Controlled Folder Access configured in Intune not being enforced on W10

Question

Hi All. I am working on enabling CFA on some machines and started with some test VMs at first. I created the ASR rule, enabled Controlled Folder Access and assigned it to a group to which my test VMs are members of.

When checking in PowerShell, CFA is enabled on the machine:

I am then using the test ransomware from the Defender Test Ground that encrypts files in C:\Demo. The issue I'm facing is that the ransomware encrypts the files, even though CFA is enabled. What am I doing wrong? Thanks.

am1357 · Answer

The737&nbsp;&nbsp;I ran into that too. It looks like the CFA test tool is now a trusted application and can therefore write into protected folders.You could remove PowerShell as a protected application and use a PS command to create a file in a protected folder, e.g.&nbsp;Write-Output "CFA Test File - Can be deleted" | Out-File -FilePath "$($env:USERPROFILE)\Documents\CFA-test.txt"&nbsp;CFA should block this.

the737 · Answer

am1357, thank you for the answer. Do I need to remove PS as a protected application at a device level or can I do it from Intune? It shouldn't have any other negative effects on running PS I guess, right?

am1357 · Answer

The737&nbsp;It should be possible to remove that from the device itself using&nbsp;Remove-MpPreference -ControlledFolderAccessAllowedApplications "PS PATH"https://learn.microsoft.com/en-us/powershell/module/defender/remove-mppreference&nbsp;

the737 · Answer

am1357, coming back to the thread after a longer break. I can't remove PowerShell from the allowed applications list. Tried both the PowerShell and the path to the encryptor from the playground. I get the same error. Any help would be appreciated.

am1357 · Answer

The737Ah, I see. Looks like tamper protection might stop you from making changes. How did you add PS as an allowed application in the first place? Intune?

Forum Discussion

Controlled Folder Access configured in Intune not being enforced on W10

Share

Resources