Device Controlled Folder Access Rule Creation Procedure

This admin procedure provides background on controlled folder access and walks through creating a rule that allows only trusted apps to access the specified folder.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Controlled Folder Access

Malicious applications have always had an eye for valuable documents. From ransomware to data exfiltration, many of the most damaging attacks on an organization involve gaining access to data and compromising its confidentiality or availability. Using controlled folder access, we can restrict access to folders containing sensitive information to those applications that are either trusted or explicitly allowed, reducing the risk that new or untrusted applications gain access to these files.


Procedure Scope: Administrators

Required Group Membership: Admin.DeviceSecurity


Creating a Device Controlled Folder Access Rule

  1. Navigate to Attack Surface Reduction – Intune and select Create Policy. Set the Platform to Windows 10, Windows 11, and Windows Server and the Profile type to Attack Surface Reduction Rules. Select Create to proceed.
  2. You will supply basic policy information such as name and description. Click Select to proceed.
  3. All the configuration items related to the profile type will be listed. Set the Enable Controlled Folder Access drop-down to Enabled, then set Controlled Folder Access Protected Folders to Configured and specify the folder path in the space below. Select Next to continue.
  4. A scope tag can be selected here; scope tags are mainly used with RBAC. Select Next to continue.
  5. Configure the group assignments or exclusions that the policy should affect. Select Next to proceed to review.
  6. The review page shows all configured settings for the profile. If you detect a discrepancy at this stage, make note of the section and select Previous to go back and make alterations before finalizing. If everything checks out, select Create to publish the policy.
  7. Upon successful creation the rule will show up in the list of all attack surface reduction policies managed through Intune.
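Once the policy has synced, an administrator will want to confirm on a managed device that it actually took effect. The following verification script is an added example and not part of the Sittadel procedure; it uses the built-in Defender cmdlets and assumes `<PROTECTED_FOLDER>` is replaced with the path configured in step 3.

```powershell
# Added example (not part of the Sittadel procedure): confirm on a managed
# device that the Intune policy applied and inspect recent controlled folder
# access events. <PROTECTED_FOLDER> is a placeholder for the path from step 3.

function Test-CfaPolicy {
    param(
        [Parameter(Mandatory)][string]$ProtectedFolder,
        [int]$Hours = 24
    )

    $pref = Get-MpPreference

    # EnableControlledFolderAccess: 0 Disabled, 1 Enabled (block), 2 Audit,
    # 3 Block disk modification only, 4 Audit disk modification only
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode';
                    3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
    $mode = [int]$pref.EnableControlledFolderAccess

    # Compare folder paths case-insensitively and ignore a trailing backslash
    $wanted    = $ProtectedFolder.TrimEnd('\')
    $protected = @($pref.ControlledFolderAccessProtectedFolders) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $folderPresent = $protected -contains $wanted   # -contains is case-insensitive

    # Defender logs 1123 (blocked) and 1124 (audited) controlled folder access events
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    [pscustomobject]@{
        Mode             = $modeNames[$mode]
        Blocking         = ($mode -eq 1)
        FolderProtected  = $folderPresent
        ProtectedFolders = $protected
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
        RecentEvents     = $events | Select-Object TimeCreated, Id, Message
    }
}

$result = Test-CfaPolicy -ProtectedFolder '<PROTECTED_FOLDER>'
if (-not $result.Blocking -or -not $result.FolderProtected) {
    Write-Warning "Policy not fully applied: mode=$($result.Mode), folder protected=$($result.FolderProtected)"
}
$result | Format-List
```

Run it in an elevated PowerShell session on a device in the assigned group; a mode other than Enabled, or a missing folder, usually means the device has not yet synced the Intune policy or a conflicting Defender policy is winning.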

You're Finished!

You should have successfully created a new controlled folder access allowance for the specified folder path; this will prevent non-trusted apps from being able to make changes to any contents within the folder. For any other problems or questions, reach out to us!