The new feature is available in Microsoft's System Center Endpoint Protection (SCEP) and Forefront Endpoint Protection (FEP) as an option that can be turned on by system administrators.
PUA signatures are included in the anti-malware definition updates and cloud protection, so no additional configuration is needed.
Potentially unwanted applications are those programs that, once installed, also deploy other programs without users' knowledge, inject advertisements into Web traffic locally, hijack browser search settings, or solicit payment for various services based on false claims.
"These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications," researchers from the Microsoft Malware Protection Center said in a blog post.
System administrators can deploy PUA protection for the specific anti-malware product version in their organization through the registry as a Group Policy setting.
Microsoft recommends that this feature be deployed after creating a corporate policy that explains what potentially unwanted applications are and prohibits their installation. Employees should also be informed in advance that this protection will be enabled to reduce the potential number of calls to the IT helpdesk when certain applications that worked before start being blocked.
If the network is already likely to have many PUA installations, it's recommended to deploy the protection in stages to limited number of computers in order to see if any detections are false positives and to add exclusions for them. Exclusion mechanisms based on file name, folder, extension and process are supported, the Microsoft researchers said.