Safeguarding Your Data with Windows Defender Controlled Folder Access
As an experienced IT professional, I understand the critical importance of protecting your valuable data from malicious threats like ransomware. In this comprehensive guide, we’ll delve into the Windows Defender Controlled Folder Access feature, exploring its capabilities, configuration options, and practical strategies for leveraging it to enhance your organization’s security posture.
Understanding Controlled Folder Access
Windows Defender Controlled Folder Access is a feature of Microsoft Defender Antivirus, introduced in Windows 10 version 1709 and also available on Windows 11 and Windows Server 2019 and later. Its job is to stop untrusted applications from writing to, modifying, or deleting files in a set of designated “protected folders,” which is exactly the behaviour ransomware relies on. Two practical caveats: it only guards the folders on the list (files elsewhere are untouched), and it restricts changes, not reads, so it does nothing against data theft. Because enforcement lives in Defender’s real-time protection engine, the feature has no effect when Microsoft Defender Antivirus is disabled or running in passive mode behind a third-party antivirus product.
The way Controlled Folder Access works is by checking every application that tries to change a file in a protected folder against a trust decision: Microsoft Defender Antivirus treats widely used, reputable applications as trusted automatically, and you can add your own applications to an allow list. Any application that is neither automatically trusted nor on the allow list is blocked from modifying or deleting files in those folders, and the attempt is logged.
Key Highlights of Controlled Folder Access:
- Ransomware Protection: Controlled Folder Access mitigates the impact of ransomware by preventing unauthorized encryption or deletion of files in the protected folders. It is one layer of defense, not a replacement for offline backups: it does not protect folders you have not listed, and it cannot help once malicious code is running inside an application that is already trusted.
- Customizable Protection: You can specify which folders should be protected and which applications should be trusted, allowing you to tailor the feature to your organization’s unique needs.
- Audit Mode: Controlled Folder Access offers an “Audit Mode” in which every would-be block is only logged, so you can measure the impact on your environment before enforcing it. There are also “block disk modification only” and “audit disk modification only” modes that cover only writes to boot sectors and raw disk areas, for environments where the full folder protection causes too much friction.
- Detailed Reporting: When integrated with Microsoft Defender for Endpoint, Controlled Folder Access provides detailed reporting on blocked activities and events, giving you valuable insights for threat investigation and response.
Enabling Controlled Folder Access
There are several ways to enable and configure Controlled Folder Access, depending on your organization’s IT infrastructure and management preferences. Let’s explore the different methods:
Using the Windows Security App
The simplest way to enable Controlled Folder Access is through the Windows Security app. Follow these steps:
- Open the Windows Security app by clicking the shield icon in the taskbar or searching for it in the Start menu.
- Navigate to the “Virus & threat protection” section.
- Under “Ransomware protection,” select “Manage ransomware protection,” then toggle the “Controlled folder access” setting to “On.” This requires local administrator rights, and the toggle is greyed out when the setting is managed by policy.
This method is suitable for individual devices or small-scale deployments, but for enterprise-level management, you’ll want to explore the following options.
Configuring through Group Policy
If your organization uses Group Policy to manage system configurations, you can enable Controlled Folder Access through the Group Policy Editor. Here’s how:
- Open the Group Policy Management Console (GPMC) and navigate to the desired Group Policy Object (GPO).
- Edit the GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
- Double-click the “Configure Controlled folder access” setting and set it to “Enabled.”
- In the options, select “Block” to fully enable the feature, “Audit Mode” to log without blocking, or one of the “Block disk modification only” / “Audit disk modification only” options to cover only boot sector and raw disk writes.
This approach allows you to centrally manage and deploy Controlled Folder Access settings across your organization’s devices.
Leveraging Microsoft Endpoint Configuration Manager (ConfigMgr)
For organizations using Microsoft Endpoint Configuration Manager (ConfigMgr), you can create a Controlled Folder Access policy within the Endpoint Protection workspace. Here’s a high-level overview of the process:
- In the ConfigMgr console, navigate to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.
- Select “Create Exploit Guard Policy” and choose “Controlled folder access” as the policy type.
- Customize the settings, such as the protection mode (Block or Audit), allowed applications, and additional protected folders.
- Assign the policy to the desired collection of devices or user groups.
This method integrates Controlled Folder Access management directly into your existing ConfigMgr infrastructure, streamlining the deployment and monitoring processes.
Implementing via Microsoft Intune
For organizations leveraging Microsoft Intune for device management, you can configure Controlled Folder Access through the Intune admin center. The steps are as follows:
- Sign in to the Microsoft Intune admin center.
- Navigate to Endpoint Security > Attack Surface Reduction > Policies.
- Create a new policy, select “Windows 10, Windows 11, and Windows Server” as the platform and “Attack Surface Reduction Rules” as the profile.
- Under the “Enable Controlled Folder Access” setting, choose the desired mode: Enabled (block), Audit Mode, Block disk modification only, or Audit disk modification only.
- Optionally, you can configure the “Controlled Folder Access Protected Folders” and “Controlled Folder Access Allowed Applications” settings.
- Assign the policy to the appropriate user groups or device groups.
Intune’s integration with Controlled Folder Access allows for centralized management and deployment, making it a suitable choice for organizations with a strong Microsoft 365 and Azure ecosystem.
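The same setting can be applied and verified from PowerShell, which is useful on lab machines and for scripted validation after a policy rollout. The following is an added example and not part of the original article; it uses only the Defender cmdlets that ship with Windows (Get-MpComputerStatus, Set-MpPreference, Get-MpPreference), checks the real-time protection prerequisite first, and turns the feature on in audit mode. When the setting is managed by Group Policy or Intune, the policy value wins and the Set-MpPreference call is rejected or silently overridden.

```powershell
# Added example (not from the original article): enable Controlled Folder Access in audit mode
# from an elevated PowerShell session and confirm the prerequisites and the resulting state.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Controlled Folder Access is enforced by Microsoft Defender Antivirus real-time protection.
#    If real-time protection is off, or Defender is in passive mode behind another AV product,
#    the preference is stored but nothing is enforced, so fail early.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is disabled; Controlled Folder Access will not be enforced.'
}
if ($status.AMRunningMode -ne 'Normal') {
    throw "Defender Antivirus is in '$($status.AMRunningMode)' mode; Controlled Folder Access needs Normal (active) mode."
}

# 2. Start in audit mode. Accepted values for -EnableControlledFolderAccess are
#    Disabled, Enabled, AuditMode, BlockDiskModificationOnly, AuditDiskModificationOnly.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Read the effective value back. Get-MpPreference reports it numerically:
#    0 = Disabled, 1 = Enabled (block), 2 = AuditMode,
#    3 = BlockDiskModificationOnly, 4 = AuditDiskModificationOnly
$modeNames = @{
    0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode'
    3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly'
}
$pref = Get-MpPreference
$mode = [int]$pref.EnableControlledFolderAccess
"Controlled Folder Access mode: $mode ($($modeNames[$mode]))"

if ($mode -ne 2) {
    throw "Expected AuditMode (2) but the effective value is $mode; the setting is probably managed by policy."
}

# 4. After reviewing the audit events (event ID 1124 in the Defender Operational log) and
#    confirming no legitimate line-of-business application is being flagged, switch to enforcement:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
```

Run this after a GPO or Intune deployment as well: the value reported by Get-MpPreference is the effective one regardless of which management channel set it, so a mismatch between what you pushed and what the device reports is the first thing to check when a rollout appears not to work.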
Customizing Controlled Folder Access
While the default protected folders and trusted applications provided by Controlled Folder Access are a good starting point, you may want to further customize the settings to meet your organization’s specific needs.
Adding Protected Folders
To protect additional folders beyond the default system folders, you can follow these steps:
- Open the Windows Security app and navigate to the “Virus & threat protection” section.
- Under “Ransomware protection,” select “Manage ransomware protection.”
- Click “Add a protected folder” and select the desired folder(s) to be protected.
Important Considerations:
- Network shares and mapped drives are not supported as protected folders, and neither are UNC loopback paths that point at a local share. Always add the local path (for example D:\Data rather than \\localhost\Data).
- Subfolders are automatically included when you add a folder to the list, so adding a parent folder is enough.
- The default protected folders (the user profile library folders such as Documents, Pictures, Videos, Music, Favorites and Desktop, plus the Windows system folders) are always protected and cannot be removed from the list; you can only add to it.
Allowing Trusted Applications
In some cases, you may need to grant certain applications access to the protected folders. You can do this by adding them to the Controlled Folder Access Allowed Applications list. Here’s how:
- In the Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
- Double-click the “Allow apps to access protected folders” setting and set it to “Enabled.”
- In the “Options” section, click “Show” and add the full paths of the trusted application executables. Environment variables (for example %ProgramFiles%) and wildcards are accepted. The same list can be edited on a single device from the Windows Security app via “Allow an app through Controlled folder access.”
Keep in mind that Microsoft Defender Antivirus automatically trusts widely used, reputable applications, so this setting is only for applications that are blocked despite being legitimate, typically in-house or niche line-of-business tools. Allow only specific executables, never a whole directory such as a user-writable temp folder, because anything that runs from an allowed path inherits that trust.
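The folder and application lists can also be managed from PowerShell with Add-MpPreference, Remove-MpPreference and Get-MpPreference. The block below is an added example, not code from the original article; the folder and executable paths in it are hypothetical placeholders that you would replace with your own. It validates the path first (local path, exists), adds one protected folder and one allowed application, and reads the lists back to confirm the change took effect.

```powershell
# Added example (not from the original article): add a protected folder and an allowed
# application to Controlled Folder Access, then verify the resulting lists.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# Hypothetical paths for illustration only; replace with real ones.
$ProtectedFolder = 'D:\Finance\Ledgers'
$AllowedApp      = 'C:\Program Files\Contoso\LedgerApp\LedgerApp.exe'

# UNC paths (network shares, mapped drives, and \\localhost loopbacks) are not supported;
# the folder must be given by its local path.
if ($ProtectedFolder -match '^\\\\') {
    throw "Use a local path: network shares and loopback shares are not supported ($ProtectedFolder)."
}
if (-not (Test-Path -LiteralPath $ProtectedFolder -PathType Container)) {
    throw "Folder does not exist: $ProtectedFolder"
}
if (-not (Test-Path -LiteralPath $AllowedApp -PathType Leaf)) {
    throw "Executable does not exist: $AllowedApp"
}

# Add-MpPreference appends to the existing lists. Using Set-MpPreference with the same
# parameters would replace the whole list, which silently drops earlier entries.
Add-MpPreference -ControlledFolderAccessProtectedFolders   $ProtectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

# Read back and verify. Get-MpPreference lists only the entries you added; the default
# profile folders are always protected and do not appear here.
$pref = Get-MpPreference
'Protected folders (custom additions):'
$pref.ControlledFolderAccessProtectedFolders   | ForEach-Object { "  $_" }
'Allowed applications:'
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }

if ($pref.ControlledFolderAccessProtectedFolders -notcontains $ProtectedFolder) {
    throw 'Protected folder was not applied; the list is probably managed by policy.'
}
if ($pref.ControlledFolderAccessAllowedApplications -notcontains $AllowedApp) {
    throw 'Allowed application was not applied; the list is probably managed by policy.'
}

# To undo the change:
# Remove-MpPreference -ControlledFolderAccessProtectedFolders   $ProtectedFolder
# Remove-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp
```

Note that the allow list is keyed on the executable path, so an application that updates itself into a new versioned directory will start being blocked again after the update; audit events with the new path are the usual first sign.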
Monitoring and Troubleshooting Controlled Folder Access
Effective monitoring and troubleshooting are crucial for ensuring the optimal performance and impact of Controlled Folder Access. Let’s explore some key strategies and tools:
Leveraging Microsoft Defender for Endpoint
If your organization uses Microsoft Defender for Endpoint, you’ll gain access to advanced reporting and investigation capabilities. Controlled Folder Access events and blocks are integrated into the Defender for Endpoint platform, allowing you to:
- View detailed information about Controlled Folder Access events in the device timeline and alert investigation scenarios.
- Perform advanced hunting queries to analyze Controlled Folder Access data and identify potential issues or trends. The events appear in the DeviceEvents table with ActionType values ControlledFolderAccessViolationAudited and ControlledFolderAccessViolationBlocked, so a query filtered on those two values, grouped by the initiating process, gives a fleet-wide view of what would be (or is being) blocked.
- Create custom detection rules to monitor and respond to Controlled Folder Access-related activities.
Analyzing Windows Event Logs
Even without Microsoft Defender for Endpoint, you can investigate Controlled Folder Access-related events by checking the Windows Event Logs. Follow these steps:
- Open the Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational (the events are not written to the generic Windows Logs > Application log).
- Look for events from the provider “Microsoft-Windows-Windows Defender” with the Controlled Folder Access event IDs: 1123 (application blocked), 1124 (application audited), 1127 (disk modification blocked), 1128 (disk modification audited), and 5007 (Defender configuration change, which records when the Controlled Folder Access mode itself was altered).
- Review the event details to understand the context and nature of the Controlled Folder Access events.
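The following added example (not from the original article) puts the event-log procedure into a script you can run on a test machine: it first provokes a Controlled Folder Access event by writing into the user’s Documents folder from PowerShell, which as a scripting engine is never trusted, and then reads the relevant events out of the Defender Operational log with Get-WinEvent and summarizes them. The regular expressions that pull the process and target path out of the event message assume the “Process Name:” and “Path:” labels that current Defender builds use in the 1123/1124 message text; if a build words the message differently those two columns are simply empty.

```powershell
# Added example (not from the original article): provoke a Controlled Folder Access event
# and then read and summarize CFA events from the Defender Operational log.
$ErrorActionPreference = 'Stop'

# 1. Provoke an event. PowerShell is a scripting engine, which Controlled Folder Access never
#    trusts, so this write is blocked in Enabled mode or logged (event 1124) in AuditMode.
$probe = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'cfa-probe.txt'
try {
    Set-Content -LiteralPath $probe -Value 'controlled folder access probe' -ErrorAction Stop
    'Write succeeded: Controlled Folder Access is off, in audit mode, or not enforced on this device.'
    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
}
catch {
    "Write blocked (expected in Enabled mode): $($_.Exception.Message)"
}
Start-Sleep -Seconds 3   # give the engine a moment to write the event

# 2. Read CFA events from the last hour. 1123/1124 = app blocked/audited,
#    1127/1128 = disk modification blocked/audited, 5007 = Defender configuration change.
$labels = @{
    1123 = 'Blocked'; 1124 = 'Audited'
    1127 = 'Disk modification blocked'; 1128 = 'Disk modification audited'
    5007 = 'Configuration change'
}
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 1127, 1128, 5007
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    'No Controlled Folder Access events in the last hour (run elevated if the log is not readable).'
    return
}

# 3. Summarize per event type, then list the individual block/audit events with the
#    offending process and target path extracted from the message text.
'Events by type:'
$events | Group-Object Id | ForEach-Object {
    '  {0,-28} {1}' -f $labels[[int]$_.Name], $_.Count
}

function Get-MessageField {
    param([string]$Message, [string]$Label)
    # Fields in the message are "Label: value" on their own lines; return '' when absent.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { return $Matches[1] }
    return ''
}

$events |
    Where-Object { $_.Id -ne 5007 } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Result  = $labels[[int]$_.Id]
            Process = Get-MessageField -Message $_.Message -Label 'Process Name'
            Target  = Get-MessageField -Message $_.Message -Label 'Path'
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

In audit mode the probe write succeeds and shows up as a 1124 event attributed to powershell.exe; in Enabled mode it fails with an access-denied error and produces a 1123 event. Processes that appear repeatedly in the 1124 list during an audit phase are the candidates for the allow list, but check each one rather than allowing everything that is flagged.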
Troubleshooting Common Issues
If you encounter any problems with Controlled Folder Access, here are some common troubleshooting steps to consider:
- Verify Controlled Folder Access Configuration: Ensure that the feature is properly enabled and configured, either through the Windows Security app, Group Policy, ConfigMgr, or Intune.
- Check Allowed Applications: Review the list of trusted applications and confirm that any necessary programs are included, using the full path of the executable. Remember that scripting engines such as PowerShell are never trusted by Controlled Folder Access and cannot be made trusted by adding them to the allow list, so scheduled scripts that write into protected folders need to be redesigned (for example, by writing elsewhere or by running through a trusted, signed application).
- Validate Protected Folder Settings: Ensure that the desired folders are properly added to the list of protected folders using local paths, and that no network shares, mapped drives, or loopback UNC paths are included, as those are not supported.
- Enable Audit Mode: If you’re unsure about the impact of Controlled Folder Access, consider running it in Audit Mode first to monitor events without directly blocking actions.
By leveraging these monitoring and troubleshooting techniques, you can effectively manage and optimize the Controlled Folder Access feature, ensuring its seamless integration into your organization’s security posture.
Conclusion: Empowering Your Organization’s Ransomware Resilience
Windows Defender Controlled Folder Access is a powerful tool in the fight against ransomware and other malicious threats. By understanding its capabilities, configuration options, and best practices, you can empower your organization to safeguard its valuable data and enhance its overall cybersecurity resilience.
Remember, the IT Fix blog is here to provide you with practical tips, in-depth insights, and expert guidance on all things technology, computer repair, and IT solutions. Stay tuned for more articles that can help you navigate the ever-evolving landscape of IT and security challenges.