You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> Try using [audit mode](evaluate-controlled-folder-access.md) at first so you can see how the feature works and review events without impacting normal device usage in your organization.
49
-
50
-
> [!NOTE]
51
-
> If you add Microsoft Defender Antivirus exclusions (process or path) for the binary in question, controlled folder access trusts it, and doesn't block the process or path. Group Policy settings that disable local administrator list merging override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
52
-
> - Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
53
-
> - System Center Endpoint Protection **Allow users to add exclusions and overrides**
54
-
55
-
For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).
56
-
57
-
## Windows Security app
58
-
59
-
1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Windows Security**.
60
-
61
-
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
62
-
63
-
3. Set the switch for **Controlled folder access** to **On**.
64
-
65
-
> [!NOTE]
66
-
> - This method is not available on Windows Server 2012 R2 or Windows Server 2016. If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state changes in the Windows Security app only after restarting the device. If the feature is set to **Audit mode** with any of those tools, the Windows Security app shows the state as **Off**.
67
-
>
68
-
> - If you are protecting user profile data, the user profile should be on the default Windows installation drive.
69
-
70
-
## Microsoft Intune
71
-
72
-
1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com) and open **Endpoint Security**.
73
-
74
-
2. Go to **Attack Surface Reduction** > **Policy**.
3. Select **Platform**, choose **Windows 10, Windows 11, and Windows Server**, and select the profile **Attack Surface Reduction rules** > **Create**.
77
49
78
50
4. Name the policy and add a description. Select **Next**.
79
51
80
52
5. Scroll down, and in the **Enable Controlled Folder Access** drop-down, select an option, such as **Audit Mode**.
81
53
82
-
We recommend enabling controlled folder access in audit mode first to see how it'll work in your organization. You can set it to another mode, such as **Enabled**, later.
54
+
We recommend enabling controlled folder access in audit mode first to see how it works in your organization. You can set it to another mode, such as **Enabled**, later.
83
55
84
56
6. To optionally add folders that should be protected, select **Controlled Folder Access Protected Folders** and then add folders. Files in these folders can't be modified or deleted by untrusted applications. Keep in mind that your default system folders are automatically protected. You can view the list of default system folders in the Windows Security app on a Windows device. To learn more about this setting, see [Policy CSP - Defender: ControlledFolderAccessProtectedFolders](/windows/client-management/mdm/policy-csp-defender?#controlledfolderaccessprotectedfolders).
85
57
@@ -90,7 +62,7 @@ For more information about disabling local list merging, see [Prevent or allow u
90
62
9. Select **Next** to save each open blade and then **Create**.
91
63
92
64
> [!NOTE]
93
-
> Wildcards are supported for applications, but not for folders. Allowed apps continue to trigger events until they are restarted.
65
+
> Wildcards are supported for applications, but not for folders. Allowed apps continue to trigger events until they're restarted.
94
66
95
67
## Mobile Device Management (MDM)
96
68
@@ -107,25 +79,27 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi
107
79
1. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
108
80
109
81
> [!NOTE]
110
-
> Wildcard is supported for applications, but not for folders. Allowed apps will continue to trigger events until they are restarted.
111
-
82
+
> Wildcard is supported for applications, but not for folders. Allowed apps continue to trigger events until they're restarted.
83
+
112
84
1. Review the settings and select **Next** to create the policy.
113
85
114
-
6. After the policy is created, **Close**.
86
+
1. After the policy is created, **Close**.
87
+
88
+
For more information about Microsoft Configuration Manager and Controlled Folder Access, please visit [Controlled folder access policies and options](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy).
115
89
116
90
## Group Policy
117
91
118
-
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
92
+
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure and select **Edit**.
119
93
120
94
1. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
121
95
122
96
1. Expand the tree to **Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access**.
123
97
124
98
1. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
125
99
126
-
-**Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
100
+
-**Enable** - Malicious and suspicious apps aren't allowed to make changes to files in protected folders. A notification is provided in the Windows event log.
127
101
-**Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
128
-
-**Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
102
+
-**Audit Mode** - Changes are allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it's recorded in the Windows event log where you can assess the impact on your organization.
129
103
-**Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
130
104
-**Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
0 commit comments