---
title:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---

# Protect important folders with Controlled Folder Access

**Applies to:**

- Windows 10 Insider Preview, build 16232 and later

**Audience**

- Enterprise security administrators

**Manageability available with**

- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app

Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).

This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):

- [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)

## Protect additional folders

Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.

You can add additional folders to be protected, but you cannot remove the default folders in the default list.

Adding other folders to Controlled Folder Access can be useful, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults.

You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.

You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
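
The path restrictions above (no environment variables, no wildcards) can be checked before a folder is added from PowerShell. The following is an added example, not part of the original topic: `Add-CfaProtectedFolder` is a hypothetical helper name and the sample paths are constructed; it assumes the Defender module's `Get-MpPreference` and `Add-MpPreference` cmdlets with the `ControlledFolderAccessProtectedFolders` parameter, run from an elevated session.

```powershell
# Added example: check candidate folders against the documented restrictions
# before adding them to the additional protected folders list.
# Add-CfaProtectedFolder is a hypothetical helper name, not a built-in cmdlet.
function Add-CfaProtectedFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    begin {
        # Folders already in the additional protected list, used to skip duplicates
        $existing = @((Get-MpPreference).ControlledFolderAccessProtectedFolders)
    }
    process {
        foreach ($p in $Path) {
            $p = $p.Trim()
            if ($p -match '%[^%]+%|\$env:') {
                Write-Warning "Skipped '$p': environment variables are not supported."
                continue
            }
            if ($p -match '[*?]') {
                Write-Warning "Skipped '$p': wildcards are not supported."
                continue
            }
            if ($existing -contains $p) {
                Write-Verbose "'$p' is already in the protected folders list."
                continue
            }
            if (-not (Test-Path -LiteralPath $p -PathType Container)) {
                # Warn only: a share or mapped drive may not be visible to this session
                Write-Warning "'$p' is not reachable from this session; verify the path."
            }
            if ($PSCmdlet.ShouldProcess($p, 'Add to Controlled Folder Access protected folders')) {
                Add-MpPreference -ControlledFolderAccessProtectedFolders $p
            }
        }
    }
}

# Constructed sample input; -WhatIf previews the additions without changing settings
'D:\Finance', '%USERPROFILE%\Projects', 'E:\Shares\*', '\\fileserver\hr' |
    Add-CfaProtectedFolder -WhatIf
```
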
### Use the Windows Defender Security app to protect additional folders

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.

2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:

   ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)

3. Under the **Controlled folder access** section, click **Protected folders**.

4. Click **Add a protected folder** and follow the prompts to add folders.

   ![](images/cfa-prot-folders.png)

### Use Group Policy to protect additional folders

1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

2. In the **Group Policy Management Editor** go to **Computer configuration**.

3. Click **Policies** then **Administrative templates**.

4. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.

5. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?

> [!IMPORTANT]
> Environment variables and wildcards are not supported.

### Use PowerShell to protect additional folders

### Use MDM CSPs or Intune to protect additional folders

### Use System Center Configuration Manager to protect additional folders

## Allow specifc apps to make changes to controlled folders

You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you’re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.

You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.

### Use the Windows Defender Security app to whitelist specific apps

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.

2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:

   ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)

3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**.

4. Click **Add an allowed app** and follow the prompts to add apps.

   ![](images/cfa-allow-app.png)

### Use Group Policy to whitelist specific apps

1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

2. In the **Group Policy Management Editor** go to **Computer configuration**.

3. Click **Policies** then **Administrative templates**.

4. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.

5. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?

### Use PowerShell to whitelist specific apps

### Use MDM CSPs or Intune to whitelist specific apps

`./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders`

### Use System Center Configuration Manager to whitelist specific apps

## Related topics

- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)