
How to enable Controlled folder access to protect data from ransomware on Windows 10

On Windows 10, "Controlled folder access" is an intrusion-prevention feature available with Microsoft Defender Exploit Guard, which is part of the Microsoft Defender Antivirus. It's been designed primarily to stop ransomware from encrypting and taking your data hostage, but it also protects files from unwanted changes from other malicious applications.

The anti-ransomware feature is optional on Windows 10. When enabled, it tracks the apps (executable files, scripts, and DLLs) that try to make changes to files in the protected folders. If the app is malicious or not recognized, the feature will block the attempt in real time, and you'll receive a notification of the suspicious activity.

If you want an extra layer of security to safeguard your data, you can enable and customize Controlled folder access using the Windows Security app, Group Policy, and even PowerShell.

In this Windows 10 guide, we walk you through the steps to enable the Controlled folder access feature to prevent ransomware attacks on your device.

How to enable ransomware protection using Security Center

To enable Controlled folder access on Windows 10, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the "Ransomware protection" section, click the Manage ransomware protection option.
  5. Turn on the Controlled folder access toggle switch.

Once you complete the steps, Microsoft Defender Antivirus will start protecting your files and folders from unauthorized access by malicious programs like ransomware.

View block history

To view a list of blocked items by the anti-ransomware solution, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the "Ransomware protection" section, click the Manage ransomware protection option.
  5. Click the Block history option.
  6. Confirm the items that have been blocked.

This is the same protection history page that is available from the main page of Microsoft Defender Antivirus. However, opening it from this area applies a filter that lists only the "Controlled folder access" history.

Add new location for protection

By default, the security feature protects the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. Although it's not possible to modify the default list, if you have files in a different location, you can manually add other paths.

To add a new folder location for protection, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the "Ransomware protection" section, click the Manage ransomware protection option.
  5. Click the Protected folders option.
  6. Click the Add a protected folder button.
  7. Select the new location.
  8. Click the Select Folder button.

After you complete the steps, the anti-ransomware feature will monitor and protect the new locations.

If the storage configuration changes and you need to remove a location, you can follow the same instructions, but on step No. 5, select the location and click the Remove button.

Whitelist apps with Controlled folder access

On Windows 10, Controlled folder access can detect the apps that can safely access your files, but in the case one of the apps you trust is blocked, you'll need to allow the app manually.

To whitelist an app with Controlled folder access, use these steps:

  1. Open Start.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the "Ransomware protection" section, click the Manage ransomware protection option.
  5. Click the Allow an app through Controlled folder access option.
  6. Click the Add an allowed app button.
  7. Select the Recently blocked apps option to whitelist an app you trust that has been flagged as malicious. Or click the Browse all apps option.
  8. Select the app executable (for example, chrome.exe) you want to allow through this feature.
  9. Click the Open button.

Once you complete the steps, the app won't be blocked by the feature, and it'll be able to make changes to files.

How to enable ransomware protection using Group Policy

To enable Windows 10's ransomware protection with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

     Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

     Quick note: If you're still on Windows 10 version 1909 or earlier, the path is slightly different:

     Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure Controlled folder access policy on the right side.
  5. Select the Enabled option.
  6. Under the "Options" section, use the drop-down menu and select the Block option.
  7. Click the Apply button.
  8. Click the OK button.

After you complete the steps, Controlled folder access will be enabled and will start monitoring and protecting your files stored in the default system folders.

The only caveat of using this method is that any future configuration will have to be made through Group Policy. If you open Windows Security, you'll notice the "This setting is managed by your administrator" message, and the Controlled folder access option will appear grayed out.

You can revert the changes using the same instructions, but on step No. 5, select the Not Configured option.

Add new location for protection

If you must protect data located in a different location, you can use the "Configure protected folders" policy to add the new folder.

To include a new location for protection with Controlled folder access, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

     Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure protected folders policy on the right side.
  5. Select the Enabled option.
  6. Under the "Options" section, click the Show button.
  7. Specify the locations you want to protect by entering the path of the folder in the "Value name" field and adding 0 in the "Value" field.

     This example adds the "MyData" folder in the "F" drive for protection:

     F:\MyData

  8. Repeat step No. 7 to add more locations.
  9. Click the OK button.
  10. Click the Apply button.
  11. Click the OK button.

Once you complete the steps, the new folder will be added to the protection list of Controlled folder access.

To revert the changes, use the same instructions, but on step No. 5, select the Not Configured option.

Whitelist apps with Controlled folder access

To whitelist an app through the anti-ransomware feature on Windows 10, use these steps:

  1. Open Start.
  2. Search for gpedit and click the top result to open the Local Group Policy Editor.
  3. Browse the following path:

     Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

  4. Double-click the Configure allowed applications policy on the right side.
  5. Select the Enabled option.
  6. Under the "Options" section, click the Show button.
  7. Specify the location of the .exe file for the app (such as C:\path\to\app\app.exe) you want to allow in the "Value name" field and add 0 in the "Value" field.

     This example allows the Chrome app when Controlled folder access is enabled:

     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

  8. Repeat step No. 7 to add more locations.
  9. Click the OK button.
  10. Click the Apply button.
  11. Click the OK button.

After you complete the steps, the app won't be blocked, and it'll be able to make changes to protected files and folders.

How to enable ransomware protection using PowerShell

Alternatively, you can also enable and configure Controlled folder access using PowerShell commands.

To enable Controlled folder access with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to enable the feature and press Enter:

     Set-MpPreference -EnableControlledFolderAccess Enabled

  4. (Optional) Type the following command to disable the security feature and press Enter:

     Set-MpPreference -EnableControlledFolderAccess Disabled

Once you complete the steps, Controlled folder access will be enabled on your computer to protect files and folders from ransomware attacks.

Add new location for protection

To allow Controlled folder access to protect an additional folder, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to add a new location and press Enter:

     Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\add"

     In the command, make sure to change the path to the folder you want to protect.

     For example, this command adds the "MyData" folder in the "F" drive to the list of protected folders:

     Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\MyData"

  4. (Optional) Type the following command to remove a folder and press Enter:

     Remove-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\remove"

After you complete the steps, the anti-ransomware feature will protect the contents inside the new location.

Whitelist apps with Controlled folder access

To allow an app in Controlled folder access with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and click the Run as administrator option.
  3. Type the following command to allow an app and press Enter:

     Add-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

     In the command, make sure to change the path for the location and executable of the app you want to allow.

     For example, this command adds Chrome to the list of allowed apps:

     Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

  4. (Optional) Type the following command to remove an app and press Enter:

     Remove-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

Once you complete the steps, the app will be allowed to run and make changes to your files when the feature is enabled.
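To confirm what the commands above changed and to find the exact path of an app that needs allowing, the following added example (not part of the original article) reads the current settings with Get-MpPreference and summarizes recent Controlled folder access block events by process. The function names are hypothetical, and the event field names 'Process Name' and 'Path' are assumptions about the Microsoft Defender operational log.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Numeric values reported by Get-MpPreference, mapped to the names Set-MpPreference accepts.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-CfaState {
    # Hypothetical helper: current mode, protected folders, and allowed apps.
    $pref = Get-MpPreference
    $raw  = [int]$pref.EnableControlledFolderAccess
    [pscustomobject]@{
        Mode             = if ($modeNames.ContainsKey($raw)) { $modeNames[$raw] } else { "Other ($raw)" }
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Get-CfaBlockSummary {
    # Hypothetical helper: groups recent block/audit events by the process that triggered them.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124   # 1123 = change blocked, 1124 = change audited (audit mode)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so silence that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event carries named data fields 'Process Name' and 'Path'.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Process = $data['Process Name']   # full path of the app to review
                Target  = $data['Path']           # protected file or folder it touched
            }
        } |
        Group-Object Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'LastTarget'; e = { $_.Group[0].Target } }
}

Get-CfaState | Format-List
Get-CfaBlockSummary -Days 7 | Format-Table -AutoSize
```

Review each process path in the summary before passing it to Add-MpPreference -ControlledFolderAccessAllowedApplications, since every allowed app can modify files in all protected folders.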

Controlled folder access is one of the intrusion-prevention features of the Microsoft Defender Exploit Guard, which is part of the Microsoft Defender Antivirus. This means that the security feature won't be available if you use a third-party antivirus.

Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

17 Comments
  • I tried this as soon as it was available. Problem is when it blocks a file change it produces an alert in the action centre but there's not enough room to display the whole path, so you get a contracted version showing only the beginning and the end. This makes it rather hard to track down what happened and assess the situation (no, clicking on the notification does nothing except clear it). So I've had to switch it off. Nice idea, but poor implementation.
  • I totally agree! It was the first thing I tried right after the Fall Creators Update. The really good thing about this protection is: It really aggressively blocks nearly any access to protected files. And the bad thing is: At the moment, you cannot simply click on the notification and say "Allow this app!". That was also the reason why I disabled this feature for now. It's a really cool feature, but the usability is ugly as hell. (May this be the reason why Microsoft has disabled this feature by default? I think so.)
  • I have had it active for two weeks and MS has clearly not finished the UI for this nor the intelligence for the initial start! I guess that's why this is also a little bit hidden in the settings. There is a workaround for that problem: open the Event Viewer (eventvwr.msc) and make your own view (user-defined view). Select the filter from the following (maybe called something else in English): Application and Services Logs->Microsoft->Windows->Windows-Defender. As Event ID you use 1123 and save the view! Now you can look for every application which was denied write access and where it is stored to put them in the allowed column. People who have this activated should keep that in mind, because a lot of programs don't work properly anymore!!!!!!! For example other browsers than Edge, even IE; you can start Overwatch and play but cannot alter game settings or save a highlight on the hard drive! Nearly every program has to write in this folder at one time. Windows' own MAR-Tool (Nov 2017) failed with the updates.
  • Yes. I wish Mauro had thought to include this. To make this feature usable, you need to create a custom view in the Event Viewer to audit blocked applications, so you can determine the correct file path to add to the whitelist. See the discussion on this page for instructions. https://docs.microsoft.com/en-us/windows/threat-protection/windows-defen...
  • Glad I'm not the only one who found the current implementation more than just a little clumsy.
  • Is the Fall Creators Update available in Asia, Nepal?
  • Pretty poor when you use 7ZIP and get error messages. Need to add 7zip to the allow list - but it is an annoying and too techie process.
  • I really hope they make it smarter over time. I've been using it ever since FCU came out, and it produces dozens of notifications per day. And it's usually stuff like msdiag, cmd, powershell. Also, I failed to whitelist a game once, and it was unable to save, and I lost progress... But hey, at least I'm sure that my laptop is quite virus-proof. It sure is good in blocking *everything*.
  • I tried it but found it far too frustrating in its current form
  • I really want to run with this enabled, but it gives me warnings even for the built in photos app. I know I can allow that, but it's poor user experience when default apps get blocked.
  • Can't even run Adobe Lightroom with it turned on as it thinks the catalog is bad.  Turn it off, and LR runs fine.
  • Did anyone notice the typo in the description under Controlled Folder Access? The word "changed" should be "changes". Opps....
  • And now I can't edit my typo. lol. Should be "Oops...."
  • I tried it, and while attempting to find the path of the file it wouldn't allow the program to write, it caused a BSOD. It is now turned back off permanently.
  • Perhaps you would write a feature about how controlled folder access integrates with OneDrive. Including what, if any, impact it has on sharing a link. Also, if there is a speed impact. Many keep all their data in OneDrive and virtually none on the PC HD/SSD.
  • Only a false assurance...!
  • I am the only user of my PC and yet I am blocked from accessing certain folders (for example: "C:\Program Files\WindowsApps\..."); I was hoping this article would give me access but it didn't. Any other suggestions?
    Thanks in advance to all who reply,
    Dan