
Managing exclusions reference

Each version of Defender for Endpoint provides management of exclusions via the supported management tools. This article summarizes how you can configure exclusions using various management tools.

Manage exclusions for Windows devices

The following table shows which exclusion types are supported by each management tool. In the table, certain abbreviations are used:

  • "Custom AV" refers to custom antivirus exclusions.
  • "ASR only" refers to exclusions for attack surface reduction capabilities only.
  • "ASR per rule" refers to attack surface reduction per-rule exclusions.
  • "CFA" refers to controlled folder access.
  • "Automation" refers to folder exclusions for automated investigation & remediation.
  • "Disable automatic" refers to disabling automatic antivirus exclusions on Windows Server 2016 and later.
| Management | Custom AV | ASR only | ASR per rule | CFA | Automation | Disable automatic |
|---|---|---|---|---|---|---|
| Defender Portal | Yes | Yes | Yes | Yes | Yes | No |
| Intune | Yes | Yes | Yes | Yes | No | No |
| MDM CSP | Yes | Yes | No | Yes | No | No |
| PowerShell | Yes | Yes | No | Yes | No | Yes |
| GPO | Yes | Yes | Yes | Yes | No | Yes |
| WMI | Yes | No | No | No | No | Yes |
| Configuration Manager | Yes | Yes | No | Yes | No | No |

The Microsoft Defender portal

Many exclusions can be managed in the Microsoft Defender portal.

Custom antivirus exclusions
1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies.
2. Select Create New Policy.
3. For Platform, select Windows 10, Windows 11, and Windows Server.
4. Select a template and define your exclusions. Both the Microsoft Defender Antivirus exclusions template and the Microsoft Defender Antivirus template support custom antivirus exclusions.

Attack surface reduction only exclusions
1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies.
2. Select Create New Policy.
3. For Platform, select Windows 10, Windows 11, and Windows Server.
4. Select the Attack Surface Reduction Rules template.
5. Scroll down to Attack Surface Reduction Only Exclusions and define your exclusions.

Attack surface reduction per-rule exclusions
1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies.
2. Select Create New Policy.
3. For Platform, select Windows 10, Windows 11, and Windows Server.
4. Select the Attack Surface Reduction Rules template.
5. Scroll down to the rule for which you want to create an exclusion.
6. Change it from Not configured to Block, Audit, or Warn.
7. Select Add to specify the path to be excluded.

Controlled folder access exclusions
1. In the Microsoft Defender portal, go to Endpoints > Configuration Management > Endpoint security policies > Windows policies.
2. Select Create New Policy.
3. For Platform, select Windows 10, Windows 11, and Windows Server.
4. Select the Attack Surface Reduction Rules template.
5. Scroll down to Controlled Folder Access Allowed Applications and define your exclusions.

Automation folder exclusions
1. In the Microsoft Defender portal, go to Settings > Endpoints > Rules > Automation folder exclusions.
2. Select New Folder Exclusion and define your exclusions.

Automatic antivirus exclusions
Not supported in the Microsoft Defender portal.

Note

IP Address Exclusions cannot be configured in the Microsoft Defender portal.

Intune

Many exclusions can be managed in the Microsoft Intune admin center.

Custom antivirus exclusions
1. In the Intune admin center, go to Home > Endpoint security > Antivirus.
2. Select Create Policy.
3. For Platform, select Windows.
4. Select a template and define your exclusions. Both the Microsoft Defender Antivirus exclusions template and the Microsoft Defender Antivirus template support custom antivirus exclusions.

Attack surface reduction only exclusions
1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction.
2. Select Create Policy.
3. For Platform, select Windows.
4. For Profile, select Attack surface reduction rules.
5. Under Configuration Settings, scroll down to Attack Surface Reduction Only Exclusions and define your exclusions.

Attack surface reduction per-rule exclusions
1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction.
2. Select Create Policy.
3. For Platform, select Windows.
4. For Profile, select Attack surface reduction rules.
5. Under Configuration Settings, scroll down to the rule for which you want to create an exclusion.
6. Change it from Not configured to Block, Audit, or Warn.
7. Select Add to enter the path to be excluded.

Controlled folder access exclusions
1. In the Intune admin center, go to Home > Endpoint security > Attack surface reduction.
2. Select Create Policy.
3. For Platform, select Windows.
4. For Profile, select Attack surface reduction rules.
5. Under Configuration Settings, scroll down to Controlled Folder Access Allowed Applications and define your exclusions.

Automation folder exclusions
Not supported in the Intune admin center.

Automatic antivirus exclusions
Not supported in the Intune admin center.

MDM CSP

| Exclusion type | Setting | OMA-URI |
|---|---|---|
| Custom antivirus exclusion | ExcludedProcesses | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses |
| Custom antivirus exclusion | ExcludedPaths | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths |
| Custom antivirus exclusion | ExcludedExtensions | ./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions |
| Attack surface reduction only exclusions | AttackSurfaceReductionOnlyExclusions | ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions |
| Controlled folder access exclusion | ControlledFolderAccessAllowedApplications | ./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications |

PowerShell

Use Set-MpPreference (to change settings) or Get-MpPreference (to view the current settings) in the Defender PowerShell module.

| Exclusion type | Parameter | Description |
|---|---|---|
| Custom antivirus exclusion | ExclusionIpAddress | IP addresses to exclude from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionPath | File paths to exclude from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionProcess | Files opened by these processes are excluded from scheduled and real-time scanning |
| Custom antivirus exclusion | ExclusionExtension | File name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning |
| Attack surface reduction only exclusion | AttackSurfaceReductionOnlyExclusions | Specifies the files and paths to exclude |
| Attack surface reduction per-rule exclusion | N/A | Not supported |
| Controlled folder access exception | ControlledFolderAccessAllowedApplications | Specifies applications that can make changes in controlled folders |
| Automation folder exclusions | N/A | Not supported |
| Automatic antivirus exclusions (only available on Windows Server 2016 and later) | DisableAutoExclusions | Disable automatic antivirus exclusions |
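The parameters above are also what a reviewer uses to audit an existing exclusion set. The following script is an added example, not part of the Microsoft article: it reads the configured exclusions with Get-MpPreference, labels each one by type, and flags entries that widen the attack surface (whole-drive or wildcard paths, user-writable locations, process names given without a full path, executable-type extensions). The risk heuristics in Test-RiskyExclusion are this example's own assumptions, not a Defender feature; the commented Add-/Remove-/Set-MpPreference calls at the end show how changes would be applied.

```powershell
# Added example (not from the Microsoft article): review the current exclusion set
# with Get-MpPreference and flag entries that deserve a second look.
$prefs = Get-MpPreference

# Collect every exclusion type into one list so it can be reviewed uniformly.
# Iterating over an empty property simply adds nothing.
$exclusions = @()
foreach ($p in $prefs.ExclusionPath)       { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $p } }
foreach ($p in $prefs.ExclusionProcess)    { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $p } }
foreach ($e in $prefs.ExclusionExtension)  { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $e } }
foreach ($ip in $prefs.ExclusionIpAddress) { $exclusions += [pscustomobject]@{ Type = 'IpAddress'; Value = $ip } }
foreach ($p in $prefs.AttackSurfaceReductionOnlyExclusions) {
    $exclusions += [pscustomobject]@{ Type = 'ASR only'; Value = $p }
}
foreach ($p in $prefs.ControlledFolderAccessAllowedApplications) {
    $exclusions += [pscustomobject]@{ Type = 'CFA allowed app'; Value = $p }
}

# Heuristics (this example's own assumptions): an exclusion is worth reviewing when it
# covers a whole drive or uses a wildcard, points at a user-writable ___location, names a
# process without a full path (which then matches any process with that name), or
# excludes an executable-type extension.
function Test-RiskyExclusion {
    param([string]$Type, [string]$Value)
    switch ($Type) {
        'Path' {
            return ($Value -match '^[A-Za-z]:\\?$') -or
                   ($Value -match '\\(Temp|Downloads|AppData)\\') -or
                   ($Value -match '\*')
        }
        'Process'   { return ($Value -notmatch '\\') }
        'Extension' { return ($Value.TrimStart('.') -in @('exe', 'dll', 'ps1', 'js', 'vbs')) }
        default     { return $false }
    }
}

$exclusions |
    Select-Object Type, Value,
        @{ Name = 'NeedsReview'; Expression = { Test-RiskyExclusion $_.Type $_.Value } } |
    Format-Table -AutoSize

# On Windows Server 2016 and later, the built-in role exclusions are active while
# DisableAutoExclusions is $false; a $true value means they have been switched off.
if ($prefs.DisableAutoExclusions) {
    Write-Warning 'Automatic server exclusions are disabled on this host.'
}

# Changes go through Add-/Remove-MpPreference for list entries and Set-MpPreference
# for scalar settings, for example:
#   Add-MpPreference    -ExclusionPath 'C:\Example\Build'      # hypothetical path
#   Remove-MpPreference -ExclusionProcess 'example.exe'        # hypothetical process
#   Set-MpPreference    -DisableAutoExclusions $false
```

Run it in an elevated PowerShell session on the device being reviewed; the Defender module is present on any supported Windows client or server, so no installation step is needed.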

Group Policy Object (GPO)

| Exclusion type | Setting ___location | Reference |
|---|---|---|
| Custom antivirus exclusion - Path | Windows components > Microsoft Defender Antivirus > Exclusions > Path Exclusions | See Use Group Policy to configure folder or file extension exclusions |
| Custom antivirus exclusion - Process | Windows components > Microsoft Defender Antivirus > Exclusions > Process Exclusions | See Use Group Policy to exclude files that have been opened by specified processes from scans |
| Attack surface reduction only exclusions | Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction > Exclude files and paths from Attack Surface Reduction rules | See Group Policy |
| Attack surface reduction per-rule exclusions | Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Apply a list of exclusions to specific Attack Surface Reduction (ASR) rules | See Group Policy |
| Automatic antivirus exclusions | Windows components > Microsoft Defender Antivirus > Exclusions > Enabled | See Use Group Policy to disable the autoexclusions list on Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, and Azure Stack HCI OS, version 23H2 and later |
| Automation folder exclusions | Not supported | |
| Controlled folder access exclusions | Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access > Configure allowed applications | See Use Group Policy to allow specific apps |

Windows Management Instrumentation (WMI)

| Exclusion type | Property |
|---|---|
| Custom antivirus exclusion - Path | ExclusionPath |
| Custom antivirus exclusion - Extension | ExclusionExtension |
| Custom antivirus exclusion - Process | ExclusionProcess |
| Attack surface reduction only exclusions | Not supported |
| Attack surface reduction per-rule exclusions | Not supported |
| Automatic antivirus exclusions | DisableAutoExclusions |
| Controlled folder access exclusions | Not supported |
| Automation folder exclusions | Not supported |
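The WMI properties in the table are exposed by the MSFT_MpPreference class in the root/Microsoft/Windows/Defender namespace, which is what makes them usable for fleet-wide inventory rather than one device at a time. The script below is an added example, not part of the Microsoft article: it opens a CIM session to each host, reads only the properties the table lists as supported, and reports how many exclusions of each kind are configured and whether automatic server exclusions have been disabled. The host names are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): inventory Defender exclusions across
# several hosts through the MSFT_MpPreference WMI class. Requires WinRM/CIM access
# and local administrator rights on each target.
$namespace = 'root/Microsoft/Windows/Defender'
$computers = @('server01.corp.example', 'server02.corp.example')   # constructed placeholders

$results = foreach ($computer in $computers) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        $pref = Get-CimInstance -CimSession $session -Namespace $namespace `
                                -ClassName MSFT_MpPreference -ErrorAction Stop
        # Measure-Object yields 0 for an empty property, so counts stay correct on clean hosts.
        [pscustomobject]@{
            Computer              = $computer
            PathExclusions        = ($pref.ExclusionPath      | Measure-Object).Count
            ProcessExclusions     = ($pref.ExclusionProcess   | Measure-Object).Count
            ExtensionExclusions   = ($pref.ExclusionExtension | Measure-Object).Count
            DisableAutoExclusions = [bool]$pref.DisableAutoExclusions
            Paths                 = ($pref.ExclusionPath -join '; ')
            Error                 = $null
        }
        Remove-CimSession -CimSession $session
    }
    catch {
        # Keep unreachable hosts in the report rather than silently dropping them.
        [pscustomobject]@{
            Computer = $computer; PathExclusions = $null; ProcessExclusions = $null
            ExtensionExclusions = $null; DisableAutoExclusions = $null; Paths = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Format-Table Computer, PathExclusions, ProcessExclusions, ExtensionExclusions, DisableAutoExclusions, Error -AutoSize

# Servers with DisableAutoExclusions set to $true no longer receive the role-specific
# exclusions Microsoft maintains for Windows Server 2016 and later; list them for follow-up.
$results | Where-Object { $_.DisableAutoExclusions -eq $true } | Select-Object Computer, Paths
```

Because the class is the same one Get-MpPreference wraps locally, the property names match the PowerShell table exactly; the difference is that CIM sessions let one collection run cover every host in scope.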

Configuration Manager

| Exclusion type | Reference |
|---|---|
| Custom antivirus exclusion | See exclusion settings |
| Attack surface reduction only exclusions | See Microsoft Configuration Manager |
| Attack surface reduction per-rule exclusions | Not supported |
| Controlled folder access exclusions | See Microsoft Configuration Manager |
| Automation folder exclusions | Not supported |

Manage exclusions for Linux

You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux.

See Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.

Manage exclusions for macOS

You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Mac scans.

See Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.