2

I have a piece of Windows desktop software that needs to write new folders/files into the %USERPROFILE%\Documents\ folder. There is a Windows option, under "Ransomware protection", that protects "Controlled folders". Usually, this is disabled, but there are customers who have this turned on, which causes my app to crash when starting up (because it cannot write into the folder).

This 'authorization' cannot be bypassed by administrator rights, i.e. if you run the app as admin the app is still blocked by Windows. The app is digitally code signed by a time-stamped certificate from a trusted certificate authority. Still, this "Controlled folders access" blocks my app.

Typically, the users of my software don't have this option enabled, but some of them do. I would prefer to avoid that we have to instruct our customers to "add our software to the exception of Ransomware protection"... It seems unprofessional and sketchy. But at the moment, that's the only way I can make it work.

Is there anything I can do, on my side, when I deploy my app, that can be accepted by Windows to write into the Documents folder?

EDIT: For example, if I could add an exception via the command line, then I could try to have the installer (which requires admin rights) run such a command. But I'm not sure if this is possible.

Destroy666
  • 12,350
cinico
  • 259

1 Answer

2

The Microsoft article "Protect important folders with controlled folder access" unfortunately says this:

Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow with certificate and file indicators.

Your only option is to set your application as trusted.

The article "Customize controlled folder access" has this advice for using PowerShell that is Run as Administrator:

Enter the following cmdlet:

Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"

For example, to add the executable test.exe located in the folder C:\apps, the cmdlet would be as follows:

Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
harrymc
  • 498,455
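
An installer step built around the cmdlet quoted in the answer, as an added example that is not part of the original question or answer. The default install path and the `-Uninstall` switch are hypothetical. The script refuses to allow-list a binary whose Authenticode signature does not validate, skips the add when the entry already exists, and removes the entry again on uninstall.

```powershell
#Requires -RunAsAdministrator
# Added example: manage a Controlled folder access allow-list entry from an installer.
# The default $AppPath is a hypothetical install location; pass the real one.
param(
    [string]$AppPath = 'C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe',
    [switch]$Uninstall
)
$ErrorActionPreference = 'Stop'

# Defender cmdlets fail when Microsoft Defender is not the active antivirus;
# in that case there is no allow list to manage, so exit cleanly.
try { $pref = Get-MpPreference } catch {
    Write-Warning "Microsoft Defender preferences unavailable: $($_.Exception.Message)"
    return
}

if ($Uninstall) {
    # Do not leave a stale entry behind: a different file later placed at this
    # path would inherit write access to the protected folders.
    Remove-MpPreference -ControlledFolderAccessAllowedApplications $AppPath
    return
}

# The allow list takes the executable's full path, as in the answer's cmdlet.
$exe = (Resolve-Path -LiteralPath $AppPath).Path

# Only allow-list the binary that was actually shipped: require a valid signature.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Refusing to allow-list '$exe': signature status is $($sig.Status)"
}

# EnableControlledFolderAccess: 0 = disabled, 1 = enabled, 2 = audit mode.
Write-Host "Controlled folder access mode: $($pref.EnableControlledFolderAccess)"

# -contains compares strings case-insensitively, which suits Windows paths.
$allowed = @($pref.ControlledFolderAccessAllowedApplications)
if ($allowed -contains $exe) {
    Write-Host "Already allowed: $exe"
} else {
    # Add-MpPreference appends; Set-MpPreference would replace the user's list.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
    Write-Host "Added to allowed applications: $exe"
}
```

Running the same script with `-Uninstall` from the uninstaller removes the entry, so the allow list only ever contains the path while the signed binary is installed there.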