This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 16%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
I have Controlled Folder Access set up on a Windows domain in audit mode.
Changes to files on mapped drives (network shares) are not being reported.
The drives are listed in the group policy setting by both drive letter and by FQDN.
I enabled Controlled Folder Access on a test computer and I get no notification or event log entry indicating CFA blocked the attempt.
I have searched high and low, but everyone says mapped drives can be protected by CFA.
Has something changed? Any secret to making this work?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
First of all, it is suggested to confirm that the GPO was applied successfully. You can confirm that by running the following command (run the CMD as administrator):
Gpresult /h c:\report.html
And based on my understanding, the events will be logged only when the apps are suspicious or malicious.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?view=o365-worldwide
Best Regards,
Thanks FanFan
I used rsop.msc to confirm GP is being applied each time I make a change to the GPO.
I have been using Microsoft's CFAtool to trigger event 1124 (CFA in audit mode) in the Windows Defender log.
I get log entries when I use CFAtool to create a test file in controlled folders on C:
But, when I use that same CFAtool to create a test file on a mapped drive (mapped to a network share) I get nothing. I have verified the mapped drive is listed in the rsop.msc results. The format I'm using in the policy is "P:\" and I also entered the FQDN to the network share. If I use the FQDN with the CFAtool I do get a log entry, but not when I use the mapped drive letter.
If possible, would you please share a screenshot of gpresult /h c:\report.html
Best Regards,
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Hi,
When i did more research about it, i find that we need to use the full path of the mapping drives.
Network shares and mapped drives can be protected, but Controlled Folder Access does not support the use of:
Environment Variables
Wildcards
The Windows drive (typically C:)
Seriously, don’t protect the entire Windows drive as Windows will be unable to function correctly and strange behavior will result.
https://labs.portcullis.co.uk/blog/windows-10s-controlled-folder-access-feature/
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 34%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hello,
Did you ever get this to work? I'm having the exact same issue, no matter how I try to "protect" a mapped network drive, it is not protected.
I'm using the CFAtool.exe to test.
All my local folders are protected just fine.
I've tried with:
O:\
O:\Subfolder
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
No, gave up on CFA because #1 it does not protect mapped drives (another forum confirmed this), and #2 every time we want to install any type of exe we need to approve it in group policy, so if another admin fails to install a graphics driver update and CFA becomes a big headache.
Microsoft suggests the use of services on the Windows file server to protect against ransomware, but that involves a massive list of blocked extensions, and every encryption virus could just invent a new one that isn't blocked.
At this point I think a 3rd party solution is the only option to protect systems from ransomware.
Thank you very much for the reply.
My experience so far is also that CFA is just one big headache.. It states it can do something but infact it cannot.
Also they say that "known" applications won't be blocked, I've found this not being the case either.
Even internal "system" processes are being blocked left and right (like searchindexer.exe from system32).
We are going to look into 3rd party solutions for this, seems like there haven't been much development on CFA since they released it.
