| title | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | localizationpriority | author | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|
| | | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | iaanw | iawilt |
Protect important folders with Controlled Folder Access
Applies to:
- Windows 10 Insider Preview, build 16232 and later
Audience
- Enterprise security administrators
Manageability available with
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, it will not be allowed to make changes to any files in any protected folder.
A notification will appear on the machine where the app attempted to make changes to a protected folder.
Controlled Folder Access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt.
The protected folders include common system folders, and you can add additional folders. You can also allow or whitelist apps to give them access to the protected folders.
Requirements
The following requirements must be met before Controlled Folder Access will work:
| Windows 10 version | Windows Defender Antivirus |
|---|---|
| Insider Preview build 16232 or later (dated July 1, 2017 or later) | Windows Defender AV real-time protection and cloud-delivered protection must be enabled |
Use the Windows Defender Security app to enable Controlled Folder Access:
- Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.
- Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label.
- Set the switch for the feature to On.
Use Group Policy to enable Controlled Folder Access:
- On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor go to Computer configuration.
- Click Policies then Administrative templates.
- Expand the tree to Windows components > Windows Defender Antivirus > Exploit Guard.
- Double-click the Configure controlled folder access setting and set the option to Enabled. In the options section you must specify one of the following:
  - Enable - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
  - Disable (Default) - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
  - Audit Mode - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.

Important
To fully enable the Controlled Folder Access feature, you must set the Group Policy option to Enabled and also select Enable in the options drop-down menu.
Protect additional folders
Adding other folders to Controlled Folder Access can be handy, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults.
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Click Protected folders in the Controlled Folder Access area and enter the full path of the folder you want to monitor.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
Use the Windows Defender Security app to protect additional folders:
- Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.
- Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label.
- Under the Controlled folder access section, click Protected folders.
- Click Add a protected folder and follow the prompts to add folders.
Use Group Policy to protect additional folders:
- On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor go to Computer configuration.
- Click Policies then Administrative templates.
- Expand the tree to Windows components > Windows Defender Antivirus > Exploit Guard.
- Double-click the Configure protected folders setting and set the option to Enabled. Click Show and enter each folder as Value? Or Value Name?
Important
Environment variables and wildcards are not supported.
Allow specific apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you’re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
Use the Windows Defender Security app to whitelist specific apps:
- Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.
- Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label.
- Under the Controlled folder access section, click Allow an app through Controlled folder access.
- Click Add an allowed app and follow the prompts to add apps.
Use Group Policy to whitelist specific apps:
- On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor go to Computer configuration.
- Click Policies then Administrative templates.
- Expand the tree to Windows components > Windows Defender Antivirus > Exploit Guard.
- Double-click the Configure allowed applications setting and set the option to Enabled. Click Show and enter each app as Value? Or Value Name? What are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
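The three Group Policy procedures above (enabling the feature, protecting additional folders, allowing apps) can also be driven from PowerShell with the Windows Defender Antivirus cmdlets. The following is an added example, not code from the original page; it assumes the Set-MpPreference, Add-MpPreference and Get-MpPreference cmdlets and their ControlledFolderAccess parameters are available on the build, and the folder and app paths in it are constructed placeholders.

```powershell
# Added example (not from the original page): PowerShell equivalent of the
# Group Policy steps. Run in an elevated PowerShell session on Windows 10
# Insider Preview build 16232 or later. Paths below are constructed placeholders.

# 1. Start in Audit Mode so attempted writes are logged (event ID 1124) but not
#    blocked. This surfaces trusted apps that would be blocked in Enabled mode.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders. Full paths only: environment variables and
#    wildcards are not supported, so expand %USERPROFILE% and the like yourself.
$extraFolders = @(
    'D:\Finance\Reports',            # constructed local path
    '\\fileserver\shares\Payroll'    # network shares are accepted
)
foreach ($folder in $extraFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
}

# 3. Allow a trusted app to write into protected folders. A full path to the
#    executable is used here (assumption: the page leaves the exact format open).
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\Contoso\Backup\backup.exe'   # constructed path

# 4. Verify the resulting configuration. EnableControlledFolderAccess is
#    reported as a number: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$prefs = Get-MpPreference
[pscustomobject]@{
    Mode             = $prefs.EnableControlledFolderAccess
    ProtectedFolders = ($prefs.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApps      = ($prefs.ControlledFolderAccessAllowedApplications -join '; ')
}

# 5. Once the audit events show no unexpected blocks, switch to blocking mode:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```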
Review event logs for Controlled Folder Access
| Component | Configuration available with | Event ID | Corresponds to… |
|---|---|---|---|
| Controlled Folder Access | GP, MDM & UI | Provider: Windows Defender | |
| | | 5007 | Event when settings are changed |
| | | 1124 | Event when CFA fires in Audit-mode |
| | | 1123 | Event when CFA fires in Block-mode |
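To review the three event IDs in the table from a script rather than Event Viewer, the following added example (not part of the original page) queries the Windows Defender operational log with Get-WinEvent. It assumes the "Windows Defender" provider writes to the Microsoft-Windows-Windows Defender/Operational channel and that the first line of each event message names the process and protected path involved.

```powershell
# Added example (not from the original page): list and summarise Controlled
# Folder Access events from the last 7 days. Run in an elevated PowerShell session.
$cfaEvents = @{
    5007 = 'Settings changed'
    1124 = 'CFA fired in Audit mode (write allowed, logged)'
    1123 = 'CFA fired in Block mode (write blocked)'
}

# Assumption: the "Windows Defender" provider logs to this operational channel.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = @($cfaEvents.Keys)
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Controlled Folder Access events in the last 7 days.'
    return
}

# One row per event: when it happened, what it means, and the first line of the
# message (which names the process and the protected path it tried to change).
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $cfaEvents[[int]$_.Id] } },
        @{ n = 'Detail';  e = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize

# Count per event ID. A run of 1124 (audit) events for one known app is the cue
# to add it to the allowed apps list before switching from Audit Mode to Enabled;
# 1124 or 1123 events for an unknown app are the cue to investigate that app.
$events |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```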
MDM policy settings for Controlled Folder Access
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
Audit/block modes
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
| Component | Description | Rule/mitigation | Rule/mitigation description |
|---|---|---|---|
| Controlled Folder Access | Automatically blocks access to content in protected folders. This can be enabled in audit/block mode. | Protected folders | Folders that are shielded by this component. |
| | | Allowed apps | Apps that are allowed to write into protected folders. |