Evaluating the Pros and Cons of Microsoft’s Controlled Folder Access

In a time when threat actors are targeting data to bring organizations to their knees, Microsoft’s Controlled Folder Access (CFA) feature has emerged as one of Microsoft’s many answers to combating ransomware. While this security feature offers some advantages, it also comes with its fair share of drawbacks. In this blog post, we’ll delve into the pros and cons of Microsoft’s Controlled Folder Access to help you make an informed decision about whether it’s the right choice for your cybersecurity needs.

The Pros of Microsoft’s Controlled Folder Access:

  1. Ransomware Protection: CFA acts as a defense mechanism against ransomware attacks. It monitors and restricts access to your important files and folders, preventing unauthorized changes and encryption attempts by malicious software.
  2. Application Whitelisting: You have the power to whitelist trusted applications, ensuring that only approved programs can access your protected folders. This control minimizes the risk of malware infiltrating your system.
  3. Built-In Windows Security: CFA is integrated into Windows Defender Antivirus, making it readily available to users without the need for third-party security software. This can lead to cost savings for businesses and individuals.


The Cons of Microsoft’s Controlled Folder Access:

  1. Compatibility Issues: One of the primary drawbacks is the potential for compatibility issues with legitimate applications. If a trusted program is mistakenly blocked, it can disrupt workflows and cause frustration.
  2. Administration Complexity: While the initial configuration of CFA aims to be user-friendly, the initial setup and configuration may still be challenging. Advanced organizations with a deep technical bench of information security professionals have experienced a lack of centralized dashboard, combing through Event Trace for Windows (ETW) logs, and limited improvement to the security posture of the organization.
  3. High False Positive Rate: Just as with compatibility issues, CFA can sometimes flag legitimate activities as suspicious, leading to false positives that need to be triaged by an incident responder.
  4. Limited Scope: Controlled Folder Access mainly focuses on protecting files and folders within user profiles. It may not provide comprehensive protection for files stored in non-standard locations or network drives.
  5. Ongoing Maintenance: To maintain CFA effectively, users need to continuously update the whitelist of approved applications and monitor event logs, which can be extremely time-consuming.


In conclusion, it appears Microsoft admits their Endpoint Detection and Response (EDR) technology, Microsoft Defender, is not enough to combat ransomware. With its high administration cost and limited benefits, SecuritySnares has seen a large number of organizations turn CFA off.

Related Blogs