How Does Ransomware Protection Work?

What is controlled folder access?

Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware, by restricting access to specific folders. It protects your data by checking apps against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, and it can be enabled through the Windows Security app, Microsoft Endpoint Configuration Manager, or Intune (for managed devices), among other tools.


Scripting engines should not be trusted, and you should not grant them access to controlled protected folders in your network. For example, controlled folder access does not trust PowerShell, even if you allow it with certificate and file indicators.

Controlled folder access is most effective when used in conjunction with Microsoft Defender for Endpoint, which provides extensive reporting on controlled folder access events and blocks as part of the standard alert investigation scenarios.


Unlike other folder access blocks, controlled folder access blocks do not produce alerts in the Alerts queue. Although you cannot see information about controlled folder access blocks in the device timeline view, you can see information about them when you use advanced hunting or custom detection rules.

How does controlled folder access work?

Controlled folder access works by allowing only trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and other types of files, are included in the list of controlled folders.

Access to protected folders is limited to apps that are on a trusted apps list. Apps that are included in the list of trusted software work as expected. Apps that are not on the list cannot modify files in protected folders, and this includes text editors.

Apps are added to the list based on their popularity and reputation. Apps that are widely used throughout your organisation and that have never shown any behaviour that may be seen as malicious are regarded as trustworthy. Those apps are automatically added to the list.

Apps can also be added to the trusted list manually by using Configuration Manager or Intune. Several additional actions can be carried out through the Microsoft 365 Defender portal.

Why controlled folder access is important

Controlled folder access is especially useful for protecting your documents and information from ransomware because it lets you restrict access to specific folders. In a ransomware attack, your files may be encrypted and held hostage. When controlled folder access is enabled, a notification appears on the computer whenever an app attempts to make changes to a file in a protected folder. You can customise the notification with your company details and contact information. Individual rules can also be enabled or disabled to customise which techniques the feature monitors.

Additional folders can be added to the list of protected folders, which includes common system directories (including boot sectors). You can also grant apps permission to access the protected folders if you want to do so.

You can use audit mode to evaluate the impact that controlled folder access would have on your organisation if it were enabled. To verify that the feature is working and to learn more about how it works, you can also visit the Windows Defender Test Ground website at

Controlled folder access is supported on computers running the following versions of Windows:

  • Windows 11
  • Windows Server 2019
  • Windows Server 2022

Windows system folders are protected by default

By default, the Windows system directories are password-protected.
Windows system folders, as well as several other folders, are secured by default. These are the folders that are protected by default:


  • c:\Users\<username>\Documents
  • c:\Users\Public\Documents
  • c:\Users\<username>\Pictures
  • c:\Users\Public\Pictures
  • c:\Users\Public\Videos
  • c:\Users\<username>\Videos
  • c:\Users\<username>\Music
  • c:\Users\Public\Music
  • c:\Users\<username>\

Favorite Things to Remember

The Windows system folders that are by default protected cannot be removed, but you can enable other folders to be secured in this way if you like.

Review controlled folder access events in the Microsoft 365 Defender portal

Controlled folder access requires real-time protection to be enabled in Microsoft Defender Antivirus.

In the Microsoft 365 Defender portal, you can review the events related to controlled folder access.
Defender for Endpoint provides detailed reporting on events and blocks as part of its alert investigation scenarios in the Microsoft 365 Defender portal. (See Microsoft Defender for Endpoint in Microsoft 365 Defender for more information.)

Using advanced hunting, you can query Microsoft Defender for Endpoint data and retrieve the results. If you are running in audit mode, you can use advanced hunting to explore how controlled folder access settings would affect your environment if they were enabled.

As an illustration, consider the following query, which returns the audited and blocked controlled folder access events:

    DeviceEvents
    | where ActionType in ('ControlledFolderAccessViolationAudited', 'ControlledFolderAccessViolationBlocked')

Review controlled folder access events in Windows Event Viewer

The following events are created when controlled folder access blocks (or audits) an application, and they can be found in the Windows event log. To view them:

  • Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device.
  • Type event viewer into the Start menu to open the Windows Event Viewer.
  • Select Import custom view from the Actions drop-down menu on the left-hand panel…
  • Select the cfa-events.xml file from the location where it was extracted. Alternatively, you can copy the XML itself.
  • Click the OK button.

The events related to controlled folder access are:

  • Event ID 5007: an event logged when a setting is modified.
  • A blocked controlled folder access event.

View or change the list of protected folders

You can use the Windows Security app to see the list of folders that are protected by controlled folder access.

  • Open the Windows Security app from the Start menu of your Windows 10 or Windows 11 device.
  • Choose Virus and threat protection from the drop-down menu.
  • Select Manage ransomware protection from the Ransomware protection drop-down menu.
  • If controlled folder access is turned off, you will need to turn it on. Then select Protected folders.
  • Do one of the following:
      • To add a folder, select + Add a protected folder from the drop-down menu.
      • To remove a folder, select it and then select Remove from the drop-down menu.
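
The audit-mode rollout, the protected-folder and trusted-app changes, and the event review described on this page can also be scripted from an elevated PowerShell session. The following is an added example, not part of the original page: the two paths are hypothetical, and event IDs 1123 (blocked) and 1124 (audited) and the event field names 'Process Name' and 'Path' are assumptions that this page does not list.

```powershell
# Added example: stage controlled folder access (CFA) in audit mode and review the result.
# $ExtraFolder and $TrustedApp are hypothetical paths; replace them with your own.
$ExtraFolder = 'D:\Finance'
$TrustedApp  = 'C:\Program Files\Contoso\LedgerSync.exe'

# CFA depends on Microsoft Defender Antivirus real-time protection.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Real-time protection is off; controlled folder access will not work.'
}

# Audit mode first: violations are logged, nothing is blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# Report the resulting configuration. Get-MpPreference returns the mode as a number.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref = Get-MpPreference
$mode = [int]$pref.EnableControlledFolderAccess
[pscustomobject]@{
    Mode             = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { $mode }
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Summarise CFA events from the Defender operational log.
# 5007 = setting changed (from this page); 1123 = blocked, 1124 = audited (assumed IDs).
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 5007
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id      = $_.Id
            Process = $data['Process Name']   # assumed field name
            Path    = $data['Path']           # assumed field name
        }
    } |
    Group-Object Id, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Processes that appear repeatedly under the audited event while the device is in audit mode are the ones to review for the trusted apps list before switching the mode to Enabled.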