Evaluate controlled folder access
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender Antivirus
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients.
It's especially useful in helping protect against ransomware that attempts to encrypt your files and hold them hostage.
This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
Use audit mode to measure impact
Enable controlled folder access in audit mode to see a record of what would occur if the feature were fully enabled. Test how the feature works in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious attempts to modify files generally occur over a certain period of time.
To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -EnableControlledFolderAccess AuditMode
If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.
Review controlled folder access events in Windows Event Viewer
The following controlled folder access events appear in Windows Event Viewer under the Microsoft/Windows/Windows Defender/Operational folder.
- Event when settings are changed
- Audited controlled folder access event
- Blocked controlled folder access event
You can configure a Windows Event Forwarding subscription to collect the logs centrally.
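The following added example (not part of the original article and not Microsoft's code) groups audited and blocked controlled folder access events by the process that triggered them, which gives the list of apps to review before moving from audit mode to enforcement. The event IDs 1124 (audited), 1123 (blocked) and 5007 (settings changed) are Microsoft Defender Antivirus event IDs that the text above does not show; the EventData field names `Process Name` and `Path`, the function names, and the sample events are assumptions or constructed for illustration.

```powershell
# Added example: count controlled folder access (CFA) hits per process.
# 1124 = audited event, 1123 = blocked event in the Defender Operational log.
# Assumption: EventData carries fields named 'Process Name' and 'Path'.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function ConvertFrom-CfaEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Id      = [int]$evt.System['EventID'].InnerText
            Process = if ($data['Process Name']) { $data['Process Name'] } else { '(unknown)' }
            Target  = if ($data['Path']) { $data['Path'] } else { '(unknown)' }
        }
    }
}

function Get-CfaAuditSummary {
    param([string[]]$EventXml)
    # Drop nulls, keep only CFA audit/block events, then count per process and event ID.
    $EventXml | Where-Object { $_ } | ConvertFrom-CfaEventXml | Where-Object Id -in 1123, 1124 |
        Group-Object Process, Id | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                EventId = $_.Group[0].Id
                Process = $_.Group[0].Process
                Targets = ($_.Group.Target | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample events (not real log data) so the example runs offline.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>{0}</EventID></System><EventData>' +
    '<Data Name="Process Name">{1}</Data><Data Name="Path">{2}</Data></EventData></Event>'
$sample = @(
    $template -f 1124, 'C:\LOB\invoice.exe', 'C:\Users\alice\Documents\q3.xlsx'
    $template -f 1124, 'C:\LOB\invoice.exe', 'C:\Users\alice\Documents\q4.xlsx'
    $template -f 1124, 'C:\Tools\sync.exe',  'C:\Users\alice\Pictures\scan.png'
    $template -f 5007, '', ''   # settings-changed event, filtered out of the summary
)
Get-CfaAuditSummary -EventXml $sample | Format-Table -AutoSize

# On a device in audit mode, read the live log instead of $sample.
function Get-CfaLiveEventXml {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1123, 1124 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() }
}
```

On an evaluated device, run `Get-CfaAuditSummary -EventXml (Get-CfaLiveEventXml)` from an elevated PowerShell session to summarize the real events.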
Customize protected folders and apps
During your evaluation, you might want to add to the list of protected folders, or allow certain apps to modify files.
See Protect important folders with controlled folder access for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
- Protect important folders with controlled folder access
- Evaluate Microsoft Defender for Endpoint
- Use audit mode