What is controlled folder access?
Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware, by restricting access to specific folders. It works by validating programmes against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10 and Windows 11 clients, and it can be enabled through the Windows Security app, Microsoft Endpoint Configuration Manager or Intune (for managed devices), among other tools.
Scripting engines are not trusted, and you should not grant them access to protected folders. For example, controlled folder access does not trust PowerShell, even if you allow it with certificate and file indicators.
Controlled folder access is most effective when used together with Microsoft Defender for Endpoint, which provides detailed reporting on controlled folder access events and blocks as part of the usual alert investigation scenarios.
Controlled folder access blocks do not generate alerts in the Alerts queue. Although information about these blocks is not shown in the device timeline view, you can see it by using advanced hunting or custom detection rules.
How does controlled folder access work?
Controlled folder access works by allowing only trusted apps to access the protected folders. When controlled folder access is enabled, the protected folders must be defined in the configuration. Typically, commonly used folders, such as those used for documents, pictures, downloads and other file types, are included in the list of controlled folders.
Only apps on the trusted apps list can access protected folders. Apps that are on the list work as intended. Apps that are not on the list are prevented from making changes to files inside protected folders, and this includes text editors.
Apps are added to the list based on their prevalence and reputation. Apps that are widely used throughout your organisation and that have never shown any behaviour that could be considered malicious are regarded as trustworthy, and those apps are added to the list automatically.
Apps can also be added to the trusted list manually by using Configuration Manager or Intune. Other actions can be carried out from the Microsoft 365 Defender portal.
Why controlled folder access is important
Controlled folder access is especially useful for protecting your documents and information from ransomware, because it lets you restrict access to specific folders. In a ransomware attack, your files can be encrypted and held hostage. With controlled folder access enabled, a notification appears on the computer whenever a programme attempts to make changes to a file in a protected folder. You can customise the notification with details about your company and contact information. You can also enable or disable individual rules to control which specific tactics the feature checks for.
You can add further folders to the list of protected folders, which by default includes common system folders (including boot sectors). You can also allow apps to access the protected folders.
You can use audit mode to evaluate the impact that controlled folder access would have on your organisation if it were turned on for everyone. To verify that the feature is working and to learn more about how it works, you can also visit the Windows Defender Test Ground website at demo.wd.microsoft.com.
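The following PowerShell script is an added example, not part of the original article or Microsoft's documentation. It turns controlled folder access on in audit mode, registers one protected folder and one allowed application with the Defender cmdlets, and reads the configuration back; the folder and application paths are constructed placeholders, and the real-time protection check reflects the requirement noted later on this page.

```powershell
# Added example (not from the original article): roll out controlled folder access in
# audit mode, register a protected folder and an allowed app, then confirm the result.
# Run in an elevated session on Windows 10/11 or Server 2019/2022 with Microsoft Defender
# Antivirus active. Both paths below are constructed placeholders.
#Requires -RunAsAdministrator

$ProtectedFolder = 'C:\Finance\Ledgers'                      # constructed example path
$AllowedApp      = 'C:\Program Files\Contoso\LedgerApp.exe'  # constructed example path

# Controlled folder access depends on real-time protection; stop early if it is off.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is disabled; enable it before using controlled folder access.'
}

# Make sure the folder exists so the protection applies to something real.
New-Item -ItemType Directory -Path $ProtectedFolder -Force | Out-Null

# Audit mode records what would have been blocked (event ID 1124 in the Defender
# operational log) without blocking anything, which is how impact is measured
# before switching the setting to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

# Read the effective configuration back and check that each setting took effect.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 0=Disabled 1=Enabled 2=AuditMode
    FolderRegistered = $pref.ControlledFolderAccessProtectedFolders -contains $ProtectedFolder
    AppAllowed       = $pref.ControlledFolderAccessAllowedApplications -contains $AllowedApp
} | Format-List
```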
Controlled folder access is available on computers running the following versions of Windows:
- Windows 10, version 1709 and later
- Windows 11
- Windows Server 2019 and Windows Server 2022
Windows system folders are protected by default. These default protected folders cannot be removed, but you can add other folders to be protected in the same way.
Controlled folder access requirements
Controlled folder access requires real-time protection to be enabled for Microsoft Defender Antivirus.
Review controlled folder access events in the Microsoft 365 Defender portal
You can review events related to controlled folder access in the Microsoft 365 Defender portal.
Defender for Endpoint provides detailed reporting on events and blocks as part of alert investigation scenarios in the Microsoft 365 Defender portal. (See Microsoft Defender for Endpoint in Microsoft 365 Defender for more information.)
With advanced hunting, you can query Microsoft Defender for Endpoint data and retrieve the results. You can use advanced hunting to explore how controlled folder access settings would affect your environment if they were enabled, while the feature is running in audit mode.
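For devices that are not onboarded to Defender for Endpoint, or to check a single machine during the audit period, the same impact assessment can be done from the local Defender operational log. The script below is an added example, not from the original article or from Microsoft; it summarises the audited and blocked events by process so the frequent, legitimate apps can be identified as candidates for the allowed-applications list before enforcement is turned on. The look-back window is an assumption, and because the names of the event data fields vary between Defender versions, the script captures all of them rather than assuming specific names.

```powershell
# Added example (not from the original article): summarise controlled folder access
# events from the local Defender operational log to see which apps a rollout would affect.
# Event IDs: 1124 = audited (audit mode), 1123 = blocked, 1128/1127 = audited/blocked
# writes to disk sectors. Run elevated. Event data field names differ by Defender version,
# so every EventData field is flattened into the output rather than assumed.

$EventIds  = 1123, 1124, 1127, 1128
$KindNames = @{ 1123 = 'Blocked'; 1124 = 'Audited'; 1127 = 'SectorBlocked'; 1128 = 'SectorAudited' }
$Since     = (Get-Date).AddDays(-7)   # assumed one-week window; match it to the audit period

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $EventIds
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No controlled folder access events in the selected window.'
    return
}

$rows = @(foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{
        Time = $e.TimeCreated
        Kind = $KindNames[$e.Id]
    }
    # Flatten every <Data Name="..."> element so nothing is lost regardless of schema.
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
})

# Group by the process field: frequent audited processes are candidates for the
# allowed-applications list; anything unexpected deserves a look before enforcing.
$processField = $rows[0].PSObject.Properties.Name |
    Where-Object { $_ -match 'Process' } | Select-Object -First 1
if ($processField) {
    $rows | Group-Object -Property Kind, $processField |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
} else {
    $rows | Format-Table -AutoSize
}
```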