Windows 10 Controlled Folder Access Step by Step Guide

Windows 10 Build 16232 and newer builds include a new security feature that can help prevent ransomware, malware, or malicious processes from making changes to files inside folders that you can choose to protect. It is called Windows Defender Controlled Folder Access, and I have been using it for two weeks now, and this article will describe how to set it up, and configure it so that it protects your important files and folders. I strongly recommend anyone using Windows 10 to enable this very helpful feature once they install the Fall Creators Update in a couple of months.

First of all, you are going to have to open up the Windows Defender Security Center, which you can find by going to the tray down at the bottom right of the taskbar and right clicking on the Windows Defender logo and choosing open. You can also click the search icon or the cortana circle and search for defender which will allow you to choose the Windows Defender Security Center. Once you open up the Security Center, you are going to want to find the Virus and Threat protection settings, by clicking the hamburger button on the top left to open up the settings choices and choosing the second item down, which is a shield, (right below the home symbol). This will open up the Antivirus settings, where you will then go to the right down a little and once again click on the Virus and Threat Protection Settings. You need to scroll down until you see Controlled Folder Access.

We are focusing on the Controlled Folder access settings which you can find as you scroll down right after the Automatic Sample Submission On/Off Switch. The first thing you are going to want to do is to change Controlled Folder Access to ON. Next you are going to want to click where it says Protected Folders. This will open Windows Explorer and allow you to choose the folders that you want to be protected. Microsoft has stated that the Windows directory and the libraries are automatically protected, however, just to be sure, I chose Documents, Downloads, my Applications folder, Music, Pictures, and Videos, as well as any external hard drives that are connected to the Windows 10 computer. At first I chose desktop, however I noticed that every time I install an application, the new application is not able to piut shortcuts on the desktop because of the controlled folder access designation, so I eventually removed Desktop from the Protected Folders. The nice thing about this feature is that if an application tries and fails to access a file in a protected folder, you will receive a notification that tells you the location of the executable and where it tries to access. These notifications then stay in the action center, so that if you miss the notification, you will see it later when the Action Center shows up on the right side of the desktop.

For example, I use a program called Internet Download Manager, and it was blocked from accessing the downloads directory. I received a notification that says:
DATA Protection
Unauthorized Changes Blocked C:\Users\james\Downloads\wordpress-com-2-6-0-setup.exe from making changes to the folder C:\Users\james\Desktop

Next step, if the application is safe and you want to allow the application to be able to changed files in the controlled folders, you go down to the next option which says Allow an App through Controlled Folder Access, which brings up Windows Explorer file picker again, where you will find the executable that was blocked and choose it, then accept the UAC prompt. You can go through this as many times as you want, adding any programs that need access to these protected folders.

In summary, Microsoft has finally added a security feature to Windows 10 Fall Creators Update (and any insider preview builds since 16232) that can help prevent ransomware from encryption the files that are inside these controlled folders. The great thing about this feature is that it is brand new, but it works great already, and is configurable enough so that you can whitelist the applications that you need to use to access these folders safely, while any application that Microsoft does not recognize as being safe will be blocked from encrypting any files in these folders. You are not going to want to add every folder, because this will likely cause too many false positives, but you should go through your computer’s hard drives, and move all of your important files into folders that you choose to be Protected Folders. This is a very exciting feature for Security professionals and enterprise I.T., but I am pretty sure that you will need to be running Windows 10 enterprise or Education in order to use this new feature for now.

It is rather simple, and if you are using Windows 10 education or enterprise version I recommend that you immediately turn this on, and set up your controlled folders. I am sure that this feature will be coming to windows server 2016 in the coming insider preview updates, and it is good to see that Microsoft is taking security seriously in Windows 10.

After installing the newest Windows Insider Preview Build 16241, I noticed that when I tried to add new controlled folders or allowed programs with the Windows Defender Security Center, the UI would crash, so I immediately went to PowerShell to check if there were new cmdlets to configure Controlled Folder Access, and there were.

You are now able to use PowerShell to add Controlled Folders, and Applications that are allowed to access and edit files in those folders.

Implementing Credential Guard using Device Guard Readiness Tool

Credential Guard is a security feature that has been available in Windows 10 since Build 1511.  Enabling it on a Windows 10 laptop requires that the system disk is formatted with GPT.  You must also have secure boot turned on, and you are supposed to have a Trusted Platform Module (TPM 2.0).  I have read in Microsoft’s docs that you can use Credential Guard without a TPM, but then the keys are not secured in the TPM.  Not sure if this is still the case now in the latest Windows Builds, because they do say that a TPM is required.  First you should download the Device Guard and Credential Guard Readiness Kit from Microsoft’s download center.  Next, I will show you the commands you need to run in powershell to use the Readiness Kit.

The Device Guard and Credential Guard Readiness Kit includes a PowerShell script that can be used to check if the device is capable of running credential guard, check if Credential Guard is already running or enabled, and it also does the same for Device Guard and Hyper-V Code Integrity policies.

Make sure you download the new version3.0 of the toolkit. If you may have downloaded the older (version 2.1) script, make sure you go to the link above and re-download the tool.

Okay so you downloaded the tool, next step is to unblock the zip file and unpack the zip file into a directory. Personally, I like to use D:\DistributionShare\DeviceGuardReadinessToolv3.0 . The next thing to do is right click on PowerShell or the PowerShell_ISE and run PowerShell ISE as Administrator. Once you get the ISE opened up you should changed to the directory where you unzipped the Device Guard/Credential Guard Readiness Tool to. Set-Location D:\DistributionShare\DeviceGuardReadinessToolv3
Next we want to run the following script to run the Device Guard Readiness Tool and check if the device is capable of running Credential Guard, Device Guard, or HyperVisor Code Integrity: .\DG_Readiness_Tool_v3.0.ps1 -Capable -DG -CG -HVCI
Now you are going to have to reboot the machine.

After the reboot Open up the PowerShell ISE as Administrator again, and run the script again, or run the script with the switches
-Enable -CG -DG -HVCI, or whichever of the three you want to enable. You can also use the switch -Ready if you have want to see if any of the three security features are already enabled and running.
You should see some immediate feedback in the console, but you are going to want to find the folder C:\DGLOGS and in there will be a log file that will tell you if your computer is capable of enabling Credential Guard, Device Guard, and Hypervisor Code Integrity.


Windows 10 Creators Update 1703 includes a new tool to convert MBR disks to GPT disks

So I am working on converting a Windows 10 1703 installation that is installed on a MBR disk, and have been looking for the best way to convert it to a GPT disk, so that secure boot, credential guard, and device guard can be enabled. As you may or may not already know, if Windows 10 is installed on an MBR (Master Boot Record) disk, you can not take advantage of all the latest advances in security. Thankfully, Microsoft has included a tool called MBR2GPT.exe in the Windows\system32 directory. Although this tool is really supposed to be used from a PreInstallation Environment like WinPE, it can be used from inside a Windows 10 1703 Build 15063 installation if you use the command line switch /AllowFullOS.

However, it is not as easy to convert as one may think, especially if your first hard disk already has multiple partitions. This is a problem that I am working on fixing. I learned that running the command
MBR2GPT /validate /disk:0 /allowfullos
errors out for me and when I find the setuperr.log in the Windows directory, it says that the disk has too many partitions to convert to GPT. The log said this:
2017-04-02 17:29:34, Error ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
2017-04-02 17:29:34, Error Disk layout validation failed for disk 0
ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
Error Disk layout validation failed for disk 0

Therefore, I am going to have to blow away some partitions before converting this disk. This disk is an SSD with four partitions, but I have tried this from WinPE environment with a Disk that has only 2 partitions and it works. The problem with my SSD drive is that it has an MSR partition in the front, then the Windows C volume, then a Recovery partition, and then an HP Tools partition that I installed from an HP update for the BIOS.

Update: I went back and forth with the reader that commented below, via email and wanted to document how he fixed his problem so it could help someone else in the future. His first comment was :

I am getting an error when trying to do the validation:
ValidateLayout: Wrong boot partition count, expected 1 but found 0.

He then emailed me back and said that his OS Drive was on the first Physical Disk, but his boot partition aka system partition was on the second disk.

My next message to him was:

“Do you have any room to make another partition on the first drive?
I would try to shrink the OS Drive by like 500 mb, then create a new partition on the first drive, using FAT32 of 500mb, there is a way to label it MSR with diskpart, then try to copy the system files directly to that drive, but leave the system from the second disk in tact, so it will still boot, not sure if you can copy the boot files, but you can always try an in-place upgrade so you don’t lose any files. You want the MBR2GPT tool to think that the boot drive is on the first partition. You want the first drive to have two or three partitions, the FAT32 one where you copy the system and boot files over, the OS, and the Recovery drive if you need it. I don’t think I ever had the boot drive on another physical disk, but I have had to recreate the boot drive on my OS disk, and I used the macrium reflect rescue CD to rebuild the boot (System Drive for me). It makes it very easy, so I think it is possible. Let me know if you have any more questions.
Good luck

So he then tried this and came back and said :
That did the trick!
I created a new 500 mb partition using NTFS, copied the files from the old system partition. Ran mbr2gpt and everything works 🙂

Thank you so much !

Now I am not sure if secure boot will work now, because secure boot can be a little tricky to get going, but he was able to convert the first drive to GPT by shrinking the OS making a new partition on the OS Drive and copying the boot system partition from drive 2 to drive one. If anyone else has this problem in the future, try this… As far as getting secure boot enabled, that may just work, or it may require some more configuration. Hit me up if you need help with this.

How to troubleshoot failed Windows Insider Preview Build Installs

There is a folder called Panther, that holds the logs called setupact.log, and setuperr.log. The setupact.log should contain a run through log of the installation progress of the latest build install. If it fails, it will normally roll back to the last build and the user will not know why it failed. This Panther folder may hold the only answers to why the install failed. The Setuperr.log should just display the last error in the install process, which may help diagnose exactly why the installation of the latest build failed. However, most likely you want to read the setupact.log.