Windows Built-In Shield: How to Activate Protected Folder Access Against Ransomware

Microsoft has built a native defense against ransomware directly into Windows 11 called Controlled Folder Access. This feature functions as a security layer that monitors the activities of applications running on your system. Rather than comparing files against known malware lists, it observes what applications attempt to do with your data.

The moment an untrusted program attempts to change or encrypt files within a protected folder, Windows automatically blocks the action and issues a notification. This is specifically designed to counteract ransomware, which typically makes money by locking access to crucial files and demanding payment for their release. While this functionality offers significant defense, it is not active by default.

The feature requires users to manually enable Controlled Folder Access within Windows Security, under Virus & threat protection, by managing ransomware protection settings. Additionally, the feature operates only when Microsoft Defender Antivirus is the active antivirus solution and real-time protection remains enabled. If a user utilizes a third-party security suite, the toggle switch for this setting may be greyed out or completely absent.

The default protection scope covers several key system locations automatically, including Documents, Pictures, Videos, Music, Desktop, and Favorites folders. However, users must manually add any other critical data storage location, such as second drives, external disks, or relocated project folders, by selecting ‘Add a protected folder.’ When protecting network-shared folders, it is recommended to use the real local path rather than the network share.

Because the feature is strict by design, aiming to stop malicious changes, it can occasionally block legitimate software. Applications like Adobe Photoshop, Premiere, video editors, and backup tools may attempt to write data straight into protected areas and subsequently trigger a block. To address these blocks, users must utilize the Protection History log found within Windows Security. This history details every block event, allowing the user to identify the problematic program and manually approve it using the ‘Allow an app through Controlled Folder Access’ function.
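
The Windows Security steps described above (enable the feature, add folders, review blocks, allow an app) can also be carried out from an elevated PowerShell session with the Microsoft Defender cmdlets. This is an added example, not part of the original article; the folder and application paths are constructed placeholders, and the signature check before allow-listing is this example's own minimum trust test, not a Defender requirement.

```powershell
# Run in an elevated PowerShell session. Paths below are constructed placeholders.
$ExtraFolders = @('D:\Projects')                                 # hypothetical extra data location
$TrustedApps  = @('C:\Program Files\ExampleBackup\backup.exe')   # hypothetical trusted application

# 1. Precondition: Defender must be the active antivirus with real-time protection on.
$status = Get-MpComputerStatus
if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
    throw 'Microsoft Defender real-time protection is not active; Controlled Folder Access cannot enforce.'
}

# 2. Turn the feature on. The value AuditMode logs would-be blocks without
#    enforcing them, which helps find legitimate apps before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 3. Add locations outside the default set, using real local paths.
foreach ($folder in $ExtraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# 4. Review recent block events (event ID 1123 = blocked, 1124 = audited).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-List | Out-Host

# 5. Allow a trusted application. An allowed app can modify every protected
#    folder, so this example refuses files that are missing or not validly signed.
foreach ($app in $TrustedApps) {
    $sig = Get-AuthenticodeSignature -LiteralPath $app -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -eq 'Valid') {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Not allow-listing (missing or not validly signed): $app"
    }
}

# 6. Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications | Format-List | Out-Host
```

A valid signature only shows the file is unmodified since its publisher signed it; whether that publisher should be trusted with protected folders remains a decision for the administrator.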

Security experts caution that when authorizing an application, users should only permit software they genuinely trust, as this grants the application free rein over protected files. Furthermore, while Controlled Folder Access prevents file encryption or deletion attempts, it does not prevent malware from simply copying the data. Therefore, it is recommended to pair this protection with a robust backup system, such as File History or a trusted cloud synchronization service.