Device Controlled Folder Access Rule Modification Procedure

This admin procedure will provide background information on modifying an existing controlled folder access folder path.

Controlled Folder Access

Malicious applications have always had an eye for valuable documents. From ransomware to data exfiltration, many of the most detrimental attacks on an organization involve attaining access to data and changing the status of its confidentiality or availability. Using controlled folder access, we can restrict access to folders containing sensitive information to those applications which are either trusted or explicitly allowed, reducing the risk of new/untrusted applications from gaining access to these files.

Procedure Scope: Administrators

Required Group Membership: Admin.DeviceSecurity

Modifying a Device Controlled Folder Access Rule

1. Navigate to Attack Surface Reduction – Intune, select the policy you wish to alter.
   
2. Locate the Properties section of the rule, 4 points of interest will be available to Edit. You can modify the sections as needed.
   1. Basics: Adjusts non-functional items of the rule, such as the Name or Description.
      
   2. Assignments: Sets the devices or users in which the rule will be assigned to.
      
   3. Scope Tags: Specifies which administrators will be able to view and alter this object.
      
   4. Configuration Settings: Sets the actual policy applied to the devices, we will be worried about two specific settings Enabled Controlled Folder Access and Controlled Folder Access Protected Folders. Modifications can vary from disabling either settings or changing the folder path listed under Controlled Folder Access Protected Folders.
      
3. The Sections will all have the same prompt for adjustments, either add, remove, or delete the setting and select Review + Save to finalize the changes.
   
4. Once on the revisions page, if all the necessary adjustments look correct, select Save to finalize the modification process.
   

You're Finished!