Intune – Controlled Folder Access

Configuring Controlled Folder Access (CFA) with Intune to protect users against ransomware. Controlled Folder Access or CFA is build into Windows Defender on Windows 10 and Windows Server 2019 and is part of Windows Defender. It prevents an application or process in making changes to a file in a given folder. It helps you protect valuable date from malicious apps and threats such as ransomware.

How does Controlled Folder Access work?

  • It allows apps to access protected folders if the app is on the trusted apps list.
  • Apps are added to the trusted list based upon their prevalence and reputation. Most of your apps will be allowed by Controlled Folder Access without adding them manually. Apps determined by Microsoft as friendly are always allowed.
  • Apps can be added manually to the list.
  • Default protected folders include common system folders. It is possible to add additional folders.
  • For evaluation there is an audit mode that can be used.


Controlled Folder Access monitors apps for activities that may be malicious. It is possible that it blocks a legitimate app from making changes to your files. This may impact your organization, so consider to test it first in audit mode.

How can we test Controlled Folder Access?

As mentioned before, do some testing first before configuring Controlled Folder Access via Intune. In order to make sure that Controlled Folder Access is turned on, open Windows Defender and navigate to Virus & Threat protection. There you will find Ransomware protection.

Select Manage ransomware protection to turn it on or to configure it. Next is to turn on audit mode. This can be done by selecting audit only in the configuration policy or by using PowerShell on your test machine:

Set-MpPreference -EnableControlledFolderAccess AuditMode

To test this you will need to open a browser and go to Besides from the visuals you get from running the script you must run in the browser you can filter on the following event IDs in the Windows , Defender eventlog: 5007, 1124, 1123.

By testing it you will see a popup from Windows Defender, this will bring you to the protection history if you click on it and it will show you what has been happening.

Configure Controlled Folder Access with Intune

To configure Controlled Folder Access via Intune, we need a configuration policy and the profile type needs to be endpoint protection. There you will find CFA within the Microsoft Defender Exploit Guard under settings.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.