
How to Ensure Windows' Ransomware Protection is Enabled

Controlled Folder Access is one of the easiest ways to blunt ransomware on Windows, but it isn't enabled by default.

Windows devices are a major target for ransomware (malicious software that holds files hostage by encrypting them and then demanding payment for the decryption key). Ransomware on Windows became so prolific and destructive that in late 2017 Microsoft began shipping a new feature, Controlled Folder Access, to add protection against this class of attack.

Controlled Folder Access is available on Windows 10 (version 1709 or later) and all versions of Windows 11, but it is not enabled by default. Because it is a feature of Microsoft Defender Antivirus, it also requires Defender to be the active antivirus with real-time protection turned on; if a third-party antivirus has put Defender into passive mode, Controlled Folder Access is not available.

What Is Controlled Folder Access?

Controlled Folder Access is a feature of Microsoft’s Windows Defender Antivirus that is designed to stop unknown or unvetted programs from altering important documents, photos, and other files.

Like other optional security features, Controlled Folder Access enables end users to trade a bit of convenience for stronger assurances against their files being altered by malicious software. This trade-off is also why it is disabled by default.

Once enabled, Controlled Folder Access protects the integrity of the Windows system folders and the following user folders:

  • C:\Users\<username>\Documents
  • C:\Users\Public\Documents
  • C:\Users\<username>\Pictures
  • C:\Users\Public\Pictures
  • C:\Users\Public\Videos
  • C:\Users\<username>\Videos
  • C:\Users\<username>\Music
  • C:\Users\Public\Music
  • C:\Users\<username>\Favorites

End users and administrators can add further paths to this list.

If a program that is not on the allow list attempts to modify, delete, or create a file in a protected folder, the write is blocked (reads are not affected) and the user receives a toast notification like the one in the following screenshot:

Once Controlled Folder Access is enabled, Windows will notify you when an unauthorized program tries to alter the contents of a protected folder

You can review these notifications in more detail from within the Protection History section of the Windows Security control panel.

From here, you can add the offending program to the allow list if you recognise it as legitimate. Programs are allow-listed by their full path, so only allow specific executables you have reviewed.
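To make the Protection History review scriptable, here is an added PowerShell example (not from the original page and not Kolide's code). It pulls Controlled Folder Access block events (Event ID 1123) and audit events (Event ID 1124) from the Microsoft Defender operational log and allow-lists a reviewed executable with Add-MpPreference. The named EventData fields read from the event XML and the example executable path are assumptions; the raw event message is always returned so nothing is lost if a field is absent.

```powershell
# Added example (not from the original page): list recent Controlled Folder Access
# block/audit events and, once a program has been reviewed, add it to the allow list.
# Run from an elevated PowerShell prompt on Windows 10 1709+ or Windows 11.

function Get-CfaEvents {
    param([int]$MaxEvents = 50, [int]$Days = 7)
    # 1123 = blocked write, 1124 = audited write (AuditMode), both in the Defender log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field names below are assumed from the Defender event template; if they are
        # missing, Process/Target are $null and Message still carries the details.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['Detection User']
            Message = $e.Message
        }
    }
}

function Add-CfaAllowedApplication {
    param([Parameter(Mandatory)][string]$ExePath)
    # The allow list is path-based, so only add a specific executable you have reviewed;
    # a broad entry or one in a user-writable location defeats the protection.
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Not a file: $ExePath"
    }
    $resolved = (Resolve-Path -LiteralPath $ExePath).Path
    $current  = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
    if ($current -contains $resolved) {
        Write-Host "Already allowed: $resolved"
        return
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $resolved
    Write-Host "Allowed: $resolved"
}

# Usage: review first, then allow only what you recognise.
Get-CfaEvents | Format-Table Time, Action, Process, Target -AutoSize
# Add-CfaAllowedApplication -ExePath 'C:\Program Files\ExampleVendor\example.exe'   # hypothetical path
```

Review the Target column as well as Process: a legitimate-looking process writing to every protected folder at once is the pattern you want to keep blocked.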

How To Turn On Controlled Folder Access

As mentioned earlier, Controlled Folder Access is not enabled by default, so it is important to turn it on right away. To do so:

  1. Open the Windows Start Menu search bar, type Controlled Folder Access, and open the result.

  2. Flip the Controlled folder access toggle to the “On” position.

You can also turn on Controlled Folder Access from an elevated PowerShell prompt with the following command:

Set-MpPreference -EnableControlledFolderAccess Enabled

Passing AuditMode instead of Enabled logs what would have been blocked without blocking it, which is useful for finding legitimate line-of-business programs that need to be allow-listed before you enforce the setting across a fleet.

How To Programmatically Detect If Controlled Folder Access Is Enabled

The simplest way to determine programmatically whether Controlled Folder Access is enabled is the Get-MpPreference PowerShell cmdlet:

$Preferences = Get-MpPreference
$Preferences.EnableControlledFolderAccess

Interpret the value as follows (these are the same values Set-MpPreference -EnableControlledFolderAccess accepts):

  • 0 - Disabled.
  • 1 - Enabled: writes by unauthorized programs to protected folders are blocked.
  • 2 - AuditMode: attempts are logged but not blocked.
  • 3 - BlockDiskModificationOnly: only raw disk-sector writes are blocked; protected folders are not.
  • 4 - AuditDiskModificationOnly: raw disk-sector writes are logged only.

Only a value of 1 means files in protected folders are actually protected, so a compliance check should require exactly 1 rather than any non-zero value.

Alternatively, the same property is exposed through WMI in the MSFT_MpPreference class:

 Get-WmiObject -Namespace "root/microsoft/windows/defender" -Query "SELECT EnableControlledFolderAccess FROM MSFT_MpPreference"

Get-WmiObject is deprecated and not available in PowerShell 7; its supported replacement, Get-CimInstance, returns the same class from the same namespace.
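As an added example (not part of the original page and not Kolide's code), the following PowerShell combines the detection and enablement steps, and also covers adding extra protected folders as described under "Required Action" below. It reads the setting through CIM (Get-CimInstance is the supported replacement for Get-WmiObject), decodes the value with the mapping above, checks the prerequisite that Microsoft Defender real-time protection is active, and can switch the mode and register additional folders. The D:\Projects path is a placeholder.

```powershell
# Added example (not from the original page): audit Controlled Folder Access state,
# verify the Defender prerequisite, and optionally enable it. Run elevated.

$CfaModes = @{
    0 = 'Disabled'
    1 = 'Enabled'                     # block mode: the only value that protects files
    2 = 'AuditMode'                   # log only, nothing is blocked
    3 = 'BlockDiskModificationOnly'   # raw disk-sector writes only
    4 = 'AuditDiskModificationOnly'
}

function Get-CfaStatus {
    # MSFT_MpPreference is the CIM class that Get-MpPreference wraps.
    $pref   = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference
    $status = Get-MpComputerStatus
    $mode   = [int]$pref.EnableControlledFolderAccess
    [pscustomobject]@{
        Mode                = $CfaModes[$mode]
        ModeValue           = $mode
        # CFA only works while Defender AV is active with real-time protection on;
        # a third-party AV that puts Defender into passive mode silently disables it.
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        AMRunningMode       = $status.AMRunningMode
        Effective           = ($mode -eq 1) -and $status.RealTimeProtectionEnabled
        ProtectedFolders    = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApplications = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Enable-Cfa {
    param(
        [ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled',
        [string[]]$ExtraFolders = @()
    )
    # On a fleet with unknown line-of-business apps, start with AuditMode, review the
    # 1124 audit events, allow-list what is legitimate, then switch to Enabled.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($folder in $ExtraFolders) {
        if (Test-Path -LiteralPath $folder -PathType Container) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        } else {
            Write-Warning "Skipping missing folder: $folder"
        }
    }
    Get-CfaStatus
}

$status = Get-CfaStatus
$status | Format-List
if (-not $status.Effective) {
    Write-Warning "Controlled Folder Access is not blocking (mode: $($status.Mode); real-time protection: $($status.RealTimeProtection))"
}
# Enable-Cfa -Mode Enabled -ExtraFolders 'D:\Projects'   # hypothetical extra folder
```

The Effective field is the one a fleet check should key on: a device reporting mode 1 with real-time protection off, or mode 2, looks configured but is not actually blocking anything.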

How Does Kolide Remediate This Problem?

Automatically remediating this issue isn't necessarily the best way to go. Instead, consider following the Honest Security approach by reaching out to end-users who have devices that fail this check, and then giving them precise instructions on how to resolve the issue.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Quin's PC • Surface Pro 6
Failing Check: Require Ransomware Protection
Reason: Ransomware Protection: Controlled Folder Access is Disabled

Why is this a Problem?

Ransomware is malware designed to encrypt or destroy data until the end user pays a ransom to the attacker. Built-in operating system features such as Windows Ransomware Protection defend against this type of attack: a user can specify folders that cannot be changed (or encrypted by a third-party program) without the user's explicit consent, and can additionally configure cloud-based backup so that files can be recovered if a ransomware event does occur.

Required Action:

Estimated time to fix: 3-5 minutes

Enabling Controlled Folder Access can be done by following the steps below:

  1. Open the Windows Start Menu Search Bar
  2. Type 'Controlled folder access' and hit Enter
  3. Under the section 'Controlled folder access', click the toggle to switch this feature to the 'ON' position.

By default only Windows system folders and certain user folders (e.g. Documents, Desktop, etc.) are protected. If you have files in other locations, or wish to review the existing protected folders, follow the steps below:

  1. Click 'Protected folders' to view existing Protected Folders
  2. Click the + Add Folder button to specify additional Protected Folders
  3. Add all folders that you wish to protect from Ransomware
