How to enable Controlled folder access to protect data from ransomware on Windows 10

On Windows ten, "Controlled folder access" is an intrusion-prevention feature available with Microsoft Defender Exploit Guard, which is part of the Microsoft Defender Antivirus. It'due south been designed primarily to finish ransomware from encrypting and taking your data hostage, just it besides protects files from unwanted changes from other malicious applications.

The anti-ransomware feature is optional on Windows 10. When enabled, information technology uses a machinery to track the apps (executable files, scripts, and DLLs), trying to make changes to files in the protected folders. If the app is malicious or non recognized, the feature will block the attempt in real-time, and yous'll receive a notification of the suspicious activity.

If you want an extra layer of security to safeguard your data, you tin enable and customize Controlled folder access using the Windows Security app, Grouping Policy, and even PowerShell.

In this Windows 10 guide, we walk you through the steps to enable the Controlled binder admission feature to prevent ransomware attacks on your device.

How to enable ransomware protection using Security Center
How to enable ransomware protection using Grouping Policy
How to enable ransomware protection using PowerShell

How to enable ransomware protection using Security Centre

To enable Controlled folder access on Windows 10, use these steps:

Open Starting time.
Search for Windows Security and click the tiptop event to open the app.
Click on Virus & threat protection.
Nether the "Ransomware protection" section, click the Manage ransomware protection option.

Source: Windows Central
Plow on the Controlled folder access toggle switch.

Source: Windows Central

One time you complete the steps, Microsoft Defender Antivirus will start protecting your files and folders from unauthorized access by malicious programs similar ransomware.

View block history

To view a list of blocked items by the anti-ransomware solution, apply these steps:

Open Start.
Search for Windows Security and click the height result to open the app.
Click on Virus & threat protection.
Under the "Ransomware protection" section, click the Manage ransomware protection option.

Source: Windows Fundamental
Click the Cake history option.

Source: Windows Central
Confirm the items that take been blocked.

Source: Windows Cardinal

The folio is the same folio to view the protection history available through the main page of the Microsoft Defender Antivirus. However, accessing it from this expanse applies a filter to listing only the history of "Controlled folder admission."

Add new location for protection

By default, the security feature protects the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. Although it's not possible to modify the default listing, if you have files in a dissimilar location, you can manually add other paths.

To add a new binder location for protection, employ these steps:

Open Start.
Search for Windows Security and click the elevation consequence to open the app.
Click on Virus & threat protection.
Under the "Ransomware protection" department, click the Manage ransomware protection choice.

Source: Windows Primal
Click the Protected folders pick.

Source: Windows Key
Click the Add a protected folder button.

Source: Windows Fundamental
Select the new location.
Click the Select Binder button.

After you consummate the steps, the anti-ransomware feature will monitor and protect the new locations.

If the storage configuration changes and you need to remove a location, you can follow the same instructions, simply on step No. 5, select the location and click the Remove button.

Whitelist apps with Controlled folder access

On Windows 10, Controlled folder access tin detect the apps that tin can safely admission your files, just in the case one of the apps y'all trust is blocked, yous'll need to permit the app manually.

To whitelist an app with Controlled folder access, use these steps:

Open Start.
Search for Windows Security and click the top result to open up the app.
Click on Virus & threat protection.
Nether the "Ransomware protection" section, click the Manage ransomware protection option.

Source: Windows Primal
Click the Allow an app through Controlled folder access option.

Source: Windows Central
Click the Add an allowed app button.
Select the Recently blocked apps option to whitelist an app you trust has been flagged equally malicious. Or click the Browse all apps selection.

Source: Windows Primal
Select the app executable (for example, chrome.exe) you want to allow through this feature.
Click the Open push.

In one case y'all consummate the steps, the app won't exist blocked past the feature, and it'll be able to make changes to files.

How to enable ransomware protection using Group Policy

To enable Windows ten's ransomware protection with Group Policy, use these steps:

Open Start.
Search for gpedit and click the tiptop outcome to open the Local Group Policy Editor.
Browse the following path:

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access

Quick note: If you're still on Windows 10 version 1909 or earlier, the path is slightly dissimilar: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Baby-sit > Controlled Folder Access
Double-click the Configure Controlled folder access policy on the right side.

Source: Windows Primal
Select the Enabled option.
Under the "Options" section, use the drib-downwards menu and select the Block option.

Source: Windows Central
Click the Apply button.
Click the OK button.

After you complete the steps, Controlled binder access will enable you to start monitoring and protecting your files stored in the default organization folders.

The only caveat of using this method is that whatsoever future configuration volition have to be fabricated through Group Policy. If yous open up Windows Security, you'll notice the "This setting is managed by your administrator" bulletin, and the Controlled folder access pick will announced grayed out.

You tin revert the changes using the aforementioned instructions, but on step No. v, select the Not Configured option.

Add new location for protection

If you must protect information located in a different location, you can utilise the "Configure protected folders" policy to add together the new binder.

To include a new location for protection with Control folder access, use these steps:

Open up Start.
Search for gpedit and click the top outcome to open the Local Group Policy Editor.
Browse the post-obit path:

Estimator Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Binder Access
Double-click the Configure protected folders policy on the right side.

Source: Windows Central
Select the Enabled option.
Under the "Options" department, click the Testify button.

Source: Windows Primal
Specify the locations y'all want to protect past entering the path of the folder in the "Value proper name" field and adding 0 in the "Value" field.

This instance adds the "MyData" folder in the "F" bulldoze for protection:

F:\MyData

Source: Windows Central
Echo footstep No. 7 to add more locations.
Click the OK button.
Click the Apply button.
Click the OK push.

Once you lot complete the steps, the new folder will be added to the protection list of Controlled binder admission.

To revert the changes, use the same instructions, simply on step No. 5, select the Not Configured option.

Whitelist apps with Controlled folder access

To whitelist an app through the anti-ransomware feature on Windows 10, use these steps:

Open Start.
Search for gpedit and click the elevation result to open the Local Grouping Policy Editor.
Browse the following path:

Calculator Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Binder Access
Double-click the Configure allowed applications policy on the right side.

Source: Windows Central
Select the Enabled selection.
Under the "Options" section, click the Evidence button.

Source: Windows Primal
Specify the location of the .exe file for the app (such as C:\path\to\app\app.exe) you lot want to allow in the "Value name" field and add 0 in the "Value" field.

This example allows the Chrome app when Controlled binder admission is enabled:

C:\Programme Files (x86)\Google\Chrome\Application\chrome.exe

Source: Windows Fundamental
Echo step No. 7 to add more locations.
Click the OK push button.
Click the Utilize push button.
Click the OK push.

Subsequently yous complete the steps, the app won't be blocked, and it'll be able to make changes to protected files and folders.

How to enable ransomware protection using PowerShell

Alternatively, you can as well enable and configure Controlled folder access using PowerShell commands.

To enable Controlled binder access with PowerShell, use these steps:

Open Get-go.
Search for PowerShell, right-click the top outcome, and click the Run as ambassador option.
Blazon the following command to enable the feature and press Enter:

Prepare-MpPreference -EnableControlledFolderAccess Enabled

Source: Windows Central
(Optional) Type the following command to disable the security feature and press Enter:

Gear up-MpPreference -EnableControlledFolderAccess Disabled

One time you complete the steps, Controlled folder access volition enable on your computer to protect files and folders from ransomware attacks.

Add new location for protection

To allow Controlled folder admission to protect an additional folder, employ these steps:

Open Get-go.
Search for PowerShell, right-click the acme result, and click the Run as administrator pick.
Blazon the following control to add a new location and press Enter:

Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\add"

In the command, brand certain to change the path for the location and executable of the app yous want to let.

For example, this command adds the "MyData" folder in the "F" bulldoze to list of protected folders:

Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\MyData"

Source: Windows Cardinal
(Optional) Type the following command to remove a folder and press Enter:

Disable-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\remove"

After you lot consummate the steps, the anti-ransomware feature will protect the contents inside the new location.

Whitelist apps with Controlled folder access

To let an app in Controlled binder access with PowerShell, employ these steps:

Open Beginning.
Search for PowerShell, right-click the meridian result, and click the Run equally ambassador choice.
Type the following command to permit an app and printing Enter:

Add together-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

In the command, make sure to modify the path for the location and executable of the app yous want to allow.

For example, this control adds Chrome to the list of allowed apps:

Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Source: Windows Central
(Optional) Type the post-obit command to remove an app and press Enter:

Remove-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"

In one case you complete the steps, the app will be allowed to run and make changes to your files when the characteristic is available.

Controlled folder access is 1 of the intrusion-prevention features of the Microsoft Defender Exploit Baby-sit, which is part of the Microsoft Defender Antivirus. This means that the security feature won't be bachelor if you utilise a third-party antivirus.