Windows 10 Fall Creators Update adds a beneficial security feature named Controlled folder access, which is part of the Windows Defender Exploit Guard. Controlled folder access helps you protect valuable data from malicious programs, such as ransomware.
Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps installed on the computer.
- How to Use Controlled folder access
- Enabling Controlled folder access
- Enable protection for additional folder locations
- Add (whitelist) apps for Controlled folder access
- Manage Controlled folder access Using PowerShell
Prerequisite: Windows Defender AV real-time protection must be enabled for the Controlled folder access feature to work.
To enable Controlled folder access, use these steps:
- Double-click the Defender shield icon in the notification area to open the Windows Defender Security Center.
- Click Virus & threat protection
- Click Virus & threat protection settings
- Enable the “Controlled folder access” setting. A UAC dialog pops up asking for your confirmation/consent.
From now on, Controlled folder access monitors the changes that apps make to files in the protected folders.
By default, these folders are protected, and there is no way to remove protection for these folders:
- User shell folders: Documents, Pictures, Videos, Music, Favorites, and Desktop
- Public shell folders: Documents, Pictures, Videos, and Desktop
However, some users may prefer not to store their files in the personal shell folders or libraries; they may keep their documents on a network share or in other locations. In that case, you can bring additional folder locations under Windows Defender protection by clicking the Protected folders link in Windows Defender Security Center and then clicking the Add a protected folder button. You can also enter network shares and mapped drives.
Windows Defender Controlled folder access will block write access (by “unfriendly” apps) to files in protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt.
Just as you can complement the protected folders with additional folder paths, you can also add (whitelist) the apps that you want to allow access to those folders.
In my case, Controlled folder access was blocking the 3rd party text editor program Notepad++ from saving to the desktop.
And an event log entry (Event ID: 1123) is generated for the blocked event.

| Event ID | Description |
|---|---|
| 5007 | Event when settings are changed |
| 1124 | Audited Controlled folder access event |
| 1123 | Blocked Controlled folder access event |
Here is the list of similar notifications, as seen in the Action Center.
As Notepad++ is a widely used and trusted program, I right away whitelisted the app.
To allow an app, click the Allow an app through Controlled folder access option in Windows Defender Security Center. Then, locate and add the app you want to allow.
The Set-MpPreference cmdlet supports many parameters, so you can apply every Windows Defender setting through a script. For the full list of parameters supported by this cmdlet, check out this Microsoft page.
Start powershell.exe as administrator. To do so, type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
Enter the following cmdlet:
Set-MpPreference -EnableControlledFolderAccess Enabled
To disable, use this command:
Set-MpPreference -EnableControlledFolderAccess Disabled
To protect an additional folder, use this command:
Add-MpPreference -ControlledFolderAccessProtectedFolders "c:\apps"
Allow a specific app (Notepad++) using PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "d:\tools\npp\notepad++.exe"
Redditor /u/gschizas has come up with a neat little PowerShell script which parses the event log (entries with ID: 1123, which is the “Blocked Controlled folder access” event) to gather the list of apps blocked by Windows Defender’s Controlled folder access. The script then offers to whitelist all or selected programs from the listing.
How to use the script?
- Open PowerShell as administrator.
- Visit the gschizas GitHub page
- Select all the lines of code and copy to clipboard.
- Switch to the PowerShell window and paste the contents there, and press ENTER
- Select the apps you want to whitelist and click OK. To multi-select programs, press the Ctrl button and click on the corresponding entry.
- Click OK.
The list of blocked apps is shown, as recorded in the event log.
This allows the apps through Controlled folder access en masse.
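The review step that should precede any bulk allowlisting, as an added example (not gschizas's script and not code from the original page): it summarizes events 1123 and 1124 per executable, shows each binary's Authenticode status, and allows only the rows you select. The function name Get-CfaEvent, the 7-day window and the EventData field names 'Process Name' and 'Path' are assumptions.

```powershell
# Added example. Assumption: events 1123/1124 expose 'Process Name' and 'Path'
# as named EventData fields in the Windows Defender operational log.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

function Get-CfaEvent {
    param([int[]]$Id = @(1123, 1124), [int]$Days = 7)
    $filter = @{ LogName = $logName; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named <Data> elements of the event XML into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

# One row per executable: hit count, touched paths, Authenticode status.
$summary = Get-CfaEvent | Where-Object Process | Group-Object Process | ForEach-Object {
    $sig = $null
    if (Test-Path -LiteralPath $_.Name) { $sig = Get-AuthenticodeSignature -LiteralPath $_.Name }
    [pscustomobject]@{
        Process   = $_.Name
        Count     = $_.Count
        Targets   = ($_.Group.Target | Sort-Object -Unique) -join '; '
        Signature = if ($sig) { "$($sig.Status)" } else { 'NotFound' }
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$summary | Sort-Object Count -Descending | Format-List

# Allowlist only the rows picked in the grid; nothing is added without a selection.
$summary | Out-GridView -PassThru -Title 'Select apps to allow' | ForEach-Object {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $_.Process
}

# Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

An unsigned binary, or one running from a user-writable path such as a Downloads or Temp folder, is worth a closer look before it is allowed to write to protected folders.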
In an enterprise environment, Controlled folder access can be managed using:
- Windows Defender Security Center app
- Group Policy
- PowerShell
Windows Defender is getting a new security feature in almost every Windows 10 build. To name a few: Windows Defender Offline scanner, Limited Periodic Scanning, “Block at first sight” cloud protection and automatic sample submission, adware or PUA/PUP protection, and Application Guard. Controlled folder access, introduced in the Fall Creators Update, is yet another valuable feature to guard the system against threats such as ransomware.
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.