Microsoft Defender Antivirus STIG Version Comparison

There are 41 differences between versions v2 r2 (May 4, 2021) (the "left" version) and v2 r4 (May 31, 2022) (the "right" version).

Check WNDF-AV-000001 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

Windows Microsoft Defender AV must be configured to block the Potentially Unwanted Application (PUA) feature.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Microsoft Defender Antivirus >> "Configure detection for potentially unwanted applications" is set to "Enabled" and "Block". Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender If the value "PUAProtection" does not exist, this is a finding. If the value "PUAProtection" is REG_DWORD = 1, this is not a finding.

Discussion

After enabling this feature, PUA protection blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances. PUA will be blocked and automatically quarantined.

Fix

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Microsoft Defender Antivirus >> "Configure Detection for Potentially Unwanted Applications" to "Enabled" and "Block".