Starting with Windows 10 build 16232, Controlled Folder Access was introduced into Windows Defender Antivirus.
Controlled Folder Access helps you protect valuable data from malicious applications and threats, such as ransomware. It is part of Windows Defender Exploit Guard.
Controlled Folder Access in Windows Defender Security Center examines applications that can make changes to files in protected folders. Occasionally, an application that is safe to use will be determined to be harmful. This happens because Microsoft wants to keep you safe and sometimes makes the mistake of being too cautious. However, this may affect how you use your PC normally. You can add an application to the list of safe or allowed applications to prevent them from being blocked.
You can add additional folders to the list of protected folders, but you cannot change the default list, including folders like Documents, Pictures, Movies, and Desktop . Adding other folders to Controlled Folder Access can be helpful, for example if you don’t store files in the default Windows library or you have changed the library’s location from the default.
This guide will show you how to enable or disable the Controlled Folder Access feature of Windows Defender Exploit Guard in Windows 10.
- Theory – What is Ransomware?
Fight Ransomware with Controlled Folder Access Windows 10
Open Windows Security and click the Virus & threat protection icon.
Click the Manage ransomware protection link in the Ransomware protection section .
Enable or disable (default) Controlled Folder Access , depending on what you want.
Then you will find two more options – Protected folders and Allow an app through Controlled folder access . Click “Protected folders” to manage protected folders now. You may not be able to remove any folders from the list, but you can certainly add more folders by clicking the Add a protected folder button.
If you have Controlled folder access enabled and on a directory, if any unauthorized application or process tries to access or change its content, that attempt will be stopped and an Unauthorized changes blocked message will be blocked. is displayed in the bottom right corner of the screen.
Click Yes when prompted for approval by UAC.
When done, you can close Windows Defender Security Center if you want.
The only reason ransomware was created was because malware writers considered it an easy way to make money. Vulnerabilities like unpatched software, outdated operating systems, or people’s ignorance will benefit malicious actors and criminals. Hence, taking precautionary steps to protect yourself against ransomware attacks is the best way to go.
While Windows Defender provides this protection, you can use some anti-ransomware for free instead. While there are several ransomware decryption tools out there, you should take the ransomware attack seriously. Not only is it jeopardizing your data, it can also violate your privacy to the point of damaging your reputation.
See also: 6 notable security features on the Windows 10 Fall Creators Update
Another way to enable Controlled Folder Access
In addition to the above, there are 2 other ways to enable Controlled Folder Access. The easiest way is to run the PowerShell command.
Set-MpPreference -EnableControlledFolderAccess Enabled
To turn it off, just run the same command, but replace it with “Disabled”.
Alternatively, system administrators in large organizations can use the Group Policy Management Console to enable this feature for users across the network.
- Step 1: On the Group Policy management machine , open the Group Policy Management Console, right-click the Group Policy Object you want to select and click Edit.
- Step 2: At Group Policy Management Editor, select Computer Configuration.
- Step 3: Click Policies > Administrative Templates.
- Step 4: Expand Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access.
Management for the whole system via Group Policy Management Console
- Step 5: Double-click Configure Controlled folder acces and select Enabled.
Group Policy can be used to select accessed applications and protected folders for each computer in the domain.
Select folders and applications for computers in the system
When any unauthenticated software tries to edit files in these folders, users will receive a warning in the Windows Notification bar . Windows Defender also records in event history.
Warning when software tries to access protected folders
Note that for Controlled Folder Access to work, real-time protection must be enabled in Windows Defender.
Test using Controlled Folder Access to stop ransomware
In testing with Asasin Locky, x1881 CryptoMix, Comrade HiddenTear, and Wyvern BTCWare malware variants, Controlled Folder Access did a good job of blocking these ransomware from encrypting files in protected folders. The other folders are still encrypted as usual.
The unprotected folder is still encrypted by the ransomware
As a side effect, when executable files of whitelisted folders attempt to edit files in the protected folder, Controlled Folder Access will block this and do not display a message.