Controlled Folder Access is a Microsoft Defender Exploit Guard feature that is built into Windows 10 Pro, Enterprise, and Windows Server 2019. Using this feature, you can mitigate ransomware attacks by identifying protected folders and controlling which applications are allowed to modify those folders and their contents. It is a free, built-in way for your Windows device to tell ransomware actors to F*** OFF! In this comprehensive post, I will discuss the purpose and benefits of Controlled Folder Access, considerations before deployment, how to configure Controlled Folder Access in Intune (AKA Microsoft Endpoint Manager admin center) for Windows 10 devices, and how to validate and test the profile deployment.
According to Microsoft documentation, “Controlled folder access works only by allowing trusted apps to access protected folders.” Admins (and/or Users) can define which apps are trusted, and which folders are protected. This bit can get tricky, as you have to know the full file paths for both the application you define as trusted, as well as the folders you wish to protect.
Trusted Applications = Applications that have access to write to, or make changes on protected disks/folders.
Protected Folders = Folders that cannot be written to or modified by applications that are not on the Trusted Applications list.
As with all things Microsoft 365, if you have the more expensive licensing options that include Microsoft Defender for Endpoint (the service formerly known as Microsoft Defender Advanced Threat Protection), you do get some additional configuration options, as well as advanced monitoring and reporting from the Security Center console. But since I don’t have one of those licenses, those advanced features are not included in this post.
Microsoft Defender Antivirus real-time protection enabled
In addition to using Intune, Controlled Folder Access can be configured via PowerShell (and subsequently MEM-CM), group policy, or the Windows 10 security app (Microsoft Defender UI), so an extensive device management or deployment infrastructure is not necessary. Worst case scenario, you can write a PS script, email it to the device user, and have them run the script to enable protection with your specified trusted apps and protected folders. As I noted in the intro, Controlled Folder Access settings are available for Windows Server 2019, in addition to Windows 10. However, since Intune does not configure Windows Servers, this post will not cover any of the (similar) settings and configuration options for Windows Servers. Refer to the Microsoft documentation linked above for GPO and PS options to configure Controlled Folder Access on Windows Servers.
Extensive time should be spent considering and evaluating the trusted apps and protected folders before you configure Controlled Folder Access in Intune. While it is easy and straightforward to change these definitions later in the process, it can take a considerable amount of time to sync settings and policy from Intune to devices. On-the-fly changes may take some time to take effect, which may slow users’ productivity. For comprehensive protection, identify apps that are frequently used on your devices, and understand where they execute from and which folders they write to. While there is an “audit mode” that can be used to evaluate and measure the impact of Controlled Folder Access, that option does not provide much benefit if you do not have a reporting mechanism available. Without a reporting environment, I think it is best to understand and evaluate your organization’s applications and the folders that need to be accessed and protected, and then deploy to a test collection with minimal settings. You can add (and remove) trusted applications and protected folders as your evaluation continues.
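The “write a PS script” route mentioned above, as an added example that is not from the original post: it stages the demo’s protected folders and trusts the PowerShell console host, starting in audit mode so nothing is blocked until the lists have been reviewed. The folder paths are the demo’s own; the powershell.exe path is derived from $PSHOME rather than hard-coded, and the mode switch is a parameter I have assumed for convenience.

```powershell
# Added example (not the post's own script): configure Controlled Folder Access
# locally with the Defender cmdlets. Run from an elevated PowerShell session.
# Note: settings delivered by Intune or Group Policy take precedence over these
# local preferences, so use this on devices that are not receiving a CFA profile.
param(
    # Start in AuditMode (logged, not enforced); rerun with -Mode Enabled after review.
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode'
)

# Constructed sample lists: the demo folders and the console host of this session.
$protectedFolders = @('C:\Demo', 'C:\Users\Public\Desktop')
$trustedApps      = @(Join-Path $PSHOME 'powershell.exe')

# A mistyped path is accepted silently by Defender, so verify each one first:
# a wrong trusted-app path means that app is NOT exempted, and a wrong folder
# path protects nothing.
foreach ($app in $trustedApps) {
    if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
        throw "Trusted app not found on this device: $app"
    }
}
foreach ($folder in $protectedFolders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "Protected folder not found on this device: $folder"
    }
}

# Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
Add-MpPreference -ControlledFolderAccessProtectedFolders   $protectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApps
Set-MpPreference -EnableControlledFolderAccess $Mode

# Echo the effective state so the change can be confirmed in the same session.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessAllowedApplications,
                  ControlledFolderAccessProtectedFolders
```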
In addition to the above software requirements to configure Controlled Folder Access in Intune, I recommend also creating a test device group/collection in Intune. I feel obligated to say that “Test = Production is a bad practice”. Creating test groups in Intune is simple and straightforward. There’s no cost, so there’s no reason why you cannot create a small group of devices to test the deployment process and settings. The groups can be re-named or deleted whenever the testing is complete, or re-used for other deployment testing.
Microsoft Testing and Validation Resources:
Microsoft provides some configuration and testing/validation resources at https://demo.wd.microsoft.com/Page/CFA (requires Microsoft account login to access). For this configuration demo, I will not use the PowerShell setup script or cmdlets. I am manually creating the “C:\Demo” folder on the test/demo devices. I will also manually copy the provided “clean file”, “test file”, and “encrypt/decrypt file” to both test devices. I will also demo another option to validate the configuration, if you are unable to access and use the test files.
*NOTE* Downloading and running the ransomware test file should generate some Microsoft Windows Defender warnings that you will have to acknowledge and bypass.
Configure a Controlled Folder Access Deployment in Intune
Oh Snap! Right off the bat, there is an error in Microsoft’s documentation. It suggests using the Azure Portal to access Intune, but everyone knows they want you using the Endpoint Manager admin center at https://endpoint.microsoft.com to handle Endpoint Management. The Azure Portal > Intune link emphasizes this:
As of writing, you configure a Controlled Folder Access deployment in Intune using Device Configuration Policies. There is an Endpoint Security tab in the Endpoint Manager admin center, but there are no controlled folder access settings within the dedicated security settings…Yet. So for now, select Devices > Configuration profiles.
You can lump these settings in within an existing Endpoint Protection profile, but for troubleshooting, configuration reporting, and testing, I think creating a separate profile for each feature is a best practice. So, select Create Profile.
In the Create a profile options, your Platform = Windows 10 and later, and Profile = Endpoint protection. Select Create.
As with all Intune configuration profiles, provide a Name and Description for the profile. I think it is a best practice to include the creation date and creator’s name in the description, for the benefit of any other admins that may need to review the profiles. Click Next when complete.
In the Configuration Settings, select Microsoft Defender Exploit Guard > Controlled folder access. Initially this will show as Not configured.
From the drop-down menu, select either Enable, Audit only, Block disk modification, or Audit disk modification.
Not configured = default setting. No controlled folder access protection is enabled.
Enable = applies and enforces controlled folder access as defined by the provided Trusted Apps and Protected Folders
Audit only = Audits the controlled folder access settings defined by the provided Trusted Apps and Protected Folders. These settings are not enforced, just reported.
Block disk modification = Attempts by untrusted apps to write to all disk sectors will be blocked. No Protected Folder configuration is needed.
Audit disk modification = Attempts to write to protected disk sectors will be recorded in the Windows Event Log. Attempts to modify or delete are not recorded. Nothing is blocked; only the write actions are recorded for validation.
For this demo, I will select Enable.
For the Microsoft test file and app, no App configuration is needed. However, for my testing/demo, I will configure PowerShell as a Trusted App. The default path is:
For the Microsoft test file and app, only the C:\Demo folder needs to be configured as a Protected Folder. In addition, I am also going to configure C:\Users\Public\Desktop as a Protected Folder for demonstration purposes.
There is a convenient option to import .CSV files for either setting. This will make it easier to update the profile settings after you identify all of the application file paths that you want to trust, and folder paths that you want to protect.
Click Next when complete.
Select which groups this profile will be assigned to. After testing, you can easily assign this profile to All Devices, and create Exclusion groups, or create a new profile with identical settings for production. Select Next to advance.
Define any Applicability Rules. For this policy, this setting is not necessary. But it is a pretty helpful option if you know that certain Windows 10 versions or editions are not compatible with the profile settings. Leave these fields blank and select Next at the bottom of the page to advance.
Review all of your configuration options, confirm they are correct, and select Create to create and deploy the profile.
Validate Profile Application
There are multiple ways to validate that the configuration profile has applied to your device(s) before testing.
In the Configuration Profile Overview page, Intune will display the assignment status. This page can take some time to update. On my one device in my isolated lab environment, it took about 15 minutes before this page was updated. I was able to confirm on the device that the profile applied within 5 minutes, but it took just a bit longer for this page to reflect the status.
You can click on the graphic or any of the Monitor\Status options to drill-down on the Profile Assignment Status to validate the status for each device, user or setting. This is helpful for troubleshooting, so that you can identify if there are any conflicts or errors with each individual setting.
On the device itself, you can validate via PowerShell and the Registry.
To validate that your settings applied via PowerShell, on the device enter:
If enabled with defined trusted applications and protected folders, the following properties will display values:
ControlledFolderAccessAllowedApplications = will contain any trusted applications defined by the profile
ControlledFolderAccessProtectedFolders = will contain any folders defined as protected by the profile
EnableControlledFolderAccess = “1” indicates that protection is Enabled
With Controlled Folder Access configured in Intune using the settings outlined above:
Settings without Controlled Folder Access enabled:
To validate the Controlled Folder Access settings via registry, in your Registry Editor navigate to:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
The keys and values you can reference are:
Allowed Applications = displays the file path of the applications you have trusted.
If enabled: EnableControlledFolderAccess = 0x00000001 (1)
AllowedApplications = [paths of applications defined as trusted]
ProtectedFolders = [paths of folders defined as protected]
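The PowerShell and registry checks above combined into one script, as an added example that is not from the original post: it reads the effective state from Get-MpPreference, reads the policy values Intune writes under the Policy Manager key, and warns when the two disagree or when a trusted-app path does not exist on the device. The mode-number mapping is Microsoft’s documented one (the post only shows “1” = Enabled).

```powershell
# Added example (not the post's own code): compare effective CFA state with the
# Intune-delivered policy values on a device.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

# Documented values of EnableControlledFolderAccess as reported by Get-MpPreference.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode';
                3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }

# 1) Effective (runtime) preference as seen by the Defender engine.
$pref = Get-MpPreference
[pscustomobject]@{
    Source           = 'Get-MpPreference (effective)'
    Mode             = $modeNames[[int]$pref.EnableControlledFolderAccess]
    TrustedApps      = $pref.ControlledFolderAccessAllowedApplications
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
} | Format-List

# A trusted-app path that does not exist here means that app is not actually
# exempted on this device (typical when the Intune path was typed for another build).
foreach ($app in @($pref.ControlledFolderAccessAllowedApplications)) {
    if ($app -and -not (Test-Path -LiteralPath $app -PathType Leaf)) {
        Write-Warning "Trusted app path not found on this device: $app"
    }
}

# 2) Policy values as written by Intune. No key = the profile has not reached the device.
if (Test-Path -LiteralPath $policyKey) {
    $policy = Get-ItemProperty -LiteralPath $policyKey
    [pscustomobject]@{
        Source                       = 'Registry (policy)'
        EnableControlledFolderAccess = $policy.EnableControlledFolderAccess
        AllowedApplications          = $policy.AllowedApplications
        ProtectedFolders             = $policy.ProtectedFolders
    } | Format-List

    if ([int]$policy.EnableControlledFolderAccess -ne [int]$pref.EnableControlledFolderAccess) {
        Write-Warning 'Policy value and effective value differ; the device may not have processed the policy yet.'
    }
} else {
    Write-Warning "Policy key not present: $policyKey (profile not applied yet?)"
}
```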
This section will include a few different examples of Controlled Folder Access at work.
1) Microsoft’s Controlled Folder Access test tool, which acts similar to ransomware and attempts to encrypt c:\Demo\testfile_safe.txt. I will use this test tool on both the Windows 10 device previously configured in Intune, as well as a device without Controlled Folder Access protection.
2) Changes to C:\Users\Public\Desktop with both PowerShell and PowerShell ISE. If configured correctly, PowerShell should be able to write to this folder, while PowerShell ISE – and other applications – should be declined. I will also demo this on both the Windows 10 device previously configured in Intune, as well as a device without Controlled Folder Access protection.
Example 1) Demos on a non-protected device.
On the non-configured test device I first created the folder C:\Demo. I downloaded both the file “testfile_safe.txt” and the “ransomware_testfile_unsigned.exe” tool from the Microsoft test site. There were a number of warnings from Windows Defender about the .exe being malware. While it kind of is malware, it is built by Microsoft with a very specific purpose, and for testing it can be trusted. I’ll definitely delete it when I’m done though.
After moving the .txt file to C:\Demo, I ran the .exe. This was allowed, and an audio recording played, stating and repeating “I have encrypted files in your Demo folder and subfolders”. I was also prompted to open a web browser, where this image was displayed:
The test file in C:\Demo was renamed to “testfile_safe.txt.encrypted!” and could not be opened with any software that I had installed. (Note: to decrypt the file when testing is complete, run the “ransomware_testfile_unsigned.exe” again)
Next, on the unprotected device, I ran the following commands:
New-Item -Path C:\Users\Public\Desktop\test1.txt
In PowerShell ISE:
New-Item -Path C:\Users\Public\Desktop\test2.txt
As you can see, both files were created on the desktop.
Example 2) Now for the fun part. Test and validate Controlled Folder Access on the protected machine.
Just like the first device, on the configured test device I first created the folder C:\Demo. I downloaded both the file “testfile_safe.txt” and the “ransomware_testfile_unsigned.exe” tool from the Microsoft test site. Again, there were a number of warnings from Windows Defender about the .exe being malware. It’s cool.
Now for the moment of truth…After moving the .txt file to C:\Demo, I ran the .exe. And…
An audible warning alert tone and Windows Security toast notification!
And the PowerShell test…
New-Item -Path C:\Users\Public\Desktop\test1.txt
In PowerShell ISE:
New-Item -Path C:\Users\Public\Desktop\test2.txt
PowerShell is allowed, because it is defined as a Trusted App. The test1.txt file is created on the desktop.
With ISE however…the command is denied in-console, and another Windows Security pop-up warns the user. Again, this is because ISE is not a Trusted App for this folder.
However, if we use ISE to create a file on the current User’s desktop, the action is allowed because the folder is not defined as a protected folder.
These events are logged in 2 locations. First, and easiest to find, is in the Windows Security center by clicking on the actual pop-up warning. It displays the Protection History for Controlled (Blocked) Folder Access, among other history.
Additionally, in the Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows Defender > Operational. The Event you are looking for is:
1123 = Blocked controlled folder access event
Similar to the Windows Security logging, the event viewer will display the app that was blocked and the folder that was protected, with a date and time stamp.
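The Event Viewer lookup above as a script, added here and not part of the original post: it pulls the blocked events (ID 1123) from the Defender Operational log, summarises which process was blocked from which protected path, and writes a CSV you can collect from the device. Event ID 1124 is the audit-mode counterpart documented by Microsoft and is included so the same script works during an audit-mode evaluation; the output path is an assumption.

```powershell
# Added example (not the post's own code): summarise Controlled Folder Access
# events from the Defender Operational log. Run as an administrator.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124          # 1123 = blocked, 1124 = audited (audit mode)
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No Controlled Folder Access events in the last 7 days.'
    return
}

# Each event carries its details as named EventData fields; read them from the
# event XML rather than parsing the rendered message text.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $data['Process Name']   # the app that tried to write
        Path    = $data['Path']           # the protected file/folder it targeted
        User    = $data['User']
    }
}

# Newest first, then a count per process: frequent entries are either the
# ransomware test tool or a legitimate app that still needs to be trusted.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Assumed collection path; point it at a share or upload it from your tooling.
$out = Join-Path $env:ProgramData "CFA-events-$env:COMPUTERNAME.csv"
$rows | Export-Csv -Path $out -NoTypeInformation
Write-Host "Wrote $($rows.Count) event(s) to $out"
```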
Administrative Remote Monitoring
Without the advanced subscriptions, there are no administrative monitoring, alerting, or reporting solutions. When you configure Controlled Folder Access with Intune, the device user will see a toast notification on-screen when an action is blocked, and the activity is logged in the Event Viewer and Windows 10 security app, but there is no additional reporting to administrative monitoring services. I’m trying to get creative with some ideas though, so keep an eye on this blog for some follow-up.
Controlled Folder Access in Windows 10 and Windows Server 2019 is a relatively easy and built-in (read: FREE) way to protect your Windows devices from ransomware. Some work is needed on an administrator’s part to identify trusted apps and which folders should be protected. But after evaluating your environment and endpoints, this is a relatively sound and robust way to enable protection on your devices.