How to Enable Controlled Folder Access in Windows?


Controlled folder access is a feature on Windows 10 that stops hackers from getting in. It is part of Microsoft Defender Exploit Guard, which is part of Microsoft Defender Antivirus. Its main purpose is to stop ransomware from encrypting your files and holding them for ransom. It also stops other bad programs from making changes to your files that you don’t want.

You can choose whether or not to use anti-ransomware on Windows 10. It keeps track of apps, executable files, scripts, and DLLs that try to change files in protected folders when it is turned on. If the app is malicious or not known, the feature will block the attempt in real time and let you know.

What is Controlled Folder Access?

With controlled folder access, you can stop dangerous apps and threats like ransomware from getting to your important files. Controlled folder access is built into Windows 10, Windows 11, and Windows Server 2019.

Controlled folder access is also part of the modern, all-in-one solution for Windows Server 2012R2 and 2016. In Audit mode, you can try out how a feature would work and look back at events without changing how the device is usually used.

Group Policy settings that stop local administrators from merging their lists will override the settings for controlled folder access. They can also change what the local administrator has set up for protected folders and allowed apps through controlled folder access. One of these rules is:

  • Microsoft Defender Antivirus figure out how the local administrator will combine lists.
  • System Center Endpoint Protection should let users add exclusions and overrides.

How to Enable Controlled Folder Access?

The Windows Security antivirus app for Microsoft desktops has a feature called “controlled folder access.” This feature stops ransomware by making it impossible to change files in protected folders. When you turn on controlled folder access, malware and other apps you don’t trust won’t be able to change files in protected directories.

Some Windows 10 and 11 users like the extra security that controlled folder access gives them. Ransomware is not something to take lightly, and if you turn on this feature, system and user files will be even safer. This is how you can set up controlled folder access in Windows.

1. Controlled Folder Access Can Be Enabled in Windows Security

The “Controlled folder access” setting is buried in the “Protect against ransomware” section of the Windows Security app. But it’s easy to find and turn on or off once you know where it is. Here’s how to use the Windows Security app Controlled folder access setting.

  • To open the Windows Security app, double-click the shield icon in the system tray.
  • In Windows Security, click on the Virus and threat protection tab.
  • Click Manage ransomware protection to get to the Controlled folder access setting.
  • Now, turn on the Controlled folder access feature to use this feature.

When you turn on Controlled Folder Access, your user folders for Documents, Videos, Pictures, and Music will be safe. If you click the Protected folder button, you can see a list of the protected user directories. You can add more to the list by clicking the Add protected folder button, choosing a directory, and then clicking the Select Folder button.

2. Controlled Folder Access Can Be Turned on in Endpoint Manager

  • Sign in to Endpoint Manager, then go to Endpoint Security and open it.
  • Go to Attack Surface Reduction > Policy.
  • Select Platform, then Windows 10 and later, then Attack Surface Reduction rules, and then click Create.
  • Name the policy and say a few words about it. Pick Next.
  • Scroll down to the bottom, click the drop-down menu next to “Enable Folder Protection,” and then click “Enable.”
  • Choose List of additional folders that need to be protected, and then add the folders that need to be protected.
  • Select List of apps that can access protected folders and add the apps that can access protected folders.
  • Select Exclude files and paths from attack surface reduction rules, and then add the files and paths that should not be included in attack surface reduction rules.
  • Select the profile Assignments, assign it to All Users and All Devices, and click Save.
  • To save each open blade, click Next, and then click Create.

3. Add a New Place Where You Can Protect a Folder

The default setting for the security feature is to protect the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. Even though you can’t change the default list, you can manually add other paths if your files are in a different place. To add a new place to protect a folder, do the following:

  • Open Start.
  • Just type “Windows Security” into the search bar and click on the first result to open the app.
  • Click on Virus and threat protection.
  • Under “Ransomware protection,” click on the link that says “Manage ransomware protection.”
  • Click on the “Protected folders” button.
  • Click on the lock-shaped button.
  • Pick the new spot.
  • Click the “Select Folder” button.

After you finish the steps, the anti-ransomware feature will keep an eye on the new places and protect them. If the way your storage is set up changes and you need to get rid of a location, you can still use these steps, but at step 5, you’ll have to choose the location and click the Remove button.

4. Controlled Folder Access Can Be Enabled Using REG File

To turn on or off controlled folder access, you can also make a shortcut in the context menu. Then you can change the setting for Turn on Control folder access right from the Windows desktop. To add a CFA option to the right-click menu, set up and run a registry script like this one:

  • Open Notepad.
  • Then, press Ctrl+C to copy the script text that starts with the heading below.[HKEY_CLASSES_ROOT\DesktopBackground\Shell\ControlledFolderAccess]
  • Click in the Notepad window and press Ctrl+V to paste the script.
  • Next, press Ctrl+Shift+S to bring up Notepad’s “Save as” window.
  • Type Turn on Control folder access.reg in the box for the file name.
  • Choose whether you want to save the script to the desktop.
  • Click Save to put the registry file for Turn on Control folder access on the desktop.
  • Close the Notepad editor and double-click the file Turn on Control folder access.reg on your desktop.
  • If you’re sure you can trust the script, choose “Yes.”
  • You can now turn on controlled folder access from the Windows context menu.
  • Right-click on an empty area of the desktop and choose Show more options from the menu that appears.
  • Move the cursor over the Turn On or Off Control submenu in the folder access submenu.
  • Click Turn on Control folder access and then click OK to use this Windows Security feature.

If you ever want to get rid of the option to control access to a folder from the context menu, you can do so by deleting the registry key for it.

Controlled Folder Access Can Be Enabled in PowerShell

  • Type “PowerShell” into the Start menu, then right-click “Windows PowerShell” and select “Run as administrator.”
  • Type the following line of commands:                                                                                                                  Set-MpPreference -EnableControlledFolderAccess On
  • You can turn on the feature while in audit mode if you use Audit Mode instead of Enabled.
  • Use “Disabled” if you want to turn off the feature.


When you use controlled folder access, only apps you know and trust can get into protected folders. When you set up controlled folder access, you choose which folders you want to protect. Most of the time, folders that are used often, like those for documents, pictures, downloads, and so on, are on the list of controlled folders.

Only apps on a list can be given access to a folder. The trusted software list has apps that work the way they should. Protected folders can’t be changed by apps that aren’t on the list. I hope that we were able to help you figure out how to turn on Controlled Folder Access, which you can do with the above solutions.

Leave A Reply

Your email address will not be published.