Edit

Configure custom exclusions for Microsoft Defender Antivirus

In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. However, you can exclude files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. File, folder, process, and process-opened-file exclusions are known as custom exclusions. This article describes how to use Microsoft Intune to define custom exclusions for Microsoft Defender Antivirus in Microsoft Windows.

Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring. Exclusions for process-opened files apply only to real-time protection.

Tip

Prerequisites

Supported operating systems

Custom exclusions as described in this article are supported on the following operating systems:

  • Windows

Important points about exclusions

Keep the following points in mind before you define exclusions.

-

Caution

Use exclusions sparingly. Exclusions are technically a protection gap that lowers Microsoft Defender Antivirus protection. Consider all options when you define exclusions. For more information, see Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

  • Exclusions can directly affect whether Microsoft Defender Antivirus can block, remediate, or inspect events related to excluded files, folders, or processes.

  • Periodically review and audit exclusions. Recheck and re-enforce mitigations as part of your review process. To avoid confusion, your security team should preserve context around why a certain exclusion was required.

  • Use exclusions only for specific issues (for example, performance or app compatibility). Don't exclude something just because you think it might be a problem in the future.

Create Microsoft Defender antivirus exclusion policies in Intune

To create a new AV policy in Microsoft Intune using the Microsoft Defender Antivirus Exclusions profile, see Create an endpoint security policy (opens in a new tab in the Intune documentation). When creating the policy, use these settings:

  • Policy type: Antivirus

  • Platform: Windows

  • Profile: Microsoft Defender Antivirus exclusions

  • Configuration settings: Configure the ExcludedExtensions, ExcludedPaths, and ExcludedProcesses. To add an exclusion, select Add and enter the value in the box that appears. Repeat these steps to add more exclusions as necessary.

    Tip

    • The Microsoft Defender Antivirus service runs in the system context using the LocalSystem account. Therefore, environment variables like %USERPROFILE% are expanded using the LocalSystem profile rather than the signed-in user's profile, which means they resolve to different paths than you might expect. For more information, see System environment variables.

    • Don't use user environment variables as wildcards in folder and process exclusions in Microsoft Defender Antivirus. Only use the following types of environment variables as wildcards:

    • System environment variables.

    • Environment variables that apply to processes running as the NT AUTHORITY\SYSTEM account.

    For more information, see Use wildcards in the file name and folder path or extension exclusion lists.

For more information about Microsoft Defender Antivirus profiles in Microsoft Intune, see Antivirus policy for endpoint security.

Modify exclusions in Microsoft Defender antivirus exclusion policies in Intune

To modify an existing AV policy in Microsoft Intune that uses the Microsoft Defender Antivirus Exclusions profile, see Modify existing policies (opens in a new tab in the Intune documentation). When modifying the policy, use these settings:

  • Manage: Antivirus

  • Configuration settings: Add or remove exclusions.

    • To add an exclusion, select Add, and then enter the value in the box that appears. Repeat this step as many times as necessary.
    • To remove an exclusion or an empty box, select the check box next to the entry, and then select Remove.
    • To import a .csv file of new exclusions, select Import.
    • To export the existing exclusions to a .csv file of, select Export.

For more information about Microsoft Defender Antivirus profiles in Microsoft Intune, see Antivirus policy for endpoint security.

Antivirus exclusions on Exchange servers

Microsoft Exchange Server 2016 or later supports integration with the anti-malware Scan Interface (AMSI). For more information, see Exchange Server AMSI integration.

Many organizations exclude Exchange Server folders from antivirus scans for performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus exclusions on Exchange servers and assessing whether you can remove exclusions without affecting performance. You can manage exclusions using Group Policy, PowerShell, or systems management tools like Microsoft Intune.

To audit Microsoft Defender Antivirus exclusions on an Exchange Server, run the Get-MpPreference cmdlet from an elevated PowerShell prompt.

If you can't remove exclusions for the Exchange processes and folders, remember that a quick scan in Microsoft Defender Antivirus scans the Exchange directories and files, regardless of exclusions.