Configure controlled folder access (CFA)

Controlled folder access (CFA) helps protect your valuable data from malicious apps and threats, such as ransomware, by preventing untrusted apps from changing files in protected folders. You can enable and configure CFA by using any of the methods in this article.

For best results, use an enterprise-level management solution such as Microsoft Intune or Microsoft Configuration Manager to manage CFA.

Prerequisites

CFA is available in the following operating systems:

Configure CFA in Intune using endpoint security policies

Microsoft Intune is the recommended tool for configuring and distributing Defender for Endpoint features to devices. However, Intune is a separate product that isn't part of Defender for Endpoint, and it isn't included in all subscriptions. To use Intune, you need a subscription that includes it, or you can buy it separately as a standalone subscription or add-on. If you don't have Intune, you can use any of the other methods in this article. For more information, see Microsoft Intune licensing.

In Intune, endpoint security policies are the recommended method to deploy CFA.

To configure CFA using a Microsoft Intune Endpoint Security Attack surface reduction policy, see Create an endpoint security policy in the Intune documentation. When creating the policy, use these settings:

  • Policy type: Attack surface reduction
  • Platform: Windows
  • Profile: Attack Surface Reduction Rules
  • Configuration settings: After you configure the attack surface reduction (ASR) rules settings, configure the following CFA settings:
    • Enable controlled folder access: Select an available mode value. After you assess the effect of CFA in Audit Mode, you can set it to Enabled.

    • Controlled folder access protected folders: To add more folders that get CFA protection, use either of the following methods:

      • Select Add. In the box that appears, enter the path to include. For example:

        • C:\Data\Reports
        • C:\Data\Finance
      • Select Import to import a CSV file that contains the paths to include. The CSV file uses the following format:

        ControlledFolderAccessProtectedFolders
        "C:\folder1"
        "C:\folder2"
        ...
        

        Tip

        Double quotation marks around the values are optional; if you include them, they're stripped and don't become part of the value. Don't use single quotation marks around the values.

    • Controlled folder access allowed applications: To specify apps that are allowed to make changes to files in protected folders, use the same Add or Import methods described for Controlled folder access protected folders, specifying the path and file name of each app.

      The CSV file uses the following format:

      ControlledFolderAccessAllowedApplications
      "C:\Apps\app1.exe"
      "%ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe"
      ...
      

      The path of each app can include environment variables and wildcards, as described in Allow apps to modify files in protected folders.

For more information about attack surface reduction profiles in Microsoft Intune, see Manage attack surface reduction settings with Microsoft Intune.

Configure CFA in any MDM solution using the Policy CSP

The Policy configuration service provider (CSP) enables enterprise organizations to configure CFA on Windows devices using any mobile device management (MDM) solution, not just Microsoft Intune. For more information, see Policy CSP.

Use the following CSPs from the Policy CSP - Defender area to configure CFA.

Enable CFA using the Policy CSP

Use the EnableControlledFolderAccess CSP to configure CFA and select the protection mode.

OMA-URI path: ./Device/Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess
Value: Enter one of the following mode values:

  • 0: Disabled (default).
  • 1: Enabled (block).
  • 2: Audit Mode.
  • 3: Block disk modification only.
  • 4: Audit disk modification only.

Add folders to protected folders using the Policy CSP

CFA protects an unmodifiable list of common system folders. To add more folders that get CFA protection, use the ControlledFolderAccessProtectedFolders CSP:

OMA-URI path: ./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders
Value: Enter one or more folder paths separated by the pipe (|) character.

For example, C:\Data\Reports|C:\Data\Finance.

Allow apps to modify files in protected folders using the Policy CSP

Use the ControlledFolderAccessAllowedApplications CSP to allow more apps to make changes to files in protected folders.

OMA-URI path: ./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications
Value: Enter one or more app paths separated by the pipe (|) character. The path of each app can include environment variables and wildcards, as described in Allow apps to modify files in protected folders.

For example, C:\Apps\app1.exe|%ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe

Configure CFA in Microsoft Configuration Manager

In Microsoft Configuration Manager, you configure CFA in a Windows Defender Exploit Guard policy. For instructions, see the CFA information in Create and deploy an Exploit Guard policy.

Note

For considerations when you add protected folders or allow apps (such as wildcard support and the requirement to restart allowed apps), see Add other folders to CFA and Allow apps to modify files in protected folders.

Configure CFA in Group Policy

  1. On your Group Policy management computer, open the Group Policy Management Console (GPMC).

  2. In the GPMC console tree, expand Group Policy Objects in the forest and domain containing the GPO you want to edit.

  3. Right-click the GPO, and then select Edit.

  4. In the Group Policy Management Editor, go to Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access.

  5. In the details pane of Controlled Folder Access, the available settings are:

    To open and configure a CFA setting, use any of the following methods:

    • Double-click the setting.
    • Right-click the setting, and then select Edit.
    • Select the setting, and then select Action > Edit.

Tip

You can also configure Group Policy locally on individual devices by using the Local Group Policy Editor (gpedit.msc). Navigate to the same path: Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access.

The available settings are described in the following subsections.

Important

Quotation marks, leading spaces, trailing spaces, and extra characters aren't supported in any of the CFA values in Group Policy.

Enable CFA in Group Policy

  1. In the details pane of Controlled Folder Access, open the Configure controlled folder access setting.

  2. In the setting window that opens, configure the following options:

    1. Select Enabled.
    2. Configure the guard my folders feature: Select one of the following mode values:
      • Disable (Default)
      • Block
      • Audit Mode
      • Block disk modification only
      • Audit disk modification only

    Screenshot shows the group policy option enabled and Audit Mode selected.

Important

To fully enable CFA, you must set the Group Policy option to Enabled and select Block in the options drop-down menu.

Add folders to protected folders in Group Policy

  1. In the details pane of Controlled Folder Access, open the Configure protected folders setting.

    1. Select Enabled.
    2. Enter the folders that should be guarded: Select Show....
    3. In the setting window that opens, configure the following options:
      • Value name: Enter the path to include in CFA protection.
      • Value: Enter the value 0.

    Repeat this step as many times as necessary. When you're finished, select OK.

    For considerations when you add folders (such as support for network shares, mapped drives, and environment variables), see Add other folders to CFA.

Allow apps to modify files in protected folders in Group Policy

  1. In the details pane of Controlled Folder Access, open the Configure allowed applications setting.

    1. Select Enabled.
    2. Enter the applications that should be trusted: Select Show....
    3. In the setting window that opens, configure the following options:
      • Value name: Enter the path and file name of the application that's allowed to make changes to files in protected folders.
      • Value: Enter the value 0.

    Repeat this step as many times as necessary. When you're finished, select OK.

    For considerations when you allow apps (such as wildcard support and the requirement to restart allowed apps), see Allow apps to modify files in protected folders.

Enable and configure CFA in PowerShell

On the target device, run the commands in this section from an elevated PowerShell session (a PowerShell window you opened by selecting Run as administrator).

To turn on CFA and select the protection mode, use the following command:

Set-MpPreference -EnableControlledFolderAccess <Mode>

Valid values for the EnableControlledFolderAccess parameter are:

  • 0 or Disabled (default)
  • 1 or Enabled
  • 2 or AuditMode
  • 3 or BlockDiskModificationOnly
  • 4 or AuditDiskModificationOnly

To see the existing CFA mode on the device, run the following command:

Get-MpPreference | Format-Table EnableControlledFolderAccess

Note

  • In the following subsections, Set-MpPreference overwrites any existing protected folders or allowed apps with the values you specify. To see the list of existing values, run the following commands in an elevated PowerShell session:

    $cfa = Get-MpPreference
    "ProtectedFolders:"; "-"*25
    $cfa.ControlledFolderAccessProtectedFolders | Sort-Object
    "`n`n"
    "AllowedApplications:"; "-"*25
    $cfa.ControlledFolderAccessAllowedApplications | Sort-Object
    

    To add other folders or allowed apps to CFA without affecting any existing values, use the Add-MpPreference cmdlet. To remove the specified folders or allowed apps from CFA without affecting other existing values, use the Remove-MpPreference cmdlet. The command syntax is identical for the three cmdlets.

  • The protected folders and allowed apps take effect only when CFA is turned on (the EnableControlledFolderAccess value isn't 0 or Disabled).

Add folders to protected folders in PowerShell

To add more folders for CFA to protect, use the following syntax in an elevated PowerShell session:

<Add-MpPreference | Set-MpPreference | Remove-MpPreference> -ControlledFolderAccessProtectedFolders "<Path1>","<Path2>",..."<PathN>"

The following example adds the specified folders to the existing list of protected folders:

Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Folder1","C:\Folder2"

Allow apps to modify files in protected folders in PowerShell

To add allowed apps that can make changes to files in protected folders, use the following syntax in an elevated PowerShell session:

<Add-MpPreference | Set-MpPreference | Remove-MpPreference> -ControlledFolderAccessAllowedApplications "<PathAndFilename1>","<PathAndFilename2>",..."<PathAndFilenameN>"

The following example replaces any existing allowed apps with the specified apps. The path can include environment variables and wildcards, as described in Allow apps to modify files in protected folders:

Set-MpPreference -ControlledFolderAccessAllowedApplications "C:\Apps\app1.exe","%ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe"
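The following script ties the PowerShell steps above together in a form that is safe to rerun: it records the current state, merges new folders and apps with Add-MpPreference instead of replacing them with Set-MpPreference, turns the mode on last, verifies the result, and lists the CFA block and audit events (IDs 1123 and 1124 in the Windows Defender operational log) that you review while assessing Audit Mode. This is an added example, not code from the Microsoft documentation; the folder and app paths are constructed placeholders.

```powershell
# Added example (not from the Microsoft docs page): idempotent CFA configuration with a
# before/after check. Folder and app paths are constructed placeholders; replace them.
#Requires -RunAsAdministrator

$wantedMode    = 'AuditMode'    # assess the effect first, then change to 'Enabled'
$wantedFolders = @('C:\Data\Reports', 'C:\Data\Finance')
$wantedApps    = @('C:\Apps\app1.exe', '%ProgramFiles%\Fabrikam\DriveManager\*\DriveService.exe')

function Get-CfaState {
    # Snapshot of the three CFA settings; the lists are $null until something is configured.
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode    = $p.EnableControlledFolderAccess
        Folders = @($p.ControlledFolderAccessProtectedFolders)
        Apps    = @($p.ControlledFolderAccessAllowedApplications)
    }
}

$before = Get-CfaState
Write-Host "Before: mode=$($before.Mode) folders=$($before.Folders.Count) apps=$($before.Apps.Count)"

# Add-MpPreference merges with the existing lists; Set-MpPreference would overwrite them.
# Only entries that are missing are added, so the script can run repeatedly without side effects.
$newFolders = @($wantedFolders | Where-Object { $before.Folders -notcontains $_ })
if ($newFolders.Count -gt 0) { Add-MpPreference -ControlledFolderAccessProtectedFolders $newFolders }

$newApps = @($wantedApps | Where-Object { $before.Apps -notcontains $_ })
if ($newApps.Count -gt 0) { Add-MpPreference -ControlledFolderAccessAllowedApplications $newApps }

# Set the mode last: protected folders and allowed apps only take effect when CFA isn't Disabled.
Set-MpPreference -EnableControlledFolderAccess $wantedMode

$after   = Get-CfaState
$applied = $after.Folders + $after.Apps
$missing = @(($wantedFolders + $wantedApps) | Where-Object { $applied -notcontains $_ })
if ($missing.Count -gt 0) { Write-Warning "Not applied: $($missing -join ', ')" }
else { Write-Host "CFA configured: mode=$($after.Mode)" }

# While in Audit Mode, event 1124 records what CFA would have blocked; 1123 is an actual block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```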

Configure CFA in the Windows Security app

You can use the Windows Security app on individual devices to configure CFA. This method is useful for testing or for configuring a single device. To configure CFA on many devices, use one of the enterprise management methods described earlier in this article.

Note

The Windows Security app supports only On (equivalent to the Enabled mode) and Off (the Disabled mode). To use Audit Mode or the disk modification modes, use one of the other methods described in this article.

  1. In the Windows Security app on the device, go to Virus & threat protection.

  2. In the Virus & threat protection pane, in the Virus & threat protection settings section, select Manage settings.

  3. In the Virus & threat protection pane, in the Controlled folder access section, select Manage controlled folder access.

  4. In the Ransomware protection pane, the following settings are available in the Controlled folder access section:

    * This setting is available only when CFA is turned on.

The available settings are described in the following subsections.

Enable CFA in the Windows Security app

  1. In the Controlled folder access section on the Ransomware protection pane, slide the toggle to On.

  2. Select Yes in the User Account Control prompt.

    If you previously specified protected folders and allowed apps before you disabled CFA, you're asked to confirm whether you want to keep those values.

Add folders to protected folders in the Windows Security app

  1. In the Controlled folder access section on the Ransomware protection pane, select Protected folders.
  2. Select Yes on the User Account Control prompt.
  3. In the pane that opens, select + Add a protected folder, and then find and select the folder. Repeat this step as many times as necessary.

Allow apps to modify files in protected folders in the Windows Security app

  1. In the Controlled folder access section on the Ransomware protection pane, select Allow an app through Controlled folder access.

  2. Select Yes on the User Account Control prompt.

  3. In the Allow an app through the Controlled folder access pane, select + Add an allowed app, and then select one of the following values:

    • Recently blocked apps: In the Recently blocked apps dialog that opens, select an app from the list of recently blocked apps.

      If no recently blocked apps are shown, select Browse all apps to find and select the .exe or .com file to add.

    • Browse all apps: Find and select the .exe or .com file to add.

    Repeat this step as many times as necessary.