How to protect critical data from ransomware in Windows 10

Go to Start and search for Windows Defender Security Center. This will open the app window. In case you are taken to the Windows Defender option in the Settings app, just click on the Open Windows Defender Security Center button and the app will open. 

On the left side menu, select the Virus & threat protection page and in the right pane, click on Virus & threat protection settings.

Scroll down till you find the toggle option for Controlled folder access and enable the toggle. You will see an User Account Control (UAC) prompt for permission to proceed. Click Yes to turn on the toggle. Note: This feature requires admin privileges. If you are not logged in as a system default Administrator or a user account with admin privileges, you will be asked to provide an Administrator username and password in the UAC prompt in order to enable Controlled Folder Access. 

As soon as you enable Controlled Folder Access, you will find two options listed below the toggle — Protect Folders and Allow an App through Controlled folder access. We will explore them in the next steps. 

Click on Protected folders to open a list of folders that are protected by Controlled Folder Access (CFA). Windows system folders are protected by default. You can add the folders you want to protect from malicious programs by clicking the + sign beside Add a protected folder.

While programs identified as malicious will be unable to make changes to Protected folders, those that are listed as friendly by Microsoft are always allowed via CFA and will be able to access and modify Protected folders as needed. You can also add your own trusted programs so that they are allowed by CFA to modify Protected folders. To do so, go back to the Virus & threat protection settings page, scroll down to Controlled folder access option and click on the Allow an app through Controlled folder access option.

In the page that opens, click on the + sign beside Add an allowed app and browse to the program's executable on disk. 

Using the Group Policy Editor, network admins can easily control which users need CFA enabled and can roll out app and folder permissions across the domain very easily (Note: Group Policy Editor is not available in Windows 10 Home). To configure CFA using Group Policies, open the Group Policy Editor by going to Start > Run and typing gpedit.msc or simply type Group Policy in the Cortana search box. In the left hand pane of the Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access. You will see three policies. Double-click on Configure Controlled folder access to access the policy settings. Set the policy to Enabled and in the Configure the guard my folders feature dropdown menu, select Block. (Note: In some versions of Windows, you might see Enable instead of Block). You can use the other two policies to add apps and folders similar to how we added them earlier via the Windows Defender Security Center app. Now, all computers in the domain, which inherit this policy will have CFA enabled along with permissions for individual apps and folders.

You can test out the feature by trying to save or rename a file in a protected folder from a third-party program. If the program has been whitelisted either by you or Microsoft, you should be able to perform the required actions in the protected folder. However, if a non-trusted program tries to make any changes, Windows Defender immediately prevents it and shows a notification informing you of the action.