Forum Discussion

The737's avatar
The737
Brass Contributor
Jul 20, 2023

Controlled Folder Access configured in Intune not being enforced on W10

Hi All. I am working on enabling CFA on some machines and started with some test VMs at first.  I created the ASR rule, enabled Controlled Folder Access and assigned it to a group to which my test VMs are members of. 

When checking in PowerShell, CFA is enabled on the machine:

 

I am then using the test ransomware from the Defender https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground that encrypts files in C:\Demo. The issue I'm facing is that the ransomware encrypts the files, even though CFA is enabled. What am I doing wrong?  Thanks. 

 

 

microsoft defender for endpoint

6 Replies

  • am1357's avatar
    am1357
    Brass Contributor
    Jul 24, 2023

    The737 

     

    I ran into that too. It looks like the CFA test tool is now a trusted application and can therefore write into protected folders.
    You could remove PowerShell as a protected application and use a PS command to create a file in a protected folder, e.g.

     

    Write-Output "CFA Test File - Can be deleted" | Out-File -FilePath "$($env:USERPROFILE)\Documents\CFA-test.txt"

     

    CFA should block this.

    • The737's avatar
      The737
      Brass Contributor
      Jul 27, 2023

      am1357, thank you for the answer. Do I need to remove PS as a protected application at a device level or can I do it from Intune? It shouldn't have any other negative effects on running PS I guess, right?

      • am1357's avatar
        am1357
        Brass Contributor
        Jul 27, 2023

        The737 It should be possible to remove that from the device itself using

         

        Remove-MpPreference -ControlledFolderAccessAllowedApplications "PS PATH"

        https://learn.microsoft.com/en-us/powershell/module/defender/remove-mppreference

         

Resources