Controlled Folder Access Policy Creation

This guide provides background on creating a controlled folder access policy that allows only trusted apps to access the specified folders.

Controlled Folder Access

Malicious applications have always had an eye for valuable documents. From ransomware to data exfiltration, many of the most damaging attacks on an organization involve gaining access to data and compromising its confidentiality or availability. Using controlled folder access, we can restrict access to folders containing sensitive information to applications that are either trusted or explicitly allowed, reducing the risk of new or untrusted applications gaining access to these files.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: TBD

Domain: TBD

Modifies: TBD

Creating a Device Controlled Folder Access Rule

  1. Navigate to the Attack Surface Reduction section of the Intune portal, then locate and select Create Policy. A pop-out appears where you specify the Operating System Platform scope as Windows and the Profile Type as Attack Surface Reduction Rules. Select Create to proceed.
  2. Supply basic identification information such as the Name and Description for the policy. Select Next to proceed.
  3. All configuration items for the Attack Surface Reduction Rules profile type are listed. Set the Enabled Controlled Folder Access drop-down to Enabled, then select the Add button below Controlled Folder Access Protected Folders. A text box appears where you specify the folder path to protect. Select Next to continue.
  4. Scope tags can be selected if desired; they are mainly used with RBAC. Select Next to continue.
  5. Configure Group Assignments or Exclusions for the policy; this section defines which groups are in scope to receive the profile. Select Next to proceed to the review step.
  6. The review page shows all configured settings for the policy. If you detect a discrepancy at this stage, note the section and select Back to return to the earlier sections and make the necessary changes before finalizing. If everything checks out, select Save to publish the rule.
  7. Upon successful creation, the rule appears in the list of attack surface reduction policies managed through Intune.
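As an added example that is not part of the original guide, the following PowerShell stages the same Controlled Folder Access configuration locally on a single Windows host with the Microsoft Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference). It is useful for piloting the protected-folder and allowed-app lists in audit mode before the Intune policy above is assigned broadly. The folder paths and application path are constructed placeholders, not values from the page; substitute your own.

```powershell
# Added example (not from the original guide): configure and verify Controlled Folder Access
# locally with the Microsoft Defender PowerShell cmdlets before deploying the Intune policy.
# Run in an elevated PowerShell session on a Windows 10/11 host where Microsoft Defender
# Antivirus is the active antivirus with real-time protection enabled.
# All paths below are constructed placeholders; replace them with your own.

$ProtectedFolders = @(
    'C:\Finance\Contracts',    # placeholder: folder holding sensitive documents
    'D:\Shares\HR'             # placeholder: second protected folder
)
$AllowedApps = @(
    'C:\Program Files\LineOfBusiness\LobApp.exe'   # placeholder: trusted app that must write there
)

# 1. Start in audit mode: nothing is blocked, but every write that *would* have been
#    blocked is logged (event ID 1124), so legitimate writers can be identified first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Register the protected folders and the explicitly allowed applications.
#    Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps

# 3. Read the effective configuration back to confirm the change took.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 0=Disabled 1=Enabled 2=AuditMode
    ProtectedFolders = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApps      = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
}

# 4. Review what audit mode recorded over the last 7 days. Any process listed here that is
#    legitimate belongs in AllowedApps; anything else is a candidate for investigation.
#    1124 = audited (would have been blocked), 1123 = blocked (once the mode is Enabled).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. Once every legitimate writer appears in AllowedApps, switch to enforcement.
#    Uncomment after the audit review:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Two caveats worth keeping in mind: once the Intune policy from the steps above is assigned to the device, the Intune-managed setting takes precedence over local Set-MpPreference changes, so the local configuration is a pilot tool rather than the long-term source of truth; and the same event IDs (1123 and 1124) are what you would collect centrally to confirm the policy is enforcing as expected after deployment.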

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.