How to Configure and Use Controlled Folder Access in Windows 10

Windows 10 Fall Creators Update adds a beneficial security feature named Controlled folder access, which is part of the Windows Defender Exploit Guard. Controlled folder access helps you protect valuable data from malicious programs, such as ransomware.

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps installed on the computer.

Contents

How to Use Controlled folder access

Prerequisite: Windows Defender AV real-time protection must be enabled for the Controlled folder access feature to work.

Enabling Controlled folder access

To enable Controlled folder access, use these steps:

  1. Double-click the Defender shield icon in the notification area to open the Windows Defender Security Center.
  2. Click Virus & threat protection
  3. Click Virus & threat protection settings
  4. Enabling Controlled folder access - Windows Defender
    Enabling Windows Defender Controlled folder access
  5. Enable the “Controlled folder access” setting. UAC dialog will pop up now for getting your confirmation/consent.

From now on, Controlled folder access monitors the changes that apps make to files in the protected folders.

Enable protection for additional folder locations

By default, these folders are protected, and there is no way to remove protection for these folders:

User shell folders: Documents, Pictures, Videos, Music, Favorites, and Desktop
Public shell folders: Documents, Pictures, Videos, and Desktop
controlled folder access protected folders
Controlled folder access — Protected folders

However, some users may not prefer storing their files in the personal shell folders or libraries; they may have their documents in a network share or other location(s). In that case, you can bring additional folder locations under Windows Defender protection, by clicking Protected folders link in Windows Defender Security Center, and clicking Add a protected folder button. You can also enter network shares and mapped drives.

Add (whitelist) apps for Controlled folder access

Windows Defender Controlled folder access will block write access ( by “unfriendly” apps) to files in protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt.

Just as you can complement the protected folders with additional folder paths, you can also add (whitelist) the apps that you want to allow access to those folders.

Notepad++ blocked

In my case, Controlled folder access was blocking the 3rd party text editor program Notepad++ from saving to the desktop.

D:\Tools\NPP\notepad++.exe has been blocked from modifying %desktopdirectory%\ by Controlled Folder Access.

And an event log entry (Event ID: 1123) is generated for the blocked event.

Windows DefenderControlled folder access event log
Controlled folder access –Event log entry
Event IDDescription
5007Event when settings are changed
1124Audited Controlled folder access event
1123Blocked Controlled folder access event

Here is the list of similar notifications, as seen in the Action Center.

controlled folder access - blocked apps
Action Center notification on blocked apps

As Notepad++ is a widely used and trusted program, I right away whitelisted the app.

To allow an app, click Allow an app through Controlled folder access option in Windows Defender Security Center. Then, locate and add the app you want to allow.

Controlled folder access -- Allowing an app
Controlled folder access — Allowing an app

Manage Controlled folder access Using PowerShell

PowerShell’s Set-MpPreference cmdlet supports many parameters so that you can apply every Windows Defender setting through script. For the full list of parameters supported by this cmdlet, check out this Microsoft page.

Enable Controlled folder access using PowerShell

Start powershell.exe as administrator. To do so, type powershell in the Start menu, right click Windows PowerShell and click Run as administrator.

Enter the following cmdlet:

Set-MpPreference -EnableControlledFolderAccess Enabled
controlled folder access powershell cmdlet
Manage controlled folder access using PowerShell cmdlet

To disable, use this command:

Set-MpPreference -EnableControlledFolderAccess Disabled

Protect additional folders using PowerShell

Add-MpPreference -ControlledFolderAccessProtectedFolders "c:\apps"

Allow a specific app (Notepad++) using PowerShell

Add-MpPreference -ControlledFolderAccessAllowedApplications "d:\tools\npp\notepad++.exe"

Allow all blocked apps to Controlled folder access (interactively) using PowerShell

Redditor /u/gschizas has come up with a neat little PowerShell script which parses the event log (entries with ID: 1123 which is the “Blocked Controlled folder access” event) to gather the list of apps blocked by Windows Defender’s Controlled folder access. The script then offers to whitelist all or selected programs from the listing.

How to use the script?

  • Open PowerShell as administrator.
  • Visit the gschizas GitHub page
  • Select all the lines of code and copy to clipboard.
  • Switch to the PowerShell window and paste the contents there, and press ENTER
  • allow all apps controlled folder apps using powershell script
    Allow all apps through Controlled folder apps –Powershell script

    The list of blocked apps are shown, as recorded in the event log.

    allow all apps controlled folder apps using powershell script
    Select the apps to whitelist
  • Select the apps you want to whitelist and click OK. To multi-select programs, press the Ctrl button and click on the corresponding entry.
  • Click OK.

This allows the apps through Controlled folder access en masse.

allow all apps controlled folder apps
Apps added to Controlled folder apps “Allow” list

In an enterprise environment, Controlled folder access can be managed using:

  • 1. Windows Defender Security Center app
  • 2. Group Policy
  • 3. PowerShell

Closing words

Windows Defender is getting a new security feature in almost every Windows 10 build. To name a few, Windows Defender Offline scanner, Limited Periodic Scanning, “Block at first sight” Cloud-protection and Automatic sample submission, and adware or PUA/PUP protection capability, and Application Guard. And now Controlled folder access introduced in the Fall Creators Update is yet another valuable feature to guard the system against threats, such as ransomware.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.

3 thoughts on “How to Configure and Use Controlled Folder Access in Windows 10

  1. I found the same thing. First, it blocked a third-party app, which is well-known. I scanned it; it was clean; I put it on the trusted app list. But then, within an hour, it blocked me from saving a Microsoft Word file. I turned Controlled Access Folder off. I am done with it for now. I run premium Malwarebytes for anti-ransomware protection.

  2. Tried it out but quickly turned it off. It was blocking explorer.exe and all Microsoft Office programs by default. You’d think Microsoft would know to whitelist their own programs. Guess not.

Leave a Comment

+1
Share2
Tweet
Share
Pin