How to enable Windows Defender's potentially unwanted programs protection

Martin Brinkmann
Aug 20, 2018
Updated • Jul 30, 2020

One of the latest additions to Windows Defender Antivirus' arsenal of protection tools blocks potentially unwanted programs, short PUPs, from landing on the system or being installed on Windows PCs.

Note: Potentially Unwanted Programs (PUPs) and Potentially Unwanted Applications (PUAs) refer to the same type of potentially unwanted software.

Microsoft improved the defensive capabilities of the built-in antivirus and security tool Windows Defender significantly for Windows 10.

The company added features such as Windows Defender System Guard and Application Guard, Network protection, Controlled Folder Access, or Exploit protection in recent years to the tool. Microsoft even published Windows Defender Browser Protection for Google Chrome.

Some features are reserved for Enterprise editions of Windows 10 but some are also available in Home editions.

Windows Defender's PUP protection

Windows Defender may block potentially unwanted programs from being downloaded or installed on Windows 10 systems. The feature is not enabled by default and can only be enabled using PowerShell, InTune, or System Center.

Potentially Unwanted Programs are not classified as malware usually; these programs may come as extra installation offers during software installations on a Windows PC or as standalone programs that don't provide a lot of value, if at all.

Microsoft gives the following examples of typical PUA (Potentially Unwanted Applications):

  • Various types of software bundling
  • Ad-injection into web browsers
  • Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)

Windows Defender Antivirus does not block potentially unwanted programs by default. You can check the protection on Microsoft's Demo Scenario site to test a system's protection against various threats.

Just click on the link under Scenario to test the protection. This should work with Windows Defender and other antivirus software installed provided that they are configured to block PUPs.

The protection works in the following cases:

  • The file is downloaded in a browser.
  • The file is in a folder with "downloads" or "temp" in the path.
  • The file is on the user's Desktop.
  • The file is not under %programfiles%, %appdata%, or %windows%, and does not meet any of the conditions above.

Windows Defender Antivirus places files identified as PUP in the Quarantine. Users are informed about the identification of PUPs on the system similar to how they are informed about other threats detected by Windows Defender.

Admins and users can check the Windows Event Viewer for event ID 1160 as potentially unwanted program events are recorded under it.

Enable the potentially unwanted programs protection in Windows Defender

windows defender pup protection

Note that the following instructions apply to Windows 10 only and that you need elevated rights to make the change.

  1. Open Windows PowerShell with Windows-X and the selection of Windows PowerShell (Admin) from the context menu.
    • If you don't see Windows PowerShell (Admin) listed there do the following instead: open Start, type Windows PowerShell, right-click on the result, and select "run as administrator".
  2. Confirm the UAC prompt that is displayed.
  3. The console that opens should being with "Administrator".
  4. Type Set-MpPreference -PUAProtection Enabled and hit the Return-key.

Nothing is returned when you run the command. You can run the command Get-MpPreference to check the status of preferences of Windows Defender Antivirus. Find PUAProtection and make sure it is set to 1 (which means that it is enabled).

Tip: You can disable the protection again at a later point in time by running the command Set-MpPreference -PUAProtection Disabled. It is furthermore possible to set the feature to audit mode. Audit mode records events but won't interfere (read block) potentially unwanted programs. To set audit mode run MpPreference -PUAProtection AuditMode.

I recommend that you run the test scenario that Microsoft published to the demo site linked above to make sure the protection is enabled correctly.

Admins who work with Microsoft Intune or System Center Configuration Manager find instructions on enabling the Potentially Unwanted Applications protection of Windows Defender Antivirus on Microsoft's Doc website.

Enable Reputation-based protection in the Settings

reputation based protection

You can enable the protection against potentially unwanted programs in the Settings as well. Here is how that is done:

  1. Select Start > Settings, or use the keyboard shortcut Windows-I to open the Settings.
  2. Go to Update & Security.
  3. Select Windows Security.
  4. Activate the button Open Windows Security.
  5. Select App & Browser Control.
  6. Hit the Turn On button to enable the protection.

Whitelist blocked PUA applications

windows defender threat history

Detected PUAs are moved to the Quarantine of Windows Defender automatically. It happens that you want to keep a program that Windows Defender identified as a PUA.

You can restore any program that Windows Defender put into Quarantine and potentially unwanted programs are no exception to that.

  1. Use Windows-I to open the Settings application.
  2. Go to Update & Security > Windows Security.
  3. Select "Open Windows Security".
  4. Go to Virus & threat protection.
  5. Click on "Threat history".
  6. Select the threat that you want to recover and then restore.
    1. If you don't see the threat listed there, as only some are displayed there, select "see full history" to get the complete listing.

Windows Defender restores the file to its original location, e.g. the Downloads folder. You should be able to run it from there then without any issues.

Now You: Do you run antivirus software with PUP protection? (via Windows Central)

How to enable Windows Defender's potentially unwanted programs protection
Article Name
How to enable Windows Defender's potentially unwanted programs protection
Find out how to enable protection against potentially unwanted program downloads on Windows 10 by enabling the protective feature in Windows Defender.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Dan Donx said on January 15, 2023 at 10:29 am

    What mental age of reader are you targeting with the first sentence? 10?

    Why not write an article on how to *avoid* upgrading from W10 to W11. Analogous to those like me who avoided upgrading from 7 to 10 for as long as possible.

    If your paymaster Microsoft permits it, of course.

  2. Dexter said on January 15, 2023 at 11:14 am

    5. Rufus
    6. Ventoy

    PS. I hate reading these “SEO optimized” articles.

    1. cdr said on January 15, 2023 at 3:32 pm

      I used Rufus to create an installer for a 6th gen intel i5 that had MBR. It upgraded using Setup. No issues except for Win 11 always prompting me to replace my local account. Still using Win 10 Pro on all my other PCs to avoid the bullying.

  3. sv said on January 15, 2023 at 6:40 pm

    bit pointless to upgrade for the sake of upgrading as you never know when you’ll get locked out because ms might suddenly not provide updates to unsupported systems.

    ps…. time travelling?
    written. Jan 15, 2023
    Updated • Jan 13, 2023

    1. Martin Brinkmann said on January 16, 2023 at 5:49 am

      This happens when you schedule a post in WordPress and update it before setting the publication date.

  4. Anonymous said on January 16, 2023 at 8:24 am

    Anyone willing to downgrade to this awful OS must like inflicting themselves with harm.

  5. basingstoke said on January 16, 2023 at 11:18 am

    I have become convinced now that anybody who has no qualms with using Windows 11/10 must fit into one of the following brackets:

    1) Too young to remember a time before W10 and W11 (doesn’t know better)

    2) Wants to play the latest games on their PC above anything else (or deeply needs some software which already dropped W7 support)

    3) Doesn’t know too much about how computers work, worried that they’d be absolutely lost and in trouble without the “”latest security””

    4) Microsoft apologist that tries to justify that the latest “features” and “changes” are actually a good thing, that improve Windows

    5) Uses their computer to do a bare minimum of like 3 different things, browse web, check emails, etc, so really doesn’t fuss

    Obviously that doesn’t cover everyone, there’s also the category that:

    6) Actually liked W7 more than 10, and held out as long as possible before switching, begrudgingly uses 10 now

    Have I missed any group off this list?

    1. Heinz Strunk said on September 19, 2023 at 3:57 pm

      You have missed in this group just about any professional user that uses business software like CAD programs or ERP Programs which are 99% of all professional users from this list.

      Linux doesn’t help anyone who is not a linux kid and apple is just a fancy facebook machine.

  6. ilev said on August 24, 2023 at 7:34 pm

    Microsoft has removed KB5029351 update

    1. EP said on August 24, 2023 at 9:21 pm

      only from windows update though
      KB5029351 is still available from the ms update catalog site

  7. Anonymous said on August 24, 2023 at 11:05 pm

    1. This update is labaled as PREVIEW if it causes issues to unintelligent people, then they shouldn’t have allowed Preview updates ot install.

    2. I have installed it in a 11 years old computer, and no problems at all.

    3. Making a big drama over a bluescreen for an updated labeled as preview is ridiculous.

    This is probably another BS internet drama where people ran programs and scripts that modified the registry until they broke Windows, just for removing stuff that they weren’t even using just for the sake of it.
    Maybe people should stop playing geeks and actually either use Windows 10 or Windows 11, but don’t try to modify things just for the sake of it.

    Sometimes removing or stopping things (like defender is a perfect example) only need intelligence, not scripts or 3rd party programs that might mess with windows.

  8. john said on August 24, 2023 at 11:17 pm

    Windows 11 was a pointless release, it was just created because some of the Windows team wanted to boost sales with some sort of new and improved Windows 10. Instead, Microsoft cannot support one version well let alone two.

    1. John G. said on August 25, 2023 at 12:08 pm

      Windows 11 is the worst ugly shame by Microsoft ever. They should release with every new W11 version a complete free version of Starallback inside just to make this sh** OS functionally again.

  9. EP said on August 25, 2023 at 3:10 pm

    motherboard maker MSI has recently released a statement regarding the “unsupported processor” blue screen error for their boards using Intel 600/700 series chipsets & to avoid the KB5029351 Win11 update:–UNSUPPORTED-PROCESSOR–Error-Message-of-Windows-11-Update-KB5029351-Preview-142215

  10. EP said on August 29, 2023 at 7:32 pm

    check out the following recent articles:

    Neowin – Microsoft puts little blame on its Windows update after UNSUPPORTED PROCESSOR BSOD bug:

    BleepingComputer – Microsoft blames ‘unsupported processor’ blue screens on OEM vendors:

  11. Leonard Britvolli said on August 30, 2023 at 10:33 pm

    While there may be changes or updates to the Windows 10 Store for Business and Education in the future, it is premature to conclude that it will be discontinued based solely on rumors.

  12. sembrador said on September 5, 2023 at 9:32 pm

    My advice, I left win 15 years ago. Now I’m a happy linux user (linuxmint) but there is Centos, Fedora, Ubuntu depending on your needs.

  13. EP said on September 6, 2023 at 11:55 am

    motherboard maker MSI has recently released new BIOS/firmware updates for their Intel 600 & 700 series motherboards to fix the “UNSUPPORTED_PROCESSOR” problem (Sept. 6):–UNSUPPORTED-PROCESSOR–caused-BSOD-on-MSI-s-Intel-700-and-600-Series-Motherboards-142277

  14. Raphael Benzo said on September 24, 2023 at 9:52 pm

    I try to disable the Diagnostics Tracking Service (Connected Devices Platform User Services) but it wont let me disable it, any help will be greatly appreciated.
    Tank you for your help

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.