How to enable ransomware protection in Windows 11

Informatec Digital » Resources » How to enable ransomware protection in Windows 11

El ransomware has become one of the most serious headaches For any Windows user: it encrypts your files, locks your computer, and, to top it all off, demands payment to regain access—a payment that almost never guarantees anything. Windows 11 (and also Windows 10) has a specific feature to address this problem, but it's disabled by default, and you need to know where to click to make it work in your favor.

In this article you will see What exactly is Windows ransomware protection, and how does "Controlled Folder Access" work?How to activate it step by step in Windows 11 and Windows 10, which folders are protected by default, how to add your own, how to allow specific apps, and what other measures should be applied (backups, updates, common sense, etc.) so that a data breach doesn't ruin your day.

What is ransomware and why is it so dangerous?

ransomware is a type of Malware designed to block your access to your computer or files until you pay a "ransom". It usually encrypts documents, photos, videos, and sometimes even the system itself, so you can't open anything normally.

This type of threat can arrive through fake or unreliable websites, pirated downloads, suspicious email attachmentsmalicious websites and emails can be discovered through links on social media or chat messages, and even via infected USB drives. Often, malicious websites or emails are identified by details such as spelling mistakes, poorly copied logos, or slightly altered company names (for example, “PayePal” instead of “PayPal”).

Once inside, the ransomware can spread through the network to other computers or shared drives, so it doesn't just affect your home PC: it can also impact company computers, servers, or even public sector infrastructure, taking advantage of Windows security flaws.

The problem is aggravated because Many ransomware variants steal confidential information Before encrypting it, they then blackmail you by threatening to leak it if you don't pay. This makes this type of attack one of the biggest cybersecurity threats today, for both individuals and organizations.

What is Windows ransomware protection?

Windows 10 and Windows 11 include as standard Microsoft Defender Antivirus and an integrated firewallwhich analyze files, processes, and network traffic in the background. On that basis, Microsoft added an extra layer called protection against ransomware, whose core is the "Controlled access to folders" function.

The goal of this feature is to protect certain system and user profile folders so that only trusted applications can modify them. This way, if ransomware or other malware tries to encrypt or delete files, Windows blocks the change and displays a notification.

In practice, this protection prevents unknown or suspicious applications They will make unauthorized changes to files located in those folders. This way, even if a threat does manage to execute, it will be much harder for it to leave you without important documents, photos, or projects.

Furthermore, this feature integrates particularly well with Microsoft Defender for Endpoint and enterprise management tools (Intune, Configuration Manager, etc.), which allow for large-scale configuration deployment and auditing, and centralized review of blocking events.

How Controlled Folder Access Works

“Controlled folder access” is based on a simple idea: Only trusted applications can modify files in certain protected locations.Everything else is either blocked or logged in audit mode, depending on your configuration.

Windows keeps a list of trusted applications based on its prevalence and reputation. If a program is widely used, has been running for a long time without malicious behavior, and Microsoft has not detected any problems with it, it is considered reliable and is allowed to work normally in protected folders.

When an app is not on that list, Your attempts to write, delete, or modify files in protected folders are blocked. (or they are audited, if you use log-only mode). You can also manually add exceptions for specific applications that you know are safe.

This feature is especially useful against ransomware because The attacks usually focus on encrypting documents, photos, videos, or projectsBecause these folders have stricter access, the malware encounters a barrier that prevents or greatly hinders its objective.

For corporate environments, Controlled Folder Access can be configured from Microsoft IntuneConfiguration Manager or Microsoft Defender for Endpoint. In these cases, administrators can centrally review the generated events and adjust the policy according to the organization's actual needs.

Folders protected by default in Windows

When you enable Controlled Folder Access, Windows automatically protects a number of user profile and system folderswhich are where you normally store documents and personal content.

The routes that are protected by default include, for example:

• c:\Users\ Documents
• c:\Users\Public\Documents
• c:\Users\ Pictures
• c:\Users\Public\Pictures
• c:\Users\ Videos
• c:\Users\Public\Videos
• c:\Users\ Music
• c:\Users\Public\Music
• c:\Users\ Favorites

These are the locations you normally see under “This PC” in File Explorerand are usually the first target of attackers, so it makes sense that Windows protects them by default.

Furthermore, certain system profiles , the LocalService, NetworkService o systemprofile They also have their respective protected folders (for example, C:\Windows\System32\config\systemprofile\Documents(if it exists). This helps to protect internal processes and services of the operating system itself.

The system folders that come protected They cannot be removed from the listThis is precisely to ensure that this basic security layer isn't accidentally disabled. What you can do is add your own paths to extend protection to other directories or drives.

How to enable ransomware protection in Windows 11

In Windows 11, the settings are fairly easy to access, but It is not always obvious at first glanceBy following these steps, you'll have it active in no time.

1. Open Windows Security
The quickest way is to press the Windows key, type “Windows Security” and open the application. You can also go to Home > Settings > Privacy and security > Windows security and enter from there.

2. Go to “Antivirus and threat protection”
Within the app, you'll see several sections. The one you're interested in is... “Antivirus and threat protection”Click and a new window will open with the status of Microsoft Defender and different options.

3. Locate “Ransomware Protection”
Scroll to the bottom of that screen until you find the block “Protection against ransomware”Below you will see a link that says something like “Managing ransomware protection”. Click there.

4. Activate “Controlled access to folders”
On the new screen you will see the switch for “Control access to the folder” (or “Controlled Folder Access” depending on the version/language). It is usually disabled by default. Enable it: a User Account Control window will appear asking for confirmation; accept for the changes to take effect.

Since then, your files, folders, and certain memory areas They will be protected against unauthorized modifications by unknown or malicious applications.

Configure protected folders and allowed applications

Once Controlled Folder Access is enabled, it is advisable Take a look at the list of folders and allowed apps. to adapt it to your actual way of working.

In the same ransomware protection section you will find:

• Blocking history: to see which applications have tried to modify files and have been blocked.
• Protected foldersHere you can review the folders that are already protected and add new ones.
• Allow an application to access one of the controlled folders: to grant permission to a specific program that is being blocked but that you consider safe.

If you usually save projects in a custom folder (for example, D:\Projects or an external unit) is highly recommended Add it as a protected folderNote that any subfolders within it will also be covered.

Regarding applications, if you find that a legitimate program (for example, your video editor or an alternative office suite) cannot save changes to protected folders, You can manually add it to the allowed list from the appropriate option. However, make sure it's trusted software, always downloaded from official sources.

How to enable ransomware protection in Windows 10

In Windows 10 the idea is the same, although the path within the settings varies slightly. Even so, the process is just as simple and it doesn't take more than a few minutes.

1. Access Windows Security
Press on Home> Settings, go into "Update and security" and, in the left panel, select “Windows Security”You can also type “Windows Security” directly into the Start menu.

2. Go to “Virus and threat protection”
Once in Windows Security, click on “Protection against viruses and threats” to open the window with the built-in antivirus options.

3. Manage ransomware protection
Within that section, look for the link “Managing ransomware protection”It usually appears at the bottom of the screen. Click to access the specific options.

4. Enable Controlled Folder Access
Just like in Windows 11, you'll see the option to enable folder access controlMove the switch to "On" and confirm in the security pop-up window. From that moment on, the feature will begin protecting your critical folders.

From there, You can add additional protected folders, review the lock history and allow specific applications just like in Windows 11, from the options that appear on the same screen.

Use OneDrive and backups as an extra defense

Windows ransomware protection is a great help, but It does not replace backupsIdeally, this function should be combined with a good backup system, both in the cloud and offline.

If you sign in with your Microsoft account and configure OneDriveWindows can Automatically sync your documents, pictures, desktop, etc. folders. and offer integrated ransomware detection and recovery, including the file history in Windows to restore previous copies of the files.

In addition to the cloud, it is highly recommended Create regular backups on offline media (such as external hard drives disconnected when not in use). This way, even if an attack manages to breach your defenses, you'll always have the option to restore your data from a location the ransomware couldn't reach.

What to do if you suspect your computer is infected

If you notice strange behavior (your computer suddenly becomes extremely slow, strange windows open, documents don't open properly, etc.) or have heard about a new malware campaignThe most prudent course of action is to launch a full analysis.

From Windows Security, go to “Protection against viruses and threats” and executes a quick analysis with Microsoft Defender. You can also opt for an offline scan, which restarts your system and scans before potential threats load.

If ransomware has already done its damage, it's normal that a screen or window appears as a ransom noteasking you for money to unlock the device or the files. At that point:

• Don't pay the ransomThere is no guarantee that you will recover the data, and you would be funding the criminals.
• Try cleaning your computer with Windows Security. or with a trusted anti-malware solution.
• Use your backups (OneDrive, external drives, etc.) to restore the affected files once the system is free of malware.

If you've already paid by mistake, the most sensible thing to do is Contact your bank and the authorities immediately. from your country (police, cybersecurity agencies, etc.) to try to block the operation and report the fraud.

Review Controlled Folder Access events

When Controlled Folder Access blocks or audits an action, Windows logs specific events which can be viewed both locally and from the Microsoft Defender portal in enterprise environments.

In organizations that use Microsoft Defender for Endpoint, it is possible launch advanced queries to view blocked or audited violations, for example by using filters on action types ControlledFolderAccessViolationBlocked o ControlledFolderAccessViolationAudited.

At the local level, you can use the Windows Event Viewer to import custom views (for example, the file cfa-events.xmland see events such as:

Event ID	Description
5007	Configuration change Microsoft Defender
1124	Audited controlled folder access
1123	Access to controlled folder blocked
1127	Write attempt to blocked protected sector
1128	Attempted writing in audited protected sector

This level of detail helps, especially in companies, to refine policies and detect legitimate applications that need permission without compromising the overall security of the system.

Exclusions and wildcards in Microsoft Defender

In addition to specific protection against ransomware, Microsoft Defender allows define exclusions so that certain files, folders, file types, or processes are not analyzed in real time.

From Windows Security, in the antivirus protection section, you can access “Add or remove exclusions” and choose between:

• Archive: exclude a specific file.
• Folder: exclude an entire route and all its contents.
• Type of file: exclude by extension, such as .docx, .pdf, etc.
• Process: exclude an executable so that the files it opens are not analyzed in real time.

They can also be used wildcards (*) and environment variables in certain exclusions, for example to exclude all files whose extension ends in “st” (with *st) or all processes located in a specific folder (for example, C:\MyProcess\*).

Although it is a useful feature for avoiding performance conflicts with certain programs, It must be used with extreme care.because any excluded element is no longer protected by real-time analysis and could become an entry point for malware.

Additional tips to avoid ransomware

Windows ransomware protection is a very important component, but It's not the only one you need.To minimize risk, it is advisable to follow a series of basic good practices.

Keep Windows and your apps up to date
Cybercriminals constantly take advantage of vulnerabilities in the operating system and in everyday programsTo close them as soon as possible, go to Start > Settings > Windows Update and make sure that automatic updates are enabled and installed regularly.

Use a good antivirus program and don't disable it.
Microsoft Defender is a Built-in and quite competent antivirusHowever, if you prefer, you can opt for third-party solutions (paid or free) as long as they are trustworthy. The important thing is that you have an active and up-to-date real-time protection engine.

External and cloud backups
As we have already mentioned, it is vital to have backups in locations outside your main computerMixing cloud storage (OneDrive, Google Drive, Dropbox…) with offline external drives is a very solid strategy against any disaster, whether it's ransomware or a hardware failure.

Be careful with emails, links, and downloads
Most infections begin with a careless clicking on a link or attachmentBe wary of unexpected emails, unknown senders, alarmist messages asking for urgent information or payments, and of course, software downloaded from pirate or dubious websites.

Restart your computer from time to time
It seems silly, but Restart at least once a week It helps to ensure that system and application updates are applied correctly, as well as improving overall performance and stability.

With all this properly configured and with the function of Controlled folder access enabledYour Windows 11 (or Windows 10) will be much better prepared to face ransomware and other similar threats, minimizing the chances of your important files ending up hijacked or encrypted beyond repair.