Hello there, Audioz folks!

I'm starting to migrate my setup to Windows 11 and I'll be installing a bunch of software over the next few days (tools like Nuendo, Dorico, Reaper, FabFilter, Izotope, Waves, and other plugins and composition apps (for MIDI generation/editing). So, I've run into a question about that Controlled Folder Access thing. I know it's a great tool for protecting important folders, but I wanted to ask you all:

1 - In general, do you recommend keeping this feature on or off for a production machine?

2 - Which folders do you add as exceptions so your DAW and plugins can work without issues?

3 - Have you ever had problems during the installation of audio software and plugins, or when you needed to save presets or samples to specific directories? How did you manage it?

Thanks for the insights!

 

This feature is also on Windows 10 IIRC. I don't like it, but it makes sense for the general public. If you know what you're doing, I would just keep it off. Another example is UAC, it is generally believed to be good for most people, but I always kept it off since Windows 7. I just don't like Windows interfering with my own choices.

That said... Now that the Windows 10 support is almost over, I can't wait until audio work on Linux is finally viable. I'm dreading the upgrade to 11 even though I'm a paying Windows customer.

 

On Win10, CFA is part of the defender A/V junkware. Since there is no need for a/v or firewall on a non-internet connected audio production machine, defender and all its counter parts can be removed (or rendered inert). IF you leave CFA on, you will have to place exception entries for it with every new install of app software - beside the fact that you can't always be certain of every single folder that a new app will need access to. IMO, it is a royal pain and should be eliminated by default on any production box (or any box period). It can be turned off or rendered inert on win11 as well (google)... There is also the default file security settings present on win10/11 that you will need to take-ownership of in order to administer files/folders in windows system areas, program files, ProgramData, etc...

 

Last edited: Aug 11, 2025 at 12:17 AM

At the urging of many companies and users, Microsoft has further strengthened security against unauthorized access, ransomware, viruses, etc. in Windows 11.

I would leave Defender as it is. Before downloading anything from the sister site, you should deactivate it and reactivate it after you're done.
You should then unpack the extracted files with WinRAR and save them on a second hard drive or an external hard drive, etc. If you forget to deactivate Defender and unpack a file, Defender will eat the keygen and you won't be able to activate your software. WinRAR files are protected against Defender virus scans.

Keep in mind that if you delete files, including the keygen, they will be moved to the Recycle Bin on your C drive. Empty the Recycle Bin before reactivating Defender.

If you have installed software, for example from Team R2R or V.R, on your C drive and Defender scans your hard drive, there will be no viruses if you have installed cracked plugins. Therefore, exceptions like the one you asked for are completely unnecessary and make no sense.

If you install plugins, such as KarmaFX, which are not found in the plugin scan, you should create a folder in C:/, for example, with the name VSTPlugins. The folder will then be in "C:\VSTPlugins", and you then share the folder path with your DAW. This way, plugins that cannot handle the new folder permissions will also be found. But this happens very rarely.

You should run this free tool "O&O ShutUp10++: Free antispy tool for Windows 10 and 11" first; without this tool, you will have great difficulty installing anything.
O&O ShutUp10++: Free antispy tool for Windows 10 and 11 --> https://www.oo-software.com/en/shutup10

Become an administrator to have full access to everything:
How to enable the administrator account in Windows --> https://blog.wijman.net/how-to-enable-administrator-account-on-windows/

Once you've finished, you should run " sfc /scannow " in the CMD to fix any errors!
Run System File Checker
In the Command Prompt window, type the following command, and press ENTER:
sfc /scannow
https://support.microsoft.com/en-us...em-files-79aa86cb-ca52-166a-92a3-966e85d4094e

 

Install Win 11 IoT Enterprise LTSC to avoid bloat crap

 

I can never understand why having a dual boot system is never mentioned as an alternative to fretting over online safety for your studio. I have a small partition just for internet use. All downloads go to a separate drive. I used "defender remover" from github to stop keygen problems in the studio which has no internet connection. I use ireboot to change quickly between each OS which is LTSC.

 

I always disable intrusive windows stuff, I dont care how much they tell me is good for me. I kick the balls of: virus protection, UAC, defender and ofc windows updates, I have some kind of custom win11.

But I made this reply to tell people about the importance of disabling onedrive and bitlocker. Specially bitlocker, cause if for some reason your win11 OS gets corrupted and you cannot get in. Using Unix tools or thirdparty programs will be impossible to access any data. Bitlocker gets the drive encrypted
And you just cannot rely on windows of windows for doing such complex tasks on your DATA. Onedrive can make a mess and remove your stuff, imagine disappearing a tiny bunch of chopped sample files, for that reason I wont rely on anything trying to gatekeep my data.

Maybe they are workarounds but why bother.
Better to user winrar for the few stuff you want to secure and avoid bitlocker completely.
and I use robocopy to make backups to a mirror SSD outside the hardware. Its fast, verbose and reliable if you get to know how to use it.

 

There are a number of practical reasons to not setup a dual-boot machine for most users. Some people feel like partitioning and setting up a bootloader is more complicated to them than it is worth; and if you mean 2 windows installations, it takes up quite a bit of space and you end up with no obvious benefit, to them. A properly configured firewall can be almost equally effective as having no internet access. You are right that it needs more babysitting and user interaction, but a lot of people prefer to do that than have a dual boot system.

You need to set it up right for a real security benefit. You need both OS installs unable to mount the other disk, in both directions. They need to be isolated from one another, encrypted, etc. etc. or you do not gain much additional security having the two separate installations. A ransomware/encryptor, or other malware will have access to the physically connected (but unmounted) drives and just mount them and encrypt them, too.

Your "Internet OS" still needs to be secured; but in the dual boot scenario, you just have the luxury of being able to wipe the smaller drive and not be losing important data. Problems with one install can sometimes lead to you having to wipe the entire physical disk. That is just as easily mitigated by following a good backup routine.

Using a cheap second machine instead for just internet has almost none of those concerns. You can easily get a little, decent enough laptop for probably $100 instead of giving up space for a full second Windows install partition on the studio machine. Dual boot can be a more obvious benefit to do if you are going to be installing 2 different OS; such as Linux for internet and Windows for audio work.

 

No need for 11 Win 10 IoT Enterprise LTSC has support until 2032

 

Controlled Folder Access

"...In general, do you recommend keeping this feature on or off for a production machine?"

Yes, I highly recommend this procedure. But, you must be responsible (Understanding your choice) in your irresponsibility (Wilfully disabling security features). Research before disabling anything.

My internet access is always disabled while in production.

After years of Windows use...one day, I get a notification about Controlled Folder Access denying me while trying to download something from Sister Site. I was pissed. A paid-for PC telling me how to run my show will not stand. From then on, I made sure my fresh installs and homemade backup images always had Controlled Folder Access unchecked. It is a great security feature for those with terrible computer hygine and novices.

"Which folders do you add as exceptions so your DAW and plugins can work without issues?"

All folders are accepted bc Controlled Folder Access/Defender/Windows Security/UAC work for me now. I
roll my own security package.

"Have you ever had problems during the installation of audio software and plugins, or when you needed to save presets or samples to specific directories? How did you manage it?"

Currently, no bc previous answer.

But, in the "Before-Times", I would exempt flagged files thru Defender or my personal AV/firewall solution.

And it is a nightmare until you finally figure out what happened.

 

I even uninstalled Defender all together.
There is a script on gitub for that.
All I ever got out of Defender were false positives and deleted keygens.
In short my 11 setup is more like a Win XP security wise.
Yeah, I know, WW3 is going to start because my machine gets owned, but thats a minor annoyance compared to microsofts sht.