From 6db34b9d0ee4f57cb73709a001bb666a9043b373 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 Jan 2020 12:30:13 +0500 Subject: [PATCH 1/4] Details updation Updated the note and details to reflect the correct information Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5867 --- .../microsoft-defender-atp/enable-controlled-folders.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 40cbdce038..1d64f68ed0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -101,11 +101,13 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. + * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png) > [!IMPORTANT] -> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu. ## PowerShell From c15ddfcac2e27a4f9367aff01357646de01faae4 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 Jan 2020 16:46:08 +0500 Subject: [PATCH 2/4] Update windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-controlled-folders.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 1d64f68ed0..5874f3b38e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -104,7 +104,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png) + ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png) > [!IMPORTANT] > To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu. From 76d875391e2e243a0e9071897fa2586b3cc4a371 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 28 Jan 2020 05:45:34 +0500 Subject: [PATCH 3/4] Update windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/enable-controlled-folders.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 5874f3b38e..b112db0822 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -101,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. + * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png) From a30b298dc381238f74efbf932975bf183aef240d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 28 Jan 2020 05:45:56 +0500 Subject: [PATCH 4/4] Update windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/enable-controlled-folders.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index b112db0822..b4ab6ff563 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -102,7 +102,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. - * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded. ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png)