
Defender for Endpoint - Controlled Folder Access

Docs and Sources

Description                        Link
MSLearn Controlled Folder Access   MSLearn - Controlled Folder Access

Requirements

  • Defender for Endpoint P1 / P2
  • Windows 10, version 1709 and later
  • Windows 11
  • Windows 2012 R2, 2016, 2019, 2022

Description

The Controlled Folder Access feature in Microsoft Defender for Endpoint is designed to safeguard critical files and folders on Windows devices against unwanted alterations by malicious activity or ransomware. It monitors and restricts write access to selected directories so that only trusted applications can modify the data in them. It is recommended to enable this feature in Audit Mode first to analyse its impact on the environment!

Configuration

Configuration by Intune Policy

  1. Intune → Endpoint Security → Attack Surface Reduction → Create Policy
  2. Select Windows 10, Windows 11, and Windows Server
  3. Select Attack Surface Reduction Rules

Controlled Folder Access Configuration

Troubleshooting

Check CFA Status:

  • 0 - Disabled
  • 1 - Enabled
  • 2 - Audit Mode
Get-MpPreference | select EnableControlledFolderAccess

Change CFA Status:

  • Enabled
  • AuditMode
  • Disabled
Set-MpPreference -EnableControlledFolderAccess Enabled
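As an added example (not code from the original post), the two commands above can be wrapped in small helpers that translate the numeric state into its meaning and confirm that a change actually took effect. The state mapping is the one listed above; the function names are chosen here. Run in an elevated session on a device with Defender Antivirus.

```powershell
# Added example, not part of the original post: inspect and change the
# Controlled Folder Access (CFA) state and verify the result.
# Mapping of EnableControlledFolderAccess as returned by Get-MpPreference.
$CfaStates = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-CfaState {
    # Returns the raw value plus a readable label.
    $value = [int](Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{
        Value = $value
        State = if ($CfaStates.ContainsKey($value)) { $CfaStates[$value] } else { 'Unknown' }
    }
}

function Set-CfaState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$State
    )
    $before = Get-CfaState
    Set-MpPreference -EnableControlledFolderAccess $State
    $after = Get-CfaState
    Write-Host ("CFA state: {0} -> {1}" -f $before.State, $after.State)
    if ($after.State -ne $State) {
        # A setting managed by Intune or Group Policy takes precedence over the local preference.
        Write-Warning "State did not change; the setting is probably managed by policy (Intune/GPO)."
    }
    $after
}

# Usage: start in Audit Mode, as recommended above, then confirm.
Set-CfaState -State AuditMode
Get-CfaState
```

The post-change check matters because Set-MpPreference does not fail when a policy-managed value overrides the local one; comparing the state before and after is the quickest way to spot that the change was silently ignored.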

Check CFA Alerts:

Defender Advanced Hunting Query:

// CFA audit and block events are recorded in the DeviceEvents table
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

Add Application to Allow List (only in emergencies)

Add-MpPreference -ControlledFolderAccessAllowedApplications "<Application Path>"

Add Folder to Protected Folder List (only in emergencies)

Add-MpPreference -ControlledFolderAccessProtectedFolders "<Folder Path>"

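As an added example (not code from the original post), the two emergency commands above can be wrapped so that the path is validated before it is added and the resulting list is printed back for verification. The block also includes a local view of recent CFA events from the Defender operational log (event ID 1123 = blocked, 1124 = audited), which complements the Advanced Hunting query when the portal is not at hand. Function names and the paths in the usage lines are placeholders chosen here.

```powershell
# Added example, not part of the original post: validated allow-list and
# protected-folder changes, plus a local CFA event check. Run elevated.

function Add-CfaAllowedApp {
    param([Parameter(Mandatory)][string]$Path)
    # Allow-list entries are full paths to executables; refuse anything else.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Not a file: $Path" }
    # A trusted binary in a user-writable location weakens the protection.
    if ($Path -like "$env:USERPROFILE*" -or $Path -like "$env:TEMP*") {
        Write-Warning "Allow-listing a binary under a user-writable path; prefer Program Files locations."
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $Path
    (Get-MpPreference).ControlledFolderAccessAllowedApplications
}

function Add-CfaProtectedFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Not a folder: $Path" }
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Path
    (Get-MpPreference).ControlledFolderAccessProtectedFolders
}

function Get-CfaEvents {
    # 1123 = access blocked, 1124 = access audited (Audit Mode).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Action'; e = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
        Message
}

# Usage (placeholder paths, not from the original post):
# Add-CfaAllowedApp -Path 'C:\Program Files\ExampleVendor\example.exe'
# Add-CfaProtectedFolder -Path 'D:\Shares\Finance'
# Get-CfaEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

Reviewing the audited events from Get-CfaEvents during the Audit Mode phase is the practical way to build the allow list before switching to Enabled, rather than adding applications reactively after users report blocked writes.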
This post is licensed under CC BY 4.0 by the author.