Defender for Endpoint - Controlled Folder Access
Docs and Sources
Requirements
- Defender for Endpoint P1 / P2
- Windows 10, version 1709 and later
- Windows 11
- Windows 2012 R2, 2016, 2019, 2022
Description
The Controlled Folder Access feature in Microsoft Defender for Endpoint protects critical files and folders on Windows devices against unwanted changes by malicious activity or ransomware. It monitors and restricts access to selected directories to preserve the integrity of sensitive data. It's recommended to enable this feature in Audit Mode first to analyse its impact on the environment!
Configuration
Configuration by Intune Policy
- Intune → Endpoint Security → Attack Surface Reduction → Create Policy
- Select Windows 10, Windows 11, and Windows Server
- Select Attack Surface Reduction Rules
Troubleshooting
Check CFA Status:
- 0 - Disabled
- 1 - Enabled
- 2 - Audit Mode
    Get-MpPreference | select EnableControlledFolderAccess
Change CFA Status:
    # Use AuditMode to test first; Enabled enforces blocking
    Set-MpPreference -EnableControlledFolderAccess Enabled
Check CFA Alerts:
Defender Advanced Hunting Query (CFA events are recorded in the DeviceEvents table):
    DeviceEvents
    | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
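The status check and the hunting query above cover the portal side; the following PowerShell function is an added example (not from the original page) that gathers the same information locally on a single device: it maps the numeric EnableControlledFolderAccess value to its label, lists the configured protected folders and allowed applications, and pulls recent CFA events from the local Defender operational event log. It assumes an elevated session on a device with the Defender PowerShell module; the 7-day look-back and the event log IDs 1123 (blocked) and 1124 (audited) are not on the page, and the modes 3 and 4 are Set-MpPreference values beyond the three the page lists.

```powershell
# Added example, not from the original page: report the local Controlled Folder Access
# state and list recent CFA events from the local Defender operational log.
# Assumes an elevated PowerShell session on a device with the Defender module available.

function Get-CfaStatusReport {
    [CmdletBinding()]
    param(
        # Look-back window for local events (assumed default: 7 days)
        [int]$Days = 7
    )

    $pref = Get-MpPreference

    # Values 0-2 are the ones on the page; 3 and 4 are the disk-modification-only
    # variants that Set-MpPreference also accepts.
    $modes = @{
        0 = 'Disabled'
        1 = 'Enabled'
        2 = 'Audit Mode'
        3 = 'Block Disk Modification Only'
        4 = 'Audit Disk Modification Only'
    }
    $state = [int]$pref.EnableControlledFolderAccess
    $label = if ($modes.ContainsKey($state)) { $modes[$state] } else { "Unknown ($state)" }

    # Event IDs in Microsoft-Windows-Windows Defender/Operational:
    # 1123 = CFA blocked an operation, 1124 = CFA audited an operation
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty list
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Result'; Expression = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
            Message

    [pscustomobject]@{
        Mode                = $label
        ProtectedFolders    = @($pref.ControlledFolderAccessProtectedFolders    | Where-Object { $_ })
        AllowedApplications = @($pref.ControlledFolderAccessAllowedApplications | Where-Object { $_ })
        RecentEvents        = @($events)
    }
}

# Usage: summary first, then the event list
$report = Get-CfaStatusReport -Days 14
$report | Select-Object Mode,
    @{ Name = 'ProtectedFolderCount'; Expression = { $_.ProtectedFolders.Count } },
    @{ Name = 'AllowedAppCount';      Expression = { $_.AllowedApplications.Count } },
    @{ Name = 'EventCount';           Expression = { $_.RecentEvents.Count } } | Format-List
$report.RecentEvents | Format-Table TimeCreated, Result, Message -Wrap
```

In Audit Mode the local log fills with 1124 events while nothing is blocked, which is exactly the data to review before switching to Enabled: each audited event is a write that would have been blocked, so the list shows which applications need to be looked at before enforcement.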
Add Application to Allow List (only in emergencies)
    Add-MpPreference -ControlledFolderAccessAllowedApplications "<Application Path>"
Add Folder to Protected Folder List (only in emergencies)
    Add-MpPreference -ControlledFolderAccessProtectedFolders "<Folder Path>"
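Because both Add-MpPreference calls above accept whatever string they are given, a wrapper that validates the path and reads the preference back afterwards avoids silently adding a typo or an over-broad exception. The function below is an added example (not from the original page): it requires an absolute path without wildcards, checks that an allowed application is an existing file and a protected folder an existing directory, supports -WhatIf, and confirms the entry by re-reading Get-MpPreference. It assumes an elevated session; the function name and the two usage paths are placeholders.

```powershell
# Added example, not from the original page: add a CFA exception only after validating
# the path, then read the preference back to confirm the change. Assumes an elevated session.

function Add-CfaException {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AllowedApplication', 'ProtectedFolder')]
        [string]$Kind,

        [Parameter(Mandatory)]
        [string]$Path
    )

    # Exceptions must be full, literal paths: no relative paths and no wildcards
    if (-not [System.IO.Path]::IsPathRooted($Path)) { throw "Path must be absolute: $Path" }
    if ($Path -match '[\*\?]')                      { throw "Wildcards are not allowed: $Path" }

    switch ($Kind) {
        'AllowedApplication' {
            # Allow a single executable, never a whole directory
            if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Executable not found: $Path" }
            if ($PSCmdlet.ShouldProcess($Path, 'Add to CFA allowed applications')) {
                Add-MpPreference -ControlledFolderAccessAllowedApplications $Path
            }
            $current = (Get-MpPreference).ControlledFolderAccessAllowedApplications
        }
        'ProtectedFolder' {
            if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Folder not found: $Path" }
            if ($PSCmdlet.ShouldProcess($Path, 'Add to CFA protected folders')) {
                Add-MpPreference -ControlledFolderAccessProtectedFolders $Path
            }
            $current = (Get-MpPreference).ControlledFolderAccessProtectedFolders
        }
    }

    # Read back: the change only counts if the preference now lists the path
    # (-contains compares strings case-insensitively, matching Windows path semantics)
    $applied = @($current) -contains $Path
    [pscustomobject]@{ Kind = $Kind; Path = $Path; Applied = $applied }
}

# Usage (placeholder paths): -WhatIf shows what would change without changing anything,
# so Applied is $false in the first call and $true in the second when the folder exists
Add-CfaException -Kind AllowedApplication -Path 'C:\Program Files\ExampleVendor\backup.exe' -WhatIf
Add-CfaException -Kind ProtectedFolder   -Path 'D:\Finance\Reports'
```

Where the allow list or the protected folder list is pushed by the Intune policy described above, treat the local Add-MpPreference call as a temporary measure only: a policy-managed setting can overwrite the local list on the next sync, so a permanent exception belongs in the policy, where it is also visible to everyone reviewing the configuration.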