Protect your data with Controlled folder access on Windows 10

Spread the love

On Windows 10, “Controlled folder access” is an intrusion-prevention feature available with Microsoft Defender Exploit Guard, which is part of the Microsoft Defender Antivirus. It’s been designed primarily to stop ransomware from encrypting and taking your data hostage, but it also protects files from unwanted changes from other malicious applications.

The anti-ransomware feature is optional on Windows 10. When enabled, it uses a mechanism to track the apps (executable files, scripts, and DLLs), trying to make changes to files in the protected folders. If the app is malicious or not recognized, the feature will block the attempt in real-time, and you’ll receive a notification of the suspicious activity.

Best VPN providers 2020: Learn about ExpressVPN, NordVPN & more

If you want an extra layer of security to safeguard your data, you can enable and customize Controlled folder access using the Windows Security app, Group Policy, and even PowerShell.

In this Windows 10 guide, we walk you through the steps to enable the Controlled folder access feature to prevent ransomware attacks on your device.

How to enable ransomware protection using Security Center

To enable Controlled folder access on Windows 10, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the “Ransomware protection” section, click the Manage ransomware protection option.

    Manage Ransomware Protection option

    Source: Windows Central

  5. Turn on the Controlled folder access toggle switch.

    Controlled folder access enable option

    Source: Windows Central

Once you complete the steps, Microsoft Defender Antivirus will start protecting your files and folders from unauthorized access by malicious programs like ransomware.

View block history

To view a list of blocked items by the anti-ransomware solution, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the “Ransomware protection” section, click the Manage ransomware protection option.

    Manage Ransomware Protection option

    Source: Windows Central

  5. Click the Block history option.

    Controlled folder access block history option

    Source: Windows Central

  6. Confirm the items that have been blocked.

    Controlled folder access block history

    Source: Windows Central

The page is the same page to view the protection history available through the main page of the Microsoft Defender Antivirus. However, accessing it from this area applies a filter to list only the history of “Controlled folder access.”

Add new location for protection

By default, the security feature protects the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. Although it’s not possible to modify the default list, if you have files in a different location, you can manually add other paths.

To add a new folder location for protection, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the “Ransomware protection” section, click the Manage ransomware protection option.

    Manage Ransomware Protection option

    Source: Windows Central

  5. Click the Protected folders option.

    Controlled folder access protected folders option

    Source: Windows Central

  6. Click the Add a protected folder button.

    Add a protected folder

    Source: Windows Central

  7. Select the new location.
  8. Click the Select Folder button.

After you complete the steps, the anti-ransomware feature will monitor and protect the new locations.

If the storage configuration changes and you need to remove a location, you can follow the same instructions, but on step No. 5, select the location and click the Remove button.

Whitelist apps with Controlled folder access

On Windows 10, Controlled folder access can detect the apps that can safely access your files, but in the case one of the apps you trust is blocked, you’ll need to allow the app manually.

To whitelist an app with Controlled folder access, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the “Ransomware protection” section, click the Manage ransomware protection option.

    Manage Ransomware Protection option

    Source: Windows Central

  5. Click the Allow an app through Controlled folder access option.

    Allow an app through Controlled folder access option

    Source: Windows Central

  6. Click the Add an allowed app button.
  7. Select the Recently blocked apps option to whitelist an app you trust has been flagged as malicious. Or click the Browse all apps option.

    Add an allowed app

    Source: Windows Central

  8. Select the app executable (for example, chrome.exe) you want to allow through this feature.
  9. Click the Open button.

Once you complete the steps, the app won’t be blocked by the feature, and it’ll be able to make changes to files.

How to enable ransomware protection using Group Policy

To enable Windows 10’s ransomware protection with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

    Quick note: If you’re still on Windows 10 version 1909 or earlier, the path is slightly different: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure Controlled folder access policy on the right side.

    Configure Controlled folder access policy

    Source: Windows Central

  5. Select the Enabled option.
  6. Under the “Options” section, use the drop-down menu and select the Block option.

    Controlled folder access enable gpedit option

    Source: Windows Central

  7. Click the Apply button.
  8. Click the OK button.

After you complete the steps, Controlled folder access will enable you to start monitoring and protecting your files stored in the default system folders.

The only caveat of using this method is that any future configuration will have to be made through Group Policy. If you open Windows Security, you’ll notice the “This setting is managed by your administrator” message, and the Controlled folder access option will appear grayed out.

You can revert the changes using the same instructions, but on step No. 5, select the Not Configured option.

Add new location for protection

If you must protect data located in a different location, you can use the “Configure protected folders” policy to add the new folder.

To include a new location for protection with Control folder access, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure protected folders policy on the right side.

    Configure Controlled Folder Access policy

    Source: Windows Central

  5. Select the Enabled option.
  6. Under the “Options” section, click the Show button.

    Controlled folder access enable protected folder

    Source: Windows Central

  7. Specify the locations you want to protect by entering the path of the folder in the “Value name” field and adding 0 in the “Value” field.

    This example adds the “MyData” folder in the “F” drive for protection:

    F:\MyData

    Controlled folder access add new folder gpedit

    Source: Windows Central

  8. Repeat step No. 7 to add more locations.
  9. Click the OK button.
  10. Click the Apply button.
  11. Click the OK button.

Once you complete the steps, the new folder will be added to the protection list of Controlled folder access.

To revert the changes, use the same instructions, but on step No. 5, select the Not Configured option.

Whitelist apps with Controlled folder access

To whitelist an app through the anti-ransomware feature on Windows 10, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure allowed applications policy on the right side.

    Configure allowed applications policy

    Source: Windows Central

  5. Select the Enabled option.
  6. Under the “Options” section, click the Show button.

    Configure allowed applications enable option

    Source: Windows Central

  7. Specify the location of the .exe file for the app (such as C:\path\to\app\app.exe) you want to allow in the “Value name” field and add 0 in the “Value” field.

    This example allows the Chrome app when Controlled folder access is enabled:

    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Allow app through Controlled folder access option

    Source: Windows Central

  8. Repeat step No. 7 to add more locations.
  9. Click the OK button.
  10. Click the Apply button.
  11. Click the OK button.

After you complete the steps, the app won’t be blocked, and it’ll be able to make changes to protected files and folders.

How to enable ransomware protection using PowerShell

Alternatively, you can also enable and configure Controlled folder access using PowerShell commands.

To enable Controlled folder access with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to enable the feature and press Enter:

    Set-MpPreference -EnableControlledFolderAccess Enabled

    Controlled folder access enable via PowerShell

    Source: Windows Central

  4. (Optional) Type the following command to disable the security feature and press Enter:

    Set-MpPreference -EnableControlledFolderAccess Disabled

Once you complete the steps, Controlled folder access will enable on your computer to protect files and folders from ransomware attacks.

Add new location for protection

To allow Controlled folder access to protect an additional folder, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to add a new location and press Enter:

    Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\add"

    In the command, make sure to change the path for the location and executable of the app you want to allow.

    For example, this command adds the “MyData” folder in the “F” drive to list of protected folders:

    Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\MyData"

    Controlled folder access add folder via PowerShell

    Source: Windows Central

  4. (Optional) Type the following command to remove a folder and press Enter:

    Disable-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\remove"

After you complete the steps, the anti-ransomware feature will protect the contents inside the new location.

Whitelist apps with Controlled folder access

To allow an app in Controlled folder access with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to allow an app and press Enter:

    Add-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

    In the command, make sure to change the path for the location and executable of the app you want to allow.

    For example, this command adds Chrome to the list of allowed apps:

    Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

    Controlled folder access whitelist app via PowerShell

    Source: Windows Central

  4. (Optional) Type the following command to remove an app and press Enter:

    Remove-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

Once you complete the steps, the app will be allowed to run and make changes to your files when the feature is available.

Controlled folder access is one of the intrusion-prevention features of the Microsoft Defender Exploit Guard, which is part of the Microsoft Defender Antivirus. This means that the security feature won’t be available if you use a third-party antivirus.

More Windows 10 resources

For more helpful articles, coverage, and answers to common questions about Windows 10, visit the following resources:

Leave a Reply