Controlled Folder Access

Windows Controlled Folder Access policy

Controlled Folder Access policy overview

The Windows Controlled Folder Access policy can be set in an RDS-based or other enterprise environment via GPO. The policy requires at least Windows Server 2019 or Windows 10 version 1709. It enables several filesystem-level security countermeasures against common malware attacks. The policy can be found in path “Computer configuration –> Policies –> Administrative Templates –> Windows Components –> Windows Defender Antivirus –> Windows Defender Exploit guard –> Controlled Folder Access”.

This GP should be used with caution, though, because unmoderated use can prevent trusted applications from running, or make them run with issues that are difficult to pinpoint. If there are functional issues in your environment and you suspect that Controlled Folder Access may be the root cause, a good place to start is the Windows event log on the affected machines, under “Applications and Services Logs –> Microsoft –> Windows –> Windows Defender –> Operational”. You can then either disable the Controlled Folder Access policy, or keep it enabled and ensure that all your trusted apps are recognised as such via the “Configure allowed applications” GP setting.

Controlled Folder Access policy description

Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
– Modify or delete files in protected folders, such as the Documents folder
– Write to disk sectors

You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.

Enabled and set to Block:
The following will be blocked:

  • Attempts by untrusted apps to modify or delete files in protected folders
  • Attempts by untrusted apps to write to disk sectors
    The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.

Disabled:
The following will not be blocked and will be allowed to run:

  • Attempts by untrusted apps to modify or delete files in protected folders
  • Attempts by untrusted apps to write to disk sectors
    These attempts will not be recorded in the Windows event log.

Audit Mode:
The following will not be blocked and will be allowed to run:

  • Attempts by untrusted apps to modify or delete files in protected folders
  • Attempts by untrusted apps to write to disk sectors
    The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.

Block disk modification only:
The following will be blocked:

  • Attempts by untrusted apps to write to disk sectors
    The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.

The following will not be blocked and will be allowed to run:

  • Attempts by untrusted apps to modify or delete files in protected folders
    These attempts will not be recorded in the Windows event log.

Audit disk modification only:
The following will not be blocked and will be allowed to run:

  • Attempts by untrusted apps to write to disk sectors
  • Attempts by untrusted apps to modify or delete files in protected folders
    Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
    Attempts to modify or delete files in protected folders will not be recorded.

Not configured:
Same as Disabled.
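The following PowerShell script is an added example (not part of the original article) that ties the troubleshooting advice above to the mode and event ID descriptions: it reads the local Controlled Folder Access state with Get-MpPreference and summarises recent block (1123) and audit (1124) events from the Defender Operational log, so that trusted applications tripping the policy can be identified. The mapping of EnableControlledFolderAccess values to the GP modes, and the "Process Name:"/"Path:" labels used to parse the event message, are assumptions about the default message layout; run it in an elevated PowerShell on an affected machine.

```powershell
# Added example: inspect local Controlled Folder Access state and summarise
# recent block (1123) / audit (1124) events. Run elevated on the affected host.

# Assumed mapping of Get-MpPreference.EnableControlledFolderAccess to GP modes
$cfaModes = @{
    0 = 'Disabled / Not configured'
    1 = 'Enabled (Block)'
    2 = 'Audit Mode'
    3 = 'Block disk modification only'
    4 = 'Audit disk modification only'
}

function Get-CfaStatus {
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode             = $cfaModes[[int]$pref.EnableControlledFolderAccess]
        AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    }
}

function Get-CfaEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124          # 1123 = blocked, 1124 = audited
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Process and target are pulled from the message text; the labels are an
        # assumption about the default layout, so fall back to the raw message.
        $proc = if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { $_.Message }
        $path = if ($_.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $proc
            Target  = $path
        }
    }
}

Get-CfaStatus
# Applications that trip the policy most often are candidates for the
# "Configure allowed applications" GP setting. Add-MpPreference
# -ControlledFolderAccessAllowedApplications is the local equivalent, but a
# GPO-managed setting takes precedence over local changes.
Get-CfaEvents -Days 7 | Group-Object Outcome, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Switching the policy to Audit Mode first and reviewing the 1124 events produced by this script is a low-risk way to build the allowed-applications list before enforcing Block.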
