- Delegate permissions for domain join - Mon, Jun 5 2023
- Join Windows 11 to an Active Directory domain - Thu, Jun 1 2023
- Change Windows network profiles between public and private - Wed, May 24 2023
Controlled folder access, like SmartScreen, is a reputation-based method that assesses the threat posed by programs based on their frequency of occurrence, origin, or behavior.
Based on this, controlled folder access decides whether executable files (.exe, .scr, .dll, etc.) are allowed to write to the folders in the user profile. However, the number of false positives is surprisingly high. The ransomware protection not only blocks many harmless apps, but also on-board tools like PowerShell.
Users cannot change the blacklist created by the system, but they can expand the list of safe applications. However, this process is quite cumbersome, as sometimes you have to authenticate twice as an administrative user.
You can see which applications have been blocked by a corresponding toast notification and by the blocking history in the Windows Security app. The feature also creates an entry in the event viewer when an app is blocked.
By default popular applications like Notepad and PowerShell are blocked
Users can also expand the list of folders but not deselect the default protected directories. Controlled folder access not only accepts local drives; it can also watch network shares.
Evaluation in audit mode
It is recommended to start controlled folder access in audit mode first due to the many false positives, and to investigate its effects in practical operation over time.
As an administrator you can interactively switch controlled folder access on and off
If you configure the feature interactively via the settings app, then only the options On and Off are available (you need administrative rights for this). Therefore, to enable audit mode, you have to use PowerShell or Group Policy. The following command accomplishes this task in PowerShell:
Set-MpPreference -EnableControlledFolderAccess AuditMode
Enable blocking mode
Replacing AuditMode with Enabled will turn on the feature:
Set-MpPreference -EnableControlledFolderAccess Enabled
If you enable controlled folder access using group policies, you can also choose between these two modes.
The setting Configure Controlled folder access can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
Enable controlled folder access using Group Policy
Specify additional folders and apps
Group Policy provides two additional settings that can be used to expand the list of folders or applications to be protected or allowed: Configure protected folders and Configure allowed applications.
Defining allowed applications via a Group Policy
In PowerShell, the Set-MpPreference cmdlet is also capable of this, with the ControlledFolderAccessProtectedFolders (for additional folders) and ControlledFolderAccessAllowedApplications parameters for additional allowed applications. They require the path to the directories and applications, respectively:
Set-MpPreference -ControlledFolderAccessProtectedFolders "c:\temp"
The existence of the directory passed via this parameter is not checked.
Evaluation of the logs
After the introduction of this feature, Microsoft provided an Exploit Guard Evaluation Package, which contained tools for testing controlled folder access. This has since disappeared from Microsoft's website without a trace.
Among other things, the package included the export file of a custom log view that contained a filter for all controlled folder access events:
<ViewerConfig><QueryConfig> <QueryParams><UserQuery /></QueryParams> <QueryNode><Name>CFA-Events</Name><Description>Controlled Folder Access</Description> <QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"> <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select> <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select> </Query></QueryList> </QueryNode> </QueryConfig></ViewerConfig>
If you save the above code in a file named cfa-events.xml, then you can import it into the event viewer to evaluate the logs for controlled folder access.
Import a custom view for controlled folder access into the event viewer
Summary
Controlled folder access is another protection mechanism in the Defender arsenal designed to prevent ransomware from encrypting files.
If you activate the feature immediately in block mode, you will find that it prevents numerous harmless applications and even programs that are part of Windows from accessing the user's folders. Unblocking the affected apps then becomes unnecessarily cumbersome.
Subscribe to 4sysops newsletter!
In managed environments, the feature will first be run in audit mode, and legitimate programs will then be added to a central whitelist via group policies. PowerShell is available as an alternative management option.
