This post describes how to enable Controlled folder access using Group Policy. With the latest versions of Windows 10, Microsoft has worked hard on improving Windows Defender. The antivirus features that most customers were looking for are now available in Windows Defender. While most third-party antivirus products already have advanced features, Windows Defender too gains new features with every update.
Microsoft introduced host intrusion prevention functionality in Windows 10 under the name Windows Defender Exploit Guard. The idea behind it is to protect user data from unsafe apps. One of the important features of Windows Defender Exploit Guard is Controlled folder access.
This feature protects important data from malicious apps and threats, ransomware in particular. Once ransomware gets onto a computer, it encrypts the user's files and demands a ransom to unlock them. Since this is the common behaviour of ransomware, securing the files and folders it targets is the first preventive step.
Controlled folder access can be enabled by using one of the following ways.
- Group Policy
- Windows Defender app
- MDM CSPs
So how does this work? With controlled folder access enabled, Windows Defender Antivirus evaluates every app that tries to make changes to files inside protected folders. Apps that Defender determines to be trusted, and apps you add to the allowed applications list, may make changes.
Apps that Defender determines to be malicious or untrusted are blocked from making changes to the files located inside protected folders, and a notification tells the user that the app was blocked by Windows Defender.
By default, the Windows system folders and the default user library folders (Documents, Pictures, Videos, Music, Desktop, Favorites) are protected by controlled folder access. The screenshot below shows the default protected folders. By clicking Add a protected folder, a user can add additional folders to the list; the default folders cannot be removed.
- Before you enable controlled folder access, ensure Windows Defender AV real-time protection is enabled.
- The controlled folder access feature will not be available if a third-party antivirus is installed on the system, because Windows Defender AV then runs in passive mode and no longer provides real-time protection.
How to Enable Controlled Folder Access Using Group Policy
To enable controlled folder access using group policy, launch the Group Policy Management Console and edit the GPO that targets your clients. Under Computer Configuration, expand Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access (in newer ADMX templates the nodes are named Microsoft Defender Antivirus and Microsoft Defender Exploit Guard). In the right pane there are three settings available.
Double-click Configure Controlled folder access. Click Enabled, and the drop-down Configure the guard my folders feature offers three options:
- Disable – The default. It is not a secure option, since any app can modify or delete files in protected folders.
- Block – Strict mode: untrusted apps cannot make any changes to files inside protected folders. Roll this out with care, since legitimate line-of-business apps that Defender does not rate as trusted are blocked too, which can affect productivity. Add such apps to the allowed applications list.
- Audit Mode – Untrusted apps are allowed to make changes (modify/delete) to files inside protected folders, but each such change is logged in the Windows event log (Microsoft-Windows-Windows Defender/Operational, event ID 1124; in Block mode, blocked attempts are logged as event ID 1123). Use this mode first to find out which apps would be blocked before switching to Block.
Select Audit mode and click Apply and OK.
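The same enable-and-verify procedure from the command line, as an added example that is not part of the original post: it checks the real-time protection prerequisite, switches controlled folder access to audit mode, confirms the setting, and reads the audit (1124) and block (1123) events Defender writes. Run it from an elevated PowerShell prompt on a test machine; where the setting is managed by Group Policy, as in this post, Set-MpPreference cannot override the policy value, but the Get-MpPreference and Get-WinEvent checks still apply.

```powershell
# Added example, not from the original post. Run as administrator.
# Prerequisite from the post: real-time protection must be on, otherwise
# controlled folder access has nothing to enforce with.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Real-time protection is off (passive mode or disabled); controlled folder access will not work."
}

# Local equivalent of the GPO "Configure Controlled folder access" = Audit Mode.
# Accepted values: Disabled, Enabled (= Block), AuditMode.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Verify. Get-MpPreference reports the mode as a number: 0 = Disabled, 1 = Enabled/Block, 2 = AuditMode.
$mode = (Get-MpPreference).EnableControlledFolderAccess
"EnableControlledFolderAccess = $mode"

# What audit mode produces: event 1124 per audited change. Block mode produces 1123 per blocked change.
# Both land in the Defender operational log; the first line of the message names the process and the file.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Leave the machine in audit mode for a representative period, then group the 1124 events by process: every distinct executable that appears is a candidate for the allowed applications list before you move the GPO to Block.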
Once Configure Controlled folder access is enabled, there are two more policy settings to look at: Configure allowed applications and Configure protected folders.
Configure Allowed Applications
With this policy setting, the applications added to the list are treated as trusted by controlled folder access and may modify files in protected folders. Click Enabled, then click Show to add the list of apps. In the window that pops up, enter the full path of the executable (for example C:\Program Files\App\app.exe) in the Value name field and enter 0 as the Value for every application you add.
After the policy has been applied on a client (run gpupdate /force to hurry it along), launch PowerShell and run Get-MpPreference. In the output, look at the apps listed next to ControlledFolderAccessAllowedApplications.
Configure Protected Folders
This policy setting lets admins add folders to the protected list. Untrusted applications cannot modify or delete files in folders added to the list. Double-click Configure protected folders, click Enabled, then click Show. In the new window, add the folder path under Value name and set Value to 0. Click Apply and OK.
Launch PowerShell and run Get-MpPreference. Look at ControlledFolderAccessProtectedFolders to see the folders that you just added.
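Both list settings (Configure allowed applications and Configure protected folders) have a local PowerShell equivalent, shown here as an added example that is not part of the original post. The folder and executable paths are placeholders chosen for illustration. It adds one protected folder and one allowed application, verifies both lists, performs a test write to show what each mode does to an untrusted process, and then removes the test entries. As above, run it elevated on a machine where these lists are not set by Group Policy, since the policy value takes precedence over local changes.

```powershell
# Added example, not from the original post. Paths are illustrative placeholders.
$folder = 'C:\Finance\Reports'                       # assumed folder to protect
$app    = 'C:\Program Files\LineOfBusiness\lob.exe'  # assumed trusted app path

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Same effect as the two GPO list settings (value name = path, value = 0).
# Add-MpPreference appends to the list; Set-MpPreference would replace it.
Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
Add-MpPreference -ControlledFolderAccessAllowedApplications $app

# Verify, the same check the post does with Get-MpPreference.
$pref = Get-MpPreference
"Protected folders:    " + ($pref.ControlledFolderAccessProtectedFolders -join '; ')
"Allowed applications: " + ($pref.ControlledFolderAccessAllowedApplications -join '; ')

# Functional test from this (not explicitly allowed) PowerShell process:
#  - Block mode: the write fails with an access-denied error and Defender logs event 1123.
#  - Audit mode: the write succeeds and Defender logs event 1124.
#  - Disabled:   the write succeeds and nothing is logged.
$testFile = Join-Path $folder 'cfa-test.txt'
try {
    Set-Content -Path $testFile -Value 'controlled folder access test' -ErrorAction Stop
    "Write succeeded: mode is Disabled or Audit, or this process is rated trusted."
    Remove-Item $testFile -ErrorAction SilentlyContinue
} catch {
    "Write blocked: $($_.Exception.Message)"
}

# Clean up the test entries so they do not linger in the lists.
Remove-MpPreference -ControlledFolderAccessProtectedFolders $folder
Remove-MpPreference -ControlledFolderAccessAllowedApplications $app
```

Two practical points: an allowed-application entry must be the full path of the executable, so an application installed to a different path on another machine is not covered by it, and adding a folder to the protected list protects its subfolders as well.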