Policy
Configure protected folders
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in Windows Security. Enabled: Specify additional folders that should be protected in the Options section. Disabled: No additional folders will be protected. Not configured: Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | Enter the folders that should be guarded: ID ExploitGuard_ControlledFolderAccess_ProtectedFolders | list | Path Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders Value name ExploitGuard_ControlledFolderAccess_ProtectedFolders Type REG_MULTI_SZ | List: additive, explicit value |