Fight Ransomware

Windows 10 Defender Ransomware Protection

What is controlled folder access?

Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware, by restricting access to specific folders. It does this by checking any program that tries to write to a protected folder against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, and it can be enabled through the Windows Security app, Microsoft Endpoint Configuration Manager, or Intune (for managed devices), among other tools.

Note

Scripting engines are not trusted, and you cannot grant them access to protected folders. For example, controlled folder access does not trust PowerShell, even if you allow it with certificate and file indicators.

Controlled folder access is most effective when used together with Microsoft Defender for Endpoint, which provides detailed reporting on controlled folder access events and blocks as part of the usual alert investigation scenarios.

Tip

Controlled folder access blocks do not generate alerts in the Alerts queue. Although you cannot see information about controlled folder access blocks in the device timeline view, you can see it by using advanced hunting or custom detection rules.

How does controlled folder access work?
Controlled folder access works by allowing only trusted apps to access protected folders. The protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and other file types, are included in the list of controlled folders.

Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders; this includes text editors.

Apps are added to the list based on their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.

Apps can also be added to the trusted list manually by using Configuration Manager or Intune. Additional actions can be performed from the Microsoft 365 Defender portal.

Why is controlled folder access important?

Controlled folder access is especially useful in helping to protect your documents and information from ransomware, because it restricts which programs can write to specific folders. In a ransomware attack, your files can be encrypted and held hostage. With controlled folder access enabled, a notification appears on the computer whenever an app attempts to make changes to a file in a protected folder. You can customize the notification with your company details and contact information. You can also enable or disable individual rules to control which techniques the feature monitors.

You can add additional folders to the list of protected folders, which already includes common system folders (including boot sectors). You can also allow specific apps to access the protected folders.

You can use audit mode to evaluate how controlled folder access would affect your organization if it were enabled. To confirm that the feature is working and to see how it behaves, you can also visit the Windows Defender Testground website at demo.wd.microsoft.com.

Note

The Defender for Endpoint demo site at demo.wd.microsoft.com is no longer recommended and will be retired shortly.

Controlled folder access is available on computers running the following versions of Windows:

  • Windows 10, version 1709 and later
  • Windows 11
  • Windows Server 2019 and Windows Server 2022

Windows system folders, along with several common user folders, are protected by default. You can add additional folders to the list of protected folders, and you can allow specific apps to access the protected folders. The following Windows folders are protected by default:

Favorites (the default user folders appear in the user's profile, under This PC)

Windows system folders are protected by default.

Note

The Windows system folders that are protected by default cannot be removed from the list, but you can add other folders so that they are protected in the same way.

Requirements for controlled folder access
Controlled folder access requires that real-time protection is enabled in Microsoft Defender Antivirus.
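As an added example (not code from the original article), the following elevated PowerShell session checks the real-time protection requirement, then stages controlled folder access in audit mode with an extra protected folder and an explicitly trusted app; the folder and app paths are placeholders, and the audit-mode event ID mentioned in the comments is Defender's own (1124), not something stated on this page.

```powershell
# Added example: requires an elevated PowerShell session on Windows 10/11 or
# Windows Server 2019/2022 with Microsoft Defender Antivirus active.
# Paths below are placeholders; substitute your own.

# Controlled folder access does nothing unless real-time protection is on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is disabled; enable it before turning on controlled folder access.'
}

# Start in audit mode: Defender logs what it would have blocked (event ID 1124)
# without interrupting any app, so you can tune the lists before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an additional folder beyond the defaults (the defaults cannot be removed).
$extraFolder = 'D:\FinanceShare'                      # placeholder path
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder

# Trust a line-of-business app that is not yet known by prevalence or reputation.
# Scripting engines (powershell.exe, wscript.exe, ...) stay untrusted even if listed here.
$lobApp = 'C:\Program Files\Contoso\LobApp.exe'      # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications $lobApp

# Read the configuration back and translate the numeric mode for review.
$pref = Get-MpPreference
$modeName = switch ($pref.EnableControlledFolderAccess) {
    0 { 'Disabled' }
    1 { 'Enabled' }
    2 { 'AuditMode' }
    3 { 'BlockDiskModificationOnly' }
    4 { 'AuditDiskModificationOnly' }
    default { "Unknown ($_)" }
}
[pscustomobject]@{
    Mode             = $modeName
    ProtectedFolders = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApps      = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
}
```

Once the audit events show no legitimate apps being flagged, switch the mode to Enabled with the same Set-MpPreference cmdlet.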

Review controlled folder access events in the Microsoft 365 Defender portal
Defender for Endpoint provides detailed reporting on events and blocks as part of its alert investigation scenarios in the Microsoft 365 Defender portal; for more information, see Microsoft Defender for Endpoint in Microsoft 365 Defender.

You can use advanced hunting to query Microsoft Defender for Endpoint data. If controlled folder access is running in audit mode, advanced hunting lets you see how the settings would affect your environment if they were enforced.

For example, consider the following query:

Kusto Query Language (KQL)

    DeviceEvents
    | where ActionType in ('ControlledFolderAccessViolationAudited', 'ControlledFolderAccessViolationBlocked')
Review controlled folder access events in Windows Event Viewer
When controlled folder access blocks (or audits) an app, events are written to the Windows event log. To view them with a ready-made custom view:

1. Download the Evaluation Package and extract the file cfa-events.xml to a location on the device that is easy to access.
2. Type event viewer in the Start menu to open Windows Event Viewer.
3. On the left panel, under Actions, select Import custom view...
4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.
5. Select OK.
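As an added example (not part of the original article), the same events can be pulled directly from the Defender operational log with PowerShell and summarized per process, which is handy when reviewing audit-mode results across many machines. The log name and event IDs (1123 blocked, 1124 audited, 5007 setting changed) are Defender's own, not stated on this page; the EventData field names are assumed from the 1123/1124 event template and should be confirmed against one event's XML on your build.

```powershell
# Added example: summarize controlled folder access events from the local
# Defender log. Event IDs 1123 (blocked) and 1124 (audited) carry the process
# and target path; 5007 records Defender configuration changes.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 1123, 1124
    StartTime = $since
} -ErrorAction SilentlyContinue

# Parse each event's XML; field names assumed from the CFA event template.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Outcome = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $data['Process Name']
        Target  = $data['Path']
        User    = $data['User']
    }
}

# Most frequent processes first. In audit mode, a legitimate business app here
# is a candidate for the allowed-applications list; an unfamiliar binary writing
# to user document folders is a lead for incident response.
$rows | Group-Object Outcome, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Configuration changes are worth alerting on: controlled folder access being
# switched off or a folder removed should be rare and always explainable.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Controlled Folder Access' } |
    Select-Object TimeCreated, Message | Format-List
```

Pipe $rows to Export-Csv to collect results from several machines into one review sheet before moving from audit mode to enforcement.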