Some thoughts about new Defender feature controlled folder access.
Windows 10 Fall Creators Update includes a new feature for Defender called "controlled folder access", which means folders can be protected from unauthorized changes. By default it is not enabled, but enabled it will protect standard user folders like Documents, Pictures, Desktop etc and user can add other folders including network shares to add protection for their documents. When enabled applications can not write to these locations unless they are explicitly whitelisted (elevated admin prompt). Some applications are allowed implicitly, like MS Office and MS Notepad. Also, standard folders can't be excluded from this protection.
From what I read in articles a notification about block should appear and give user option to add the application to whitelist, that is not what happens on my machine, the notification appears but no option to whitelist it there. Also in Defender settings there is no blocklist with option to whitelist. There is a dialog where I can browse manually to an .exe to add it to whitelist (or paste a path), this can only get better.
The block notification truncates the path, I've found hidden deep in event lists a Defender event list that shows the block event, and also includes the full path. What about Clickonce installed applications? As you know their path is convoluted, and also changes if updated. No way users will be able to whitelist them manually.
So if you thought your application could safely write to user Documents and such folders think again, prepare for FileNotFoundException of all things.
If you have VS projects in Documents folder they are affected by this as well when debugging.
Windows 10 Fall Creators Update includes a new feature for Defender called "controlled folder access", which means folders can be protected from unauthorized changes. By default it is not enabled, but enabled it will protect standard user folders like Documents, Pictures, Desktop etc and user can add other folders including network shares to add protection for their documents. When enabled applications can not write to these locations unless they are explicitly whitelisted (elevated admin prompt). Some applications are allowed implicitly, like MS Office and MS Notepad. Also, standard folders can't be excluded from this protection.
From what I read in articles a notification about block should appear and give user option to add the application to whitelist, that is not what happens on my machine, the notification appears but no option to whitelist it there. Also in Defender settings there is no blocklist with option to whitelist. There is a dialog where I can browse manually to an .exe to add it to whitelist (or paste a path), this can only get better.
The block notification truncates the path, I've found hidden deep in event lists a Defender event list that shows the block event, and also includes the full path. What about Clickonce installed applications? As you know their path is convoluted, and also changes if updated. No way users will be able to whitelist them manually.
So if you thought your application could safely write to user Documents and such folders think again, prepare for FileNotFoundException of all things.
If you have VS projects in Documents folder they are affected by this as well when debugging.
