At the end of November, Microsoft rolled out a new security capability for Enterprise users, allowing organizations to opt-in to block unwanted applications that download from a web browser. The applications are blocked during download so installation is never even accomplished. This security capability should help minimize the number of malware applications served to oblivious end-users.
For now, flipping the switch to enable this feature is a bit convoluted and definitely a manual process. I’m positive it will be improved in the future, but for now it’s a registry modification which can be wrapped into a self-created Group Policy setting.
Here’s the specifics:
* For System Center Endpoint Protection and Forefront Endpoint Protection:
Registry path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
Value name: MpEnablePus
Value (dword): 0 = off; 1 = on
* For Windows Defender:
Registry path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine
Value name: MpEnablePus
Value (dword): 0 = off; 1 = on
