How to Configure Controlled Folder Access to Stop “Unauthorized changes blocked” Notifications

Windows 10 Fall Creators Update adds a beneficial security feature named Controlled folder access, which is part of the Windows Defender Exploit Guard. You may have noticed the Unauthorized changes blocked notifications. Windows Defender’s Controlled folder access feature is the one behind those notifications. Controlled folder access helps you protect valuable data from malicious programs, such as ransomware.

This article explains how to configure CFA and prevent Unauthorized changes blocked notifications when running a program.

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10/11, allowing you to manage and reduce the attack surface of apps installed on the computer.

What is Controlled folder access in Windows

Controlled folder access is an anti-ransomware feature in Windows that helps protect your documents, files and memory areas on your computer from modification by suspicious or malicious apps (especially ransomware). Controlled folder access is supported on Windows Server 2019 as well as Windows 10/11.

Sometimes Controlled folder access blocks legitimate apps from writing to protected folders (such as the Desktop and Documents folders) and shows the notification Unauthorized changes blocked. You can configure Controlled folder access to allow specific applications, as well as add custom folders to the list of “protected” folders.

It is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.

How to Use Controlled folder access?

Prerequisite: Microsoft Defender Antivirus real-time protection must be enabled for the Controlled folder access feature to work.

Enabling Controlled folder access

To enable Controlled folder access, use these steps:

  1. Double-click the Defender shield icon in the notification area to open the Windows Defender Security Center.
  2. Click Virus & threat protection
  3. Click Virus & threat protection settings

  4. Enable the “Controlled folder access” setting. A UAC dialog will appear asking for your confirmation/consent.

From now on, Controlled folder access monitors the changes that apps make to files in the protected folders.

Enable protection for additional folder locations

By default, these folders are protected, and there is no way to remove protection for these folders:

User shell folders: Documents, Pictures, Videos, Music, Favorites, and Desktop
Public shell folders: Documents, Pictures, Videos, and Desktop

However, some users may prefer not to store their files in the personal shell folders or libraries; they may keep their documents on a network share or in other locations. In that case, you can bring additional folder locations under Windows Defender protection by clicking the Protected folders link in Windows Defender Security Center, and then clicking the Add a protected folder button. You can also enter network shares and mapped drives.

Add (whitelist) apps for Controlled folder access

Windows Defender Controlled folder access will block write access (by “unfriendly” apps) to files in protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt.

Just as you can complement the protected folders with additional folder paths, you can also add (whitelist) the apps that you want to allow access to those folders.

Notepad++ blocked

In my case, Controlled folder access was blocking the 3rd party text editor program Notepad++ from saving to the desktop.

D:\Tools\NPP\notepad++.exe has been blocked from modifying %desktopdirectory%\ by Controlled Folder Access.

And an event log entry (Event ID: 1123) is generated for the blocked event.

It will be listed under Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational

Controlled folder access – Event log entry

Event ID    Description
5007        Event when settings are changed
1124        Audited Controlled folder access event
1123        Blocked Controlled folder access event
1127        Blocked “changes to the memory” event?

There is no official info regarding CFA Event ID: 1127. It could be related to blocked “making changes to memory” events. I found an interesting entry in my system.

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          
Event ID:      1127
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      DESKTOP-JKJ4G5Q
Description:
Controlled Folder Access blocked C:\Program Files\JAM Software\TreeSize\TreeSize.exe from making changes to memory.
 	Detection time: 2019-04-21T17:17:09.462Z
 	User: DESKTOP-JKJ4G5Q\ramesh
 	Path: \Device\HarddiskVolume2
 	Process Name: C:\Program Files\JAM Software\TreeSize\TreeSize.exe
 	Signature Version: 1.291.2409.0
 	Engine Version: 1.1.15800.1
 	Product Version: 4.18.1903.4

To get the list of the last 25 blocked apps, open a Command Prompt window and run this command-line:

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /q:"*[System[(EventID=1123)]]" /c:25 /f:text /rd:true | findstr /i /c:"process name:"
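The same query can be turned into a per-application summary that shows, for each blocked executable, how often it was blocked or audited, whether the file is Authenticode-signed, and whether it is already on the allow list. This is an added example, not code from the original article or from the Reddit script mentioned later; the function name Get-CfaBlockedApp, the sample records and the path C:\Example\capture.exe are constructed for illustration.

```powershell
# Added example: summarise Controlled folder access events per executable.
function Get-CfaBlockedApp {
    param(
        # Records with Id, TimeCreated and Message, as returned by Get-WinEvent.
        [Parameter(Mandatory, ValueFromPipeline)] $Record
    )
    begin {
        $apps = @{}
        $allowed = @()   # current allow list; stays empty without the Defender cmdlets
        if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
            $allowed = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
        }
    }
    process {
        # The event text names the executable on its "Process Name:" line.
        if ($Record.Message -match '(?im)^\s*Process Name:\s*(.+?)\s*$') {
            $path = $Matches[1]
            if (-not $apps.ContainsKey($path)) {
                # Only inspect the signature when the file is still present on disk.
                $sig = if (Test-Path -LiteralPath $path -PathType Leaf) { Get-AuthenticodeSignature -LiteralPath $path }
                $apps[$path] = [pscustomobject]@{
                    Path           = $path
                    Blocked        = 0    # Event ID 1123
                    Audited        = 0    # Event ID 1124
                    LastSeen       = $Record.TimeCreated   # Get-WinEvent lists newest first
                    Signature      = if ($sig) { "$($sig.Status)" } else { 'FileNotFound' }
                    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                    AlreadyAllowed = $allowed -contains $path
                }
            }
            if ($Record.Id -eq 1123) { $apps[$path].Blocked++ }
            if ($Record.Id -eq 1124) { $apps[$path].Audited++ }
        }
    }
    end { $apps.Values | Sort-Object Blocked -Descending }
}

# Constructed sample records (not real log data) so the function can be tried offline.
$rows = (1123, 'D:\Tools\NPP\notepad++.exe'), (1123, 'D:\Tools\NPP\notepad++.exe'),
        (1124, 'C:\Example\capture.exe')
$sample = foreach ($r in $rows) {
    [pscustomobject]@{ Id = $r[0]; TimeCreated = [datetime]'2019-04-21T17:17:09Z'
        Message = "Controlled Folder Access event (constructed).`n`tProcess Name: $($r[1])" }
}
$sample | Get-CfaBlockedApp | Format-Table -AutoSize

# On the affected PC, feed it the live log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } -MaxEvents 25 | Get-CfaBlockedApp
```

An entry whose Signature is not Valid, or whose path sits in a user-writable location, deserves a closer look before it is allowed.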

Also, see the PowerShell script at the end of this article to list items in a listview grid window and whitelist selected items in a single click.

Here is the list of Unauthorized changes blocked notifications, as seen in the Action Center.

Action Center notification on blocked apps

I allowed the app right away, as Notepad++ is a widely used and trusted program. To allow an app, click Allow an app through Controlled folder access option in Windows Defender Security Center. Then, locate and add the app you want to allow.

Controlled folder access — Allowing an app

Allow recently blocked apps

Controlled folder access also lets you allow apps that were recently blocked. To see the list of apps that are blocked, click on the Add an allowed app button, and click Recently blocked apps.

You’ll get the list of apps that were recently blocked. From the list, you can select an app and add it to the allow list. To do so, click on the + glyph icon or button near the app entry.

Here, I’ve whitelisted the PowerShell.exe process, as an example.

Make sure you allow only the apps you trust. Allowing PowerShell.exe should be done with extreme caution, as crypto-malware may silently execute a PowerShell command or script on a vulnerable computer.

Manage Controlled folder access Using PowerShell

PowerShell’s Set-MpPreference cmdlet supports many parameters so that you can apply every Windows Defender setting through script. For the full list of parameters supported by this cmdlet, check out this Microsoft page.

Enable Controlled folder access using PowerShell

Start powershell.exe as administrator. To do so, type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.

Enter the following cmdlet:

Set-MpPreference -EnableControlledFolderAccess Enabled

To disable, use this command:

Set-MpPreference -EnableControlledFolderAccess Disabled

Protect additional folders using PowerShell

Add-MpPreference -ControlledFolderAccessProtectedFolders "c:\apps"

Allow a specific app (Notepad++) using PowerShell

Add-MpPreference -ControlledFolderAccessAllowedApplications "d:\tools\npp\notepad++.exe"

Allow all blocked apps to Controlled folder access (interactively) using PowerShell

Redditor /u/gschizas has come up with a neat little PowerShell script which parses the event log (entries with ID: 1123 which is the “Blocked Controlled folder access” event) to gather the list of apps blocked by Windows Defender’s Controlled folder access. The script then offers to whitelist all or selected programs from the listing.

How to use the script?

In an enterprise environment, Controlled folder access can be managed using:

  1. Windows Defender Security Center app
  2. Group Policy
  3. PowerShell

Troubleshooting: Controlled folder access option missing, grayed out or inaccessible

When you try to open the Controlled folder access page via Start, you may see this error message:

Page not available
Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT helpdesk for more information.

You may be wondering if the above error is caused by some group policy restrictions in effect on your computer. It may not necessarily be true.

The error occurs if you’re using a third-party antivirus solution on your computer, which would have turned off the built-in Windows Defender. As stated earlier, the Controlled folder access feature fully relies on Windows Defender real-time protection. If Windows Defender is turned off, Controlled folder access wouldn’t work. Hence the page remains inaccessible or grayed out, depending upon the build of Windows 10/11 you’re using.

In my case, the error occurred after I installed Malwarebytes Premium. It had replaced Windows Defender.

Note: If you’re a Malwarebytes premium user, you can still enable and use Windows Defender alongside Malwarebytes premium.

To do so, open Malwarebytes Premium → Settings → Security → Disable Always register Malwarebytes in the Windows Security Center.

This option ensures that Malwarebytes Premium doesn’t turn off Microsoft Defender Antivirus. It can run alongside Defender so that the Controlled folder access feature would work as well. After turning off the setting, the Malwarebytes program status wouldn’t appear in the Windows Security Center.

Enable or disable Controlled folder access using desktop shortcuts

In some situations, you may need to temporarily disable Controlled Folder Access to allow programs to write to protected folders, without having to whitelist each program. For example, you may have whitelisted the ShareX program, but screen captures may still not work because the video capture and processing tool FFMpeg.exe is not whitelisted in Controlled Folder Access. And you may not want to allow the external program permanently.

For this purpose, you can create two desktop shortcuts to disable/enable Controlled Folder Access quickly.

  1. Right-click on the desktop, click New, and then click Shortcut.
  2. In the “Type the location of the item” text box, type the following command:
    powershell.exe -command "& {Set-MpPreference -EnableControlledFolderAccess Enabled}"

  3. Name the shortcut “Enable Controlled Folder Access”.

    Quick Tip: In the shortcut Properties tab, you may configure it to run minimized if you don’t want to see the PowerShell window when the command is executed. Of course, PowerShell.exe needs to be whitelisted in order for these shortcuts to work. PowerShell’s executable path is C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe if you’re going to whitelist it.
  4. Similarly, create another shortcut with the following target:
    powershell.exe -command "& {Set-MpPreference -EnableControlledFolderAccess Disabled}"

    Name it as “Disable Controlled Folder Access”, and optionally, change the shortcut icon for both the items as desired.

Run as Administrator

The shortcut/command has to be run elevated (as administrator). So, right-click each shortcut and click Properties. Click Advanced, enable the “Run as Administrator” checkbox, and click OK, OK.

Repeat the step for the other shortcut.
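With two separate shortcuts it is easy to forget the second one and leave protection off. As an added example (not part of the original article), the script below runs a single program with Controlled folder access disabled and restores the previous setting when that program exits, even on error. The parameter names $Program and $ProgramArgs are hypothetical; save the script under any name and run it from an elevated PowerShell window.

```powershell
#Requires -RunAsAdministrator
# Added example: run one program with Controlled folder access switched off,
# then put the previous setting back even if the program fails to start.
param(
    [Parameter(Mandatory)] [string] $Program,   # tool that must write to a protected folder
    [string[]] $ProgramArgs = @()
)

# Get-MpPreference reports the state as a number; Set-MpPreference takes a name.
$names    = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$previous = [int](Get-MpPreference).EnableControlledFolderAccess
# Assumption: a state that is not in the table is restored as Enabled (the safe side).
$restore  = if ($names.ContainsKey($previous)) { $names[$previous] } else { 'Enabled' }

try {
    Set-MpPreference -EnableControlledFolderAccess Disabled
    # Start-Process rejects an empty -ArgumentList, so add it only when needed.
    $start = @{ FilePath = $Program; Wait = $true }
    if ($ProgramArgs.Count -gt 0) { $start.ArgumentList = $ProgramArgs }
    Start-Process @start
}
finally {
    # Runs on success, on error and on Ctrl+C.
    Set-MpPreference -EnableControlledFolderAccess $restore
    $now = [int](Get-MpPreference).EnableControlledFolderAccess
    Write-Host "Controlled folder access is now: $($names[$now]) (was: $($names[$previous]))"
}
```

Protection is off for every process on the machine while the wrapped program runs, so keep that window as short as possible.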

Closing words

Microsoft Defender Antivirus is getting a new security feature in almost every Windows 10 build. To name a few: Windows Defender Offline scanner, Limited Periodic Scanning, “Block at first sight” cloud protection and automatic sample submission, adware or PUA/PUP protection capability, and Application Guard.

And now Controlled folder access introduced in the Fall Creators Update is yet another valuable feature to guard the system against threats, such as ransomware.
