Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
- Modify or delete files in protected folders, such as the Documents folder
- Write to disk sectors
You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.
Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.
Block:
The following will be blocked:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
Disabled:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
These attempts will not be recorded in the Windows event log.
Audit Mode:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
Block disk modification only:
The following will be blocked:
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
These attempts will not be recorded in the Windows event log.
Audit disk modification only:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to write to disk sectors
- Attempts by untrusted apps to modify or delete files in protected folders
Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
Attempts to modify or delete files in protected folders will not be recorded.
Not configured:
Same as Disabled.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Value | 0 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Value | 1 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Value | 2 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Value | 3 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
Value Name | EnableControlledFolderAccess |
Value Type | REG_DWORD |
Value | 4 |