Add or Remove Allowed Apps for Controlled Folder Access in Windows 10  

Page 1 of 2 12 LastLast
    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10

    How to Add or Remove Allowed Apps through Controlled Folder Access in Windows 10
    Published by Category: Security System
    23 Jun 2020
    Designer Media Ltd

    How to Add or Remove Allowed Apps through Controlled Folder Access in Windows 10


    Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Microsoft Defender Antivirus.

    Starting with Windows 10 build 16232, Controlled folder access is introduced in Microsoft Defender Antivirus.

    When Controlled folder access is turned on, it helps you protect valuable data from malicious apps and threats, such as ransomware.

    You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature.

    By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.

    When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access.

    For more details about Controlled folder access, see:

    This tutorial will show you how to add and remove if specific apps are allowed through the Controlled folder access feature of Windows Defender Exploit Guard in Windows 10.

    You must be signed in as an administrator to add or remove an allowed app through Controlled folder access.



    Contents

    • Option One: Add an Allowed App through Controlled Folder Access in Windows Defender Security Center
    • Option Two: Remove Allowed App from Controlled Folder Access in Windows Defender Security Center
    • Option Three: Add an Allowed App through Controlled Folder Access in PowerShell
    • Option Four: Remove Allowed App from Controlled Folder Access in PowerShell
    • Option Five: Configure Allowed Apps Policy for Controlled Folder Access in Local Group Policy Editor
    • Option Six: Configure Allowed Apps Policy for Controlled Folder Access in Registry Editor






    OPTION ONE

    Add an Allowed App through Controlled Folder Access in Windows Defender Security Center


    The list of allowed apps is stored in the registry key below.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications


    1 Open Windows Security, and click/tap on the Virus & threat protection icon. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-1.jpg

    2 Click/tap on the Manage ransomware protection link under the Ransomware protection section. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-2.jpg

    3 Click/tap on the Allow an app through Controlled folder access link. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-3.jpg

    4 Click/tap on Yes when prompted by UAC to approve.

    5 Click/tap on Add an allowed app, and click/tap on Browse all apps (build 17704 and later). (see screenshot below)

    Starting with Windows 10 build 17704, when an app is blocked, it will appear in a recently blocked apps list. Click/tap on the plus Add an allowed app button and choose Recently blocked apps. Select any of the apps to add them to the allowed list. You can also Browse all apps from this page as well to manually add a selected app.

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-4.jpg

    6 Navigate to and select the app (ex: "notepad.exe") you want to allow through Controlled folder access, and click/tap on Open. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-5.png

    7 When finished adding apps, you can close Windows Defender Security Center if you like. (see screenshot below)

    Sometimes you may need to restart the computer to apply.

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-6.jpg






    OPTION TWO

    Remove Allowed App from Controlled Folder Access in Windows Defender Security Center


    1 Open Windows Security, and click/tap on the Virus & threat protection icon. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-1.jpg

    2 Click/tap on the Manage ransomware protection link under the Ransomware protection section. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-2.jpg

    3 Click/tap on the Allow an app through Controlled folder access link. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-3.jpg

    4 Click/tap on Yes when prompted by UAC to approve.

    5 Click/tap on an added app (ex: "notepad.exe") you want to remove, and click/tap on Remove. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access-7.jpg

    6 When finished removing apps, you can close Windows Defender Security Center if you like.






    OPTION THREE

    Add an Allowed App through Controlled Folder Access in PowerShell


    1 Open an elevated PowerShell.

    2 Type the command below into the elevated PowerShell, and press Enter. (see screenshot below)

    Add-MpPreference -ControlledFolderAccessAllowedApplications "Full path of app's .exe or .com file"

    Substitute Full path of app's .exe or .com file in the command above with the actual full path (ex: "C:\Windows\notepad.exe") of the app (Notepad) you want to allow through Controlled folder access.[

    For example: Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\notepad.exe"


    3 You can now close the elevated PowerShell if you like.

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_powershell-1.jpg






    OPTION FOUR

    Remove Allowed App from Controlled Folder Access in PowerShell


    1 Open an elevated PowerShell.

    2 Type the command below into the elevated PowerShell, and press Enter. (see screenshot below)

    Remove-MpPreference -ControlledFolderAccessAllowedApplications "Full path of app's .exe or .com file"

    Substitute Full path of app's .exe or .com file in the command above with the actual full path (ex: "C:\Windows\notepad.exe") of the allowed app (Notepad) you want to remove from Controlled folder access.

    For example: Remove-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\notepad.exe"


    3 You can now close the elevated PowerShell if you like.

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_powershell-2.jpg






    OPTION FIVE

    Configure Allowed Apps Policy for Controlled Folder Access in Local Group Policy Editor


    Apps you add using this option to allow through Controlled folder access cannot be removed using Option Two and Option Four.

    The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

    All editions can use Option Six below for this policy.


    1 Open the Local Group Policy Editor.

    2 In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

    Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_gpedit-1.png

    3 In the right pane of Controlled Folder Access in Local Group Policy Editor, double click/tap on the Configure allowed applications policy to edit it. (see screenshot above)

    4 Do step 5 (default) or step 6 (configure) below for what you would like to do.


    5 To Not "Configure allowed applications" for Controlled Folder Access

    A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see left screenshot below)

    Not Configured is the default setting.



    6 To "Configure allowed applications" for Controlled Folder Access

    A) Select (dot) Enabled, and click/tap on the Show button in Options. (see left screenshot below)

    B) In the Value name column, type the full path (ex: "C:\Windows\notepad.exe") of the app's .exe or .com file you want to add and allow through Controlled folder access. (see right screenshot below)

    You will need to double click/tap in the field to be able to enter the full path.


    C) In the Value column to the right of the added app, type the number 0. (see right screenshot below)

    You will need to double click/tap in the field to be able to enter the number.


    D) If you want to remove an added app, double click/tap on the Value name and Value fields for the app you want to remove, and edit them out until blank. (see right screenshot below)

    E) When finished adding and removing apps, click/tap on OK. (see right screenshot below)

    F) Click/tap on OK, and go to step 7 below. (see left screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_gpedit-2.jpg Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_gpedit-3.png

    7 When finished, close the Local Group Policy Editor.






    OPTION SIX

    Configure Allowed Apps Policy for Controlled Folder Access in Registry Editor


    Apps you add using this option to allow through Controlled folder access cannot be removed using Option Two and Option Four.

    This option is for the same policy in Option Five.


    1 Do step 2 (default), step 3 (add apps), or step 4 (remove apps) below for what you would like to do.

    2 To Not "Configure allowed applications" for Controlled Folder Access

    This is the default setting. It will remove all apps added using this policy.

    A) Click/tap on the Download button below to download the file below.

    Undo_Configure_allowed_applications_group_policy.reg

    Download

    B) Save the .reg file to your desktop.

    C) Double click/tap on the downloaded .reg file to merge it.

    D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.


    3 "Configure allowed applications" to Add App and Allow through Controlled Folder Access

    A) Click/tap on the Download button below to download the file below.

    This downloadable .reg file will add the registry keys for you to make it easier to set in this step.

    Configure_allowed_applications_group_policy.reg

    Download

    B) Save the .reg file to your desktop.

    C) Double click/tap on the downloaded .reg file to merge it.

    D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

    E) Press the Win + R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.

    F) Navigate to the key below in the left pane of Registry Editor. (see screenshot below)

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_regedit-1.jpg

    G) In the right pane of the AllowedApplications key, right click on an empty space, click/tap on New, and click/tap on String Value. (see screenshot above)

    H) Type the full path (ex: "C:\Windows\notepad.exe") of the app you want to add as the name of this string value, and press Enter. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_regedit-2.jpg

    I) Double click/tap on this string value (ex: "C:\Windows\notepad.exe") to modify it. (see screenshot above)

    J) Type the number 0, and click/tap on OK. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_regedit-3.png

    K) Repeat steps 3G to 3J if you want to add anymore apps to allow through Controlled folder access.

    L) When finished adding apps, you can close Registry Editor if you like.


    4 "Configure allowed applications" to Remove Added App Allowed through Controlled Folder Access

    A) Press the Win + R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.

    B) Navigate to the key below in the left pane of Registry Editor. (see screenshot below)

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_regedit-4.png

    C) In the right pane of the AllowedApplications key, right click on the string value (REG_SZ) of the app (ex: "C:\Windows\notepad.exe") you want to remove, and click/tap on Delete. (see screenshot above)

    D) Click/tap on Yes to confirm. (see screenshot below)

    Add or Remove Allowed Apps for Controlled Folder Access in Windows 10-windows_defender_controlled_folder_access_allowed_app_regedit-5.png

    E) When finished removing apps, you can close Registry Editor if you like.


    That's it,
    Shawn






  1. Posts : 103
    Windows 7-pro-sp1 and windows 10-pro-1803
       #1

    I've been trying to learn to use controlled folders. I'm annoyed that when Defender notifies that something is blocked, showing the exact path of the application they block, there's no way answer that alert and pick up the path, and I have to go through browsing for the application.
    Until this tutorial. Though having to logout and login as admin, do it, logout, logme in ... it's still a pain, but context menu sounds good. Thank you for the tutorials :)
    This section isn't too clear to me:
    [quote]You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature.[\quote]
    Windows has some hidden list what they protect and I added few folders.
    But what you wrote implies, I think, that if I add some .exe file it'll have a blanket permission to everything including the folders windows added. Doesn't seem safe to me.
    I may want excel or word to access Documents, but not everything in the system.
    What do you think?
      My Computer


  2. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    Hello 91fw,

    Here's the context menu for adding apps to the allowed list to help.

    Add Allow App through Controlled Folder Access context menu Windows 10 | Windows 10 Tutorials

    That quote means that you can add an .exe file you consider to be safe to be allowed access to your protected folders. Basically, an app exception list.
      My Computers


  3. Posts : 103
    Windows 7-pro-sp1 and windows 10-pro-1803
       #3

    Please clarify "your protected folders" - Does it mean access to just the few folders I added or the entire list that is currently visible in defender's GUI?
    Another question: example - defender is blocking access of SeaMonkey (browser) to user profile\desktop. Does it mean the shortcuts on my screen? or perhaps folders or files (if any)? The blocking seems to have no effect on SeaMonkey so I change nothing. Let'm block.
      My Computer


  4. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #4

    Protected folders are the ones below that are included by default and any you manually add.

    Add Protected Folders to Controlled Folder Access in Windows 10 | Windows 10 Tutorials
      My Computers


  5. Posts : 103
    Windows 7-pro-sp1 and windows 10-pro-1803
       #5

    Understood. Thank you, Brink :)
      My Computer


  6. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6

    You're most welcome.
      My Computers


  7. Posts : 1
    Win 10 1709
       #7

    Hi,

    1.Feature seems like a good idea - but its awfully implemented

    2.It blocks my Adobe Suite apps from functioning

    3.other apps such as winrar also seems to not function correctly

    4.My plan - to add all current application to "allowed list"

    5.I have created list with all *.exe files, but how do i BATCH add the txt/csv list of allowed applications to the Ransomware registry? which is located here:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications

    Thank you for any input!
      My Computer


  8. Posts : 68,668
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #8

    Hello @Frosti7, and welcome to Ten Forums.

    The registry key you posted above is a protected key, and you would have to take ownership and change permissions to allow full control of it before you will be able to add apps via a .batch file.


    If you like, you might see if adding the context menu below may help to make it easier to add allowed apps as needed via Windows Security.

    Add Allow App through Controlled Folder Access context menu Windows 10 | Windows 10 Tutorials
      My Computers


  9. Posts : 68
    10 Pro
       #9

    Hey Shaun

    Hope you're doing well in this lockdown!
    I would like to exempt a particular program (for encrytped usb stick), however the drive letters are various/ can change.
    Is there a wildcard I could use? or would I actually need to use a separate entry using every drive letter?

    Thanks mate.
      My Computer


 

Tutorial Categories

Add or Remove Allowed Apps for Controlled Folder Access in Windows 10 Tutorial Index Network & Sharing Instalation and Upgrade Browsers and Email General Tips Gaming Customization Apps and Features Virtualization BSOD System Security User Accounts Hardware and Drivers Updates and Activation Backup and Restore Performance and Maintenance Mixed Reality Phone


  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 20:43.
Find Us




Windows 10 Forums