Controlled Folder Access is a new feature introduced in the Fall Creators Update for Windows 10 that is part of Windows Defender Exploit Guard.
The security feature protects files from being accessed by malicious code running on the Windows machine, and Microsoft advertises it specifically as a protection mechanism against ransomware.
The feature requires Windows Defender Antivirus and that real-time protection is enabled as well. Attack Surface Reduction, another security feature which I reviewed yesterday, has the same requirements.
The feature was introduced in Windows 10 version 1709, the Fall Creators Update, and is not part of older versions of Microsoft's operating system.
System administrators and users can manage Controlled Folder Access in several ways: through Group Policy and PowerShell, and the Windows Defender Security Center application.
Microsoft describes the security functionality of Controlled Folder Access in the following way:
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
This means that the functionality relies on Windows Defender to detect a process as malicious. If Windows Defender scans don't flag the process as malicious or suspicious, access to files an folders protected by Controlled Folder Access is granted.
This is different from other anti-ransomware tools like Hitman Pro Kickstart, Bitdefender Anti-Ransomware, or WinPatrolWar, which are usually more pro-active when it comes to protecting important files and folders.
Windows 10 users may enable and manage Controlled Folder Access using the Windows Defender Security Center application.
When you switch the security feature to on, two links are added underneath it.
The list of folders that are protected by Controlled Folder Access is displayed when you click on the link. Windows Defender protects some folders automatically; these are:
You cannot remove these default folders, but you can add custom folder locations so that the added folders are protected by the security feature as well.
Click on "add a protected folder" to select a local folder and have it added to the protected folders listing.
This option lets you whitelist applications so that these programs may interact with protected files and folders. Whitelisting is mostly useful for situations where applications are flagged incorrectly by Windows Defender (false positives).
Simply click on the "add an allowed app" option on the page, and select an executable file from the local system, so that it is allowed to access the protected files and folders.
You can manage the Controlled Folder Access feature using policies.
Note: The Group Policy is part of professional editions of Windows 10 only. Home users don't have access to it (the free program Policy Plus adds it to the system for the most part though).
You can set the feature to the following values:
Two additional policies are available to customize the feature:
You may use the PowerShell to enable and configure Controlled Folder Access.
To change the status of the feature, run the command: Set-MpPreference -EnableControlledFolderAccess Enabled
This enables Controlled Folder Access using PowerShell. You can set the status to enabled, disabled, or AuditMode.
To add folders to the list of protected folders, run the command: Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
This adds the selected folder to the list of protected folders.
To whitelist an application, run the following command: Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be whitelisted, including the path>"
This adds the selected program to the list of allowed processes so that it won't be blocked by the security feature when it tries to access folders that are protected by it.
Windows creates events when settings change, and in the audit and blocked modes when events fire.
The following events are displayed by the custom view:
If you like our content, and would like to help, please consider making a contribution: