Server Ransomware Protection

What is controlled folder access?

Controlled folder access works by allowing only trusted apps to access protected folders. When controlled folder access is set up, you can specify which folders are protected. Frequently used folders, such as those for files, photos, and downloads, are commonly included among the controlled folders.

Controlled folder access relies on a list of trusted apps. Apps on the trusted list work as expected. Apps not on the list cannot make any changes to files in protected folders.

Apps are added to this list based on their popularity and reputation. Apps that are widely used in your company and have not displayed any malicious behavior are considered trustworthy. These apps are automatically added to the list.

You can manually add apps to the trusted list using Intune or Configuration Manager. You can also perform additional actions like adding a file indicator to an app from the Security Center Console.

Controlled folder access is crucial

Controlled folder access helps protect your files and information from ransomware. In a ransomware attack, files can be encrypted and held hostage. A notification is displayed on the computer if an app attempts to modify a file within a protected folder. You can personalize the notification by adding your company details or contact information. You can also set the rules to customize which techniques the feature monitors.

The protected folders include common system folders, including boot sectors. You can add additional folders. You can also allow apps, which gives them access to the protected folders.

Audit mode can be used to assess the impact of controlled folder access on your organization. You can also visit the Windows Defender Test ground website to confirm the feature is working and see how it works.

Check out the Microsoft 365 Defender portal to see controlled folder access events

Defender for Endpoint offers detailed reporting on events and blocks in its alert investigation scenarios through the Microsoft 365 Defender portal. (See Microsoft Defender for Endpoint in Microsoft 365 Defender.)

You can query Microsoft Defender data using advanced hunting. In audit mode, you can use advanced hunting to determine how controlled folder access settings might affect your environment.

Windows Event Viewer allows you to view controlled folder access events

To see the events created by controlled folder access blocks or audits, you can check the Windows Event Log.

  1. Download the Evaluation Pack. Extract the .xml file to a location that is easily accessible.
  2. To open the Windows Event Viewer, type Event Viewer into the Start menu.
  3. In the left panel, click Actions. Select Import custom views…
  4. Navigate to the cfa_events.xml location and click on it. Copy the XML.
  5. Select OK.
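
The same events can also be pulled from the log with PowerShell and grouped per app, which is useful in audit mode when deciding which apps need to be allowed. This is an added example, not part of the original page. It assumes event IDs 1123 (blocked) and 1124 (audited) in the Windows Defender operational log and the EventData field names `Process Name` and `Path`; the function names and the sample events are constructed for illustration.

```powershell
# Added example: summarise controlled folder access events per app.
# Assumptions: IDs 1123 (blocked) and 1124 (audited); EventData fields 'Process Name' and 'Path'.
# Check both against a real event on your own system before relying on the output.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$CfaIds  = @{ 1123 = 'Blocked'; 1124 = 'Audited' }

function ConvertTo-CfaRecord {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Collect the named <Data> elements into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $id = [int]$EventXml.GetElementsByTagName('EventID')[0].InnerText
    [pscustomobject]@{
        Time    = [datetime]$EventXml.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
        Action  = $CfaIds[$id]
        Process = $data['Process Name']
        Path    = $data['Path']
    }
}

function Get-CfaSummary {
    param([object[]]$Records)
    # One row per app and action, with the distinct files it touched.
    $Records | Group-Object Process, Action | ForEach-Object {
        [pscustomobject]@{
            Process = $_.Group[0].Process
            Action  = $_.Group[0].Action
            Count   = $_.Count
            Paths   = ($_.Group.Path | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Count -Descending
}

# Hypothetical helper that builds a constructed sample event (only the fields used above).
function New-SampleEvent($Id, $Proc, $Path) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='2024-01-15T09:12:44Z'/></System><EventData>" +
    "<Data Name='Process Name'>$Proc</Data><Data Name='Path'>$Path</Data></EventData></Event>"
}

# Read the live log; fall back to constructed samples when no events are available.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1123, 1124 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() }
if (-not $events) {
    Write-Host 'No live events found; using constructed sample events.'
    $events = @(
        (New-SampleEvent 1124 'C:\Tools\backup-agent.exe' 'C:\Users\alice\Documents\report.docx'),
        (New-SampleEvent 1124 'C:\Tools\backup-agent.exe' 'C:\Users\alice\Pictures\scan.png'),
        (New-SampleEvent 1123 'C:\Temp\unknown.exe' 'C:\Users\alice\Documents\budget.xlsx'))
}
Get-CfaSummary ($events | ForEach-Object { ConvertTo-CfaRecord $_ }) | Format-Table -AutoSize
```

Apps that appear only with audited events and are known to the organization are candidates for the trusted list; unknown apps with blocked events are worth investigating first.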

Below is a table that shows events that relate to controlled folder access.