Evaluate controlled folder access

Applies to:

  • Windows

Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2022, Windows Server 2019, and client devices running Windows 10 or Windows 11.

It's especially useful in helping protect against ransomware that attempts to encrypt your files and hold them hostage.

This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.

Use audit mode to measure impact

Enable controlled folder access in audit mode to get a record of what would have been blocked if the feature were fully enabled. Test how it behaves in your organization to make sure it doesn't interfere with your line-of-business apps. Audit mode also shows you how many suspicious attempts to modify files typically occur over a given period.

To enable audit mode, use the following PowerShell cmdlet:

Set-MpPreference -EnableControlledFolderAccess AuditMode

Note

  • To see how controlled folder access would work in your organization, use a management tool to deploy it to devices in your network. You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Configuration Manager to configure and deploy the setting, as described in Protect important folders with controlled folder access.

  • If your workflow relies on shared network folders, enabling controlled folder access can noticeably reduce network performance when those folders are accessed by an untrusted process, mainly because of the many queries sent to the file share server. Make sure your file servers are sized for the increased traffic, especially if you use shared network folders for offline files.

  • Some types of endpoint security or asset management software inject code into every process that starts on the system. This can cause controlled folder access to stop trusting known applications such as Office programs. You can see the reason for a controlled folder access detection by using the MDEClientAnalyzer tool's -cfa argument. If you're affected, consider adding an antivirus exclusion for the injecting process, or ask your management software vendor to sign all of their binaries.

Review controlled folder access events in Windows Event Viewer

The following controlled folder access events appear in Windows Event Viewer under the Microsoft/Windows/Windows Defender/Operational folder.

Event ID   Description
5007       Event when settings are changed
1124       Audited controlled folder access event
1123       Blocked controlled folder access event

Tip

You can configure a Windows Event Forwarding subscription to collect the logs centrally.
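As an added illustration (not code from the article), the following PowerShell script enables audit mode with the cmdlet shown above, confirms the setting, and then summarises the 1123/1124 events from the Operational log by process so you can see which line-of-business apps would be affected. Parsing the "Process Name:" and "Path:" fields out of the event message text is an assumption about the message format, and the -Days parameter is this script's own.

```powershell
# Added example (not from the Microsoft article): enable controlled folder access
# in audit mode, then summarise the resulting events so you can see which
# processes would have been blocked and how often. Run in an elevated PowerShell.
# Assumption: the 1123/1124 message text contains "Process Name:" and "Path:" lines.
param(
    [int]$Days = 7   # hypothetical parameter: how far back to look
)

# 1. Put the feature in audit mode (cmdlet and value are from the article).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Confirm the setting took effect. Get-MpPreference reports the numeric
#    value: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$state = (Get-MpPreference).EnableControlledFolderAccess
Write-Host "EnableControlledFolderAccess = $state (2 means AuditMode)"

# 3. Collect the controlled folder access events listed in the article.
#    1124 = audited (would have been blocked), 1123 = blocked, 5007 = settings changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 5007
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# 4. Pull the process and target path out of each audit/block event.
$hits = foreach ($e in ($events | Where-Object { $_.Id -in 1123, 1124 })) {
    $proc = if ($e.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $path = if ($e.Message -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1124) { 'Audited' } else { 'Blocked' }
        Process = $proc
        Path    = $path
    }
}

# 5. Which processes would be affected, and how often? Legitimate line-of-business
#    apps that appear here are candidates for the allowed-apps list.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Settings-change events (5007) show when the mode was switched, which helps when
# correlating a burst of audit events with a configuration change.
$events | Where-Object { $_.Id -eq 5007 } | Select-Object TimeCreated, Message | Format-List
```

If no matching events exist yet, Get-WinEvent returns nothing and the summary table is empty; let the evaluation run for a few days before drawing conclusions.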

Customize protected folders and apps

During your evaluation, you might want to add to the list of protected folders, or allow certain apps to modify files.

See Protect important folders with controlled folder access for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
