Windows 10's Controlled Folder Access - Impact and

Resolution

Problem:
With Windows 10, update 1709, also called as Fall Creators Update, Security manager fails to
start with error “ Failed to access CSP. This could be due to insufficient permissions on
%ProgramData%\Microsoft\Crypto\RSA\MachineKeys folder”.

Analysis:
Microsoft has introduced “Controlled Folder Access feature”. As the name hints, the
Controlled Folder Access feature allows users to control who can access certain folders. The
feature works on a "block everything by default" philosophy, which means that on a theoretical
level, it would be able to prevent ransomware when it tries to access and encrypt files stored in
those folders. As a result, when the feature is ON, applications that are not “trusted” by Windows
Defender System will not be able to access protected folders on the system. SecurityManager
application falls in this category. As a result, it can’t access protected folder
%ProgramData%\Microsoft\Crypto\RSA\MachineKeys which is used in the encryption process.
Hence the error message.

Resolution
Allow the Security manager application through controlled folder access by adding an exception
using Windows Defender Security Center. Microsoft calls this “whitelisting” and is useful for
situations where applications are flagged incorrectly by Windows Defender (false positives).
Read more here.

This fix needs to be done on customers end. See below the steps (1) to (5) for individuals
followed by group policy management for corporations.

Step 1

Press the Start button and type "Windows Defender Security Center." Select the option when
visible. The following window should appear.
There's a high chance you might select the wrong option and end up in the Windows Defender
Settings section. In this case, just press the obvious "Open Windows Defender Security
Center" button that appears at the top of the window.

Step 2

In the "Windows Defender Security Center" select the second option in the side menu named
"Virus & threat protection" and then select the "Virus & threat protection settings" option
from the main window.
Step 3

Scroll down on this page and locate the "Controlled folder access" section. To enable the
feature, just click the On/Off toggle.

Step 4

First thing first, select the "Protected folders" sub-option and add all the folders you want to
restrict access to.
Step 5

Now it's time to select the second option named "Allow an app through Controlled folder
access." This option will whitelist the apps that are allowed to access, edit, create or remove files
from protected folders.
Group Policy Management for Controlled Folder Access
System administrators in large organizations can use the Group Policy Management Console to
enable the feature for users across a local network.

Step 1: On your Group Policy management machine, open the Group Policy Management
Console, right-click the Group Policy Object you want to configure and click Edit.
Step 2: In the Group Policy Management Editor go to Computer configuration.
Step 3: Click Policies then Administrative templates.
Step 4: Expand the tree to Windows components ⋙ Windows Defender Antivirus ⋙
Windows Defender Exploit Guard ⋙ Controlled folder access.

Step 5: Double-click the Configure Controlled folder access setting and set the option to
Enabled.

You can also use Group Policy to configure allowed applications and protected folders. This
allows a system administrator to easily push out lists of whitelisted programs and protected
folders to every computer on a domain.
References:
https://blogs.technet.microsoft.com/askpfeplat/2017/12/11/security-updates-from-the-win10-fall-
creators-update/

https://www.bleepingcomputer.com/news/microsoft/windows-10s-controlled-folder-access-anti-
ransomware-feature-is-now-live/

https://www.ghacks.net/2017/10/24/configure-controlled-folder-access-in-windows-10/