Windows 10 has a new security feature designed to protect your files and folders from ransomware, and this guide tells you the steps to enable it.

On Windows 10, "Controlled folder access" is a new intrusion-prevention feature that's part of the Windows Defender Exploit Guard included in the Fall Creators Update.

Controlled folder access is designed primarily to prevent ransomware from encrypting and taking your data hostage, but it also protects files from unwanted changes from other malicious programs.

It's an opt-in feature, and when enabled, it tracks the apps (executable files, scripts, and DLLs) trying to make changes to files in the protected folders. If the app is malicious, or it's not recognized, the feature will block the attempt in real time, and you'll get a notification of the suspicious activity.

If you want to add an extra layer of security to keep your data safe, Controlled folder access can quickly be configured using the updated Windows Defender Security Center dashboard, as well as using Group Policy and PowerShell.

In this Windows 10 guide, we walk you through the steps to enable Controlled folder access using three different methods.

How to enable Controlled folder access using Security Center

The easiest way to enable and configure Controlled folder access is to use the Windows Defender Security Center dashboard. Here's how:

  1. Open Windows Defender Security Center.
  2. Click on Virus & threat protection.
  3. Click the Virus & threat protection settings option.

  4. Turn on the Controlled folder access toggle switch.

Once you complete the steps, Windows Defender Antivirus will continuously protect your files and folders from unauthorized access by malicious programs like ransomware.

Adding new locations

By default, this feature guards the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. While you can't alter the default list of protected folders, if you have files stored in a different location, you can add the new drive or folder path manually. Here's how:

  1. Open Windows Defender Security Center.
  2. Click on Virus & threat protection.
  3. Click the Virus & threat protection settings option.
  4. Under "Controlled folder access," click the Protected folders link.

  5. Click the Add a protected folder button.

  6. Navigate to the new location you want to add and click the Select folder button.

If your storage configuration changes and you need to remove a folder location, you can follow the same steps, but on step No. 5, select the location and click the Remove button.

Allowing specific apps

Controlled folder access should be smart enough to detect which apps can safely access your files, but in the case an app you trust is blocked, you'll need to allow the app manually. This is how to do it:

  1. Open Windows Defender Security Center.
  2. Click on Virus & threat protection.
  3. Click the Virus & threat protection settings option.
  4. Under "Controlled folder access," click the Allow an app through Controlled folder access link.

  5. Click the Add an allowed app button.

  6. Navigate to the new location you want to add and click the Select folder button.

In the case that you no longer want to allow a previously whitelisted app, you can use the same steps, but on step No. 5, select the app you want and click the Remove button.

How to enable Controlled folder access using Group Policy

If you're running Windows 10 Pro or Enterprise, it's also possible to configure Controlled folder access using the Local Group Policy Editor. Here's how:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

  4. On the right side, double-click the Configure Controlled folder access policy.

  5. Select the Enabled option.
  6. Under "Options," select the Block option using the drop-down menu.

  7. Click Apply.
  8. Click OK.

Once you complete the steps, the security feature will guard your files and folders stored in the default locations.

The only caveat of using this method is that any other configuration will have to be changed using Group Policy. If you open Windows Defender Security Center, you'll notice the "This setting is managed by your administrator" message and the Controlled folder access option will appear grayed out.

At any time, you can revert the changes following the same steps, but on step No. 5 select the Not Configured option.

Adding new locations

In the case you must protect files and folders located in a different folder, you can use the "Configure protected folders" policy to add the new location. Just follow these steps:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

  4. On the right side, double-click the Configure protected folders policy.

  5. Select the Enabled option.
  6. Under "Options," click the Show button.
  7. Define the locations you want to protect by entering the path of the folder in the "Value name" field and adding 0 in the "Value" field.

  8. Repeat step No. 7 to add more locations, and then click OK.
  9. Click Apply.
  10. Click OK.

To revert the changes, follow the same steps, but on step No. 5 select the Not Configured option.

Allowing specific apps

When using Group Policy to configure Controlled folder access, you can use the "Configure allowed applications" policy to whitelist apps you trust that are getting blocked. Here's how:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path:

    Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access

  4. On the right side, double-click the Configure allowed applications policy.

  5. Select the Enabled option.
  6. Under "Options," click the Show button.

  7. Define the location of the app's .exe file (such as, D:\path\to\app\app.exe) you want to allow in the "Value name" field and add 0 in the "Value" field.

  8. Repeat step No. 7 to add more locations, and then click OK.
  9. Click Apply.
  10. Click OK.

You can always revert the changes following the same steps, but on step No. 5 select the Not Configured option.

How to enable Controlled folder access using PowerShell

Alternatively, you can also enable and configure Controlled folder access using PowerShell commands. This is how:

  1. Open Start.
  2. Search for Windows PowerShell, right-click the result, and click Run as administrator.
  3. Type the following command to enable the feature and press Enter:

    Set-MpPreference -EnableControlledFolderAccess Enabled

After completing the steps, Controlled folder access will actively monitor your files and folders for unauthorized access, such as from ransomware.

If you want to disable the security feature, you can follow the same instructions, but on step No. 3 use this command:

    Set-MpPreference -EnableControlledFolderAccess Disabled

Adding new locations

To guard files that are not located in the default protected folders, you can use a single PowerShell command to add the new path. Here's how:

  1. Open Start.
  2. Search for Windows PowerShell, right-click the result, and click Run as administrator.
  3. Type the following command to add a new location and press Enter:

    Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\folder\path\to\add"

In the case you want to remove a folder, you can use the same instructions, but on step No. 3 use the following command:

    Remove-MpPreference -ControlledFolderAccessProtectedFolders "D:\folder\path\to\remove"

Allowing specific apps

If you have an app that you know and trust that is getting blocked by Controlled folder access, you can use PowerShell to whitelist the app. Just follow these steps:

  1. Open Start.
  2. Search for Windows PowerShell, right-click the result, and click Run as administrator.
  3. Type the following command to allow an app and press Enter:

    Add-MpPreference -ControlledFolderAccessAllowedApplications "D:\path\to\app\app.exe"

If you have to remove an application, you can use the same instructions, but on step No. 3 use the following command:

    Remove-MpPreference -ControlledFolderAccessAllowedApplications "D:\path\to\app\app.exe"
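The three PowerShell procedures above can be combined into one script. This is an added example, not part of the original guide: it enables the feature, adds folders and apps only when they exist on disk and are not already listed, reads the result back with Get-MpPreference, and lists recent block events (event ID 1123 in the Windows Defender operational log). The folder and app paths are the guide's placeholders and are assumptions; replace them with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify a Controlled folder access configuration.
# The paths below are placeholders (assumptions), not real locations.
$ProtectedFolders = @('D:\folder\path\to\add')
$AllowedApps      = @('D:\path\to\app\app.exe')

# Turn the feature on in block mode, as in step 3 of the guide.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Snapshot the current lists so entries are not added twice.
$current = Get-MpPreference

foreach ($folder in $ProtectedFolders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    if ($current.ControlledFolderAccessProtectedFolders -notcontains $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

foreach ($app in $AllowedApps) {
    # Only allow an executable that is actually present at the full path given;
    # a typo here would otherwise leave a stale allow-list entry behind.
    if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
        Write-Warning "Skipping missing executable: $app"
        continue
    }
    if ($current.ControlledFolderAccessAllowedApplications -notcontains $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

# Read the settings back to confirm what is in effect (1 = Enabled).
$applied = Get-MpPreference
[pscustomobject]@{
    Mode             = $applied.EnableControlledFolderAccess
    ProtectedFolders = $applied.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $applied.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Show recent blocked attempts so you can see which app was stopped and where.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Review the block events before adding an app to the allowed list, so that only executables you recognize end up there.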

Wrapping things up

Controlled folder access is one of the intrusion prevention features of Windows Defender Exploit Guard, which is part of the Windows Defender Antivirus. This means the feature won't be available if you use a third-party antivirus solution.
