Windows 10 Ransomware Protection: What You Should Know


What Is Windows 10 Ransomware Protection?

Malware protection is a major concern for all computing systems. In light of this, Microsoft included Ransomware Protection features as part of Windows 10. Windows 10 Ransomware Protection comprises two main components:

  • Controlled Folder Access—lets you specify particular folders that require monitoring and prevent changes to the files retained within them. This will prevent all programs, except those you permit, from making any changes to the files within the monitored folders. This protects them from becoming encrypted by ransomware.
  • Ransomware Data Recovery—automatically syncs your regular data folders in your Microsoft OneDrive account to backup the files. Ransomware targets who have this feature enabled may utilize OneDrive to recover any files that are encrypted by ransomware.

As of Windows 10 version 1903, Windows Defender’s Ransomware Protection has been disabled by default. This article explains how to enable it to protect a Windows system from ransomware attacks.

Note that if you have installed a third-party antivirus software, the Controlled Folder Access feature and the Ransomware Protection features screen may not be accessible.

What Is Controlled Folder Access?

Controlled folder access helps safeguard your valuable information from malicious applications and threats, including ransomware. Controlled folder access safeguards your data by examining applications by going through a checklist of trusted and known applications.

Supported on Windows 10 clients and Windows Server 2019, controlled folder access may be initiated via Windows Security Application, Intune (for managed devices) or Microsoft Endpoint Configuration Manager.

Controlled folder access is most effective with Microsoft Defender for Endpoint, which provides you with detailed reporting information regarding controlled folder access events while blocking as a component of the regular alert investigation scenarios.

How does Controlled Folder Access work?

Controlled folder access functions by only providing trusted applications with access to protected folders. Protected folders are assigned once controlled folder access has been configured. Generally, commonly used folders, including those used for pictures, documents, downloads and the like, feature on the checklist of controlled folders.

Controlled folder access works alongside a checklist of trusted applications. Applications that feature on the checklist of trusted software work as anticipated. Applications that do not feature on the list are blocked from making any modifications to files within protected folders.

Applications are placed on the list according to their reputation and prevalence. Applications that are prevalent throughout an organization and that have never shown any behavior thought to be malicious are deemed trustworthy. Those applications are automatically added to the list.

Applications may also be manually placed on the trusted checklist through the use of Intune or Configuration Manager. You can also perform other actions, including adding a file indication for an application, via the Security Center Console.

Related content: Read our guide about how to prevent ransomware.

How To Turn on Windows 10 Ransomware Protection

The following steps can be used to enable Ransomware Protection on Windows 10:

1. Open Windows Security
In Windows 10, type “security” into the search bar and select the Windows Security application to get started. After Windows Security has initiated, go to the left-side menu and choose “Virus and Threat Protection” (it has a shield icon).

2. Manage Ransomware Protection
In the Virus and Threat Protection page, scroll down until you see the section named Ransomware Protection. Look for the link Manage Ransomware Protection, and click it to continue.

3. Enable controlled folder access
Look for the Controlled folder access section and ensure that the toggle is switched to “on”. This will automatically start ransomware protection.


4. Allow required access to certain apps
Once you’ve enabled Controlled Folder Access, look under it for the section Allow an App Through Controlled Folder Access. This is where you can manage application access.

By default, Controlled Folder Access mode will stop file access from all applications it doesn’t know ( probably the majority of the third-party applications you are utilizing). This can be an issue if an application genuinely does require access to a file. Select this option to let a specific application use your files.

5. Set up OneDrive File Recovery
If you don’t have Microsoft’s cloud solution OneDrive, the Ransomware Protection window will suggest that you organize OneDrive. This lets you store key files within the OneDrive cloud and on the local hard drive, so you may access them even when Ransomware prevents you from accessing your local files.

OneDrive’s basic service does not cost money and includes individual file recovery. If you have previously set up OneDrive, select “View Files” to confirm that your essential files are already in OneDrive.

Potential Drawbacks of Windows Ransomware Protection

Now that you are aware of this feature, you may be wondering why it is not turned on by default. Here are some of the drawbacks of using Windows Ransomware Protection in certain cases:

  • Only prevents data encryption—attackers are still able to exfiltrate files and extort the organization, threatening to publish the sensitive data.
  • Malware running as admin—this solution is not able to protect against malware that elevates privileges and runs as admin, because it can then disable Ransomware protection.
    False positives—this feature tends to detect false positives, which might lead to another series of issues. For instance, if a program you trust is deemed to be dubious, the warning could appear at an unsuitable time. It could crash the program or give you no option to retain your work.
  • Reduced functionality—It is not possible to determine in advance which programs Microsoft will deem to be suspicious. Thus, it is difficult to know in advance if your common applications or games will function properly when the ransomware protection is on. A possible solution to prevent trusted programs from being labeled as suspicious is putting them on the controlled folder access whitelist, but this can be complicated for people who may not be technical, as it involves locating the executable file used to run the program.
  • Complex management—any files on an external hard drive or in a shared network have to be manually placed on the checklist of protected folders. This is not always simple or quick to do.

So, while there are advantages to using the Widows ransomware protection, you should consider all aspects. Consider your preparedness to make various manual adjustments when things don’t function normally. For some, it could just be simpler to toggle the Controlled Access folder back to “off” and invest in a powerful antivirus for Windows, which stops threats such as ransomware in real time.

Windows 10 Ransomware Protection with Hysolate

Hysolate creates an isolated workspace on Windows endpoints, to isolate ransomware and other endpoint threats, or to ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace. The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity. Hysolate enhances endpoint security for Windows 10, and now with Windows 11 endpoint devices.

Untrusted links, applications and even documents can be transferred into Hysolate, reducing risk, and users are able to access all websites and applications as needed. Rather than just isolating browser based malware risks, Hysolate provides full OS isolation against all ransomware and other endpoint threats.

Try Hysolate Free now.