This Windows security feature protects Documents from ransomware, but it is off by default

For years, I assumed Windows didn't have much of an answer to ransomware beyond "install an antivirus and hope for the best." But Microsoft built a genuine defense right into Windows 11, then left it switched off so most people never stumble across it. Controlled Folder Access quietly guards your most important files, and switching it on takes about a minute.

Windows has a built-in ransomware shield, and it sits switched off until you go looking

Controlled Folder Access is part of Microsoft Defender Antivirus, the security suite that already ships with every copy of Windows 11. Instead of matching files against a list of known malware, it watches what your apps actually do. The moment an untrusted program tries to change or encrypt a file inside a protected folder, Windows blocks the attempt and fires off a notification.

That's exactly the behavior you want against ransomware, which makes its money by locking your files and demanding payment to release them. So why is it off by default? Because the same strictness that stops malware also trips up legitimate software, and Microsoft would rather not field a flood of complaints about apps that suddenly can't save. The trade-off is yours to make.

Personally, I think of it as a safety net rather than a replacement for antivirus. It also comes with one limit worth knowing right away: it stops apps from changing or deleting your files, but it does nothing to prevent malware from copying them. Encryption is the specific threat it was built to fight.

Switching it on takes thirty seconds, unless a third-party antivirus has greyed it out

Switching it on is quick. Open Windows Security, go to Virus & threat protection, then click Manage ransomware protection and flip the Controlled folder access toggle to on. Approve the User Account Control prompt, and that's it.

6

6

Best Deals: Samsung 9100 PRO 1TB SSD

	Today	7 days ago	30 days ago
	$249.99 USD	$249.99 USD	$249.99 USD	Buy
	$249.99 USD	-	$249.99 USD	Buy
	$399.97 CAD	$399.97 CAD	$464.97 CAD	Buy
	$399.99 CAD	$399.99 CAD	$464.99 CAD	Buy
	$249.99 USD	$249.99 USD	$249.99 USD	Buy
	$249.99 USD	$249.99 USD	$249.99 USD	Buy
	$499	$499	$499	Buy
	Check Price	Check Price	Check Price	Buy
	Check Price	Check Price	Check Price	Buy
* Prices last scanned 6/13/2026 at 9:30 am CDT - prices may be inaccurate. As an Amazon Associate, we earn from qualifying purchases. We earn affiliate commission from any Newegg or PCCG sales.

There's one catch that trips people up, though. The feature runs only when Microsoft Defender is your active antivirus and real-time protection is enabled. If you've installed a third-party security suite that took over those jobs, the toggle will be greyed out or gone entirely, and you'd need to step away from that software or lean on its own ransomware tools instead.

If you'd rather use the command line, you can do the same thing by running Set-MpPreference -EnableControlledFolderAccess Enabled in an elevated PowerShell window. Either way, expect apps to start getting blocked almost immediately. That isn't a malfunction; it's the entire point. The next two sections cover how to shape that behavior so it works for you instead of against you.

Documents and Pictures are covered automatically; everything else is your call

As soon as the feature is live, it protects a set of folders you didn't have to pick yourself. By default, that list covers your Documents, Pictures, Videos, Music, Desktop, and Favorites folders. You can't remove any of them, which makes sense, since these are exactly where most of us keep the files we'd hate to lose.

6

The gap, naturally, is everything stored somewhere else. If you keep projects on a second drive, save games in a relocated folder, or working files on an external disk, none of it is covered until you say so. To fix that, click Protected folders, choose Add a protected folder, and point Windows at the location you care about.

6

One small thing to watch here. If you've shared a folder on your network, add its real local path rather than the network share that loops back to the same PC. Beyond that, be picky. There's little point protecting a throwaway downloads folder, but your irreplaceable photo archive absolutely belongs on the list.

Photoshop and your game launcher will get blocked, and Protection History tells you which to allow

Here's where a lot of people get frustrated and end up switching the whole thing back off. Plenty of legitimate apps write straight to your Documents folder, and Controlled Folder Access doesn't always recognize them. Adobe apps like Photoshop and Premiere, video editors, backup tools, and game launchers that save progress to Documents can all get caught in the net.

Microsoft keeps a hidden list of apps it treats as friendly and lets through automatically, but it misses plenty, and even some of Microsoft's own apps have triggered false blocks on recent Windows updates.

When that happens, you don't have to choose between security and a working app. Open Protection History, the log inside Windows Security that records every block and can filter down to Controlled Folder Access events. From there, you can see exactly what was stopped, then use Allow an app through Controlled Folder Access and pick the program straight from the Recently blocked apps list.

6

A word of caution, though. Allowing an app hands it free rein over your protected folders, so only allow software you genuinely trust and recognize. Don't wave something through just to clear a notification.

Treat it as one layer, not the whole wall

Controlled Folder Access keeps your files from being encrypted, but it can't stop them from being copied, and it's no substitute for a proper backup. So pair it with something that keeps versioned copies, whether that's File History or a cloud sync you trust. After that, it's worth poking through the rest of Windows Security, since reputation-based protection and core isolation are sitting right there too. The strongest position is always data you can restore.