Ransomware protection (Controlled folder access) setup with Intune

This article describes how ransomware protection (Controlled folder access) is set up with Intune.

Situation:

  • Azure AD Joined MEM managed devices
  • Devices are enrolled in Microsoft Defender Advanced Threat Protection
  • Microsoft Cloud App Security is enabled

Target:

  • We want to enable the ‘Ransomware protection’ part of Microsoft Defender

Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.

It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices.

Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.

Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn’t on the list, Controlled folder access will block it from making changes to files inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organisation, and that have never displayed any malicious behaviour, are deemed trustworthy and automatically added to the list.

Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as adding a file indicator for the app, can be performed from the Security Center Console.

Controlled folder access is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage. With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can customise the notification with your company details and contact information.

You can also enable the rules individually to customise what techniques the feature monitors. The protected folders include common system folders, and you can add additional folders. You can also allow or white-list apps to give them access to the protected folders.

You can use audit mode to evaluate how controlled folder access would impact your organisation if it were enabled.

Controlled folder access is supported on Windows 10, version 1709 and later, and on Windows Server 2019.

1. Configure a configuration profile in Microsoft Endpoint Manager

Navigate to the MEM Intune dashboard. Click on ‘Devices’, then on ‘Configuration profiles’ and finally on ‘Create profile’. Give your profile a name, choose ‘Windows 10 and later’ as platform and ‘Endpoint protection’ as profile type. Click on ‘Microsoft Defender Exploit Guard’, then on ‘Controlled folder access’ and set ‘Folder protection’ to ‘Enable’. Ignore the added apps for now.

2. Trigger a sync and test on the device

Now let’s trigger a sync on the device from Microsoft Endpoint Manager. Navigate to ‘Devices’, ‘All devices’, click on a test device and click on ‘Sync’.

You can also trigger this on the device itself by opening Services (Run: services.msc) and restarting the Microsoft Intune Management Extension service.

Now wait a few minutes, and afterwards go to ‘Windows Security’.

Click on ‘Virus and threat protection’ and then on ‘Manage ransomware protection’.

You’ll see that the ‘Controlled folder access’ setting is turned on. It also says ‘This setting is managed by your administrator’, which in this case means the setting is managed through Microsoft Endpoint Manager.

3. Fix first notification for ‘omadmclient.exe’

We’ll also get a notification (rather quickly) that says ‘Protected memory access blocked’.

If we look at the notification in detail, it concerns the process ‘omadmclient.exe’. Note: OMA-DM is the device management protocol used by the Intune client agent. This is the client that communicates with Intune when we trigger a sync, or when new profiles, applications, certificates, … are pushed to the device, so we don’t want it to be blocked.

Open your newly created configuration profile for Controlled folder access. Under ‘Apps’, enter ‘C:\Windows\System32\omadmclient.exe’ and click on ‘Add’.

4. Trigger a sync and test again

Let’s trigger another sync (see step 2). Then go to ‘Virus and threat protection’ and ‘Manage ransomware protection’ again, and click on ‘Allow an app through controlled folder access’.

Now we’ll see that the updated policy, including the allowed app, has come through from Microsoft Endpoint Manager.

5. Conclusion

If you implement this in your organisation, do it as a controlled rollout. Start with a small pilot, monitor the blocks, and add the applications your organisation relies on that trigger them.
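A PowerShell check, added here and not part of the original post, that ties steps 2, 3 and 5 together: it reads the Defender state the Intune profile delivered to a pilot device, then pulls the Controlled folder access block and audit events from the Defender operational log so the pilot yields the list of executables (such as omadmclient.exe above) to review and add under ‘Apps’. The Event IDs 1123/1124 and the Get-MpPreference properties exist as used; the event-payload field names ‘Process Name’ and ‘Path’ are assumed from typical events and may need adjusting.

```powershell
# Added example, not from the original post: verify the Controlled folder
# access state Intune delivered to a pilot device and list the apps it blocked.
# Run in an elevated PowerShell session on Windows 10 1709+ / Server 2019.

$cfaModes = @{
    0 = 'Disabled'
    1 = 'Enabled (block)'          # what the Intune 'Enable' setting maps to
    2 = 'AuditMode'                # log only, useful for the pilot phase
    3 = 'BlockDiskModificationOnly'
    4 = 'AuditDiskModificationOnly'
}

$pref = Get-MpPreference
"Controlled folder access mode : {0}" -f $cfaModes[[int]$pref.EnableControlledFolderAccess]
"Allowed applications          : {0}" -f ($pref.ControlledFolderAccessAllowedApplications -join ', ')
"Additional protected folders  : {0}" -f ($pref.ControlledFolderAccessProtectedFolders -join ', ')

# Defender logs Controlled folder access under Exploit Guard:
# Event ID 1123 = write blocked, 1124 = write that audit mode would have blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 'Process Name' and 'Path' are the payload field names assumed for these
# events; check one event's XML on your build if the columns come back empty.
$hits = foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $action = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = $action
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

# One row per offending executable: the pilot's list of apps to review and,
# if trusted, add under 'Apps' in the Intune profile (or locally with
# Add-MpPreference -ControlledFolderAccessAllowedApplications <path>).
# Get-WinEvent returns newest first, so Group[0] is the most recent hit.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Process'; e = { $_.Name } },
                  @{ n = 'LastAction'; e = { $_.Group[0].Action } },
                  @{ n = 'LastTarget'; e = { $_.Group[0].Target } } |
    Format-Table -AutoSize
```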

 

Happy testing!