Privacy and Security Add or Remove Protected Folders for Controlled Folder Access in Windows 11


Windows_Security_banner.png

This tutorial will show you how to add and remove protected folders for Controlled Folder Access in Microsoft Defender Antivirus in Windows 11.

Microsoft Defender Antivirus is an antivirus software that is included in Windows 11 and can help protect your device from viruses, malware, and other threats.

Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. In a ransomware attack, your files can get encrypted and held hostage.

Controlled folder access protects your data by checking apps against a list of known, trusted apps. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder.

Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.

Windows system folders are protected by default, along with several other folders:
  • C:\Users\<username>\Documents
  • C:\Users\Public\Documents
  • C:\Users\<username>\Pictures
  • C:\Users\Public\Pictures
  • C:\Users\Public\Videos
  • C:\Users\<username>\Videos
  • C:\Users\<username>\Music
  • C:\Users\Public\Music
  • C:\Users\<username>\Favorites
You can add other folders to be protected, but you cannot remove the default folders above in the default list. You can specify folders, drives, network shares, and mapped drives. Environment variables and wildcards are supported.

Reference:


You must be signed in as an administrator to add or remove protected folders for Controlled folder access.

It is required to turn on Controlled Folder Access to be able to add and remove protected folders.



Contents

  • Option One: Add or Remove Protected Folders for Controlled Folder Access in Windows Security
  • Option Two: Add or Remove Protected Folders for Controlled Folder Access using Command
  • Option Three: Configure Protected Folders Policy for Controlled Folder Access in Local Group Policy Editor
  • Option Four: Configure Protected Folders Policy for Controlled Folder Access in Registry Editor





OPTION ONE

Add or Remove Protected Folders for Controlled Folder Access in Windows Security


1 Open Windows Security.

2 Click/tap on Virus & threat protection. (see screenshot below)

Microsoft_Defender_Controlled_Folder_Access-1.png

3 Perform one of the following actions below: (see screenshots below)
  • Click/tap on the Manage ransomware protection link under Ransomware protection.
  • Click/tap on the Manage settings link under Virus & threat protection settings, and click/tap on the Manage Controlled folder access link under Controlled folder access.

Microsoft_Defender_Controlled_Folder_Access-2.png
Microsoft_Defender_Controlled_Folder_Access-3.png

4 Click/tap on the Protected folders link. (see screenshot below)

Microsoft_Defender_Controlled_Folder_Access-4.png

5 If prompted by UAC, click/tap on Yes to approve.

6 Do step 7 (add) or step 8 (remove) below for what you want.


 7. Add Protected Folders to Controlled Folder Access for Microsoft Defender Antivirus

A) Click/tap on Add a protected folder. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access-5.png

B) Navigate to and select the drive or folder you want to add, and click/tap on Select Folder. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access-6.png

C) Go to step 9


 8. Remove Protected Folders from Controlled Folder Access for Microsoft Defender Antivirus

A) Click/tap on the protected folder you want to remove to expand it open. (see screenshot below)​

B) Click/tap on Remove.​

Microsoft_Defender_Controlled_Folder_Access-7.png

C) Click/tap on OK to confirm. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access-8.png

D) Go to step 9.​

9 When finished adding or removing protected folders, you can close Windows Security if you like.





OPTION TWO

Add or Remove Protected Folders for Controlled Folder Access using Command


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below you want to use into Windows Terminal (Admin), and press Enter. (see screenshots below)

(Add Protected Folder to Controlled Folder Access)
PowerShell Add-MpPreference -ControlledFolderAccessProtectedFolders "<full path>"

OR​

(Remove Protected Folder from Controlled Folder Access)
PowerShell Remove-MpPreference -ControlledFolderAccessProtectedFolders "<full path>"

Substitute <full path> in the commands above with the actual full path of the drive or folder you want to add or remove as a protected folder.

For example:
PowerShell Add-MpPreference -ControlledFolderAccessProtectedFolders "Z:\"

PowerShell Remove-MpPreference -ControlledFolderAccessProtectedFolders "Z:\"


3 You can now close Windows Terminal (Admin) if you like.

Controlled_Folder_Access_add_folder_command.png

Controlled_Folder_Access_remove_folder_command.png






OPTION THREE

Configure Protected Folders Policy for Controlled Folder Access in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Four for the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration>Administrative Templates>Windows Components>Microsoft Defender Antivirus>Microsoft Defender Exploit Guard>Controlled folder access

Microsoft_Defender_Controlled_Folder_Access_gpedit-1.png

3 In the right pane of Controlled folder access in the Local Group Policy Editor, double click/tap on the Configure protected folders policy to edit it. (see screenshot above)

4 Do step 5 (add), step 6 (remove), or step 7 (default) below for what you want.


5 Add Protected Folder to Controlled Folder Access for Microsoft Defender Antivirus

Folders added using this option cannot be removed using Option One and Option Two.


A) Select (dot) Enabled. (see left screenshot below)​

B) Click/tap on the Show button for Enter the folders that should be guarded under Options. (see left screenshot below)​

C) In the Value name column, type the full path of the drive or folder (ex: "Z:\") you want to add as a protected folder. (see right screenshot below)​

You will need to double click/tap in the field to be able to enter the full path.


D) In the Value column to the right of the added drive or folder, type the number 0. (see right screenshot below)​

You will need to double click/tap in the field to be able to enter the number.


E) When finished adding drives and/or folders, click/tap on OK. (see right screenshot below)​

F) Click/tap on OK. (see left screenshot below)​

G) Go to step 8.​

Microsoft_Defender_Controlled_Folder_Access_gpedit-3.png
Microsoft_Defender_Controlled_Folder_Access_gpedit-4.png

6 Remove Protected Folder from Controlled Folder Access for Microsoft Defender Antivirus

Folders added using Option One and Option Two will not be listed here.


A) Select (dot) Enabled. (see left screenshot above)​

B) Click/tap on the Show button for Enter the folders that should be guarded under Options. (see left screenshot above)​

C) Delete the Value name column and Value column for the drive(s) and/or folder(s) you want to remove. (see right screenshot above)​

D) When finished removing drives and/or folders, click/tap on OK. (see right screenshot above)​

E) Click/tap on OK. (see left screenshot above)​

F) Go to step 8.​

7 Undo Configure Protected Folders Policy

This is the default setting.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK.​

C) Go to step 8.​

Microsoft_Defender_Controlled_Folder_Access_gpedit-2.png

8 You can now close the Local Group Policy Editor if you like.





OPTION FOUR

Configure Protected Folders Policy for Controlled Folder Access in Registry Editor


1 Do step 2 (add), step 3 (remove), or step 4 (default) below for what you want.


2 Add Protected Folder to Controlled Folder Access for Microsoft Defender Antivirus

Folders added using this option cannot be removed using Option One and Option Two.


A) Click/tap on the Download button below to download the file below to add the needed registry keys and values.​

Configure_protected_folders_group_policy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
"ExploitGuard_ControlledFolderAccess_ProtectedFolders"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders]

B) Save the .reg file to your desktop.​

C) Double click/tap on the downloaded .reg file to merge it.​

D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.​

E) You can now delete the downloaded .reg file if you like.​

F) Open Registry Editor (regedit.exe).​

G) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 2H)​

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders

H) In the right pane of the ProtectedFolders key, right click on an empty space, click/tap on New, and click/tap on String Value. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access_regedit-1.png

I) Type the full path of the drive or folder (ex: "Z:\") you want to add as the name of this string value, and press Enter. (see screenshot below step 2J)​

J) Double click/tap on this string value (ex: "Z:\") to modify it. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access_regedit-2.png

K) Type the number 0, and click/tap on OK. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access_regedit-3.png

L) When finished adding drive(s) and/or folder(s), you can close Registry Editor if you like.​

3 Remove Protected Folder from Controlled Folder Access for Microsoft Defender Antivirus

Folders added using Option One and Option Two will not be listed here.


A) Open Registry Editor (regedit.exe).​

B) Navigate to the key below in the left pane of Registry Editor. (see screenshot below step 3H)​

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders

C) In the right pane of the ProtectedFolders key, right click on the string value (REG_SZ) of the drive or folder (ex: "Z:\") you want to remove, and click/tap on Delete. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access_regedit-4.png

D) Click/tap on Yes to confirm. (see screenshot below)​

Microsoft_Defender_Controlled_Folder_Access_regedit-5.png

E) When finished removing drive(s) and/or folder(s), you can close Registry Editor if you like.​

4 Undo Configure Protected Folders Policy

This is the default setting.


A) Click/tap on the Download button below to download the file below.​

Undo_Configure_protected_folders_group_policy.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
"ExploitGuard_ControlledFolderAccess_ProtectedFolders"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders]

B) Save the .reg file to your desktop.​

C) Double click/tap on the downloaded .reg file to merge it.​

D) When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.​

E) You can now delete the downloaded .reg file if you like.​


That's it,
Shawn Brink


 

Attachments

Last edited:
Back
Top Bottom