You are trying to save a file or let an app write to a protected folder, but Windows 11 blocks the action with a notification from Controlled Folder Access. This feature in Microsoft Defender Antivirus monitors specific folders and prevents untrusted applications from modifying files in them. The problem occurs when the app you trust is not recognized by the security system as safe. This article explains why Controlled Folder Access blocks trusted apps and provides the exact steps to unblock them without disabling the entire security feature.
Key Takeaways: Unblock a Trusted App in Controlled Folder Access
- Windows Security > Virus & threat protection > Manage ransomware protection: Open the main panel to find Controlled Folder Access settings.
- Allow an app through Controlled Folder Access: Add the blocked app to the whitelist so it can write to protected folders.
- Event Viewer > Windows Logs > Security: Check Event ID 5379 to identify which app was blocked and the exact folder path.
Why Controlled Folder Access Blocks Your Trusted App
Controlled Folder Access is a ransomware protection feature in Microsoft Defender Antivirus. It monitors a default set of folders, including Documents, Pictures, Videos, Music, and Desktop, as well as any custom folders you add. When an application tries to modify, delete, or create a file in one of these protected folders, Windows checks the app against a list of trusted programs. If the app is not on that list, the action is blocked and a notification is sent to the user.
The root cause is that the feature uses a whitelist model. Only applications that Microsoft has deemed safe or that you have explicitly added are allowed. Many legitimate applications, especially older software, portable apps, or custom-built tools, are not on the default whitelist. Even a trusted app like a PDF editor, backup tool, or developer utility can be blocked if it has not been verified by Microsoft or manually added by you.
The block occurs at the file system level. When the app attempts to write to a protected folder, the Windows kernel intercepts the request and checks the app’s digital signature and reputation. If the app is unsigned, has a low reputation score, or is simply unknown, the request is denied. The user sees a toast notification from Windows Security and the app may display an error such as “Access Denied” or “Cannot save file.”
Steps to Allow a Trusted App Through Controlled Folder Access
Follow these steps to add the blocked app to the whitelist. You do not need to disable Controlled Folder Access entirely, which would leave your folders unprotected.
Step 1: Identify the Blocked App
- Check the Windows Security notification
When an app is blocked, a notification appears in the action center. It shows the app name and the folder that was protected. Click the notification to open Windows Security. - Use Event Viewer to find the exact details
Press Windows key + X and select Event Viewer. Navigate to Windows Logs > Security. Look for Event ID 5379. This event logs the process name, the file path, and the user account involved. Double-click the event to read the description.
Step 2: Open Controlled Folder Access Settings
- Open Windows Security
Click the Start button, type Windows Security, and press Enter. - Navigate to ransomware protection
In the left sidebar, click Virus & threat protection. Under the Ransomware protection section, click Manage ransomware protection. - Access Controlled Folder Access settings
Under Controlled folder access, click Allow an app through Controlled folder access. This link opens the whitelist management page.
Step 3: Add the Trusted App to the Whitelist
- Click Add an allowed app
On the Allow an app through Controlled folder access page, click the Add an allowed app button. A menu appears with two options: Recently blocked apps and Browse all apps. - Select from recently blocked apps
If the app was blocked recently, it appears in the Recently blocked apps list. Click that option, then select the app from the list. The app is added immediately. - Browse for the app executable
If the app is not in the recently blocked list, click Browse all apps. Navigate to the app’s executable file, usually ending in .exe. Select the file and click Open. The app is now added to the whitelist. - Confirm the app is listed
After adding, the app appears under the Allowed apps list. You can remove it later by clicking the app name and selecting Remove.
Step 4: Test the App
- Restart the app
Close the blocked app completely and open it again. Try the same action that was blocked, such as saving a file to the Documents folder. - Verify no new blocks
Check the Windows Security notifications again. If no new block appears, the fix is complete. If the app is still blocked, ensure you added the correct executable file path.
If the App Is Still Blocked After Adding It
“App added but still blocked”
This can happen if the app uses a helper process or a service to write files. For example, a backup tool may use a background service that is different from the main executable. In this case, add the helper process to the whitelist as well. Use Event Viewer to find the exact process name that was blocked (Event ID 5379). Then add that process using the same steps above.
“Controlled Folder Access blocks a script or batch file”
Scripts like .bat, .cmd, .ps1, or .vbs are not executable files. You cannot add them directly. Instead, add the interpreter that runs the script. For a PowerShell script, add powershell.exe or pwsh.exe. For a batch script, add cmd.exe. For a VBScript, add wscript.exe or cscript.exe. After adding the interpreter, the script will be allowed.
“I want to unblock a folder, not an app”
Controlled Folder Access does not allow you to unblock individual folders. You can either add the app to the whitelist or remove the folder from the protected list. To remove a folder, go to Windows Security > Virus & threat protection > Manage ransomware protection > Controlled folder access > Protected folders. Click a folder and select Remove. This reduces protection for that folder, so consider adding the app instead.
Adding a Single App vs Disabling the Entire Feature
| Item | Add a Single App | Disable Controlled Folder Access |
|---|---|---|
| Protection level | All other apps remain blocked | No apps are blocked |
| Security risk | Low, only one app is trusted | High, ransomware can modify any folder |
| Time to implement | 2-3 minutes | 10 seconds |
| Impact on other apps | None | All apps can write to protected folders |
| Recommended for | One or two trusted apps | Only if the feature causes constant problems with many apps |
Adding a single app is the safer and more precise approach. Disabling Controlled Folder Access exposes your documents to potential ransomware attacks. Only disable the feature temporarily if you need to run multiple blocked applications and plan to re-enable it afterward.
You can now allow any trusted application to write to protected folders while keeping Controlled Folder Access active for all other programs. If you encounter a block on a new app, repeat the same steps to add it to the whitelist. For advanced protection, review the list of allowed apps periodically and remove any that you no longer use. This keeps your security settings lean and effective.