Windows Defender Controlled Folder Access: How to Configure Ransomware Protection Without Breaking Your Applications

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Controlled Folder Access is one of the most underused Windows Defender features. Most organizations do not deploy it because the initial enablement blocks legitimate applications and the support tickets arrive immediately. The solution is a structured deployment: audit mode first, allow-list the legitimate applications you discover, then switch to enforcement. This guide covers the complete deployment workflow so you can reach a stable enforced state without disrupting productivity.
Enable in Audit Mode First
Never enable CFA in enforcement mode without a prior audit phase. Enforcement mode blocks writes from unlisted applications immediately, which will break any application that writes to the Documents or Desktop folder without using the standard Windows file APIs in a way Defender recognizes. Enable audit mode via PowerShell: Set-MpPreference -EnableControlledFolderAccess AuditMode. Via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access > Configure Controlled Folder Access = Audit Mode. Via Intune: Endpoint Security > Attack Surface Reduction policy > Controlled Folder Access = Audit. After enabling audit mode, run it for 2 to 4 weeks. During this period, check the Windows Event Log under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational, filtering for Event ID 1124 (audit block) -- these are all the applications that WOULD be blocked if enforcement were active. Build your allow-list from these events.
Build the Application Allow-List
Event ID 1124 shows the process that attempted the blocked write. Collect all unique processes over your audit period: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1124} | Select-Object @{Name='Process';Expression={$.Properties[5].Value}}, @{Name='Folder';Expression={$.Properties[4].Value}} | Sort-Object Process -Unique. For each process in the output: verify it is a legitimate business application (not a script or an unexpected binary). Add it to the CFA allow-list: Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\path\to\application.exe'. Via GPO: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access > Configure allowed applications. Via Intune: in the Attack Surface Reduction policy, add the process paths to the 'Additional controlled folder access allowed applications' list. Common applications that need allow-listing: line-of-business applications that save to Documents, PDF creators, screen capture tools, sync clients (OneDrive is auto-allowed by Microsoft, but some third-party sync tools are not), and backup agents that write to local user directories.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Add Protected Folders Beyond the Defaults
The default six protected folders cover personal user data. For business environments, add additional protected folders where sensitive data lives: network mapped drives (CFA can protect mapped drive letters on the local endpoint), application data directories that contain business-critical files, custom document repositories outside the standard user profile. Via PowerShell: Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\BusinessData'. Via GPO: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access > Configure protected folders. Add the additional folder paths. Note: CFA protects folder contents at the local file system level. For network shares and file servers, a different control is appropriate -- ransomware encrypting a file server via SMB must be detected via share access monitoring and honeypot files, not CFA on the endpoint (CFA on the endpoint does not protect network shares the endpoint accesses). CFA on the file server itself protects the file server's local storage, but most ransomware that targets file servers does so via SMB from a compromised client, not local execution.
Switch to Enforcement and Monitor
After completing the audit phase and building the allow-list, switch to enforcement: Set-MpPreference -EnableControlledFolderAccess Enabled. In enforcement mode, Event ID 1123 logs each blocked attempt with the process name and targeted folder. Event ID 1124 no longer fires (that was audit-mode only). Monitor for new Event ID 1123 events in the first week after enabling enforcement -- these represent applications not in the audit-period data (less common applications, newly installed software). Add legitimate applications to the allow-list as they appear. When a user reports they cannot save a file: check Event ID 1123 on their device, identify the process, verify it is legitimate, and add it to the allow-list via Intune or GPO within 30 minutes. The allow-list update propagates via policy and does not require a reboot. For executive escalations where you need to immediately unblock a user: temporarily set CFA back to Audit mode on that specific device while you update the policy, then re-enable enforcement after the allow-list update propagates.
Test CFA Is Actually Working
After enforcement, verify CFA blocks write attempts from unlisted processes. Safe test: create a simple PowerShell script that attempts to write a file to the Documents folder (not a Defender-trusted process). Confirm the write is blocked and Event ID 1123 appears. Do not test with actual ransomware simulators on production systems unless they are isolated VMs. KnowBe4 RanSim and similar ransomware simulators can be used in a test VM to verify CFA blocks the simulated encryption pattern. The Microsoft documentation includes a simple test: create a text file, rename it to test.exe, and attempt to write to the Documents folder from it -- CFA should block it. Verify via Defender for Endpoint (if deployed) that CFA events appear in the device's timeline in the Microsoft 365 Defender portal. This confirms both that CFA is enforcing and that the telemetry is reaching your security platform.
The bottom line
Controlled Folder Access provides meaningful ransomware protection for user workstations at zero additional cost. The deployment process (audit, allow-list, enforce) takes two to four weeks. The ongoing maintenance is adding new applications to the allow-list as they are deployed. The payoff is that even if ransomware executes on an endpoint, it cannot encrypt the protected folders where users store their most important files. Deploy in audit mode today and you will have enforcement ready in a month.
Frequently asked questions
Does Controlled Folder Access stop all ransomware?
No. CFA blocks ransomware from encrypting files in protected folders only. Ransomware can still execute, encrypt files outside protected folders, exfiltrate data, encrypt files on network shares (unless CFA is also enabled on the file server), and cause other damage. CFA specifically targets the most common ransomware behavior (encrypting user documents) and limits that specific impact. It should be paired with behavioral detection (Defender for Endpoint), email filtering (Defender for Office 365), backup, and network segmentation for a complete ransomware defense strategy.
Will Controlled Folder Access protect network drives?
CFA protects locally mapped drive letters on the endpoint -- if you map Z: to a file server, CFA on the endpoint protects the Z: drive from local processes. However, ransomware that runs on a different compromised endpoint and encrypts files on the file server via SMB bypasses CFA on the victim endpoint entirely. Protecting file servers from ransomware requires monitoring at the file server level (share access rate monitoring, honeypot files, canary documents), not relying on CFA from the attacking endpoint.
Can ransomware bypass Controlled Folder Access by injecting into a trusted process?
Yes. Sophisticated ransomware can inject code into a trusted application (like explorer.exe or a business application that is allow-listed) and write to protected folders using that trusted process's handle. CFA does not protect against process injection. This is why CFA is a complementary control alongside behavioral detection, not a standalone defense. Defender for Endpoint's behavioral engine detects many process injection techniques and should be the primary detection layer, with CFA adding a write-blocking layer for the cases behavioral detection misses.
How do I manage the allow-list at scale across thousands of endpoints?
Use Intune (Endpoint Security > Attack Surface Reduction) or Group Policy for centralized allow-list management. Add applications to the central policy and they propagate to all managed endpoints. Do not manage CFA allow-lists per-device -- that creates an unmanageable sprawl. The standard pattern is one or two CFA policies in Intune: one for standard workstations (baseline allow-list), one for specific endpoint types that need different applications (e.g., developer machines). Use the audit-mode event collection phase to build the right baseline before deploying enforcement.
Which folders does Controlled Folder Access protect by default?
By default, CFA protects: Documents, Pictures, Videos, Music, Desktop, and Favorites for each user profile. Additionally, it protects the Windows system folders (Windows, Program Files, Program Files (x86)). You can add custom folders via Intune or Group Policy -- common additions are the user's OneDrive sync folder and any shared department folders mapped locally. Protect the folders where users actually store their working files; the default list covers the most common ransomware targets but may miss organization-specific locations. Check your CFA audit events (Event ID 1123 in audit mode) to see which protected folders ransomware would have targeted.
What is the deployment process for rolling out Controlled Folder Access across an enterprise without disrupting users?
A staged rollout is essential because CFA in block mode immediately stops unallowed applications from writing to protected folders, which can break software that stores data in user profile directories. Stage 1: Enable CFA in audit mode enterprise-wide via Intune or GPO. Audit mode records what would have been blocked (Event ID 1123) without actually blocking. Collect audit events for 2-4 weeks. Stage 2: Identify all applications generating audit events. For each application, determine whether it is legitimate (add to the allow-list) or unknown (investigate). Build your allow-list from the audit data. Stage 3: Enable block mode in a pilot group (IT department, 50-100 users with good support coverage) with the allow-list in place. Monitor for additional missed applications for 2 weeks. Stage 4: Roll out block mode to the full fleet in waves, starting with the lowest-risk user population (kiosk machines, standard users with limited software variety) and ending with power users (developers, engineers) who use the most diverse software.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
