How to Add or Remove Protected Folders for Controlled Folder Access in Windows 10
Starting with Windows 10 build 16232, Controlled folder access is introduced in Windows Defender Antivirus.
When Controlled folder access is turned on, it helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard.
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
You can also add network shares and mapped drives.
For more details about Controlled folder access, see:
- Help prevent ransomware and threats from encrypting and changing files | Microsoft Docs
- See how CFA can help protect files from being changed by malicious apps | Microsoft Docs
- Turn on the protected folders feature in Windows 10 | Microsoft Docs
- Add additional folders and apps to be protected by Windows 10 | Microsoft Docs
- Stopping ransomware where it counts: Protecting your data with Controlled folder access Microsoft Secure
This tutorial will show you how to add and remove protected folders for the Controlled folder access feature of Windows Defender Exploit Guard in Windows 10.
You must be signed in as an administrator to add or remove protected folders for Controlled folder access.
Contents
- Option One: Add Protected Folders to Controlled Folder Access in Windows Security
- Option Two: Remove Protected Folders from Controlled Folder Access in Windows Security
- Option Three: Add Protected Folders to Controlled Folder Access in PowerShell
- Option Four: Remove Protected Folders from Controlled Folder Access in PowerShell
- Option Five: Configure Protected Folders Policy for Controlled Folder Access in Local Group Policy Editor
- Option Six: Configure Protected Folders Policy for Controlled Folder Access in Registry Editor
The list of allowed apps is stored in the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders
1 Open the Windows Security, and click/tap on the Virus & threat protection icon. (see screenshot below)
2 Click/tap on the Manage ransomware protection link under the Ransomware protection section. (see screenshot below)
3 Click/tap on the Protected folders link. (see screenshot below)
4 Click/tap on Yes when prompted by UAC to approve.
5 Click/tap on Add a protected folder. (see screenshot below)
6 Navigate to and select the folder (ex: "D:\My protected folder") you want to add as a protected folder, and click/tap on Select Folder. (see screenshot below)
7 When finished adding folders, you can close Windows Defender Security Center if you like.
1 Open the Windows Security, and click/tap on the Virus & threat protection icon. (see screenshot below)
2 Click/tap on the Manage ransomware protection link under the Ransomware protection section. (see screenshot below)
3 Click/tap on the Protected folders link. (see screenshot below)
4 Click/tap on Yes when prompted by UAC to approve.
5 Click/tap on an added folder (ex: "D:\My protected folder") you want to remove, and click/tap on Remove. (see screenshot below)
6 Click/tap on OK to confirm. (see screenshot below)
7 When finished removing folders, you can close Windows Defender Security Center if you like.
1 Open an elevated PowerShell.
2 Type the command below into the elevated PowerShell, and press Enter. (see screenshot below)
Add-MpPreference -ControlledFolderAccessProtectedFolders "Full path of folder"
Substitute Full path of folder in the command above with the actual full path of the folder (ex: "D:\My protected folder") you want to add as a protected folder.
For example:Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\My protected folder"
3 You can now close the elevated PowerShell if you like.
1 Open an elevated PowerShell.
2 Type the command below into the elevated PowerShell, and press Enter. (see screenshot below)
Remove-MpPreference -ControlledFolderAccessProtectedFolders "Full path of folder"
Substitute Full path of folder in the command above with the actual full path of the folder (ex: "D:\My protected folder") you want to remove as a protected folder.
For example:Remove-MpPreference -ControlledFolderAccessProtectedFolders "D:\My protected folder"
3 You can now close the elevated PowerShell if you like.
Protected folders you add using this option cannot be removed using Option Two and Option Four.
The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.
All editions can use Option Six below for this policy.
1 Open the Local Group Policy Editor.
2 In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access
3 In the right pane of Controlled Folder Access in Local Group Policy Editor, double click/tap on the Configure protected folders policy to edit it. (see screenshot above)
4 Do step 5 (default) or step 6 (configure) below for what you would like to do.
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see left screenshot below)
Not Configured is the default setting.
A) Select (dot) Enabled, and click/tap on the Show button in Options. (see left screenshot below)
B) In the Value name column, type the full path of the folder (ex: "D:\My protected folder") you want to add as a protected folder. (see right screenshot below)
You will need to double click/tap in the field to be able to enter the full path.
C) In the Value column to the right of the added folder, type the number 0. (see right screenshot below)
You will need to double click/tap in the field to be able to enter the number.
D) If you want to remove an added folder, double click/tap on the Value name and Value fields for the app you want to remove, and edit them out until blank. (see right screenshot below)
E) When finished adding and removing folders, click/tap on OK. (see right screenshot below)
F) Click/tap on OK, and go to step 7 below. (see left screenshot below)
7 When finished, close the Local Group Policy Editor.
Protected folders you add using this option cannot be removed using Option Two and Option Four.
This option is for the same policy in Option Five.
1 Do step 2 (default), step 3 (add apps), or step 4 (remove apps) below for what you would like to do.
This is the default setting. It will remove all apps added using this policy.
A) Click/tap on the Download button below to download the file below.
B) Save the .reg file to your desktop.
C) Double click/tap on the downloaded .reg file to merge it.
D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
A) Click/tap on the Download button below to download the file below.
This downloadable .reg file will add the registry keys for you to make it easier to set in this step.
B) Save the .reg file to your desktop.
C) Double click/tap on the downloaded .reg file to merge it.
D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
E) Press the Win + [/key]R[/key] keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.
F) Navigate to the key below in the left pane of Registry Editor. (see screenshot below)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders
G) In the right pane of the ProtectedFolders key, right click on an empty space, click/tap on New, and click/tap on String Value. (see screenshot above)
H) Type the full path of the folder (ex: "D:\My protected folder") you want to add as the name of this string value, and press Enter. (see screenshot below)
I) Double click/tap on this string value (ex: "D:\My protected folder") to modify it. (see screenshot above)
J) Type the number 0, and click/tap on OK. (see screenshot below)
K) Repeat steps 3G to 3J if you want to add anymore folders as protected folders.
L) When finished adding folders, you can close Registry Editor if you like.
A) Press the Win + [/key]R[/key] keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.
B) Navigate to the key below in the left pane of Registry Editor. (see screenshot below)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders
C) In the right pane of the ProtectedFolders key, right click on the string value (REG_SZ) of the folder (ex: "D:\My protected folder") you want to remove, and click/tap on Delete. (see screenshot above)
D) Click/tap on Yes to confirm. (see screenshot below)
E) When finished removing folders, you can close Registry Editor if you like.
That's it,
Shawn
Related Tutorials
- How to Enable or Disable Windows Defender Exploit Guard Controlled Folder Access in Windows 10
- How to Add Turn On or Off Controlled Folder Access context menu Windows 10
- How to Add or Remove Allowed Apps through Controlled Folder Access in Windows 10
- How to Add Allow App through Controlled Folder Access context menu in Windows 10