---
title: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Protect important folders with Controlled Folder Access

**Applies to:**

- Windows 10 Insider Preview, build 16232 and later

**Audience**

- Enterprise security administrators

**Manageability available with**

- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard.
This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):

- Protect additional folders
- Allow specific apps to make changes to controlled folders

## Protect additional folders
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to Controlled Folder Access can be useful, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
### Use the Windows Defender Security app to protect additional folders

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label.
3. Under the **Controlled folder access** section, click **Protected folders**.
4. Click **Add a protected folder** and follow the prompts to add folders.
### Use Group Policy to protect additional folders

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
2. In the Group Policy Management Editor go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
5. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
> **Important**
> Environment variables and wildcards are not supported.
### Use PowerShell to protect additional folders
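The following is an added example, not part of the original page or of any Microsoft documentation: it uses the Windows Defender Antivirus cmdlets `Add-MpPreference`, `Remove-MpPreference` and `Get-MpPreference` (real cmdlets; the `-ControlledFolderAccessProtectedFolders` parameter is the one that manages this list) to add folders to the protected list, and screens each entry first for the two things the page says are unsupported, environment variables and wildcards. The helper functions `Test-CfaFolderPath` and `Add-CfaProtectedFolder` are this example's own names, and the folder paths are constructed sample values. Run it in an elevated PowerShell session on a machine with Windows Defender Antivirus.

```powershell
# Added example (not from the original page): add folders to the Controlled
# Folder Access protected list with the Defender PowerShell cmdlets, after
# screening the input for the two things the page says are unsupported
# (environment variables and wildcards). Requires an elevated session.
# The folder names at the bottom are constructed sample values.

function Test-CfaFolderPath {
    param([Parameter(Mandatory)][string]$Path)

    # Environment variables (%USERPROFILE%, $env:...) are not expanded by the feature.
    if ($Path -match '%|\$env:') {
        Write-Warning "Skipping '$Path': environment variables are not supported."
        return $false
    }
    # Wildcards are not supported either; each entry must be a literal folder.
    if ($Path -match '[\*\?]') {
        Write-Warning "Skipping '$Path': wildcards are not supported."
        return $false
    }
    # The entry should be an existing directory: local path, mapped drive, or UNC share.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Skipping '$Path': folder does not exist or is not reachable."
        return $false
    }
    return $true
}

function Add-CfaProtectedFolder {
    param([Parameter(Mandatory)][string[]]$Folder)

    $valid = @($Folder | Where-Object { Test-CfaFolderPath -Path $_ })
    if ($valid.Count -eq 0) {
        Write-Warning 'No valid folders to add.'
        return
    }

    # Add-MpPreference appends to the existing list; it does not replace it,
    # and the default folders remain protected regardless.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $valid

    # Read the effective list back so the change can be confirmed.
    (Get-MpPreference).ControlledFolderAccessProtectedFolders
}

# Constructed sample input: two local folders, one mapped drive, one UNC share,
# plus two entries that the checks above should reject.
$sample = @(
    'D:\Finance\Ledgers',
    'D:\Engineering\Designs',
    'Z:\SharedDocs',
    '\\fileserver\dept\projects',
    '%USERPROFILE%\Work',   # rejected: environment variable
    'D:\Data\*'             # rejected: wildcard
)

Add-CfaProtectedFolder -Folder $sample

# Removal is symmetric, for example when a share is decommissioned:
# Remove-MpPreference -ControlledFolderAccessProtectedFolders 'Z:\SharedDocs'
```

Because `Add-MpPreference` appends rather than replaces, running the script twice is harmless; reading the list back with `Get-MpPreference` is the quickest way to confirm what a machine is actually protecting.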
### Use MDM CSPs or Intune to protect additional folders

### Use System Center Configuration Manager to protect additional folders
## Allow specific apps to make changes to controlled folders

You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you find that a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
### Use the Windows Defender Security app to whitelist specific apps

1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for Defender.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label.
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**.
4. Click **Add an allowed app** and follow the prompts to add apps.
### Use Group Policy to whitelist specific apps

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
2. In the Group Policy Management Editor go to **Computer configuration**.
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
5. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
### Use PowerShell to whitelist specific apps
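The following is an added example, not part of the original page or of Microsoft's own documentation. It shows the defender-side workflow for this section: first list which processes Controlled Folder Access has actually blocked recently (block events are written to the `Microsoft-Windows-Windows Defender/Operational` log with event ID 1123; 1124 is the audit-mode equivalent), then allow only a specific, trusted app with `Add-MpPreference -ControlledFolderAccessAllowedApplications` (a real cmdlet and parameter). The functions `Get-CfaBlockEvent` and `Add-CfaAllowedApp` are this example's own names, the app path is a constructed sample value, and the requirement that an entry be an existing file given by a full literal path is a policy this example imposes, not a documented requirement of the feature. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): review recent Controlled Folder
# Access block events, then allow a specific trusted app through the feature.
# Requires an elevated session with Windows Defender Antivirus.

function Get-CfaBlockEvent {
    param([int]$Hours = 24)

    # Event ID 1123 = blocked; 1124 = audit-mode "would have blocked".
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ Time = $_.TimeCreated }
        # Copy every EventData field as-is, so the blocked process and the target
        # folder appear under whatever names the event uses; no schema is assumed.
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

function Add-CfaAllowedApp {
    param([Parameter(Mandatory)][string[]]$App)

    foreach ($a in $App) {
        # This example insists on a literal, fully qualified path to an existing
        # file so that the entry is unambiguous (the example's own policy, not a
        # documented requirement). Wildcards and environment variables are
        # rejected here for the same reason.
        if ($a -match '[\*\?%]' -or -not [System.IO.Path]::IsPathRooted($a)) {
            Write-Warning "Skipping '$a': use a literal, fully qualified path."
            continue
        }
        if (-not (Test-Path -LiteralPath $a -PathType Leaf)) {
            Write-Warning "Skipping '$a': file not found."
            continue
        }
        # Add-MpPreference appends to the existing allowed-application list.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $a
    }

    # Read the effective list back so the change can be confirmed.
    (Get-MpPreference).ControlledFolderAccessAllowedApplications
}

# 1. See which processes were actually blocked in the last day before allowing anything.
Get-CfaBlockEvent -Hours 24 | Format-Table -AutoSize

# 2. Allow one trusted line-of-business app (constructed sample path).
Add-CfaAllowedApp -App 'C:\Program Files\Contoso\LedgerSync\LedgerSync.exe'

# Removal, when the app is retired or the allowance turns out to be unnecessary:
# Remove-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerSync\LedgerSync.exe'
```

Checking the block events first keeps the allowed list short: every entry on it is an app that may write to every protected folder, so adding only apps that are demonstrably being blocked, and removing them again when they are retired, limits the exposure the list creates.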
### Use MDM CSPs or Intune to whitelist specific apps

`./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders`