SCCM | Controlled Folder Access

With companies being hacked on the weekly, making the most of inbuilt Windows security can be a real help in thwarting malicious attacks. Ransomware is becoming more and more popular for the wrong reason but Windows 10 and above does have some tools which can help prevent these types of attack.

There’s always a way to get around a defence so I’m not saying this is a one stop shop but as a built free feature I think its well worth the time to implement anything that would help.

Controlled folder Access, part of the Exploit Guard toolset, is a feature within Windows 10 that prevents applications from editing, creating or deleting items within a user’s home directory. With most types of ransomware encrypting your files or deleting them, controlled folder access can help.

Combined with SCCM or Microsoft Endpoint Manager its even easier to enable.

Navigate to SCCM console, under Assets and Compliance expand the Endpoint Protection folder.

Select Windows Defender Exploit Guard

If you’ve already configured Exploit Guard policies, you can either add the Controlled Folder Access configuration to that policy or create a new policy

If you’ve opted to create a new policy enter a name and description for the new policy. If you’ve like to enable other security features as part of this policy, select those security settings at the bottom of the window and select Controlled Folder Access.

The next window will present the main options that can be configured as part of the Controlled Folder Access. The setting ‘Configure Controlled Folder Access’ is essentially turning the feature on. It can be enabled in four different ways, these will be explained in the next step. The ‘Allow apps through Controlled Folder Access’ is excatley how it sounds. These exceptions will include applications such as Word to be able to export files directly to the users home directory folders such as Desktop and Documents. The final option ‘Additional protected folders’ is to add any custom folders that need protecting with Controlled Folder Access. These may include financial folders located under C:/. Both allowing apps and additional protected folders are both configurable through this page. 

The four configurable methods are as below:

  • Block – Malicious and suspicious apps won’t be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
  • Block disk sectors only – Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log
  • Audit – Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization
  • Audit disk sectors only – Only attempts to write to protected disk sectors will be recorded in the Windows event log

To allow a new or additional application to modify or create file within protected folders, select the ‘Set’ folder and enter in the full path of the application 


A tip to note is that the string entered must be ending in lower case characters. The path provided whilst auditing maybe in upper character which SCCM will not accept


Adding additional protected folders works the same way as adding applications, selecting ‘Set’ and adding in the full path of the folder

Once happy with all the settings select Next and complete the wizard. The policy will need to be deployed to a collection after the policy is complete. 

I would recommend setting Controlled Folder Access to Audit to start off with. Reviewing client log files at:

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx

Microsoft Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.