Controlled folder access (CFA) demonstration test tool (block script)
Applies to:
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Scenario requirements and setup
- Windows 10 1709 build 16273
- Microsoft Defender Antivirus (active mode)
PowerShell commands
Set-MpPreference -EnableControlledFolderAccess <State>
Rule states
| State | Mode | Numeric value |
|---|---|---|
| Disabled | = Off | 0 |
| Enabled | = Block mode | 1 |
| Audit | = Audit mode | 2 |
Verify configuration
Get-MpPreference
Scenario
Setup
Download and run this setup script. Before running the script set execution policy to Unrestricted using this PowerShell command:
Set-ExecutionPolicy Unrestricted
You can perform these manual steps instead:
- Turn on CFA using PowerShell command:
Set-MpPreference -EnableControlledFolderAccess Enabled
- Download the CFA test tool
- Execute the PowerShell commands above
Scenario: Use the CFA test tool to simulate an untrusted process writing to a protected folder
- Launch CFA test tool
- Select the desired folder and create file
- You can find more information here.
Clean-up
Download and run this cleanup script. You can perform these manual steps instead:
Set-MpPreference -EnableControlledFolderAccess Disabled
See also
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for