Configure Controlled Folder Access in Windows 10

Controlled Folder Access is a new feature introduced in the Fall Creators Update for Windows 10 that is part of Windows Defender Exploit Guard.
The security feature protects files from being accessed by malicious code running on the Windows machine, and Microsoft advertises it specifically as a protection mechanism against ransomware.
The main idea behind Controlled Folder Access is to protect certain folders and the files they contain from unauthorized access. Think of it as a layer of protection against manipulation of files that are stored in protected folders.
The feature requires Windows Defender Antivirus and that real-time protection is enabled as well. Attack Surface Reduction, another security feature which I reviewed yesterday, has the same requirements.
The feature was introduced in Windows 10 version 1709, the Fall Creators Update, and is not part of older versions of Microsoft's operating system.
System administrators and users can manage Controlled Folder Access in several ways: through Group Policy, PowerShell, and the Windows Defender Security Center application.
Controlled Folder Access
Microsoft describes the security functionality of Controlled Folder Access in the following way:
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
This means that the functionality relies on Windows Defender to detect a process as malicious. If Windows Defender scans don't flag the process as malicious or suspicious, access to files and folders protected by Controlled Folder Access is granted.
This is different from other anti-ransomware tools like Hitman Pro Kickstart, Bitdefender Anti-Ransomware, or WinPatrolWar, which are usually more pro-active when it comes to protecting important files and folders.
Windows Defender Security Center application
Windows 10 users may enable and manage Controlled Folder Access using the Windows Defender Security Center application.
- Use Windows-I to open the Settings application.
- Select Update & Security > Windows Security
- Select Virus & threat protection when the Windows Security page opens.
- When Windows Security opens in a new window, select "manage settings" under Virus & threat protection settings.
- Make sure that real-time protection is enabled.
- Go back to the Windows Security Main page.
- Scroll down to the Ransomware Protection section and select Manage ransomware protection.
- Toggle "Controlled folder access" on the page to enable the feature.
- Accept the UAC prompt to make the change.
When you switch the security feature to on, two links are added underneath it.
Protected Folders
The list of folders that are protected by Controlled Folder Access is displayed when you click on the link. Windows Defender protects some folders automatically; these are:
- User: Documents, Pictures, Videos, Music, Desktop, Favorites
- Public: Documents, Pictures, Videos, Music, Desktop
You cannot remove these default folders, but you can add custom folder locations so that the added folders are protected by the security feature as well.
Click on "add a protected folder" to select a local folder and have it added to the protected folders listing.
Allow an app through controlled folder access
This option lets you whitelist applications so that these programs may interact with protected files and folders. Whitelisting is mostly useful for situations where applications are flagged incorrectly by Windows Defender (false positives).
Simply click on the "add an allowed app" option on the page, and select an executable file from the local system, so that it is allowed to access the protected files and folders.
Group Policy Configuration
You can manage the Controlled Folder Access feature using policies.
Note: Group Policy is part of professional editions of Windows 10 only. Home users don't have access to it (the free program Policy Plus adds it to the system for the most part though).
- Tap on the Windows-key, type gpedit.msc, and select the item that is returned by Windows' built in search.
- Go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.
- Select the "Configure Controlled folder access" policy with a double-click.
- Set the policy to enabled.
You can set the feature to the following values:
- Disable (Default) -- Same as not configured. Controlled Folder Access is not active.
- Enable -- Controlled Folder Access is active and protects folders and the files they contain.
- Audit Mode -- Events created by the feature are written to the Windows event log, but access is not blocked.
Two additional policies are available to customize the feature:
- Configure allowed applications -- Enable this policy to add programs to the whitelist.
- Configure protected folders -- Enable this policy to add custom folders that you want the security feature to include in its protection.
PowerShell commands
You may use PowerShell to enable and configure Controlled Folder Access.
- Tap on the Windows-key, type PowerShell, hold down the Ctrl-key and the Shift-key, and select the PowerShell search result. This opens an elevated PowerShell command prompt.
To change the status of the feature, run the command: Set-MpPreference -EnableControlledFolderAccess Enabled
This enables Controlled Folder Access using PowerShell. You can set the status to enabled, disabled, or AuditMode.
To add folders to the list of protected folders, run the command: Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
This adds the selected folder to the list of protected folders.
To whitelist an application, run the following command: Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be whitelisted, including the path>"
This adds the selected program to the list of allowed processes so that it won't be blocked by the security feature when it tries to access folders that are protected by it.
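The three commands above combined into an audit-first rollout, as an added example that is not part of the original article. The folder and application paths are placeholders; Get-MpComputerStatus and Get-MpPreference are used to check the real-time protection requirement and to read the settings back.

```powershell
#Requires -RunAsAdministrator
# Added example: audit-first rollout of Controlled Folder Access.
# $Folder and $App are placeholder paths (assumptions); replace them.
$Folder = 'D:\Projects'
$App    = 'C:\Program Files\ExampleBackup\backup.exe'

# The feature requires Windows Defender real-time protection.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is off; enable it before configuring Controlled Folder Access.'
}

# Start in audit mode: events are written to the log, access is not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Only add paths that exist, so typos do not end up in the lists.
if (Test-Path -LiteralPath $Folder -PathType Container) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
} else {
    Write-Warning "Folder not found, skipped: $Folder"
}

if (Test-Path -LiteralPath $App -PathType Leaf) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $App
} else {
    Write-Warning "Application not found, skipped: $App"
}

# Read the settings back. Get-MpPreference reports the mode as a number.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref  = Get-MpPreference
[pscustomobject]@{
    Mode             = $modes[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List
```

Once the audit events list only applications you expect, run Set-MpPreference -EnableControlledFolderAccess Enabled to switch from logging to blocking.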
Controlled Folder Access events
Windows creates events when settings change, and when the feature fires in audit or block mode.
- Download the Exploit Guard Evaluation Package from Microsoft, and extract it to the local system.
- Tap on the Windows-key, type Event Viewer, and select the Windows Event Viewer in the search results.
- Select Action > Import custom view when the Event Viewer window opens.
- Select the extracted file cfa-events.xml to add it as a custom view.
- Click ok on the next screen.
The following events are displayed by the custom view:
- Event 1123 -- blocked events.
- Event 1124 -- audit mode events.
- Event 5007 -- setting changes events.
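The same three event IDs can be read from PowerShell without importing the custom view. This is an added example, not part of the original article; it assumes the events are in the Windows Defender operational log (the log name is not given on the page) and looks back seven days.

```powershell
# Added example: list Controlled Folder Access events from the last 7 days.
$labels = @{ 1123 = 'Blocked'; 1124 = 'Audited'; 5007 = 'Setting changed' }

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 5007
    StartTime = (Get-Date).AddDays(-7)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No Controlled Folder Access events in the selected period.'
    return
}

# Summary: how many events of each type were logged.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id    = [int]$_.Name
        Type  = $labels[[int]$_.Name]
        Count = $_.Count
    }
} | Sort-Object Id | Format-Table -AutoSize

# Detail: the most recent blocked (1123) and audited (1124) events.
# The message text names the process and the protected path involved.
$events |
    Where-Object { $_.Id -in 1123, 1124 } |
    Select-Object -First 20 TimeCreated, Id,
        @{ Name = 'Type'; Expression = { $labels[[int]$_.Id] } }, Message |
    Format-List

# Note: event 5007 is written for any Windows Defender setting change,
# not only changes to Controlled Folder Access.
```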

