receive notifications - Unauthorised changes blocked Controlled Folder Access blocked.
How can problem be rectified? (Windows Defender Security Centre - Virus & Threat Protection)
May 10, 2024
Click here to learn more 💡
May 10, 2024
Ramesh Srinivasan - neilpzz - Volume Z - franco d'esaro - _AW_ ✅
receive notifications - Unauthorised changes blocked Controlled Folder Access blocked.
How can problem be rectified? (Windows Defender Security Centre - Virus & Threat Protection)
Reported content has been submitted
Hello Glen,
Let's determine the cause of the issue. To get started, we'd like to get the following information:
Meanwhile let's turn off the Windows Defender Controlled Folder Access because it seems the the folder has been enabled. To do so, please follow the steps:
Note: Turning the access on or off will modify the DWORD value in the registry.
Once done, try doing some changes and see if the same error will occur.
Should you need further assistance, feel free to get back to us.
Reported content has been submitted
2 people found this reply helpful
·Was this reply helpful?
Sorry this didn't help.
Great! Thanks for your feedback.
How satisfied are you with this reply?
Thanks for your feedback, it helps us improve the site.
How satisfied are you with this reply?
Thanks for your feedback.
Controlled Folder Access is an enterprise-class ransomware protection component that was recently added to Windows Defender – and in most cases you should be able to simply allow your friendly apps through these “roadblocks” by just adding them to the authorized application list (whitelist) with the method described in the documentation. Many friendly apps have already been added to the default whitelist, and these will be allowed through without any hesitation – but unrecognized apps will still have to be allowed manually. This is actually pretty simple, and once you’ve successfully whitelisted an app, it will look easy in retrospect:
The Unauthorized changes blocked notification is preserved in the notification list until it’s dismissed – so just click on the notification icon at the far right of the notification area and then jot down the file path for the blocked app. Once you've noted the file path; click on the notification – and that will dismiss it, and then automatically launch the Allow an app through Controlled folder access window. Then all you have to do is click on the Add an allowed app button (+) and select the app’s executable in the Open dialog. Unfortunately, the TechNet and Windows IT Pro Center documentation doesn’t even bother to mention this handy little shortcut, but this humble Windows Support document actually sums it up quite nicely:
If you see an App is blocked message when you try to use a familiar app, you can simply unblock the app. If this message displays:
The file path in the notification does tend to be truncated – but there’s usually enough of it there to locate the app without any trouble (it’s usually in the Program Files or Program Files (x86) directory). If the file path is truncated to the point where you can’t locate the blocked app in the Open dialog; then open Event Viewer; navigate to the Windows Defender Operational log; and locate the blocking event (Event ID 1123):
1. Right-click on the Start button and select Event Viewer.
2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational
3. Filter for (or just look for): Event ID 1123
Issues with this feature were fully anticipated – and that’s why it includes an Audit Mode, which allows users to monitor folder access activity without having anything blocked.
Right-click on the Start button and select Windows PowerShell (Admin); and then copy, paste, and enter this command:
Set-MpPreference -EnableControlledFolderAccess AuditMode
If you actually have trouble whitelisting your apps, you might want to turn off Controlled Folder Access for the time being and then try turning it back on again later – or better yet; just make sure that everything is properly backed up on a disconnected drive, and then you shouldn't really have to worry about turning it back on:
GreginMich
Reported content has been submitted
Was this reply helpful?
Sorry this didn't help.
Great! Thanks for your feedback.
How satisfied are you with this reply?
Thanks for your feedback, it helps us improve the site.
How satisfied are you with this reply?
Thanks for your feedback.
Hi,
Great to see the log location for the events - had been looking for it for some time before finding this thread.
(tried application and security logs with no visibility. could you do a seperate thread for event/log locations so that it's easier for google to find please under the "unauthorised changes to file" ? or adapt the training for adding processes to include that the location for processes can be found by...
"
The file path in the notification does tend to be truncated – but there’s usually enough of it there to locate the app without any trouble (it’s usually in the Program Files or Program Files (x86) directory). If the file path is truncated to the point where you can’t locate the blocked app in the Opendialog; then open Event Viewer; navigate to the Windows Defender Operational log; and locate the blocking event (Event ID 1123):
1. Right-click on the Start button and select Event Viewer.
2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational
3. Filter for (or just look for): Event ID 1123
"
thanks
Stuart
Reported content has been submitted
Was this reply helpful?
Sorry this didn't help.
Great! Thanks for your feedback.
How satisfied are you with this reply?
Thanks for your feedback, it helps us improve the site.
How satisfied are you with this reply?
Thanks for your feedback.