Controlled folder access (CFA) in Microsoft Defender Antivirus helps protect your valuable data from malicious apps and threats, such as ransomware. It's one of the attack surface reduction capabilities in Microsoft Defender for Endpoint.
Ransomware encrypts your files and holds them hostage. CFA counters this threat by allowing only trusted apps to change files in protected folders. When an untrusted app tries to change a file in a protected folder, CFA blocks the attempt and notifies you.
CFA is based on the following elements:
- Protected folders: The folders that CFA guards. Untrusted apps can't modify or delete files in these folders. CFA protects an unmodifiable set of default system folders, and you can add other folders.
- Trusted apps: The apps that are allowed to change files in protected folders. Microsoft Defender Antivirus assesses every type of executable file (including .exe, .scr, and .dll files) and automatically trusts most apps based on their prevalence and reputation. You can allow other apps that you trust if CFA blocks them.
- Disk sectors: The low-level disk sectors that store the boot record on protected devices. Untrusted apps can't write directly to these sectors. This protection helps block boot-level threats such as bootkits and disk-wiper malware that try to overwrite the boot record. Unlike protected folders and trusted apps, disk sector protection rarely conflicts with everyday apps, so you can apply it on its own. For more information, see Modes for CFA.
When an app with an unknown reputation triggers CFA, the following events happen:
- A pop-up notification appears on the device. For example, Controlled folder access blocked C:\...\ApplicationName... from making changes to memory. You can customize the information in the notification. For more information, see Customize contact information in Windows Security.
- A Protected memory access blocked entry appears on the Protection History page of the Windows Security app on the device.
- The block or audit is recorded as an event that you can monitor.
CFA works best with Microsoft Defender for Endpoint, which provides detailed reporting on events and blocks as part of the usual alert investigation scenarios.
Requirements for CFA
CFA requires Microsoft Defender Antivirus as the primary antivirus app on Windows devices:
Microsoft Defender Antivirus must be enabled and in Active mode. Specifically, it can't be in any of the following modes:
- Passive
- Passive Mode with Endpoint Detection and Response (EDR) in Block Mode
- Limited periodic scanning (LPS)
- Off
For more information about modes in Microsoft Defender Antivirus, see How Microsoft Defender Antivirus affects Defender for Endpoint functionality.
Real-time protection in Microsoft Defender Antivirus must be on.
Although CFA doesn't require Microsoft 365 E5, Microsoft recommends the security capabilities of E5 or equivalent subscriptions to take advantage of the following advanced management capabilities:
- Monitoring, analytics, and workflows in Defender for Endpoint.
- Reporting and configuration capabilities in the Microsoft Defender XDR portal.
Advanced management capabilities aren't available with other licenses (for example, Windows Professional or Microsoft 365 E3). However, you can develop your own monitoring and reporting tools based on the CFA events generated in Windows Event Viewer on each device (for example, Windows Event Forwarding).
To learn more about Windows licensing, see Windows Licensing and get the Microsoft Volume Licensing Reference Guide.
Supported operating systems for CFA
CFA is a Microsoft Defender Antivirus feature available on any edition of Windows that includes Microsoft Defender Antivirus (for example, Windows 11 Home). For the methods you can use to turn it on, see Deployment and configuration methods for CFA.
Centralized management, reporting, and alerting for CFA in Microsoft Defender for Endpoint are available in the following editions and versions of Windows:
- Pro and Enterprise editions of Windows 10 or later.
- Windows Server 2012 R2 or later.
- Azure Local (formerly known as Azure Stack HCI) version 23H2 or later.
Note
CFA is a Windows feature. It isn't available on Linux or macOS devices, even those onboarded to Microsoft Defender for Endpoint.
Modes for CFA
CFA is turned off by default. To use it, you turn it on and select one of the following modes:
| Mode | Code | Description |
|---|---|---|
| Disabled (default) | 0 | CFA is off. All apps can modify or delete files in protected folders and write to disk sectors. |
| Enabled or Block | 1 | Untrusted apps can't modify or delete files in protected folders or write to disk sectors. |
| Audit Mode | 2 | Untrusted apps can modify or delete files in protected folders and write to disk sectors, but these attempts are recorded. Use this mode to assess the effect of CFA on your organization without blocking apps. |
| Block disk modification only | 3 | Untrusted apps are blocked from writing to disk sectors, and these attempts are recorded. Untrusted apps can still modify or delete files in protected folders. |
| Audit disk modification only | 4 | Attempts by untrusted apps to write to disk sectors are recorded. Attempts to modify or delete files in protected folders aren't recorded, and no apps are blocked. |
For the Windows event IDs that each mode generates, see CFA events in Windows Event Viewer.
Microsoft recommends running CFA in Audit Mode first to assess its effect before you move to Enabled (block) mode. By monitoring audit events and allowing the apps your users need, you can enable CFA without reducing productivity.
The Block disk modification only and Audit disk modification only modes act only on writes to the disk sectors that store the boot record. They don't affect files in protected folders. Consider one of these modes in the following scenarios:
- You want to protect the boot record from bootkits and disk-wiper malware, but full protected-folder protection blocks too many of your line-of-business apps or requires too much tuning. Disk sector writes rarely come from legitimate apps, so this protection generates few false positives.
- You already protect user files another way (for example, OneDrive Known Folder Move with versioning, or a separate backup or anti-ransomware control), so you only need the boot record protection that CFA adds.
- You want to limit the performance effect of evaluating file writes, especially for shared network folders.
- You want to roll out protection in stages. For example, you can turn on Block disk modification only in production right away while you run protected-folder protection in Audit Mode and build your list of allowed apps.
Use Audit disk modification only first to confirm that no legitimate software (for example, disk-imaging, backup, encryption, or partitioning tools) writes to disk sectors before you switch to Block disk modification only.
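The staged rollout described above, as an added example that is not code from the Microsoft page: each move to a block mode is gated on the audit events Defender logged in a review window. It assumes an elevated PowerShell session with Microsoft Defender Antivirus active, and uses the CFA event IDs of the Microsoft-Windows-Windows Defender/Operational log (1123 folder block, 1124 folder audit, 1127 sector-write block, 1128 sector-write audit); the message parsing is best-effort.

```powershell
# Added example, not code from the Microsoft page: gate each step of the staged
# rollout on the audit events Defender logged. Assumes an elevated PowerShell session
# with Microsoft Defender Antivirus active. Event IDs are from the
# Microsoft-Windows-Windows Defender/Operational log: 1123 folder block, 1124 folder
# audit, 1127 sector-write block, 1128 sector-write audit.
$CfaLog = 'Microsoft-Windows-Windows Defender/Operational'
$CfaEventKind = @{ 1123 = 'FolderBlock'; 1124 = 'FolderAudit'; 1127 = 'SectorBlock'; 1128 = 'SectorAudit' }

function Get-CfaEventSummary {
    # Count CFA events per kind and originating process over the review window.
    param([int]$Days = 7)
    $filter = @{ LogName = $CfaLog; Id = @($CfaEventKind.Keys); StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Best-effort: the first path ending in .exe in the message is the process CFA acted on.
        $proc = [regex]::Match($_.Message, '[A-Za-z]:\\[^\r\n]+?\.exe').Value
        [pscustomobject]@{ Kind = $CfaEventKind[$_.Id]; Process = $proc }
    } | Group-Object Kind, Process |
        Select-Object @{ n = 'Kind'; e = { $_.Values[0] } }, @{ n = 'Process'; e = { $_.Values[1] } }, Count |
        Sort-Object Kind, Count -Descending
}

function Set-CfaStage {
    # Move to a block mode only after its audit mode produced no unallowed hits
    # in the review window; -Force skips that gate.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AuditDiskModificationOnly', 'BlockDiskModificationOnly', 'AuditMode', 'Enabled')]
        [string]$Mode,
        [int]$ReviewDays = 7,
        [switch]$Force
    )
    $gate = @{ BlockDiskModificationOnly = 'SectorAudit'; Enabled = 'FolderAudit' }
    if ($gate.ContainsKey($Mode) -and -not $Force) {
        $hits = Get-CfaEventSummary -Days $ReviewDays | Where-Object Kind -eq $gate[$Mode]
        if ($hits) {
            $hits | Format-Table -AutoSize | Out-String | Write-Warning
            throw "Unreviewed $($gate[$Mode]) events in the last $ReviewDays days: allow those apps or use -Force."
        }
    }
    Set-MpPreference -EnableControlledFolderAccess $Mode
    (Get-MpPreference).EnableControlledFolderAccess   # mode code 0-4 from the table above
}

# Stage 1: audit sector writes only (mode 4); review with Get-CfaEventSummary.
Set-CfaStage -Mode AuditDiskModificationOnly
# Stage 2, after the review window: Set-CfaStage -Mode BlockDiskModificationOnly (mode 3).
# Stage 3: Set-CfaStage -Mode AuditMode (mode 2), then Set-CfaStage -Mode Enabled (mode 1).
```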
Not every configuration method for CFA supports every mode. The following table shows which modes each deployment and configuration method supports.
| Mode | Intune | Configuration Manager | MDM CSP | Group Policy | PowerShell | Windows Security app |
|---|---|---|---|---|---|---|
| Disabled | Yes | Yes | Yes | Yes | Yes | Yes |
| Enabled (Block) | Yes | Yes | Yes | Yes | Yes | Yes |
| Audit Mode | Yes | Yes | Yes | Yes | Yes | No |
| Block disk modification only | Yes | No | Yes | Yes | Yes | No |
| Audit disk modification only | Yes | No | Yes | Yes | Yes | No |
Deployment and configuration methods for CFA
Microsoft Defender for Endpoint supports CFA but doesn't include a built-in method to deploy the settings to devices. Instead, you use a separate deployment or management tool to create and distribute CFA settings.
The following table summarizes the available methods. For detailed configuration instructions, see Configure CFA.
| Method | Description |
|---|---|
| Microsoft Intune | The recommended method. Configure and deploy CFA to devices by using endpoint security policies. Requires Microsoft Intune. |
| Any MDM solution using the Policy CSP | Use the Windows Policy configuration service provider (CSP) with any mobile device management (MDM) solution. |
| Microsoft Configuration Manager | Configure CFA in a Windows Defender Exploit Guard policy. |
| Group Policy | Use centralized Group Policy to configure and deploy CFA to domain-joined devices, or configure Group Policy locally on individual devices. |
| PowerShell | Configure CFA locally on individual devices. |
| Windows Security app | Configure CFA locally on an individual device. |
Default folders protected by CFA
By default, CFA protects the following locations on Windows devices:
- Hard drive boot sectors
- Windows system folders
- The following folders for system accounts (for example, LocalService, NetworkService, and systemprofile) and user accounts:
  - C:\Users\<username>\Documents
  - C:\Users\<username>\Favorites
  - C:\Users\<username>\Music
  - C:\Users\<username>\Pictures
  - C:\Users\<username>\Videos
  - C:\Users\Public\Documents
  - C:\Users\Public\Music
  - C:\Users\Public\Pictures
  - C:\Users\Public\Videos
Note
The previous paths are the default locations. If a folder is redirected, CFA protects the folder in its redirected location. For example, when OneDrive Known Folder Move backs up your Documents, Pictures, or Desktop folder to C:\Users\<username>\OneDrive - <organization>\, CFA protects the folder in OneDrive. You can't modify the list of default protected folders.
You can use either of the following methods to see the actual list of default protected folders on a Windows device:
- Open the Windows Security app as described in Configure CFA in the Windows Security app. When CFA is turned on, the default folders appear at the bottom of the list.
- In an elevated PowerShell session (a PowerShell window you opened by selecting Run as administrator), run the following command:

```powershell
(Get-MpPreference).ControlledFolderAccessDefaultProtectedFolders
```

The command returns the list of default protected folders only when CFA is turned on.
Add other folders to CFA
Although you can't modify or remove the default folders from protection, you can add more folders to protect. When you add a folder, its subfolders are also protected.
Add folders when you store important data in locations that aren't already covered by the default protected folders.
When you specify more protected folders, keep these points in mind:
- Network shares and mapped drives are supported.
- Environment variables are supported, but wildcards aren't.
- Don't add local share paths (loopbacks) as protected folders. Use the local path instead. For example, if you shared C:\demo as \\mycomputer\demo, use C:\demo, not \\mycomputer\demo.
Note
If your workflow involves shared network folders, enabling CFA can result in significant network performance reduction when an untrusted process accesses the shared network folders, particularly because of many queries to the file share server. Make sure your file servers are optimized for increased network traffic, especially if you use shared network folders for offline files.
For instructions, see Configure CFA.
Allow apps to modify files in protected folders
You can allow specific apps that you trust to make changes to files in protected folders. Allowing an app is useful when CFA blocks a known, trusted app. For instructions, see Configure CFA.
By default, Microsoft Defender Antivirus automatically trusts apps based on their prevalence and reputation, and adds them to the allowed list. The list of automatically trusted apps isn't shown in the Windows Security app or by the associated PowerShell cmdlets. You shouldn't need to add most apps. Add an app only if it's blocked and you can verify that it's trustworthy.
When you add an app, you specify the app's location. Only the app in that location is allowed to access protected folders. If an app with the same name is in a different location, it isn't added to the allowed list and might be blocked.
Unlike protected folders, allowed apps support both environment variables and wildcards (*) in the path. Use wildcards only in the folder portion of the path, not in the app's file name. Wildcards are useful when the executable lives in a folder whose name changes between versions or installations. The following examples show common patterns:
| Pattern | Example | What it allows |
|---|---|---|
| Environment variable | %ProgramFiles%\Contoso\PhotoVault\PhotoVault.exe | A fixed install location, regardless of the system drive letter. |
| Wildcard for a version folder | %ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe | The executable under any version subfolder (for example, 1.2.0 or 1.3.0). |
| Environment variable and wildcard | %LOCALAPPDATA%\Contoso\app-*\resources\helper.exe | Per-update install folders such as app-2.1.7 in the user's profile. |
| Multiple wildcards | %ProgramFiles(x86)%\Adatum\*\Plugins\*\update.exe | An executable nested under more than one variable folder name. |
| Wildcard for randomly named folders | C:\Windows\Temp\*\Setup\installer.exe | An installer that extracts to a randomly named temporary folder. |
Note
Unlike Microsoft Defender Antivirus and attack surface reduction (ASR) rule exclusions, which support only system environment variables, CFA allowed apps also support user environment variables such as %LOCALAPPDATA% and %USERPROFILE%. CFA resolves the path in the context of the user who runs the app.
An allowed app takes effect only when the app or service starts. For example, if you allow an update service that's already running, the update service continues to trigger CFA events until you restart the service.
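The path rules for protected folders (no wildcards, no loopback share paths) and for allowed apps (wildcards only in the folder portion) applied before the lists are changed, as an added example that is not code from the Microsoft page. It assumes an elevated PowerShell session with CFA turned on; the folder and app paths are constructed sample values, and the helper function names are this example's own.

```powershell
# Added example, not code from the Microsoft page: enforce the CFA path rules before
# adding protected folders and allowed apps. Assumes an elevated PowerShell session
# with CFA on. Sample folder and app paths below are constructed.

function Resolve-CfaProtectedFolder {
    # Reject wildcards and replace a loopback share (\\<this computer>\share\...) with its local path.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '[*?]') { throw "Wildcards aren't supported in protected folders: $Path" }
    if ($Path -match '^\\\\([^\\]+)\\([^\\]+)') {
        $server, $share = $Matches[1], $Matches[2]
        if (@($env:COMPUTERNAME, 'localhost', '127.0.0.1', '.') -contains $server) {
            $local = (Get-SmbShare -Name $share -ErrorAction Stop).Path   # share's local folder
            $rest  = $Path.Substring($Matches[0].Length).TrimStart('\')
            return (Join-Path $local $rest)
        }
    }
    return $Path   # remote shares, mapped drives, and local paths pass through unchanged
}

function Test-CfaAllowedAppPath {
    # Wildcards may appear only in the folder portion, never in the executable's file name.
    param([Parameter(Mandatory)][string]$Path)
    $leaf = Split-Path -LiteralPath $Path -Leaf
    if ($leaf -match '[*?]') { throw "Wildcard in the file name isn't allowed: $Path" }
    if ($leaf -notmatch '\.(exe|dll|scr)$') { Write-Warning "Not an executable file name: $leaf" }
    return $Path
}

# Constructed sample values (the first one is a loopback share that gets rewritten).
$folders = @(('\\{0}\demo\Reports' -f $env:COMPUTERNAME), '%USERPROFILE%\Projects', 'D:\Finance')
$apps = @('%ProgramFiles%\Contoso\PhotoVault\PhotoVault.exe',
          '%ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe')

Add-MpPreference -ControlledFolderAccessProtectedFolders ($folders | ForEach-Object { Resolve-CfaProtectedFolder $_ })
Add-MpPreference -ControlledFolderAccessAllowedApplications ($apps | ForEach-Object { Test-CfaAllowedAppPath $_ })

# Review the effective lists; the automatically trusted apps are not shown here.
$pref = Get-MpPreference
$pref.ControlledFolderAccessProtectedFolders
$pref.ControlledFolderAccessAllowedApplications
```

Remember that an allowed app only takes effect when the app or service next starts, so restart an already running service after adding it.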
You can also use Microsoft Defender for Endpoint indicators of compromise (IoCs) to allow signed executable files to access protected folders. For more information, see Create indicators based on certificates.
Note
Script engines like PowerShell aren't trusted by CFA, even if you create an "allow" indicator by using indicators of compromise (IoCs). The only way to allow script engines to modify protected folders is by adding them as an allowed app for CFA. For instructions, see Configure CFA.
Monitor CFA activity
For complete information, see Monitor attack surface reduction (ASR) rule activity.