Evaluate controlled folder access

Applies to:

Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.

It is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.

This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.


You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Use audit mode to measure impact

You can enable the controlled folder access feature in audit mode. This lets you see a record of what would have happened if you had enabled the setting.

You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.

To enable audit mode, use the following PowerShell cmdlet:

Set-MpPreference -EnableControlledFolderAccess AuditMode


If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.

Review controlled folder access events in Windows Event Viewer

The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.

Event ID Description
5007 Event when settings are changed
1124 Audited controlled folder access event
1123 Blocked controlled folder access event


You can configure a Windows Event Forwarding subscription to collect the logs centrally.

Customize protected folders and apps

During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.

See Protect important folders with controlled folder access for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.