Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Each version of Defender for Endpoint provides management of exclusions via the supported management tools. This article summarizes how you can configure exclusions using various management tools.
Manage exclusions for Windows devices
The following table shows which exclusion types are supported by each management tool. The table uses the following abbreviations:
- Custom AV: Custom antivirus exclusions.
- ASR only: Exclusions that affect all attack surface reduction rules only.
- ASR per rule: Per-rule attack surface reduction exclusions.
- CFA: Controlled folder access.
- Automation: Folder exclusions for automated investigation and remediation.
- Disable automatic: Disable automatic antivirus exclusions on Windows Server 2016 or later.
| Management | Custom AV | ASR only | ASR per rule | CFA | Automation | Disable automatic |
|---|---|---|---|---|---|---|
| Microsoft Defender portal | 
|
|
|
|
|
|
| Microsoft Intune admin center |
|
|
|
|
|
|
| MDM CSP |
|
|
|
|
|
|
| PowerShell |
|
|
|
|
|
|
| GPO |
|
|
|
|
|
|
| WMI |
|
|
|
|
|
|
| Configuration Manager |
|
|
|
|
|
|
The following sections expand on this information.
The Microsoft Defender portal
The following table describes where you configure supported exclusions in the Microsoft Defender portal at https://security.microsoft.com.
| Exclusion Type | Instructions |
|---|---|
| Custom antivirus exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy. 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select a template and define your exclusions. Both Microsoft Defender Antivirus exclusions and Microsoft Defender Antivirus support custom antivirus exclusions. |
| Global exclusions for all attack surface reduction (ASR) rules only | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to Attack Surface Reduction Only Exclusions and define your exclusions. |
| Per-ASR rule exclusions | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to the rule to create an exclusion. 6. Change it from Not configured to Block,Audit, or Warn. 7. Select Add to specify the path to be excluded. |
| Controlled folder access exclusion | 1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies. 2. Select Create New Policy 3. For Platform, select Windows 10, Windows 11, and Windows Server. 4. Select the Attack Surface Reduction Rules template. 5. Scroll down to Controlled Folder Access Allowed Applications and define your exclusions. |
| Automation folder exclusions | 1. In the Microsoft Defender portal, go to Settings > Endpoints > Rules > Automation folder exclusions 2. Select New Folder Exclusion and define your exclusions. |
| Automatic antivirus exclusions | Not supported in the Microsoft Defender portal. |
Note
You can't configure IP Address Exclusions in the Microsoft Defender portal.
Learn More:
- Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus
- Add automatic folder exclusions
Intune
Many exclusions can be managed in the Microsoft Intune admin center.
| Exclusion Type | Instructions |
|---|---|
| Custom antivirus exclusions | 1. In the Intune admin center, go to Home > Endpoint security > Antivirus. 2. Select Create Policy. 3. For Platform, select Windows. 4. Select a template. Both Microsoft Defender Antivirus exclusions and Microsoft Defender Antivirus support custom antivirus exclusions |
| Global exclusions for all attack surface reduction (ASR) rules only | For complete instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies. |
| Per-ASR rule exclusions | For complete instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies. |
| Controlled folder access exclusion | You configure controlled folder access exclusions (Controlled Folder Access Allowed Applications) in the same policies where you configure ASR rules (Attack surface reduction endpoint security policies). For complete instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies. |
| Automation folder exclusions | Not supported |
| Automatic antivirus exclusions | Not supported in the Intune admin center. |
Learn More:
MDM CSP
| Exclusion type | OMA-URI |
|---|---|
| Custom antivirus exclusion: ExcludedProcesses |
./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses |
| Custom antivirus exclusion: ExcludedPaths |
./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths |
| Custom antivirus exclusion: ExcludedExtensions |
./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions |
| Attack surface reduction only exclusions: AttackSurfaceReductionOnlyExclusions |
./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions |
| Controlled folder access exclusion: ControlledFolderAccessAllowedApplications |
./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications |
Learn more:
PowerShell
Use Set-MpPreference or Get-MpPreference in the Defender PowerShell Module.
| Exclusion type | Flag | Description |
|---|---|---|
| Custom antivirus exclusion | ExclusionIpAddress |
IP addresses to exclude from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionPath |
File paths to exclude from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionProcess |
Files opened by these processes are excluded from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionExtension |
File name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning |
| Attack surface reduction only exclusion | AttackSurfaceReductionOnlyExclusions |
Specifies the files and paths to exclude |
| Attack surface reduction per-rule exclusion | N/A | Not supported |
| Controlled Folder Access exception | ControlledFolderAccessAllowedApplications |
Specifies applications that can make changes in controlled folders |
| Automation folder exclusions | N/A | Not supported |
| Automatic antivirus exclusions (Only available on Windows Server 2016 and later) |
DisableAutoExclusions |
Disable automatic antivirus exclusions |
Group Policy Object (GPO)
| Exclusion Type | Setting location | Reference |
|---|---|---|
| Custom antivirus exclusion - Path | Windows components > Microsoft Defender Antivirus > Exclusions > Path Exclusions | See Use Group Policy to configure folder or file extension exclusions |
| Custom antivirus exclusions - Process | Windows components > Microsoft Defender Antivirus > Exclusions > Process Exclusions | See Use Group Policy to exclude files that have been opened by specified processes from scans |
| Attack Surface Reduction only exclusions | Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction > Exclude files and paths from Attack Surface Reduction rules | See Group Policy |
| Attack surface reduction rule per rule exclusion | Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Apply a list of exclusions to specific Attack Surface Reduction (ASR) rules | See Group Policy |
| Automatic antivirus exclusions | Windows components > Microsoft Defender Antivirus > Exclusions > Enabled | See Use Group Policy to disable the auto-exclusions list on Windows Server 2016, Windows Server 2019, and later |
| Automation folder exclusions | Not supported | |
| Controlled Folder Access exclusions | Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access > Configure allowed applications | See Use group policy to allow specific apps |
Windows Management Instrumentation (WMI)
| Exclusion Type | Property |
|---|---|
| Custom antivirus exclusion - Path | ExclusionPath |
| Custom antivirus exclusion - Extension | ExclusionExtension |
| Custom antivirus exclusion - Process | ExclusionProcess |
| Attack Surface Reduction only exclusions | Not supported |
| Attack surface reduction rule per rule exclusion | Not supported |
| Automatic antivirus exclusions | DisableAutoExclusions |
| Controlled Folder Access exclusions | Not supported |
| Automation folder exclusions | Not supported |
Learn more:
Configuration Manager
| Exclusion Type | Reference |
|---|---|
| Custom antivirus exclusion | For more information, see exclusion settings |
| Global exclusions for attack surface reduction (ASR) rules only | For more information, see Configure ASR rules and global ASR rule exclusions in Microsoft Configuration Manager |
| Per-ASR rule exclusion | Not supported |
| Controlled Folder Access exclusions | For more information, see Microsoft Configuration Manager |
| Automation folder exclusions | Not supported |
Manage exclusions for Linux
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux.
See Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.
Manage exclusions for macOS
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Mac scans.
See Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.