title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool description: See how malicious apps and threats are evaluated and countered by Microsoft Defender Antivirus. search.appverid: met150 ms.service: defender-endpoint ms.author: lwainstein author: limwainstein ms.localizationpriority: medium manager: bagol ms.reviewer: yongrhee audience: ITPro ms.collection:
- m365-security
- tier2
- demo
ms.topic: article
ms.subservice: asr
ms.date: 03/10/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
-
Windows 10, version 1709 (build 16273) or newer
-
Microsoft Defender Antivirus (active mode)
Set-MpPreference -EnableControlledFolderAccess <State>| State | Mode | Numeric value |
|---|---|---|
| Disabled | = Off | 0 |
| Enabled | = Block mode | 1 |
| Audit | = Audit mode | 2 |
Get-MpPreferenceDownload and run this setup script. Before running the script set execution policy to Unrestricted using this PowerShell command:
Set-ExecutionPolicy UnrestrictedYou can perform these manual steps instead:
- Turn on CFA using PowerShell command:
Set-MpPreference -EnableControlledFolderAccess Enabled- Download the CFA test tool
- Execute the PowerShell commands above
- Launch CFA test tool
- Select the desired folder and create file
- You can find more information here.
Download and run this cleanup script. You can perform these manual steps instead:
Set-MpPreference -EnableControlledFolderAccess Disabled