Enable Controlled Folder Access To Protect Data Using Intune

In this post, you will learn how to enable Controlled Folder Access To Protect Data Using Intune MEM Portal. Controlled folder access in Windows Security reviews the apps that can make changes to files in protected folders and blocks unauthorized or unsafe apps from accessing or changing files in those folders.

Controlled folder access is especially useful in helping to protect your documents and information from ransomware. In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder.

Windows system folders are protected by default, and Controlled folder access applies to many system folders and default locations, including folders such as DocumentsPictures, and Movies. You can add other folders to be protected, but you cannot remove the default folders in the default list.

Adding other folders to Controlled folder access can be helpful for cases when you don’t store files in the default Windows libraries, or you’ve changed the default location of your libraries.

Patch My PC

The protected folders include common system folders (including boot sectors), and you can add more folders. You can also allow apps to give them access to the protected folders. You could use audit mode to evaluate how controlled folder access would impact your organization if enabled.

Enable Controlled Folder Access To Protect Data Using Intune

The following steps help you to enable Controlled folder access using Intune MEM Portal –

  • Sign in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
  • Select Endpoint security, Navigate to Attack Surface Reduction > Create Policy

Note – The policy settings can also be accessible by selecting Devices > Windows > Configuration profiles > Create profile.

Create Policy - Enable Controlled Folder Access To Protect Data Using Intune 1
Create Policy – Enable Controlled Folder Access To Protect Data Using Intune 1

In Create Profile, Select Platform, Windows 10 and later, and ProfileDevice control. Click on Create button. 

Select Platform, Profile type - Enable Controlled Folder Access To Protect Data Using Intune 2
Select Platform, Profile type – Enable Controlled Folder Access To Protect Data Using Intune 2

On the Basics tab, enter a descriptive name, such as Enable Controlled Folder Access to Protect Data. Optionally, enter a Description for the policy, then select Next.

Provide Basic Information - Enable Controlled Folder Access To Protect Data Using Intune 3
Provide Basic Information – Enable Controlled Folder Access To Protect Data Using Intune 3

On the Configuration settings page, configure the following settings and click Next.

  • Enable Controlled Folder Access: Select Enabled to enforce controlled folder access
  • Controlled Folder Access Protected Folders: Select a List of additional folders that need to be protected and add the folders that need to be protected.
  • Controlled Folder Access Allowed Applications: Select a List of apps that have access to protected folders and add the apps that have access to protected folders.
Configure Controlled Folder Access - Enable Controlled Folder Access To Protect Data Using Intune 4
Configure Controlled Folder Access – Enable Controlled Folder Access To Protect Data Using Intune 4

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

Under Assignments, In Included groups, select Add groups and select groups to include one or more groups. Select Next to continue.

Group Assignment - Enable Controlled Folder Access To Protect Data Using Intune 5
Group Assignment – Enable Controlled Folder Access To Protect Data Using Intune 5

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Review Policy - Enable Controlled Folder Access To Protect Data Using Intune 6
Review Policy – Enable Controlled Folder Access To Protect Data Using Intune 6

A notification will appear automatically in the top right-hand corner with a message. You can see that the Policy “Enable Controlled Folder Access To Protect Data” created successfully. The policy is shown in the Endpoint security.

Endpoint security - Enable Controlled Folder Access
Endpoint security – Enable Controlled Folder Access

Your groups will receive your profile settings when the devices check in with the Intune service the policy applies to the device.

Intune MDM Event Log 814

The Intune event ID 814 indicates that a string policy is applied on Windows 11 or 10 devices. You can also see the exact value of the policy being applied to those devices.

MDM PolicyManager: Set policy string, Policy: (ControlledFolderAccessProtectedFolders), Area: (Defender), EnrollmentID requesting merge: (6C05885D-4A9C-4EF9-A8A7-1EE0190B36A9), Current User: (Device), String: (C:\HTMD), Enrollment Type: (0x6), Scope: (0x0).

Event Logs - Controlled Folder Access Enabled
Event Logs – Controlled Folder Access Enabled

You can use REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located at the registry path

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager ValueName ProtectedFolders

Registry - Controlled Folder Access Enabled
Registry – Controlled Folder Access Enabled

Intune Reporting – Enable Controlled Folder Access Using Intune Policy

You can check the Intune reports to confirm whether the client sends the policy deployment status back to the server or service. The policy got successfully deployed on multiple devices.

Intune Reporting – Enable Controlled Folder Access Using Intune Policy
Intune Reporting – Enable Controlled Folder Access Using Intune Policy

Controlled Folder Access in Windows Security

On your Windows 10 or  Windows 11 Device, Click on the Start button.

Type Windows Security in the search box. Click on Virus & threat protection directly from search results.

Scroll down to the Virus & threat protection settings, and select Manage settings. Here you can see Controlled folder access is turned on, and clicking on Protected folders redirect you to look in the Windows system folders protected by default and the folder you added.

Protected Folders - Controlled Folder Access in Windows Security
Protected Folders – Controlled Folder Access in Windows Security

Windows system folders are protected by default, along with several other folders, The protected folders include common system folders (including boot sectors), and you can add additional folders.

You can also allow apps to give them access to the protected folders. The Windows systems folders that are protected by default are:

  • c:\Users\<username>\Documents
  • c:\Users\Public\Documents
  • c:\Users\<username>\Pictures
  • c:\Users\Public\Pictures
  • c:\Users\Public\Videos
  • c:\Users\<username>\Videos
  • c:\Users\<username>\Music
  • c:\Users\Public\Music
  • c:\Users\<username>\Favorites
Windows System Protected Folders
Windows System Protected Folders

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.