Controlled Folder Access Feature in Windows 10 Fall Creators Update Questions?

Dear Microsoft Answers,

I have a question about the optional Controlled Folder Access in Windows 10's Fall Creators Update, (Build 1709.)  Although turned off by default, when turned on, does the user get a User Account Control Message with an option to allow through a questioned file?  OR does the user have to go in and manually add the file to the Allowed Permissions Group?  Some are concerned that it is blocking too many known safe applications (i.e. False Positives.)

Have you had this feature on or off?

Jack 


 

Discussion Info


Last updated April 12, 2020 Views 2,092 Applies to:

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.

Hi Jack. I'm Greg, a volunteer and 8 year Windows MVP here to help you.

Controlled folder access protects common folders where documents and other important data are stored. But it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom programs, your productivity is not affected.

The feature is explained here along with how to turn it on or off:
https://blogs.technet.microsoft.com/mmpc/2017/1...

I hope this helps. Feel free to ask back any questions and let us know how it goes. I will keep working with you until it's resolved.
----------------------------------
I am a volunteer and not Microsoft.

Over 100,000 helped in forums for 10 years. I don't quit for those who are polite and cooperative.

Windows MVP 2010-20

HI Greg

So should you always use this feature? Why wouldn't you use this feature? Why isn't it turned on by default? 

Thank you 

Hi Lynne,

The controlled folder access in Windows Defender Security Center aims to review the apps that are able to make any changes to the files in protected folders. This feature will notify you if there’s an application that would want to make some changes to the system. Additionally, you may follow the steps provided in this article on how to allow a blocked app in Windows Defender Security Center. Once this feature is turned on, it will keep you safe from any unwanted or unauthorized changes on the system.

If you have other concerns, feel free to post is here in the Community.

 to turn off CFA to allow a program to work.

First, let’s answer the question: A prompt with options to allow or block the unrecognized app, followed by a UAC prompt, would certainly make allowing an app a lot friendlier but at present, we have to note the blocked app’s file path in the Unauthorized changes blocked notification, and then manually select it in an Open (file) dialog in order to allow it.

Next, let’s point out the wrong way to allow an app – since that’s already becoming a most-popular solution in the Windows forum:

https://answers.microsoft.com/en-us/windows/forum/windows_10-files/windows-10-home-unauthorized-changes-blocked/1feba668-4273-4a1b-8cd3-ac6485cb4280

And is apparently being advocated in this totally bizarre Windows Support document:

https://support.microsoft.com/en-us/help/4046851/windows-10-controlled-folder-access-windows-defender-security-center

“Allowing an app” isn’t done by turning off Controlled Folder Access – it’s done with the manual procedure that I’ve described above; and this same procedure is described properly in both the Technet and IT Pro Center documentation on the topic:

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard

But there’s a very handy shortcut that isn’t mentioned in the documentation: When you get the Unauthorized changes blocked notification, you can just jot down the file path that’s provided, and then click on the notification – and that will immediately bring up the Allow an app through Controlled folder access window (and remove the notification). If the file path is truncated to the point where you can’t locate the app’s executable file in the Open (file) dialog; then open Event Viewer; navigate to the Windows Defender Operational log; and locate the blocking event (Event ID 1123):

Right-click on the Start button and select Event Viewer.

Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational

Filter for (or just look for): Event ID 1123

[Edit for updated info]

I was just checking for any other issues with the Windows Support documentation for the Windows Defender Security Center app, and I came up with a document that actually does include the shortcut method for allowing an app:

Protect files from unauthorized access

Use Controlled folder access to manage which folders apps can make changes to. You can also add additional apps you trust to make changes in those folders.

When you turn on Controlled folder access, a lot of the folders you use most often will be protected by default. This means that content in any of these folders cannot be accessed or changed by any unknown or untrusted apps. Once you add additional folders, they become automatically protected as well.

To add protected folders:

  1. Select Virus & threat protection settings.
  2. Under Controlled folder access, select Protected folders.
  3. Select Add a protected folder and follow the prompts to add folders.

If you see an App is blocked message when you try to use a familiar app, you can simply unblock the app. If this message displays:

  1. Write down or take note of the path of the blocked app.
  2. Select the message, and then select Add an allowed app.
  3. Browse for the program you want to allow access.

https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center

So this article would certainly make an acceptable reference for allowing an app through Controlled Folder Access. It only needs a couple of minor revisions:

1. There are no prompts for adding folders to the Protected Folders list.

2. The message of the notification is “Unauthorized changes blocked.”

[end Edit]

GreginMich

I'm very concerned it is blocking too many safe apps, not for false positive, but mostly because one of the things it does by default is block access to the desktop folder, and thereby stopping installers to install desktop icons.   For example, you get a message when you install Docker that it can't put an icon on the screen and so the installer hangs, drops out, rewinds or causes an error.  This is a most unwanted behavior.  I'm all for security but it has to at least be sane.  It seems like just another way Microsoft is trying to push towards using the Microsoft store apps system.

For me it was turned ON by default after an update, and has been causing me annoying messages and installer interruptions/oddities.  But that being said I have not been attacked afaik in such a way that some malware of any kind puts an unwanted file on the desktop.

Is it security gone mad? ... for my purposes yes so far it has been, much like IFS drivers requiring signing has blocked me from gaining use of my EXT2 and HFS+ partitions... there are legitimate purposes for these things too, blanket "banning" or measures are causing problems not solutions.

Maybe you should just disable Controlled Folder Access whenever you’re installing any new application, and then enable it again once the installation finishes. That’s already being recommended by various and sundry application developers, and will probably become the general protocol.

GreginMich

<snip>

For me it was turned ON by default after an update,

Just out of curiosity: Was CFA disabled prior to updating?

May 4, 2018: I won't participate anymore in MC. Enough is enough.

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.