Managing exclusions reference
Each version of Defender for Endpoint provides management of exclusions via the supported management tools. This article summarizes how you can configure exclusions using various management tools.
Manage exclusions for Windows devices
The following table shows which exclusion types are supported by each management tool. In the table, certain abbreviations are used:
- "Custom AV" refers to custom antivirus exclusions.
- "ASR only" refers to exclusions for attack surface reduction capabilities only.
- "ASR per rule" refers to attack surface reduction per-rule exclusions.
- "CFA" refers to controlled folder access.
- "Automation" refers to folder exclusions for automated investigation & remediation.
- "Disable automatic" refers to disabling automatic antivirus exclusions on Windows Server 2016 and later.
Management | Custom AV | ASR only | ASR per rule | CFA | Automation | Disable automatic |
---|---|---|---|---|---|---|
Defender Portal | Yes | Yes | Yes | Yes | Yes | |
Intune | Yes | Yes | Yes | Yes | | |
MDM CSP | Yes | Yes | | Yes | | |
PowerShell | Yes | Yes | | Yes | | Yes |
GPO | Yes | Yes | | Yes | | Yes |
WMI | Yes | | | | | Yes |
Configuration Manager | Yes | Yes | | Yes | | |
A blank cell means the tool does not manage that exclusion type; the per-tool sections that follow give the details.
The Microsoft Defender portal
Many exclusions can be managed in the Microsoft Defender portal.
Exclusion Type | Instructions |
---|---|
Custom antivirus exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy. 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select a template and define your exclusions. Both the Microsoft Defender Antivirus exclusions template and the Microsoft Defender Antivirus template support custom antivirus exclusions. |
Attack surface reduction only exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy. 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to Attack Surface Reduction Only Exclusions and define your exclusions. |
Attack surface reduction per-rule exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy. 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to the rule for which you want to create an exclusion. 6. Change it from Not configured to Block, Audit, or Warn. 7. Select Add to specify the path to be excluded. |
Controlled folder access exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy. 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to Controlled Folder Access Allowed Applications and define your exclusions. |
Automation folder exclusions | 1. In the Microsoft Defender portal, go to Settings > Endpoints > Rules > Automation folder exclusions. 2. Select New Folder Exclusion and define your exclusions. |
Automatic antivirus exclusions | Not supported in the Microsoft Defender portal. |
Note: IP address exclusions cannot be configured in the Microsoft Defender portal.
Learn More:
- Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus
- Add automatic folder exclusions
Intune
Many exclusions can be managed in the Microsoft Intune admin center.
Exclusion Type | Instructions |
---|---|
Custom antivirus exclusions | 1. In the Intune admin center, go to Home > Endpoint security > Antivirus. 2. Select Create Policy. 3. For Platform, select Windows. 4. Select a template. Both the Microsoft Defender Antivirus exclusions template and the Microsoft Defender Antivirus template support custom antivirus exclusions. |
Attack surface reduction only exclusions | 1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction. 2. Select Create Policy. 3. For Platform, select Windows. 4. For Profile, select Attack surface reduction rules. 5. Under Configuration Settings, scroll down to Attack Surface Reduction Only Exclusions and define your exclusions. |
Attack surface reduction per-rule exclusions | 1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction. 2. Select Create Policy. 3. For Platform, select Windows. 4. For Profile, select Attack surface reduction rules. 5. Under Configuration Settings, scroll down to the rule for which you want to create an exclusion. 6. Change it from Not configured to Block, Audit, or Warn. 7. Select Add to enter the path to be excluded. |
Controlled folder access exclusions | 1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction. 2. Select Create Policy. 3. For Platform, select Windows. 4. For Profile, select Attack surface reduction rules. 5. Under Configuration Settings, scroll down to Controlled Folder Access Allowed Applications and define your exclusions. |
Automation folder exclusions | Not supported |
Automatic antivirus exclusions | Not supported in the Intune admin center. |
Learn More:
- Create a new antivirus policy with exclusions in Intune
- Manage antivirus exclusions in Intune (for existing policies)
- Configure attack surface reduction per-rule exclusions
MDM CSP
Exclusion type | OMA-URI |
---|---|
Custom antivirus exclusion: ExcludedProcesses | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses |
Custom antivirus exclusion: ExcludedPaths | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths |
Custom antivirus exclusion: ExcludedExtensions | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions |
Attack surface reduction only exclusions: AttackSurfaceReductionOnlyExclusions | ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions |
Controlled folder access exclusion: ControlledFolderAccessAllowedApplications | ./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications |
PowerShell
Use Set-MpPreference or Get-MpPreference in the Defender PowerShell module.
Exclusion type | Parameter | Description |
---|---|---|
Custom antivirus exclusion | ExclusionIpAddress | IP addresses to exclude from scheduled and real-time scanning |
Custom antivirus exclusion | ExclusionPath | File paths to exclude from scheduled and real-time scanning |
Custom antivirus exclusion | ExclusionProcess | Files opened by these processes are excluded from scheduled and real-time scanning |
Custom antivirus exclusion | ExclusionExtension | File name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning |
Attack surface reduction only exclusion | AttackSurfaceReductionOnlyExclusions | Specifies the files and paths to exclude |
Attack surface reduction per-rule exclusion | N/A | Not supported |
Controlled folder access exception | ControlledFolderAccessAllowedApplications | Specifies applications that can make changes in controlled folders |
Automation folder exclusions | N/A | Not supported |
Automatic antivirus exclusions (only available on Windows Server 2016 and later) | DisableAutoExclusions | Disable automatic antivirus exclusions |
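As an added example (not from this page or the Defender module documentation), the following PowerShell configures each exclusion type the table marks as supported and then reads the effective configuration back with Get-MpPreference. It uses Add-MpPreference for the list-valued settings because Set-MpPreference replaces the whole list, which is an easy way to silently drop exclusions that another administrator or policy already set. Every path, process name and address below is a constructed placeholder.

```powershell
# Added example (not from the page or the Defender module docs): configure every
# exclusion type the table marks as supported, then verify with Get-MpPreference.
# Run elevated. All paths, process names and addresses are constructed placeholders.
#Requires -RunAsAdministrator
Import-Module Defender

# Custom antivirus exclusions. Add-MpPreference appends to the existing list;
# Set-MpPreference with the same parameter replaces the whole list.
Add-MpPreference -ExclusionPath      'C:\Contoso\BuildAgent\work'          # placeholder folder
Add-MpPreference -ExclusionExtension 'obj', 'lib'
Add-MpPreference -ExclusionProcess   'C:\Program Files\Contoso\svc.exe'    # placeholder process
Add-MpPreference -ExclusionIpAddress '192.0.2.10'                           # placeholder address

# Attack surface reduction "only" exclusion: applies across ASR rules.
# Per-rule ASR exclusions are not exposed through the PowerShell module.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\setup.exe'

# Controlled folder access: allow one application to write to protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\backup.exe'

# Automatic exclusions exist only on Windows Server 2016 and later. $true turns
# the role-based automatic list off; $false (the default) keeps it in place.
Set-MpPreference -DisableAutoExclusions $false

# Read the effective preference back and confirm each entry is present.
$pref = Get-MpPreference
$pref | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess,
                      ExclusionIpAddress, AttackSurfaceReductionOnlyExclusions,
                      ControlledFolderAccessAllowedApplications, DisableAutoExclusions |
        Format-List

# Remove a single entry again without disturbing the rest of the list.
Remove-MpPreference -ExclusionPath 'C:\Contoso\BuildAgent\work'
```

Because the Get-MpPreference output is the merged result of local settings and any policy-delivered values, reading it back after each change is the quickest way to confirm that a tamper-protected or policy-managed setting did not silently reject the update.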
Group Policy Object (GPO)
Exclusion Type | Setting location | Reference |
---|---|---|
Custom antivirus exclusion - Path | Windows components > Microsoft Defender Antivirus > Exclusions > Path Exclusions | See Use Group Policy to configure folder or file extension exclusions |
Custom antivirus exclusions - Process | Windows components > Microsoft Defender Antivirus > Exclusions > Process Exclusions | See Use Group Policy to exclude files that have been opened by specified processes from scans |
Attack Surface Reduction only exclusions | Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Exclude files and paths from Attack surface reduction rules | See Group Policy |
Attack surface reduction rule per rule exclusion | Not supported | |
Automatic antivirus exclusions | Windows components > Microsoft Defender Antivirus > Exclusions > Enabled | See Use Group Policy to disable the autoexclusions list on Windows Server 2016, Windows Server 2019, and Windows Server 2022 |
Automation folder exclusions | Not supported | |
Controlled Folder Access exclusions | Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access > Configure allowed applications | See Use group policy to allow specific apps |
Windows Management Instrumentation (WMI)
Exclusion Type | Property |
---|---|
Custom antivirus exclusion - Path | ExclusionPath |
Custom antivirus exclusion - Extension | ExclusionExtension |
Custom antivirus exclusion - Process | ExclusionProcess |
Attack Surface Reduction only exclusions | Not supported |
Attack surface reduction rule per rule exclusion | Not supported |
Automatic antivirus exclusions | DisableAutoExclusions |
Controlled Folder Access exclusions | Not supported |
Automation folder exclusions | Not supported |
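The WMI property names above are those of the MSFT_MpPreference class in the root/Microsoft/Windows/Defender namespace, which is what Get-MpPreference wraps. As an added example (not from this page), the following function reads those properties over CIM, locally or from a list of hosts, and flags exclusions that are broad enough to weaken coverage; the flagging patterns are constructed heuristics, not a Microsoft recommendation, and the function name is an assumption.

```powershell
# Added example (not from the page): inventory Defender exclusions through the
# MSFT_MpPreference WMI class and flag entries that are broad enough to weaken
# coverage. Property names match the table above. Flagging patterns are
# constructed heuristics; Get-DefenderExclusionReport is a name chosen here.

function Get-DefenderExclusionReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Constructed heuristics: drive roots, user-writable locations, and
    # extensions that can carry executable code.
    $broadPath = '^[A-Za-z]:\\?$|\\Users\\|\\Temp\\|\\ProgramData\\|\\Windows\\'
    $riskyExt  = '^\.?(exe|dll|ps1|bat|cmd|vbs|js|scr)$'

    foreach ($name in $ComputerName) {
        $query = @{ Namespace = 'root/Microsoft/Windows/Defender'; ClassName = 'MSFT_MpPreference' }
        if ($name -ne $env:COMPUTERNAME) { $query.ComputerName = $name }   # remote hosts over WinRM
        $pref = Get-CimInstance @query

        $rows = @(
            @{ Type = 'Path';      Values = $pref.ExclusionPath;      Pattern = $broadPath }
            @{ Type = 'Extension'; Values = $pref.ExclusionExtension; Pattern = $riskyExt  }
            @{ Type = 'Process';   Values = $pref.ExclusionProcess;   Pattern = $broadPath }
        )
        foreach ($row in $rows) {
            foreach ($v in @($row.Values)) {
                if (-not $v) { continue }    # property is empty when nothing is excluded
                [pscustomobject]@{
                    Computer = $name
                    Type     = $row.Type
                    Value    = $v
                    Flag     = [bool]($v -match $row.Pattern)
                }
            }
        }

        # Automatic exclusions are server-only; report whether they were turned off.
        [pscustomobject]@{
            Computer = $name
            Type     = 'DisableAutoExclusions'
            Value    = $pref.DisableAutoExclusions
            Flag     = [bool]$pref.DisableAutoExclusions
        }
    }
}

# Usage: run locally, or pass a list of hosts, and review anything flagged.
Get-DefenderExclusionReport | Where-Object Flag | Format-Table -AutoSize
```

Querying the class directly rather than through Get-MpPreference keeps the dependency on the Defender module off the collecting host, which matters when the report is gathered from a jump box or folded into an existing CIM-based inventory job.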
Configuration Manager
Exclusion Type | Reference |
---|---|
Custom antivirus exclusion | See exclusion settings |
Attack Surface Reduction only exclusions | See Microsoft Configuration Manager |
Attack surface reduction rule per rule exclusion | Not supported |
Controlled Folder Access exclusions | See Microsoft Configuration Manager |
Automation folder exclusions | Not supported |
Manage exclusions for Linux
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux.
See Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.
Manage exclusions for macOS
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on macOS scans.
See Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.