacy, Search, and services. Under Security, you should see that Microsoft Defender SmartScreen and Block potentially unwanted apps are both enabled.
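The same check can be done from the device without opening the browser. The script below is an added example, not part of the original post: it reads the three SmartScreen policies from the registry and reports whether each one is enabled. It assumes the profile lands under the standard Edge policy key (`SOFTWARE\Policies\Microsoft\Edge`) with the documented Edge policy value names `SmartScreenEnabled`, `SmartScreenPuaEnabled` and `PreventSmartScreenPromptOverride`; none of these names appear on the page.

```powershell
# Added example: verify the three Edge SmartScreen policies on a managed device.
# Assumption: policies are written to the standard Edge policy registry key.
$expected = [ordered]@{
    SmartScreenEnabled               = 1  # Configure Microsoft Defender SmartScreen
    SmartScreenPuaEnabled            = 1  # Block potentially unwanted apps
    PreventSmartScreenPromptOverride = 1  # Prevent bypassing prompts for sites
}

# Device-scoped policy is checked first; user-scoped policy is the fallback.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

function Get-EdgePolicyValue {
    param([string]$Name)
    foreach ($key in $policyKeys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
    return $null   # value not present in either hive
}

$results = foreach ($name in $expected.Keys) {
    $found = Get-EdgePolicyValue -Name $name
    [pscustomobject]@{
        Policy    = $name
        Expected  = $expected[$name]
        Actual    = if ($found) { $found.Value } else { 'not set' }
        Source    = if ($found) { $found.Source } else { '-' }
        Compliant = [bool]($found -and $found.Value -eq $expected[$name])
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code signals that at least one setting is missing or disabled.
if ($results.Compliant -contains $false) {
    Write-Output 'Edge PUA protection policy is NOT fully applied.'
    exit 1
}
Write-Output 'Edge PUA protection policy is applied.'
exit 0
```

A value reported as "not set" usually means the device has not yet checked in or is not in an assigned group; the `edge://policy` page in the browser shows the same three policies and their source.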

If the user attempts to download a potentially unwanted application on the device, the application is blocked. The user will see a dialog: “Application.exe has been blocked as a potentially unwanted app by Microsoft Defender SmartScreen”.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.