Controlled Folder Access

Scenario description

Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

Scenario requirements and setup

Windows 10 1709 build 16273
Microsoft Defender AV

PowerShell commands

Set-MpPreference -EnableControlledFolderAccess Enabled

Enabled = Block mode (1)
AuditMode = Audit Mode (2)
Disabled = Off (0)

Verify configuration

Get-MpPreference

Scenario

Setup:

Download and run this setup script. Before running the script set execution policy to Unrestricted using this PowerShell command: Set-ExecutionPolicy Unrestricted
Downloaded CFA tool will be in the c:/demo/CFATestFiles folder.

You can perform these manual steps instead:

Turn on CFA using powershell command: Set-MpPreference -EnableControlledFolderAccess Enabled
Download the CFA test tool
Execute PowerShell commands above

Scenario 1: Use the CFA test tool to simulate an untrusted process writing to a protected folder

Launch CFA test tool
Select the desired folder and create file
You can find more information here

Clean-up

Download and run this cleanup script. You can perform these manual steps instead:

Set-MpPreference -EnableControlledFolderAccess Disabled