With the release of Windows 10 Fall Creators Update last week, the "Controlled Folder Access" that Microsoft touted in June is now live for millions of users.

As the name hints, the Controlled Folder Access feature allows users to control who can access certain folders.

The feature works on a "block everything by default" philosophy, which means that on a theoretical level, it would be able to prevent ransomware when it tries to access and encrypt files stored in those folders.

The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.

If you want to give Controlled Folder Access a go, below are the basic steps to enable it on your PC.

Step 1

Press the Start button and type "Windows Defender Security Center." Select the option when visible. The following window should appear.

Windows Defender Security Center

There's a high chance you might select the wrong option and end up in the Windows Defender Settings section. In this case, just press the obvious "Open Windows Defender Security Center" button that appears at the top of the window.

Windows Defender Settings section

Step 2

In the "Windows Defender Security Center" select the second option in the side menu named "Virus & threat protection" and then select the "Virus & threat protection settings" option from the main window.


Step 3

Scroll down on this page and locate the "Controlled folder access" section. To enable the feature, just click the On/Off toggle.


Step 4

First things first, select the "Protected folders" sub-option and add all the folders you want to restrict access to.


Step 5

Now it's time to select the second option named "Allow an app through Controlled folder access." This option will whitelist the apps that are allowed to access, edit, create or remove files from protected folders.


Other ways to enable Controlled Folder Access

Besides the instructions above, there are two other ways to enable Controlled Folder Access. The easiest way is by running the following PowerShell command.

Set-MpPreference -EnableControlledFolderAccess Enabled

To disable the feature, just run the same command, but with the "Disabled" argument.
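The GUI steps above (turn the feature on, add protected folders, allow apps) can be scripted with the same Defender cmdlets. This is an added example, not part of the original article; the folder and application paths are placeholders, and it first checks that real-time protection is on, since Controlled Folder Access depends on it.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Placeholder paths: replace with the folders and apps you actually use.
$protectedFolders = @('D:\Finance', 'D:\Projects')
$allowedApps      = @('C:\Tools\Editor\editor.exe')

# Controlled Folder Access only works while Defender real-time protection is on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is off; Controlled Folder Access will not work.'
}

# Step 3 equivalent: turn the feature on.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Step 4 equivalent: add protected folders.
# Add-MpPreference appends to the existing list instead of replacing it.
foreach ($folder in $protectedFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# Step 5 equivalent: allow specific applications by full path.
foreach ($app in $allowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing executable: $app"
    }
}

# Read the settings back to confirm what is in effect.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List
```

Keep the allowed-application list as short as possible: every entry is a program that can modify protected files without being challenged.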

In addition, system administrators in large organizations can use the Group Policy Management Console to enable the feature for users across a local network.

Step 1: On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
Step 2: In the Group Policy Management Editor go to Computer configuration.
Step 3: Click Policies then Administrative templates.
Step 4: Expand the tree to Windows components ⋙ Windows Defender Antivirus ⋙ Windows Defender Exploit Guard ⋙ Controlled folder access.
 


Step 5: Double-click the Configure Controlled folder access setting and set the option to Enabled.

You can also use Group Policy to configure allowed applications and protected folders. This allows a system administrator to easily push out lists of whitelisted programs and protected folders to every computer on a domain.

CFA policy allowed apps

CFA policy protected folders

When everything's up and running, if an unauthorized program tries to edit one of the files located in a Controlled access folder, users will get a warning through the Windows Notifications sidebar, while the app trying to make the edit will get stopped dead in its tracks. Further, Windows Defender will also record the unauthorized access in the Windows event log (with this dependency installed).

CFA error

In order for Controlled Folder Access to work, though, real-time protection must be enabled in Windows Defender. Bleeping Computer has reached out to Microsoft about the possibility of offering Controlled Folder Access as a separate feature, and a company spokesperson said there are no such plans for the immediate future.

Testing Controlled Folder Access against Ransomware

BleepingComputer has tested Controlled Folder Access against ransomware samples that include the Asasin Locky variant, the x1881 CryptoMix variant, the Comrade HiddenTear variant, and the Wyvern BTCWare variant. The good news is that Controlled Folder Access achieved what it was designed to do: successfully block ransomware from encrypting files located in protected folders.

The bad news is that while your protected folders are safe, other non-protected folders will still be encrypted, ransom notes will still be displayed, and other behavior will still continue.

BTCWare Ransom Note
While protected files were not encrypted, the ransomware still encrypted unprotected folders

This is because Controlled Folder Access is not designed to terminate detected ransomware, but rather protect a folder from ANY unauthorized modifications. This includes any program not in a white list, which could be 3rd party text editors, word processing applications, or photo editing programs. 

Also, while testing Controlled Folder Access, an interesting side-effect was discovered when folders are whitelisted in Windows Defender. When executables are located in a whitelisted folder and attempt to modify a file in a protected folder, Controlled Folder Access will block the modification, but not display a toast alert notifying you that the program was blocked.

While BleepingComputer highly recommends that everyone use Controlled Folder Access, it should not be considered a full-fledged anti-ransomware feature, but more like a data protection feature. While in some ways this is the same, in many ways it is different.

Additional reporting by Lawrence Abrams