Configure Controlled Folder Access using Group Policy & PowerShell
Controlled folder access is an intrusion-prevention feature available with Microsoft Defender Exploit Guard, which is part of Microsoft Defender Antivirus. It is designed primarily to prevent ransomware from encrypting your data/files, but it also protects files from unwanted changes by other malicious applications. In this post, we will show you how to configure Controlled Folder Access using Group Policy & PowerShell in Windows 11/10.
This feature is optional on Windows 10, but when enabled, it tracks executable files, scripts, and DLLs that attempt to make changes to files in the protected folders. If the app or file is malicious or not recognized, the feature will block the attempt in real-time, and you’ll receive a notification of the suspicious activity.
Configure Controlled Folder Access using Group Policy
To configure Controlled Folder Access using Group Policy, you first need to enable this feature. Once done, you can proceed to configure the following:
Add a new location for protection via Local Group Policy Editor
If Controlled folder access is enabled, the basic folders are added by default. If you must protect data located in a different location, then you can use the Configure protected folders policy to add the new folder.
Here’s how:
- Press Windows key + R to invoke the Run dialog.
- In the Run dialog box, type gpedit.msc and hit Enter to open Group Policy Editor.
- Inside the Local Group Policy Editor, use the left pane to navigate to the path below:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
- Double-click the Configure protected folders policy on the right pane to edit its properties.
- Select the Enabled radio button.
- Under the Options section, click the Show button.
- Specify the locations you want to protect by entering the path of the folder (e.g. F:\MyData) in the Value name field and adding 0 in the Value field. Repeat this step to add more locations.
- Click the OK button.
- Click the Apply button.
- Click the OK button.
The new folder(s) will now be added to the protection list of Controlled folder access. To revert the changes, follow the instructions above, but select the Not Configured or Disabled option.
Whitelist apps in Controlled folder access using Local Group Policy Editor
- Open Local Group Policy Editor.
- Inside the Local Group Policy Editor, use the left pane to navigate to the path below:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
- Double-click the Configure allowed applications policy on the right pane to edit its properties.
- Select the Enabled radio button.
- Under the Options section, click the Show button.
- Specify the location of the .exe file for the app you want to allow (e.g. C:\Program Files (x86)\Google\Chrome\Application\chrome.exe) in the Value name field and add 0 in the Value field. Repeat this step to add more locations.
- Click the OK button.
- Click the Apply button.
- Click the OK button.
Now, the specified app(s) won’t be blocked when Controlled folder access is turned on, and it’ll be able to make changes to protected files and folders. To revert the changes, follow the instructions above, but select the Not Configured or Disabled option.
Windows 11/10 Home users can add the Local Group Policy Editor feature and then carry out the instructions provided above, or use the PowerShell method below.
Configure Controlled Folder Access using PowerShell
To configure Controlled Folder Access using PowerShell, you first need to enable the feature. Once done, you can proceed to configure the following:
Add new location for protection using PowerShell
- Press Windows key + X to open Power User Menu.
- Tap A on the keyboard to launch PowerShell in admin/elevated mode.
- In the PowerShell console, type in the command below and hit Enter.
Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\add"
In the command, substitute the F:\folder\path\to\add placeholder with the actual path of the folder you want to protect. For example, your command should look like the following:
Add-MpPreference -ControlledFolderAccessProtectedFolders "F:\MyData"
- To remove a folder, type the command below and hit Enter:
Remove-MpPreference -ControlledFolderAccessProtectedFolders "F:\folder\path\to\remove"
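The steps above assume the feature is already enabled but do not show how to enable it. The following is an added example, not part of the original article: it turns the feature on in audit mode, adds the article's sample folder F:\MyData, confirms the resulting state, and lists the Defender events that record audited or blocked writes. The `$mode` and `$folder` variables are names chosen for this example.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# F:\MyData is the article's sample folder; change it to a folder that exists.
$folder = 'F:\MyData'
# 'AuditMode' logs writes instead of blocking them; change to 'Enabled' to enforce.
$mode   = 'AuditMode'

if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
    throw "Folder not found: $folder"
}

# Turn the feature on, then add the extra folder to the protected list.
Set-MpPreference -EnableControlledFolderAccess $mode
Add-MpPreference -ControlledFolderAccessProtectedFolders $folder

# Confirm the resulting state. EnableControlledFolderAccess is reported as a
# number: 0 = disabled, 1 = enabled (block), 2 = audit mode.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# Review recent Controlled folder access events:
#   1123 = a write to a protected folder was blocked
#   1124 = a write was audited (would have been blocked in 'Enabled' mode)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running in audit mode first shows which legitimate applications would need an allow-list entry before enforcement starts blocking them.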
Whitelist apps in Controlled folder access using PowerShell
- Launch PowerShell in admin/elevated mode.
- In the PowerShell console, type in the command below and hit Enter.
Add-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"
In the command, substitute the F:\path\to\app\app.exe placeholder with the actual path for the location and executable of the app you want to allow. For example, your command should look like the following:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
The above command will add Chrome to the list of allowed apps and the app will be allowed to run and make changes to your files when Controlled folder access is enabled.
- To remove an app, type the command below and hit Enter:
Remove-MpPreference -ControlledFolderAccessAllowedApplications "F:\path\to\app\app.exe"
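Every allowed application can write to protected folders, so the allow-list deserves periodic review. The following added example (not part of the original article) reports each entry's existence, Authenticode signature status, and whether it sits under a directory that standard users normally cannot write to. That last check is a heuristic chosen for this example, and `$adminOnlyRoots` and `$report` are names assumed here.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
$allowed = (Get-MpPreference).ControlledFolderAccessAllowedApplications

# Heuristic (an assumption of this example): directories that standard users
# normally cannot modify, so a binary there is harder to swap out.
$adminOnlyRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ }

$report = foreach ($path in $allowed) {
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }

    # True when the entry lives under one of the admin-only roots.
    $underAdminRoot = [bool]($adminOnlyRoots | Where-Object {
        $path.StartsWith($_.TrimEnd('\') + '\',
                         [System.StringComparison]::OrdinalIgnoreCase)
    })

    [pscustomobject]@{
        Path          = $path
        Exists        = $exists
        Signature     = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer        = if ($sig -and $sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '' }
        AdminOnlyPath = $underAdminRoot
    }
}

# Full allow-list, then only the entries that warrant a closer look:
# missing files, files without a valid signature, or user-writable locations.
$report | Format-Table -AutoSize -Wrap
$report | Where-Object {
    -not $_.Exists -or $_.Signature -ne 'Valid' -or -not $_.AdminOnlyPath
} | Format-Table -AutoSize -Wrap
```

Entries flagged by the second table are candidates for removal with the Remove-MpPreference command shown above.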
That’s it on how to configure Controlled Folder Access using Group Policy & PowerShell in Windows 11/10!