Configure Controlled folder access

Information

Enable or disable controlled folder access for untrusted applications. You can choose to block audit or allow attempts by untrusted apps to: - Modify or delete files in protected folders such as the Documents folder - Write to disk sectors You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. Default system folders are automatically protected but you can add folders in the Configure protected folders GP setting. Block: The following will be blocked: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. Disabled: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors These attempts will not be recorded in the Windows event log. Audit Mode: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. Block disk modification only: The following will be blocked: - Attempts by untrusted apps to write to disk sectors The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders These attempts will not be recorded in the Windows event log. Audit disk modification only: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to modify or delete files in protected folders Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. Not configured: Same as Disabled.

Solution

Policy Path: Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access
Policy Setting Name: Configure Controlled folder access

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618