Configure protected folders


Specify additional folders that should be guarded by the Controlled folder access feature.

Files in these folders cannot be modified or deleted by untrusted applications.

Default system folders are automatically protected. You can configure this setting to add additional folders.
The list of default system folders that are protected is shown in Windows Security.

Enabled:
Specify additional folders that should be protected in the Options section.

Disabled:
No additional folders will be protected.

Not configured:
Same as Disabled.

You can enable controlled folder access in the Configure controlled folder access GP setting.

Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.

Supported on: At least Windows Server, Windows 10 Version 1709

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
Value NameExploitGuard_ControlledFolderAccess_ProtectedFolders
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Enter the folders that should be guarded:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders
Value Name{number}
Value TypeREG_SZ
Default Value

windowsdefender.admx

Administrative Templates (Computers)

Administrative Templates (Users)