Controlled folder access (CFA) is a security feature in Microsoft Defender Antivirus designed to prevent unauthorized applications from modifying files in protected directories. When you enable it, CFA blocks untrusted or unknown apps from making changes to user folders. This can protect your data from tampering and exfiltration and improve network security.
For IT admins and power users, managing controlled folder access in Defender could improve a managed environment’s security framework. This guide provides steps to enable or disable controlled folder access in Windows 11 using various methods, including Windows Security, PowerShell, Group Policy, and the Registry Editor.
How to manage controlled folder access in Defender
Before you can enable or disable controlled folder access in Microsoft Defender, you need to fulfill the following prerequisites:
- Microsoft Defender should be up and running. If you’re using a third-party antivirus, disable it first, then activate Microsoft Defender. Note that CFA settings won’t appear if another antivirus solution has replaced it.
- Real-time Protection should be on. It must be turned on for Defender to monitor and block untrusted activity.
- You need to have administrative rights. You need to be an administrator to enable or disable controlled folder access through PowerShell, the Registry, or Group Policy.
- Windows 11 Edition concerns. The Group Policy and PowerShell options require Windows 11 Pro, Enterprise, or Education.
Method 1: Enable or disable controlled folder access via Windows Security (GUI)
This is the most straightforward method of managing CFA, though it is best for individual devices rather than bulk configurations.
⚠️ For this method to work, Microsoft Defender must be fully enabled, and no third-party cybersecurity platforms should be active. Otherwise, some of the menus below will not appear.
- Press Win + I to open Settings, then navigate to Privacy & Security > Windows Security > Virus & threat protection. This opens Windows Security in another window.
- Next, scroll down and click Manage ransomware protection. This option is under the Ransomware protection section.
- Here, you can then toggle controlled folder access.
- Set the switch to On to enable CFA. This will block untrusted or unknown apps from accessing files in protected folders.
- Set it to Off to disable CFA. All applications will be able to access protected folders without restriction.
- Optional: If you want to protect additional locations or exclude default ones, you can add or remove protected folders via Protected Folders. By default, folders like Documents, Pictures, and Desktop are included.
- When a trusted app is blocked from making changes to a protected folder, you can manually allow it. To do so, click Allow an app through controlled folder access and add the app to the allowlist.
Method 2: Configure controlled folder access via Group Policy (for enterprise or managed environments)
This method is ideal for enterprise and managed environments. It allows admins and IT managers to enforce or test controlled folder access in Windows Defender across numerous machines.
- Open the Group Policy Editor. Use the Win + R shortcut, type gpedit.msc, and press Enter.
- Next, navigate to this CFA Policy Path:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access.
- Next, tweak the CFA Policy. Double-click Configure controlled folder access and set the policy to Enabled.
- After this, you can then pick any of the enforcement modes:
- Enable controlled folder access – this will block unauthorized changes to protected folders.
- Disable controlled folder access – this will completely turn off CFA.
- Audit Mode – this logs CFA events to Windows Event Viewer without blocking any apps. This is best for testing.
- Click Apply, open the Command Prompt, and use this command to apply the changes immediately: gpupdate /force.
Method 3: Enable or disable controlled folder access using Windows PowerShell
Using PowerShell, you can enable, disable, or audit controlled folder access. It is best used in scripts, remote management, and automated deployments.
First, open PowerShell as an admin, then use the following commands to manage CFA:
- Run the following command to check CFA status:
Get-MpPreference | Select-Object EnableControlledFolderAccess
The returned value tells you whether it is on, deactivated, or in audit mode.
- 0 = Disabled
- 1 = Enabled
- 2 = Audit mode
- Meanwhile, to enable controlled folder access, use this command:
Set-MpPreference -EnableControlledFolderAccess 1
- To disable controlled folder access, use this command:
Set-MpPreference -EnableControlledFolderAccess 0
- If you want to set CFA to Audit Mode, use this:
Set-MpPreference -EnableControlledFolderAccess 2
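For scripted deployments, the prerequisite checks and the commands above can be combined so that the change is verified after it is made. This is an added example, not part of the original guide; the function name Set-CfaMode and its output fields are hypothetical, and it assumes an elevated PowerShell session on a device with the Defender cmdlets available.

```powershell
# Added example (not from the original guide). Run in an elevated session.
function Set-CfaMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )

    # Numeric values as listed in this guide: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    $values = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }
    $names  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

    # Prerequisites from this guide: Defender is the active antivirus
    # and Real-time Protection is on.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        throw 'Microsoft Defender Antivirus is not active on this device.'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        throw 'Real-time Protection is off; CFA cannot monitor or block activity.'
    }

    $before = [int](Get-MpPreference).EnableControlledFolderAccess
    if ($before -ne $values[$Mode] -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set CFA to $Mode")) {
        Set-MpPreference -EnableControlledFolderAccess $values[$Mode]
    }

    # Read the setting back: a centrally managed policy can override a local
    # change, so report what is actually in effect rather than what was requested.
    $after = [int](Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Before    = $names[$before]
        After     = $names[$after]
        Requested = $Mode
        InEffect  = ($after -eq $values[$Mode])
    }
}

# Start in audit mode, as the guide recommends before enforcement.
Set-CfaMode -Mode AuditMode
```

Running it with -WhatIf shows the intended change without applying it; InEffect is then False unless the device was already in the requested mode.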
Method 4: Configure controlled folder access via Registry Editor
The Windows Registry Editor allows IT admins to tweak controlled folder access (CFA) directly when deploying settings via Intune custom policies.
- To start, open the Registry Editor. Use the Win + R shortcut, type regedit, and press Enter.
- Next, navigate to the CFA Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\controlled folder access
- Create the CFA setting or make existing tweaks.
- To create, right-click in the right pane and select New > DWORD (32-bit) Value.
- Next, name it EnableControlledFolderAccess.
- Set the value based on your desired configuration:
- 0 = Disabled
- 1 = Enabled
- 2 = Audit Mode
- Apply the changes by restarting your computer. Alternatively, you can also use the Command Prompt (Admin) and run this command: sc stop WinDefend && sc start WinDefend. This will restart Microsoft Defender Antivirus and apply the registry change.
Factors to consider when managing controlled folder access
When tweaking controlled folder access, it’s essential to balance protection without sacrificing access and functionality.
Here are a few things you need to consider:
- When enabled, CFA may block legitimate apps from writing to protected folders. This may disrupt your workflow.
To prevent this, perform step 5 in method 1 or use this command in PowerShell:
- Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\To\App.exe"
- Replace the path with the exact location of the executable. By running the command several times, you can easily add multiple apps.
- CFA logs all blocked actions on Event Viewer, making troubleshooting issues or refining your allowlist easier.
To view the logs, follow this path:
- Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.
- By default, CFA protects key folders like Documents, Pictures, Videos, Music, Desktop, and Favorites. You can add protected folders via the GUI (follow method 1, step #4) or use the command in PowerShell – just replace “Your Custom Folder” with the folder’s path:
- Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Your\Custom\Folder"
- Before enforcing CFA, run it in Audit Mode to identify false positives, and test everything before changing policies.
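The Operational log mentioned above can also be read from PowerShell, which makes an Audit Mode trial easier to review than paging through Event Viewer. This is an added example, not part of the original guide: the function name Get-CfaEventSummary is hypothetical, event IDs 1123 (blocked) and 1124 (audited) come from Microsoft's Defender documentation rather than this page, and the 'Process Name' and 'Path' event data field names are an assumption to confirm against one event on your own system.

```powershell
# Added example (not from the original guide): summarize CFA block and audit
# events per application to find allowlist candidates after an audit period.
function Get-CfaEventSummary {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124   # 1123 = blocked, 1124 = audited
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # No matching events is a valid result, so suppress the "not found" error.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Flatten the event's named <Data> elements into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $fields['Process Name']   # assumed field name
            Target  = $fields['Path']           # assumed field name
            Time    = $e.TimeCreated
        }
    }

    # One row per application and action, most frequent first.
    $rows | Group-Object Process, Action | ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Group[0].Process
            Action   = $_.Group[0].Action
            Count    = $_.Count
            LastSeen = $_.Group.Time | Sort-Object -Descending | Select-Object -First 1
            Targets  = ($_.Group.Target | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Count -Descending
}

Get-CfaEventSummary -Days 14 | Format-Table -AutoSize -Wrap
```

Review each listed executable before adding it with Add-MpPreference -ControlledFolderAccessAllowedApplications; an unfamiliar process writing to protected folders is a reason to investigate, not to allowlist.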
Manage controlled folder access: Protect files while ensuring a smooth workflow
Controlled folder access is a powerful layer of ransomware protection built into Microsoft Defender Antivirus. Whether securing a personal device or managing hundreds of endpoints, Windows 11 provides multiple ways to enable, disable, or audit CFA based on your environment’s needs.
Use Windows Security for straightforward user-level configuration. For centralized management and automation, turn to Group Policy or PowerShell. Always begin with Audit Mode to identify and resolve compatibility issues before enforcement, and review event logs regularly to keep app allowlists clean and effective. With proper setup, CFA can protect critical data without disrupting essential workflows.