Updated: Mar 23
Controlled Folder Access (CFA) is a security feature in Windows 10 that helps protect your important files and folders from unauthorized access, modification, and encryption by malicious software, such as ransomware. In this article, we will guide you on how to configure Controlled Folder Access in Windows 10/11.
CFA works by monitoring the changes made to files and folders in the protected locations and allows only trusted apps to access and modify them. Any unauthorized access attempt or suspicious activity is blocked, and a notification is displayed to the user to take action.
By default, the feature is turned off, but you can enable it through the Windows Defender Security Center or by using Group Policy or PowerShell. Once enabled, you can add folders to the list of protected locations, or allow apps that you trust to access the protected folders.
CFA is a useful security feature that can help protect your files and folders from malware attacks, but it may also cause issues with some apps or programs that need to access the protected folders. In such cases, you may need to add exceptions or disable the feature temporarily to allow the apps to function properly.
How to configure Controlled Folder Access in Windows 10/11
There are two methods to configure Controlled Folder Access:
Using Local Group Policy Editor
Using PowerShell
Method 1: Configure Controlled Folder Access using Local Group Policy Editor
To configure Controlled Folder Access using Group Policy, you first need to enable this feature.
When Controlled folder access is enabled, the basic folders are added by default. To protect data stored in a different location, use the Configure protected folders policy to add the new folder. Follow the steps below:
STEP 1: Press the Windows key + R. Type gpedit.msc and hit Enter.
STEP 2: Inside the Local Group Policy Editor, use the left pane to navigate to the path below:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
STEP 3: Double-click the Configure protected folders policy on the right pane to edit its properties.
STEP 4: Select the Enabled radio button.
STEP 5: Under the Options section, click the Show button.
STEP 6: Specify each location you want to protect by entering the folder path (e.g., F:\MyData) in the Value name field and 0 in the Value field. Repeat this step to add more locations. Click the OK button.
STEP 7: Click the OK button followed by Apply.
The new folder(s) will now be added to the protection list of Controlled folder access. To revert the changes, follow the instructions above, but select the Not Configured or Disabled option.
Method 2: Configure Controlled Folder Access using PowerShell
To configure Controlled Folder Access using PowerShell, you first need to enable the feature. Once done, you can proceed to configure the following:
STEP 1: Open PowerShell and select "run as administrator".
STEP 2: Now, type in the command below and hit Enter.
Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\add"
STEP 3: In the command, substitute the F:\folder\path\to\add placeholder with the actual path of the folder you want to protect. For example, your command should look like the following:
Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\MyData"
STEP 4: To remove a folder, type the command below and hit Enter:
Remove-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\remove"
STEP 5: To remove an app from the list of allowed apps, type the command below and hit Enter:
Remove-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"
STEP 6: Close the PowerShell Window and restart your PC to apply the changes.
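The PowerShell steps above combined into one script, as an added example that is not part of the original article: it turns the feature on, adds folders and allowed apps only if they are not already listed, reads the configuration back, and lists recent Controlled Folder Access block/audit events so you can see which apps may need an exception. F:\MyData and the app path are the article's sample values and stand in for your own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Sample values: F:\MyData is the article's example folder; the app path is a placeholder.
$folders     = @('F:\MyData')
$allowedApps = @('F:\path\to\app\app.exe')

# Turn the feature on. Use 'AuditMode' instead to log would-be blocks without enforcing them.
Set-MpPreference -EnableControlledFolderAccess Enabled

$pref = Get-MpPreference

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping '$folder': folder not found (check for a typo)."
        continue
    }
    # -notcontains is case-insensitive, so re-running the script does not add duplicates.
    if ($pref.ControlledFolderAccessProtectedFolders -notcontains $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

foreach ($app in $allowedApps) {
    if ($pref.ControlledFolderAccessAllowedApplications -notcontains $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

# Read the configuration back to confirm what is actually in effect.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref  = Get-MpPreference
[pscustomobject]@{
    Mode             = $modes[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Event 1123 = access blocked, 1124 = access audited (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```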