Controlled folder access prevents suspicious programs from modifying or creating files in protected directories, such as Documents, Pictures, Favorites, or Desktop. The feature can be configured centrally via group policies, for example, to allow access to additional apps.

Controlled folder access, like SmartScreen, is a reputation-based method that assesses the threat posed by programs based on their frequency of occurrence, origin, or behavior.

Based on this, controlled folder access decides whether executable files (.exe, .scr, .dll, etc.) are allowed to write to the folders in the user profile. However, the number of false positives is surprisingly high. The ransomware protection not only blocks many harmless apps, but also on-board tools like PowerShell.

Users cannot change the blacklist created by the system, but they can expand the list of safe applications. However, this process is quite cumbersome, as sometimes you have to authenticate twice as an administrative user.

You can see which applications have been blocked by a corresponding toast notification and by the blocking history in the Windows Security app. The feature also creates an entry in the event viewer when an app is blocked.

By default popular applications like Notepad and PowerShell are blocked

By default popular applications like Notepad and PowerShell are blocked

Users can also expand the list of folders but not deselect the default protected directories. Controlled folder access not only accepts local drives; it can also watch network shares.

Evaluation in audit mode

It is recommended to start controlled folder access in audit mode first due to the many false positives, and to investigate its effects in practical operation over time.

As an administrator you can interactively switch controlled folder access on and off

As an administrator you can interactively switch controlled folder access on and off

If you configure the feature interactively via the settings app, then only the options On and Off are available (you need administrative rights for this). Therefore, to enable audit mode, you have to use PowerShell or Group Policy. The following command accomplishes this task in PowerShell:

Set-MpPreference -EnableControlledFolderAccess AuditMode

Enable blocking mode

Replacing AuditMode with Enabled will turn on the feature:

Set-MpPreference -EnableControlledFolderAccess Enabled

If you enable controlled folder access using group policies, you can also choose between these two modes.

The setting Configure Controlled folder access can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.

Enable controlled folder access using Group Policy

Enable controlled folder access using Group Policy

Specify additional folders and apps

Group Policy provides two additional settings that can be used to expand the list of folders or applications to be protected or allowed: Configure protected folders and Configure allowed applications.

Defining allowed applications via a Group Policy

Defining allowed applications via a Group Policy

In PowerShell, the Set-MpPreference cmdlet is also capable of this, with the ControlledFolderAccessProtectedFolders (for additional folders) and ControlledFolderAccessAllowedApplications parameters for additional allowed applications. They require the path to the directories and applications, respectively:

Set-MpPreference -ControlledFolderAccessProtectedFolders "c:\temp"

The existence of the directory passed via this parameter is not checked.

Evaluation of the logs

After the introduction of this feature, Microsoft provided an Exploit Guard Evaluation Package, which contained tools for testing controlled folder access. This has since disappeared from Microsoft's website without a trace.

Among other things, the package included the export file of a custom log view that contained a filter for all controlled folder access events:

<QueryParams><UserQuery /></QueryParams>
<QueryNode><Name>CFA-Events</Name><Description>Controlled Folder Access</Description>
<QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>

If you save the above code in a file named cfa-events.xml, then you can import it into the event viewer to evaluate the logs for controlled folder access.

Import a custom view for controlled folder access into the event viewer

Import a custom view for controlled folder access into the event viewer


Controlled folder access is another protection mechanism in the Defender arsenal designed to prevent ransomware from encrypting files.

If you activate the feature immediately in block mode, you will find that it prevents numerous harmless applications and even programs that are part of Windows from accessing the user's folders. Unblocking the affected apps then becomes unnecessarily cumbersome.

Subscribe to 4sysops newsletter!

In managed environments, the feature will first be run in audit mode, and legitimate programs will then be added to a central whitelist via group policies. PowerShell is available as an alternative management option.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account