Solving Windows 11 Windows Defender Controlled Folder Access and Ransomware Mitigation Policy Configuration

Understanding Controlled Folder Access in Windows 11

As a seasoned IT professional, I’ve witnessed first-hand the increasing threat of ransomware and the devastating impact it can have on organizations. One of the most effective tools in the fight against these malicious attacks is Windows Defender’s Controlled Folder Access feature, introduced in Windows 10 and further refined in Windows 11.

Controlled Folder Access is a powerful security mechanism that helps protect your valuable data from unauthorized modifications by malicious apps or threats, such as ransomware. By monitoring and restricting access to specific folders, this feature acts as a safeguard, preventing unauthorized changes that could lead to data loss or system compromise.

In this comprehensive article, we’ll dive into the intricacies of configuring Controlled Folder Access on Windows 11, explore the various methods available, and discuss strategies for effectively integrating this security measure into your IT environment.

Enabling Controlled Folder Access

One of the primary ways to enable Controlled Folder Access is through the Windows Security app. This intuitive interface allows you to quickly turn on the feature and customize its settings to suit your organization’s needs.

To enable Controlled Folder Access via the Windows Security app:

1. Open the Windows Security app by selecting the shield icon in the taskbar or searching for “Windows Security” in the Start menu.
2. Navigate to the “Virus & threat protection” tile (or the shield icon on the left menu bar).
3. Locate the “Ransomware protection” section and toggle the switch for “Controlled folder access” to the “On” position.

Note: If Controlled Folder Access is configured using Group Policy, PowerShell, or Mobile Device Management (MDM) solutions, the state changes in the Windows Security app will only be reflected after restarting the device.

Configuring Controlled Folder Access in Audit Mode

While enabling Controlled Folder Access is a crucial first step, it’s often beneficial to start in audit mode to review the feature’s impact on your organization before fully implementing it. Audit mode allows you to monitor the behavior of applications without actively blocking any changes to protected folders.

To enable Controlled Folder Access in audit mode using Group Policy:

1. Open the Group Policy Management Console (GPMC) on your management device.
2. Navigate to “Computer Configuration” > “Administrative Templates” > “Windows Components” > “Microsoft Defender Antivirus” > “Microsoft Defender Exploit Guard” > “Controlled folder access”.
3. Double-click the “Configure Controlled folder access” setting and set it to “Enabled”.
4. In the options section, select “Audit Mode” from the dropdown menu.
5. Apply the policy and update the affected devices.

By monitoring the events generated in audit mode, you can identify any applications or processes that may require access to the protected folders, allowing you to make informed decisions about which apps to trust or add to the exclusion list.

Customizing Protected Folders and Allowed Applications

Controlled Folder Access comes with a default set of protected folders, including common system directories and user profile folders. However, you may need to add additional folders to the protection list or configure specific applications as trusted.

To add custom protected folders using Intune or Configuration Manager:

1. In the Intune admin center or Configuration Manager console, navigate to the Endpoint Security area.
2. Select the “Attack Surface Reduction” node and create a new policy.
3. In the policy settings, locate the “Controlled Folder Access Protected Folders” option and add the desired folders.

Note: Wildcards are not supported for folder paths, but you can protect entire directory trees by adding the top-level folder.

To allow specific applications to access the protected folders:

1. In the same policy, locate the “Controlled Folder Access Allowed Applications” setting.
2. Add the necessary applications, either by browsing for the executable files or entering the file paths directly.

Tip: Microsoft Defender Antivirus automatically determines which applications should be trusted, so use this setting only to specify additional applications that need access.

Leveraging Diagnostic Data and Reporting

Controlled Folder Access integration with Microsoft Defender for Endpoint (MDE) provides valuable insights and reporting capabilities. By enabling MDE, you can access detailed information about blocked actions, investigate events, and create custom detection rules to monitor your environment.

To view Controlled Folder Access events and blocks:

1. Open the Microsoft Defender Security Center.
2. Navigate to the “Alerts” queue to review events related to Controlled Folder Access blocks.
3. Utilize the “Device timeline” view and “Advanced hunting” capabilities to gain deeper visibility into the affected devices and activities.

Additionally, you can create custom detection rules to monitor Controlled Folder Access events and receive alerts based on your specific requirements.

Addressing Compatibility Challenges

While Controlled Folder Access is a powerful security feature, it may sometimes interfere with the normal operation of certain applications or processes. In such cases, you’ll need to identify and resolve any compatibility issues.

One common scenario is when Microsoft Defender Antivirus exclusions (process or path) are set for a particular binary, and Controlled Folder Access still blocks the application’s access to the protected folders. To address this, you can use the ./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders configuration service provider (CSP) to allow the trusted application to make changes to the protected folders.

Another potential challenge arises when Group Policy settings, such as those that disable local administrator list merging, override the Controlled Folder Access settings. In such cases, you’ll need to review and align the conflicting policy configurations to ensure a seamless implementation.

Integrating Controlled Folder Access with Endpoint Security Solutions

For a more comprehensive security approach, consider integrating Controlled Folder Access with your organization’s endpoint security solutions, such as Microsoft Defender for Endpoint (MDE) or third-party tools. This integration can provide advanced reporting, alerting, and investigation capabilities, further enhancing your ability to detect and respond to potential threats.

By leveraging the rich data and insights from MDE, you can gain a deeper understanding of Controlled Folder Access events, identify patterns, and create custom detection rules to monitor your environment more effectively.

Conclusion

Controlled Folder Access in Windows 11 is a powerful security feature that can help protect your organization from the devastating impact of ransomware and other malicious threats. By following the guidelines and best practices outlined in this article, you can successfully enable, configure, and integrate Controlled Folder Access into your IT environment, providing an additional layer of defense against data loss and system compromise.

Remember, the key to effective Controlled Folder Access implementation lies in a thorough understanding of the feature, its capabilities, and the various configuration options available. By staying vigilant, proactively addressing compatibility challenges, and leveraging advanced security tools, you can empower your organization to withstand even the most sophisticated cyber attacks.

For more information and resources on Controlled Folder Access and other Windows 11 security features, be sure to visit the IT Fix website. Our team of IT experts is dedicated to providing practical tips, in-depth insights, and comprehensive solutions to help you navigate the ever-evolving landscape of technology and computer security.