Unauthorised changes blocked

Receive notifications - Unauthorised changes blocked, Controlled Folder Access blocked.

How can the problem be rectified? (Windows Defender Security Centre - Virus & Threat Protection)

Hello Glen,

Let's determine the cause of the issue. To get started, we'd like to get the following information:

  • Is this your first time to encounter this issue? If so, did you make any changes to your computer's configuration prior to this?
  • Can you please confirm the current build of your Windows 10?
    (Type winver into the Cortana search box, then hit Enter.)

Meanwhile, let's turn off the Windows Defender Controlled Folder Access because it seems the folder has been enabled. To do so, please follow the steps:

  1. Open Windows Defender Security Center then select Virus & threat protection icon.
  2. Click the Virus & threat protection settings.
  3. Under Controlled folder access, toggle the button On or Off.
  4. Click Yes. You might be asked to enter UAC to continue.
  5. Close the Windows Defender window.

Note: Turning the access on or off will modify the DWORD value in the registry.

Once done, try doing some changes and see if the same error will occur.

Should you need further assistance, feel free to get back to us.

2 people found this reply helpful


Controlled Folder Access is an enterprise-class ransomware protection component that was recently added to Windows Defender – and in most cases you should be able to simply allow your friendly apps through these “roadblocks” by just adding them to the authorized application list (whitelist) with the method described in the documentation. Many friendly apps have already been added to the default whitelist, and these will be allowed through without any hesitation – but unrecognized apps will still have to be allowed manually. This is actually pretty simple, and once you’ve successfully whitelisted an app, it will look easy in retrospect:

https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/

The Unauthorized changes blocked notification is preserved in the notification list until it’s dismissed – so just click on the notification icon at the far right of the notification area and then jot down the file path for the blocked app. Once you've noted the file path; click on the notification – and that will dismiss it, and then automatically launch the Allow an app through Controlled folder access window. Then all you have to do is click on the Add an allowed app button (+) and select the app’s executable in the Open dialog. Unfortunately, the TechNet and Windows IT Pro Center documentation doesn’t even bother to mention this handy little shortcut, but this humble Windows Support document actually sums it up quite nicely:

If you see an App is blocked message when you try to use a familiar app, you can simply unblock the app. If this message displays:

  1. Write down or take note of the path of the blocked app.
  2. Select the message, and then select Add an allowed app.
  3. Browse for the program you want to allow access.

https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center

The file path in the notification does tend to be truncated – but there’s usually enough of it there to locate the app without any trouble (it’s usually in the Program Files or Program Files (x86) directory). If the file path is truncated to the point where you can’t locate the blocked app in the Open dialog; then open Event Viewer; navigate to the Windows Defender Operational log; and locate the blocking event (Event ID 1123):

1. Right-click on the Start button and select Event Viewer.

2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational

3. Filter for (or just look for): Event ID 1123

Issues with this feature were fully anticipated – and that’s why it includes an Audit Mode, which allows users to monitor folder access activity without having anything blocked.

Right-click on the Start button and select Windows PowerShell (Admin); and then copy, paste, and enter this command:

Set-MpPreference -EnableControlledFolderAccess AuditMode

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access

If you actually have trouble whitelisting your apps, you might want to turn off Controlled Folder Access for the time being and then try turning it back on again later – or better yet; just make sure that everything is properly backed up on a disconnected drive, and then you shouldn't really have to worry about turning it back on:

https://cloudblogs.microsoft.com/microsoftsecure/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/?source=mmpc

GreginMich
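
Added example (not part of the original replies and not Microsoft's own script): the Event ID 1123 lookup and the Audit Mode check described in the reply above, run from an elevated Windows PowerShell prompt, with a signature check on each flagged app before it is considered for the allowed list. Event ID 1124 is the Audit Mode counterpart of 1123; the EventData field names `Process Name` and `Path` are assumptions about the event's XML layout, and the path in the final comment is a placeholder.

```powershell
# Added example: list Controlled Folder Access events with untruncated paths.
# Run in Windows PowerShell (Admin) on a machine using Windows Defender.

$log = 'Microsoft-Windows-Windows Defender/Operational'
$ids = 1123, 1124   # 1123 = change blocked, 1124 = audited only (Audit Mode)

# Current setting: 0 = off, 1 = on (blocking), 2 = Audit Mode
$mode = (Get-MpPreference).EnableControlledFolderAccess
Write-Host "EnableControlledFolderAccess = $mode"

# Get-WinEvent raises an error when nothing matches; treat that as "no events"
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than
    # scraping the message text (the notification truncates the path)
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        # Assumed field names; if they are absent, read $e.Message instead
        Process = if ($data['Process Name']) { $data['Process Name'] } else { '(see Message)' }
        Target  = $data['Path']
        Message = $e.Message
    }
}

# One row per flagged app, most frequent first. Events arrive newest first,
# so Group[0] is the most recent hit for that app.
$rows | Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
    $sig = if (Test-Path -LiteralPath $_.Name) {
        (Get-AuthenticodeSignature -FilePath $_.Name).Status
    } else { 'FileNotFound' }
    [pscustomobject]@{
        Hits       = $_.Count
        App        = $_.Name
        Signature  = $sig            # 'Valid' = signed and trusted on this machine
        LastSeen   = $_.Group[0].Time
        LastAction = $_.Group[0].Action
        LastTarget = $_.Group[0].Target
    }
} | Format-List

# Only after confirming the app is one you installed and expect:
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\App.exe'  # placeholder path
```

An app that shows up here with a signature status other than `Valid`, or from a location you do not recognise, is worth investigating before it goes on the allowed list.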


Hi, 

Great to see the log location for the events - had been looking for it for some time before finding this thread.

(Tried application and security logs with no visibility. Could you do a separate thread for event/log locations so that it's easier for Google to find please under the "unauthorised changes to file"? Or adapt the training for adding processes to include that the location for processes can be found by...

"

The file path in the notification does tend to be truncated – but there’s usually enough of it there to locate the app without any trouble (it’s usually in the Program Files or Program Files (x86) directory). If the file path is truncated to the point where you can’t locate the blocked app in the Open dialog; then open Event Viewer; navigate to the Windows Defender Operational log; and locate the blocking event (Event ID 1123):

1. Right-click on the Start button and select Event Viewer.

2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational

3. Filter for (or just look for): Event ID 1123

"

thanks

Stuart


 
 

Last updated April 12, 2024