This is fine and dandy except for the fact the vast majority of people that get hit with such ransomware malware (i.e., low computer knowledge folks) a) won't enable this feature because they don't understand it and b) malware will simply evolve to socially engineer folks to turn it off.<p>If you can get someone to believe some random, Indian accented fellow calling saying they're from Microsoft and would the person please give them full remote access to the computer then it's child's play to get them to disable any optional, controllable feature in order to allow malware to spread.<p>And since CFA only protect user files the malware can still infect and block access to Windows and most people would then believe ALL their files were locked down rather than just Windows system files.<p>I guess for enterprise folks that can deploy via AD this might offer a bit of security although it's not clear if CFA can protect network files which of course would be just a vulnerable to malware when the attacked user have read/write privs in network directories.