Device Controlled Folder Access App Exclusion

This guide will allow administrators to configure an application that is allowed to make changes to a specified directory path.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: Device Security

Domain: Attack Surface Reduction Management

Modifies: Controlled Folder Application Exclusions

Defender Controlled Folder Access App Exclusion

  1. Navigate to Attack Surface Reduction – Intune, locate the Security Essentials Attack Surface Reduction configuration item.
  2. Scroll down to Configuration Settings and select Edit.
  3. Scroll down the list of policies to the end. Click the toggle for Controlled Folder Access Allowed Applications, if not already enabled. (Note: When set to the Not Configured option, it simply means no applications are explicitly allowed, but the algorithm to allow trusted applications will still apply.)
  4. In the text box, enter the full path to the application requiring access. If an application should be deleted, select the checkbox next to the specified path and click Delete.
  5. Click Review and Save on the next page, followed by Save. Rule changes propagate in less than 24 hours.

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.