Configure Controlled folder access


Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
- Modify or delete files in protected folders, such as the Documents folder
- Write to disk sectors

You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.

Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.

Block:
The following will be blocked:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.


Disabled:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
These attempts will not be recorded in the Windows event log.


Audit Mode:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.


Block disk modification only:
The following will be blocked:
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.

The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
These attempts will not be recorded in the Windows event log.


Audit disk modification only:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to write to disk sectors
- Attempts by untrusted apps to modify or delete files in protected folders
Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
Attempts to modify or delete files in protected folders will not be recorded.

Not configured:
Same as Disabled.

Supported on: At least Windows Server, Windows 10 Version 1709

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
Value NameEnableControlledFolderAccess
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Configure the guard my folders feature


  1. Disable (Default)
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
    Value NameEnableControlledFolderAccess
    Value TypeREG_DWORD
    Value0
  2. Block
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
    Value NameEnableControlledFolderAccess
    Value TypeREG_DWORD
    Value1
  3. Audit Mode
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
    Value NameEnableControlledFolderAccess
    Value TypeREG_DWORD
    Value2
  4. Block disk modification only
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
    Value NameEnableControlledFolderAccess
    Value TypeREG_DWORD
    Value3
  5. Audit disk modification only
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
    Value NameEnableControlledFolderAccess
    Value TypeREG_DWORD
    Value4


windowsdefender.admx

Administrative Templates (Computers)

Administrative Templates (Users)