windows-itpro-docs/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
2018-04-29 20:13:42 -07:00

title: Turn on the protected folders feature in Windows 10
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled folder access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018

Enable Controlled folder access

Applies to:

  • Windows 10, version 1709 and later

Audience

  • Enterprise security administrators

Manageability available with

  • Windows Defender Security Center app
  • Group Policy
  • PowerShell
  • Configuration service providers for mobile device management

Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard.

This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). You can choose to block, audit, or allow attempts by untrusted apps to:

  • Change or delete files in protected folders like the Documents folder
  • Write to the disk

Enable and audit Controlled folder access

You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the computer or device.

For further details on how audit mode works, and when you might want to use it, see the audit Windows Defender Exploit Guard topic.

Note

The Controlled folder access feature will display the state in the Windows Defender Security Center app under Virus & threat protection settings. If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device. If the feature is set to Audit mode with any of those tools, the Windows Defender Security Center app will show the state as Off. See Use audit mode to evaluate Windows Defender Exploit Guard features for more details on how audit mode works.

Use the Windows Defender Security Center app to enable Controlled folder access

  1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.

  2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings label:

    Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center

  3. Set the switch for the feature to On.

    Screenshot of the CFA feature switched to On

Use Group Policy to enable Controlled folder access

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.

  3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.

  4. Double-click the Configure Controlled folder access setting and set the option to Enabled. In the options section you must specify one of the following:

    • Disable (Default) - The Controlled folder access feature won't work. All apps can make changes to files in protected folders, and no notifications will appear in the Windows event log.
    • Block - Malicious and suspicious apps won't be allowed to make changes to files in protected folders or write to disk. A notification will appear in the Windows event log with ID 1123.
    • Audit Mode - If a malicious or suspicious app attempts to make a change to a file in a protected folder or write to disk, the change will be allowed but will be recorded in the Windows event log with ID 1124. This allows you to assess the impact of this feature on your organization before deploying it.
    • Block disk modification only - Malicious and suspicious apps won't be allowed to write to disk. A notification will appear in the Windows event log with ID 1123.
    • Audit disk modification only - If a malicious or suspicious app attempts to write to disk, the change will be allowed but will be recorded in the Windows event log with ID 1124. This allows you to assess the impact of this feature on your organization before deploying it.

    Screenshot of group policy option with Enabled and then Enable selected in the drop down

Important

To fully enable the Controlled folder access feature, you must set the Group Policy option to Enabled and also select Block in the options drop-down menu.

Use PowerShell to enable Controlled folder access

  1. Type powershell in the Start menu, right-click Windows PowerShell, and click Run as administrator.

  2. Enter the following cmdlet:

    Set-MpPreference -EnableControlledFolderAccess Enabled
    

You can enable the feature in audit mode by specifying AuditMode instead of Enabled. To block disk writes only, specify BlockDiskModificationOnly. To audit disk writes only, specify AuditDiskModificationOnly.

Use Disabled to turn the feature off.
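
The following is an added example, not part of the original topic. It reads back the configured mode (useful because the Windows Defender Security Center app shows Off while the feature is in audit mode) and summarizes events 1123 and 1124 from the last seven days, so you can see which apps were blocked or would have been blocked. It reads the Microsoft-Windows-Windows Defender/Operational log; the event data field names Process Name and Path are assumptions, so check them against one event's XML on your build.

```powershell
# Added example: verify Controlled folder access state and summarize its events.
# Run in an elevated Windows PowerShell session.

# Get-MpPreference reports the setting as a number; map it to the
# value names accepted by Set-MpPreference -EnableControlledFolderAccess.
$modeNames = @{
    0 = 'Disabled'
    1 = 'Enabled'
    2 = 'AuditMode'
    3 = 'BlockDiskModificationOnly'
    4 = 'AuditDiskModificationOnly'
}
$mode = [int](Get-MpPreference).EnableControlledFolderAccess
"Controlled folder access mode: $($modeNames[$mode]) ($mode)"

# Event 1123 = change blocked, event 1124 = change allowed but audited.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Collect the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $name = $d.GetAttribute('Name')
        if ($name) { $data[$name] = $d.InnerText }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $data['Process Name']   # assumed field name
        Target  = $data['Path']           # assumed field name
    }
}

# Apps that appear most often are the candidates to review before
# switching from AuditMode to Enabled.
$rows | Group-Object Action, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```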

Use MDM CSPs to enable Controlled folder access

Use the ./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList configuration service provider (CSP) to allow apps to make changes to protected folders.