Protect your files from ransomware with Controlled Folder Access and Windows Defender

Ransomware is one of the most dangerous forms of malware. It takes control of your files and folders and forces you to pay large amounts of money to get them back. And even then, you cannot be sure that you will get your data back. Microsoft started to see just how dangerous these attacks are for their users, and decided to take some measures. In Windows 10 Fall Creators Update, a new security feature is making its debut: "Controlled folder access." It is designed specifically to protect Windows 10 users against ransomware attacks. If you want to know more about what it does and how to use it to protect your folders from ransomware, read this article:

NOTE: "Controlled folder access" is a feature that is present only in Windows 10 Fall Creators Update or newer. If you have an older version of Windows, you cannot use it with Windows Defender. The Fall Creators Update is coming to all Windows 10 users starting October 17th, 2017.

What is Controlled folder access in Windows 10?

In Windows 10 Fall Creators Update, Windows Defender gets this new feature called "Controlled folder access." It is designed to protect your important data from unauthorized changes. That means that no program or application, including any form of malware, will be able to alter your protected files and folders.

"Controlled folder access" can take care of the safety of every file found inside the user's folders, but it can also be configured to protect other folders that you specify. If you want to give access to a program or app to make changes in those folders, you must whitelist that program or app.

If a certain program or app, including ransomware, tries to change the files found inside a protected folder, Windows Defender notifies you immediately and asks you to confirm that you allow that. If not, you can deny permission and your files are saved from unwanted changes.

How to turn on Controlled folder access in Windows 10

You can enable the "Controlled folder access" in the Windows Defender Security Center app. Start by opening it: a fast way to do it to click or tap on its shortcut from the Start Menu. However, if you prefer having alternatives, you can find more ways to open it in the first section of this guide: 5 things you can do with the new Windows Defender Security Center.

In Windows Defender Security Center, open "Virus & threat protection."

Next, click or tap to open "Virus & threat protection settings."

Inside the "Virus & threat protection settings" section, scroll down and you will find the feature we are looking for: "Controlled folder access." Windows Defender Security Center also tells you what this feature is all about: you can use it to "Protect your files and folders from unauthorized changes by unfriendly applications." To enable it, turn its switch On.

When you turn on "Controlled folder access", you might be asked to confirm the action by a UAC (User Account Control) prompt. Once you confirm, the feature is enabled and all the default user folders from Windows 10 are protected against unauthorized changes, like those performed by ransomware.

How to see which folders are protected by Windows Defender

When you enable the "Controlled folder access" feature, Windows Defender Security Center displays two links beneath the switch. The first one is called "Protected folders, " and if you click/tap on it you can see and control which folders are taken care of by Windows Defender.

In the "Protected folders" window, Windows Defender Security Center starts by telling you that "Windows system folders are protected by default." and that "You can also add additional protected folders.".

Then, you have a button called "+ Add a protected folders" followed by a fairly long list of folders that are protected. By default, this list contains all the users' folders from Windows 10: Documents, Pictures, Videos, Music, Desktop, and Favorites.

The default protected folders cannot be removed from the list, but you can add new folders to the list so that Windows Defender protects them against unauthorized changes.

How to add new folders to the list of protected folders

To add a new folder to the protected list, click or tap on the "+ Add a protected folder" button.

Choose the new folder that you want to protect and then click or tap on the "Select Folder" button.

After a UAC (User Account Control) confirmation prompt, the folder is immediately added to the list of protected folders.

How to remove a folder from the list of protected folders

The default users folders cannot be removed from this list. However, those that you added on your own can be removed. To do that, click or tap on one of your folders from the list of "Protected folders" and then click or tap on the Remove button.

When you choose to remove a folder from the protected list, you have to confirm your action. Windows Defender Security Center also explicitly tells you that "By removing this folder, Controlled folder access will no longer be protecting it from unauthorized changes." If you still want to do that, click or tap OK. Otherwise, click/tap Cancel.

Before actually removing the folder from the protection list, you have to confirm another UAC (User Account Control) prompt.

How to allow an app to make changes in your protected folders

Going back to the "Controlled folder access" section from the Windows Defender Security Center, let's take a look at the second link beneath the switch. It is called "Allow an app through Controlled folder access," and if you click/tap on it you can whitelist an app that you trust, for it to be able to make changes in your protected folders.

In the "Allow an app through Controlled folder access" window, we learn that "Most of your apps will be allowed by Controlled folder access without adding them here. Apps determined by Microsoft as friendly are always allowed."

That is fine, but we wished to know what apps Microsoft thinks are friendly. Unfortunately, we could not find any list either on the internet or in Windows 10.

However, if it happens that one of your apps is blocked by the "Controlled folder access" feature, you can manually add it here to whitelist it and allow it access to your protected folders.

To do that, click or tap in the "+ Add an allowed app" button.

Browse through your computer and select the app that you want to allow access for. Then, click or tap on the Open button.

After the app is allowed access to your protected folders, it will be shown in a list on the "Allow an app through Controlled folder access" window.

How to remove an app from the protected folders whitelist

If you no longer want to allow access for an app to your protected folders, click or tap on it and then press the Remove button.

Confirm your choice, and that app is then going to be removed from the list of apps that are allowed to make changes inside your protected folders.

Once again, you will have to say Yes in the UAC (User Account Control) prompt.


This is how to enable and configure the "Controlled folder access" feature from Windows Defender. As you have seen, it is not difficult, and the security you get from using it is important. After all, ransomware is one of the greatest plagues of the decade. If you have something to add to our article, do not hesitate to do so, in the comments below.