How to enable or disable Controlled Folder Access in Windows 11

Last update: 12/12/2025
Author Isaac
  • Controlled access to folders limits which applications can modify files in protected locations, reducing the impact of ransomware.
  • Works on Windows 10, Windows 11 and various editions of Windows Server as long as Microsoft Defender is the active antivirus.
  • It allows you to add trusted folders and applications, manage them from Windows Security or centrally with Intune, GPO, Configuration Manager and PowerShell.
  • It includes audit modes and generates detailed events to review blocks and adjust settings without interrupting work.

Controlled folder access in Windows 11

If you are concerned about ransomware and the security of your files in Windows 11, there's a built-in feature you probably have disabled that can make a big difference: Controlled Folder Access. It's not magic, and it doesn't replace backups, but it adds an extra layer of protection (and, if you need to adjust permissions, you can also assign permissions to folders and files), which makes life much more complicated for malware that tries to encrypt or delete your most important documents.

This feature is included in Windows 11, Windows 10, and various versions of Windows Server, and it integrates with Microsoft Defender. By default, it's usually disabled because it can be somewhat strict and sometimes blocks legitimate programs, but you can adjust it to your liking: change the default location, add extra folders, allow specific applications and even manage it through group policy, Intune, Configuration Manager or PowerShell, both on home computers and in corporate environments.

What exactly is controlled folder access?

Controlled folder access is a feature of Microsoft Defender Antivirus designed to stop ransomware and other types of malware that attempt to modify or delete files in certain protected locations. Instead of blocking everything that runs, it only allows applications deemed trusted to make changes to those folders.

In practice, this protection is based on a list of trusted applications and another list of protected folders. Apps with a good reputation and high prevalence in the Windows ecosystem are automatically allowed, while unknown or suspicious applications will not be able to modify or delete files in controlled paths, although they can read them.

It is important to understand that this function does not prevent malware from copying or reading data. What it blocks are actions to modify, encrypt, or delete protected files. If an attacker manages to infiltrate your system, they could still exfiltrate information, but it will be much more difficult for them to compromise your key documents.

Controlled Folder Access is designed to work side-by-side with Microsoft Defender for Endpoint and the Microsoft Defender portal, where you can see detailed reports of what has been blocked or audited, which is especially useful in companies for investigating security incidents.

Configure controlled access to folders in Windows

Compatible operating systems and prerequisites

Before you consider activating it, it's a good idea to know which platforms it works on. Controlled folder access is available on Windows 11, Windows 10, and various editions of Windows Server, in addition to some specific Microsoft systems such as Azure Stack HCI.

More specifically, the function is supported in Windows 10 and Windows 11 in their editions with Microsoft Defender as an antivirus, and on the server side it is supported in Windows Server 2016 and later versions, Windows Server 2012 R2, Windows Server 2019 and successors, as well as in the Azure Stack HCI operating system from version 23H2.

A key detail is that controlled folder access only works when the active antivirus is Microsoft Defender. If you use a third-party antivirus that disables Defender, the settings for this feature will disappear from the Windows Security app or become inoperative, and you will have to rely on the anti-ransomware protection of the product you have installed.

In managed environments, in addition to Defender, tools such as Microsoft Intune, Configuration Manager, or compatible MDM solutions are required to centrally deploy and manage controlled folder access policies across multiple devices.

How controlled folder access works internally

The behavior of this function is based on two pillars: on the one hand, the folders that are considered protected, and on the other, the applications that are considered trustworthy. Any attempt by an untrusted app to write, modify, or delete files in those folders is blocked or audited, depending on the configured mode.

When the feature is enabled, Windows marks a number of very common user folders as protected. This includes folders such as Documents, Pictures, Videos, Music, and Favorites, from both the active account and public folders. Additionally, certain system profile paths (for example, Documents folders in the system profile) and critical boot areas of the system are also included.

The list of allowed applications is generated from the reputation and prevalence of the software in the Microsoft ecosystem. Widely used programs that have never shown malicious behavior are considered trustworthy and are authorized automatically. Other less well-known applications, homebrew tools, or portable executables may be blocked until you manually approve them.

In business organizations, in addition to automatic lists, administrators can add or allow specific software through Microsoft Intune, Configuration Manager, group policies or MDM configurations, fine-tuning what is blocked and what is not within the corporate environment.

To assess the impact before applying the hard block, there is an audit mode. It allows applications to function normally but logs in the events what would have been blocked. This allows for a detailed review of whether switching to strict blocking mode would interrupt business processes or critical applications.

Why is it so important against ransomware?

Ransomware attacks aim to encrypt your documents and demand a ransom to restore your access. Controlled folder access focuses precisely on preventing unauthorized applications from modifying the files that matter most to you, which are usually located in Documents, Pictures, Videos, or other folders where you store your projects and personal data.

When an unknown application tries to modify a file in a protected folder, Windows generates a notification on the device alerting the user to the block. This alert can be customized in business environments with internal contact information so that users know who to contact if they need help or if they believe it is a false positive.

In addition to the usual user folders, the system also protects system folders and boot sectors, reducing the attack surface for malware that attempts to manipulate system startup or critical Windows components.

Another advantage is being able to activate audit mode first to analyze the impact. This way you can see which programs would have been blocked, review the logs, and adjust the lists of allowed folders and applications before taking the step to a strict block, avoiding surprises in a production environment.

Folders protected by default in Windows

By default, Windows marks a number of common file locations as protected. This includes both user profile folders and public folders, so that most of your documents, photos, music, and videos are protected without you having to configure anything additional.

Among others, this covers paths such as c:\Users\ \Documents and c:\Users\Public\Documents, the equivalents for Pictures, Videos, Music and Favorites, as well as the same equivalent paths for system accounts such as LocalService, NetworkService or systemprofile, provided the folders exist on the system.

These locations are visibly displayed on the user's profile, within “This PC” in File Explorer. Therefore, these are usually the ones you use daily without thinking too much about the internal folder structure of Windows.

It's important to know that the default protected folders cannot be removed from the list. You can add more of your own folders in other locations, but the default ones always remain under protection to minimize the risk of accidentally disabling the defense in key areas.

How to enable Controlled Folder Access from Windows Security

For most home users and many small businesses, the easiest way to activate this feature is the Windows Security application included in the system. There's no need to install anything extra, just change a few options.

First, open the Start menu, type “Windows Security” and open the application. On the main panel, go to the "Virus & threat protection" section, which is where Defender's malware-related options are located.

Within that screen, scroll down until you find the section for “Protection against ransomware” and click on “Manage ransomware protection”. If you are using a third-party antivirus, you may see a reference to that product here and you will not be able to use this feature while that antivirus is active.

On the ransomware protection screen you will see a toggle switch called “Controlled access to folders”. Activate it and, if the system displays a User Account Control (UAC) warning, accept it to apply the changes with administrator privileges.

Once enabled, several additional options will be displayed: Block history, Protected folders and the ability to allow applications through controlled folder access. From here you can fine-tune the settings as needed.

Configure and adjust controlled folder access

Once the function is running, most of the time you normally won't notice anything unusual in your daily use. However, you may occasionally receive warnings if an application you use attempts to write to a protected folder and is not on the trusted list.

If you receive notifications, you can return to Windows Security at any time and go to Virus & threat protection > Manage ransomware protection. From there you will have direct access to the settings for block history, protected folders and allowed apps.

The “Block history” section shows the list of all blocks and details each incident: which file or executable was stopped, when, which protected folder it was attempting to access, and the severity level (low, moderate, high, or severe). If you are certain it is a trusted program, you can select it and choose "Allow on device" to unblock it.

In the "Protected Folders" section, the application displays all the paths that are currently under Controlled Folder Access protection. From there you can add new folders or remove the ones you've added. However, default Windows folders, such as Documents or Pictures, cannot be removed from the list.

If at any point you find the feature too intrusive, you can always turn the controlled folder access switch off again from the same screen. The change is immediate and everything returns to how it was before activating it, although you will obviously lose that extra barrier against ransomware.

Add or remove additional protected folders

Not everyone saves their documents in the standard Windows libraries. If you usually work from other drives, project folders, or custom paths, you will want to include them within the scope of controlled folder access protection.

Using the Windows Security app, the process is very simple: in the ransomware protection section, go to “Protected folders” and accept the UAC notice if it appears. You'll see a list of currently protected folders and an "Add a protected folder" button.

Pressing that button will open a browser window so that you can select the folder you want to add. Choose the path (for example, a folder on another drive, a working directory for your projects, or even a mapped network drive) and confirm. From that moment on, any attempt to modify the folder from an untrusted app will be blocked or audited.

If you later decide that you no longer want a specific folder to be protected, you can select it from the list and press “Remove”. You can only remove the additional folders that you have added; those that Windows marks as protected by default cannot be removed, to avoid leaving critical areas unprotected without you realizing it.

In addition to local drives, you can specify network shares and mapped drives. It is possible to use environment variables in paths, although wildcards are not supported. This provides considerable flexibility for securing locations in more complex environments or with automated configuration scripts.

Allow trusted apps that have been blocked

It's quite common that, after activating the feature, some legitimate applications are affected, especially if they save data in Documents, Pictures, or another protected folder. PC games, less well-known office tools, or older programs may be blocked when attempting to write.

For these cases, Windows Security itself offers the option “Allow an application through controlled folder access”. From the ransomware protection panel, go to this section and click on “Add an allowed application”.

You can choose to add applications from the list of “Recently blocked apps” (very convenient if something has already been blocked and you just want to allow it) or browse through all the applications to anticipate and mark as trusted certain programs that you know will need to write to protected folders.

When adding an application, it is important that you specify the exact path to the executable. Only that specific location will be allowed; if the program exists in another path with the same name, it will not be automatically added to the allowed list and may still be blocked by controlled folder access.

It's important to keep in mind that, even after allowing an app or service, running processes may continue to generate events until they stop and restart. In other words, you may need to restart the application (or the service itself) for the new exception to take full effect.

Advanced enterprise management: Intune, Configuration Manager, and group policy

In corporate environments, it's not common practice to go machine by machine changing settings manually, but rather to define centralized policies that are deployed in a controlled manner. Controlled folder access is integrated with various Microsoft device management tools.

With Microsoft Intune, for example, you can create an Attack Surface Reduction policy for Windows 10, Windows 11, and Windows Server. Within the profile, there is a specific option to enable controlled access to folders, allowing you to choose between modes such as "Enabled," "Disabled," "Audit mode," "Block disk modification only," or "Audit disk modification only."

From that same policy in Intune it is possible to add additional protected folders (which sync with the Windows Security app on devices) and also specify trusted apps that will always have permission to write to those folders. This complements Defender's automatic reputation-based detection.

If your organization uses Microsoft Configuration Manager, you can also deploy policies for Windows Defender Exploit Guard. From “Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard”, you create a vulnerability protection policy, select the controlled folder access option and choose whether to block changes, only audit, allow other apps or add other folders.

This function can also be managed in a very granular way using Group Policy Objects (GPOs) from the Group Policy Management Editor. Within Computer Configuration > Administrative Templates, you can access the Windows components corresponding to Microsoft Defender Antivirus and its Exploit Guard section, where there are several policies related to controlled access to folders.

These policies include “Configure controlled access to folders”, which allows you to set the mode (Enabled, Disabled, Audit mode, Block disk modification only, Audit disk modification only), as well as the entries "Configure protected folders" and "Configure allowed applications", where folder and executable paths are entered along with the indicated value to mark them as allowed.

Using PowerShell and MDM CSP to automate configuration

For administrators and advanced users, PowerShell offers a very straightforward way to activate, deactivate or adjust controlled access to folders using Microsoft Defender cmdlets. This is especially useful for deployment scripts, automation, or applying changes in batches.

To begin, open a PowerShell window with elevated privileges: search for “PowerShell” in the Start menu, right-click it and choose “Run as administrator”. Once inside, you can activate the function using the cmdlet:

Example: Set-MpPreference -EnableControlledFolderAccess Enabled

If you want to evaluate behavior without actually blocking anything, you can use audit mode by replacing Enabled with AuditMode, and if at any point you want to disable it completely, simply specify Disabled in that same parameter. This allows you to quickly switch from one mode to another as needed.

To protect additional folders from PowerShell, there is the cmdlet Add-MpPreference -ControlledFolderAccessProtectedFolders, to which you pass the path of the folder you want to protect, for example:

Example: Add-MpPreference -ControlledFolderAccessProtectedFolders "c:\apps\"

Similarly, you can allow specific applications with the cmdlet Add-MpPreference -ControlledFolderAccessAllowedApplications, specifying the full path to the executable. For example, if you want to authorize a program called test.exe in c:\apps, you would use:

Example: Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
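
The three cmdlets above can be combined into one staged rollout that starts in audit mode. This script is an added example, not part of the original article; the folder and application paths are placeholders, and requiring a valid Authenticode signature before allowing an app is a policy choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: staged Controlled Folder Access rollout (audit first, verify at the end).
# All paths below are placeholders; replace them with your own.
$ExtraFolders = @('D:\Projects', 'E:\Accounting')
$AllowedApps  = @('C:\Tools\BackupAgent\agent.exe')

# Controlled folder access only works when Microsoft Defender is the active antivirus.
if (-not (Get-MpComputerStatus).AntivirusEnabled) {
    throw 'Microsoft Defender Antivirus is not active; controlled folder access is unavailable.'
}

# Start in audit mode so nothing is blocked while the lists are being tuned.
Set-MpPreference -EnableControlledFolderAccess AuditMode
$current = Get-MpPreference

foreach ($folder in $ExtraFolders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    if ($current.ControlledFolderAccessProtectedFolders -notcontains $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

foreach ($app in $AllowedApps) {
    # Only the exact executable path is allowed, so it must exist as given.
    if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
        Write-Warning "Skipping missing executable: $app"
        continue
    }
    # An allowed app can modify every protected folder: check the signature first.
    $sig = Get-AuthenticodeSignature -LiteralPath $app
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Not adding $app (signature status: $($sig.Status)); review it manually."
        continue
    }
    if ($current.ControlledFolderAccessAllowedApplications -notcontains $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

# Read the settings back. Get-MpPreference reports the mode as a number.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode';
                3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
$after = Get-MpPreference
[pscustomobject]@{
    Mode             = $modeNames[[int]$after.EnableControlledFolderAccess]
    ProtectedFolders = $after.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $after.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List
```

Once the audit events show no legitimate software being flagged, switch the mode by running Set-MpPreference -EnableControlledFolderAccess Enabled.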

In mobile device management (MDM) scenarios, the configuration is exposed through different configuration service providers (CSPs), such as Defender/GuardedFoldersList for protected folders or Defender/ControlledFolderAccessAllowedApplications for allowed applications, which allows these policies to be integrated into compatible MDM solutions in a centralized manner.

Event logging and incident monitoring

To fully understand what's happening on your computers, it's key to review the events generated by controlled access to folders when it blocks or audits actions. This can be done both from the Microsoft Defender portal and directly in the Windows Event Viewer.

In companies that use Microsoft Defender for Endpoint, the Microsoft Defender portal offers detailed reports of events and blocks related to Controlled Folder Access, integrated within the usual alert investigation scenarios. There, you can even run advanced searches (Advanced Hunting) to analyze patterns across all devices.

For example, a typical DeviceEvents query might be:

Example: DeviceEvents | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

On individual computers, you can rely on the Windows Event Viewer. Microsoft provides a custom view (cfa-events.xml file) that can be imported to show only controlled folder access events in one place. This view collects entries such as event 5007 (configuration change), 1123 and 1124 (controlled folder access blocking or auditing), and 1127/1128 (protected disk sector write blocking or auditing).
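
The same event IDs can be pulled from PowerShell to see which executables were blocked or audited before deciding what to allow. This script is an added example, not part of the original article; the EventData field names 'Process Name' and 'Path' are assumptions to verify against a real event (Details > XML View in Event Viewer).

```powershell
# Added example: summarize controlled folder access events from the last 7 days.
# Assumption: EventData exposes the fields 'Process Name' and 'Path'.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Meaning = @{
    1123 = 'Blocked'
    1124 = 'Audited'
    1127 = 'Disk sector write blocked'
    1128 = 'Disk sector write audited'
    5007 = 'Configuration changed'
}

function ConvertTo-CfaRecord {
    param([Parameter(Mandatory)] $Record)
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $Record.TimeCreated
        Id      = $Record.Id
        Action  = $Meaning[[int]$Record.Id]
        Process = $fields['Process Name']
        Target  = $fields['Path']
    }
}

$filter = @{
    LogName   = $LogName
    Id        = 1123, 1124, 1127, 1128, 5007
    StartTime = (Get-Date).AddDays(-7)
}
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-CfaRecord -Record $_ }

# One row per executable and action: the review list before allowing anything.
$records | Where-Object Id -in 1123, 1124, 1127, 1128 |
    Group-Object Process, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Detail view: which protected path each process tried to change.
$records | Where-Object Id -in 1123, 1124 |
    Sort-Object Time -Descending |
    Select-Object -First 20 Time, Action, Process, Target |
    Format-Table -AutoSize

# 5007 is logged for any Defender configuration change, not only this feature.
$records | Where-Object Id -eq 5007 |
    Select-Object Time, Action | Format-Table -AutoSize
```

An executable that shows up only as 'Audited' is one that would be stopped after switching to Enabled, so resolve each of those rows first.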

When a block occurs, the user usually also sees a notification in the system indicating that unauthorized changes have been blocked. For example, with messages like “Controlled folder access blocked C:\…\ApplicationName… from making changes to memory”, and the protection history reflects events like “Protected memory access blocked” with date and time.

Controlled folder access is a very powerful tool to seriously hinder ransomware and other threats that try to destroy your files, while remaining flexible thanks to audit modes, lists of allowed folders and applications, and integration with administrative tools. When properly configured and combined with regular backups and up-to-date antivirus software, it's one of the best features Windows 11 offers for keeping your most important documents safe.
