
Enable Controlled Folder Access & Whitelist Apps to Protect Against Ransomware (Win10/11)

Difficulty: Intermediate | Time Required: 15 minutes

Introduction

Ransomware encrypts or locks your files and demands payment to restore them. Controlled Folder Access (CFA) is a built‑in Windows Defender (Microsoft Defender) feature that helps protect important folders from unauthorized changes by untrusted or malicious apps. When turned on, CFA blocks apps that try to change files in protected folders unless those apps are explicitly allowed (whitelisted). This tutorial shows how to enable CFA and safely add trusted apps so your workflow isn’t interrupted.
Supported Windows versions
  • Windows 10 (Fall Creators Update / version 1709 and later)
  • Windows 11 (all current builds)
    Note: CFA is part of Microsoft Defender (Windows Security). If you run third‑party antivirus, CFA may be disabled or unavailable.
Prerequisites
  • Administrator rights (recommended) for some changes and PowerShell commands.
  • Microsoft Defender (Windows Security) enabled with real‑time protection ON. CFA requires real‑time protection to function.
  • Backup of your important data (always recommended before changing security settings).

Step‑by‑step instructions (GUI)

  1. Open Windows Security
    • Windows 10: Start > Settings > Update & Security > Windows Security > Open Windows Security
    • Windows 11: Start > Settings > Privacy & security > Windows Security > Open Windows Security
    • Or simply press Start, type “Windows Security”, and press Enter.
  2. Go to Ransomware protection
    • In Windows Security, click “Virus & threat protection”.
    • Scroll to “Ransomware protection” and click “Manage ransomware protection”.
  3. Turn on Controlled folder access
    • Under “Controlled folder access”, toggle the switch to On.
    • If the toggle is greyed out, see Troubleshooting below.
  4. Add protected folders (optional)
    • Click “Protected folders”.
    • By default Windows protects common user folders (Documents, Pictures, Desktop, etc.). To protect additional folders, click “Add a protected folder” and navigate to the folder you want to include (e.g., a folder on an external drive or a project folder).
  5. Whitelist (allow) trusted apps
    • Back at the Ransomware protection page, click “Allow an app through Controlled folder access”.
    • Click “Add an allowed app” → “Browse all apps”.
    • Navigate to the executable (.exe) of the trusted app, select it, and click Open. The app is now allowed to make changes in protected folders.
  6. Verify block history and allow blocked apps
    • If an app is blocked while you’re working, go to Ransomware protection and click “Review blocked apps”.
    • If a legitimate app is listed, click it and choose “Allow on device”.

Step‑by‑step instructions (PowerShell)

For power users or admins who prefer command line:
  1. Open PowerShell as Administrator (Right‑click Start > Windows Terminal (Admin) or PowerShell (Admin)).
  2. Enable Controlled Folder Access:
    • Set-MpPreference -EnableControlledFolderAccess Enabled
  3. Add a protected folder:
    • Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\ImportantProjects"
  4. Whitelist an application:
    • Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\myapp.exe"
  5. Check status or see lists:
    • Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
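
The steps above combined into one script, as an added example that is not part of the original tutorial: it checks the real‑time protection prerequisite first, adds only folders that exist and are not yet listed, and reads the setting back. The function name Enable-CfaWithPreflight is hypothetical; the folder path is the sample path used in step 3.

```powershell
#Requires -RunAsAdministrator
# Added example. Enable-CfaWithPreflight is a hypothetical helper name.
function Enable-CfaWithPreflight {
    param([string[]]$ProtectedFolders = @())

    # CFA needs Microsoft Defender active with real-time protection on.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
        throw "Defender real-time protection is off (running mode: $($status.AMRunningMode)); CFA will not function."
    }

    Set-MpPreference -EnableControlledFolderAccess Enabled

    # Add only folders that exist and are not already on the protected list.
    $current = @((Get-MpPreference).ControlledFolderAccessProtectedFolders)
    foreach ($folder in $ProtectedFolders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Skipping missing folder: $folder"
            continue
        }
        if ($current -notcontains $folder) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }

    # Read the state back: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    $pref = Get-MpPreference
    if ($pref.EnableControlledFolderAccess -ne 1) {
        Write-Warning "CFA state is $($pref.EnableControlledFolderAccess), not 1; Group Policy or MDM may control this setting."
    }

    [pscustomobject]@{
        CfaState         = $pref.EnableControlledFolderAccess
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
        AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
    }
}

# Sample path from step 3 of the tutorial.
Enable-CfaWithPreflight -ProtectedFolders 'C:\ImportantProjects'
```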

Tips, notes, and warnings

  • Tip: Start by protecting only your most important folders (Documents, Desktop, Pictures) and a test folder. This helps avoid productivity interruptions while you build your whitelist.
  • Warning: When CFA is enabled, some legitimate apps (backup tools, older utilities, installers, some plugins) may be blocked from saving files. If a required app is blocked, add it to the allowed list or remove the folder it writes to from the protected folders list (not recommended for sensitive folders).
  • Note on cloud sync: OneDrive and other sync clients typically work fine, but if you see issues, add the sync client executable to the allowed apps list.
  • Note on third‑party antivirus: If you use non‑Microsoft AV, CFA may be disabled automatically by Windows or conflict with your AV vendor. Check your AV documentation; some vendors provide their own ransomware protection.
  • Note on UAC & admin rights: Some whitelist and system changes require administrator privileges.
  • Tip: Use “Review blocked apps” to quickly see which programs were blocked recently — that’s often the fastest way to create the right whitelist entry.
  • Security tip: Whitelisting an app gives it broad permission for protected folders. Only whitelist trusted, signed executables and avoid whitelisting entire folders unless absolutely necessary.
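
A scripted version of the last two tips, as an added example that is not part of the original tutorial: it lists the processes CFA blocked in the past week from the Microsoft Defender operational log (event ID 1123 = blocked, 1124 = audited) and shows each one's Authenticode signature status so you can decide what to allow. The EventData field names 'Process Name' and 'Path' are assumptions about the event layout; confirm them against one event on your build.

```powershell
# Added example: summarize CFA block events and check signatures before allowing.
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$filter  = @{ LogName = $logName; Id = 1123, 1124; StartTime = (Get-Date).AddDays(-7) }
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Turn each event's EventData into a name/value table.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Process = $data['Process Name']   # assumed field name: blocked executable
        Target  = $data['Path']           # assumed field name: file or folder touched
        EventId = $e.Id
    }
}

$allowed = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)

$report = $rows | Where-Object Process | Group-Object Process | ForEach-Object {
    $exe = $_.Name
    $sig = if (Test-Path -LiteralPath $exe) {
        Get-AuthenticodeSignature -LiteralPath $exe
    } else { $null }

    [pscustomobject]@{
        Process        = $exe
        Events         = $_.Count
        Signature      = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        AlreadyAllowed = $allowed -contains $exe
    }
}

$report | Sort-Object Events -Descending | Format-Table -AutoSize -Wrap

# Nothing is allowed automatically. After reviewing a row with Signature = Valid
# and a signer you recognize, allow it with the tutorial's own command:
#   Add-MpPreference -ControlledFolderAccessAllowedApplications '<full path from the Process column>'
```

Rows with a Signature of NotSigned, HashMismatch or FileMissing deserve a closer look before they go anywhere near the allowed list.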

Troubleshooting

  • Toggle is greyed out:
    • Confirm Microsoft Defender’s real‑time protection is on.
    • Check if group policy or an enterprise management solution (Intune, SCCM) controls CFA settings.
    • Third‑party AV may have disabled CFA — temporarily disable/uninstall it to test or consult the AV vendor.
  • Legitimate app still blocked after whitelisting:
    • Ensure you added the correct .exe path (some apps spawn child processes or use helpers in different folders — you may need to add those too).
    • Check “Block history” to see exact process name and path that was blocked, then allow that path.
  • Need to disable CFA temporarily:
    • Use the toggle in Windows Security or run: Set-MpPreference -EnableControlledFolderAccess Disabled
    • Only disable briefly for troubleshooting; re‑enable as soon as possible.
  • For enterprise admins:
    • Controlled Folder Access can be managed via Group Policy or Intune (look under Microsoft Defender Antivirus / Exploit Guard settings). Use PowerShell for scripting rollout.

Conclusion

Controlled Folder Access is a powerful, low‑cost layer of defense against ransomware that comes built into Windows 10/11. In about 15 minutes you can enable CFA, protect your important folders, and whitelist trusted apps to ensure your work continues uninterrupted. Combined with good backups, updated software, and cautious email/file handling, CFA significantly reduces the chance that ransomware will encrypt your files.
Key Takeaways:
  • Controlled Folder Access prevents untrusted apps from modifying files in protected folders.
  • Available on Windows 10 (1709+) and Windows 11 via Windows Security (Microsoft Defender).
  • You must enable CFA and then whitelist trusted executables that need access.
  • Use PowerShell or the GUI for configuration; check Block History to adjust quickly.
  • Always keep backups and test whitelisting to avoid workflow disruptions.

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.