Exclude Files or Folders from Microsoft Defender Antivirus Scan using Intune

You can exclude certain files, folders or processes from scanning by Microsoft Defender Antivirus. Exclusions are applied to scheduled scans, on-demand scans and always-on real-time protection and monitoring.

Please note that Microsoft Defender Antivirus already includes many built-in automatic exclusions based on known operating system behaviours. If you exclude a file or folder path from scanning and real-time monitoring in Microsoft Defender, you must be sure that you trust that path and know that its contents are not malicious.

If you have decided to whitelist / exclude a file or folder path from Microsoft Defender scans, there are different ways to achieve this depending on your environment. For example, you can create a Group Policy Object if all your devices are managed by on-premises Active Directory, or an Intune Device Configuration Profile if your organization's devices are managed by Azure AD / Hybrid Azure AD.

If your organization is fully cloud based and all devices are Azure AD joined and managed by Intune, you can create a Device restriction policy in Intune, configure the Defender exclusions and assign the policy to all devices or to a group of devices. There are other methods, such as configuring Microsoft Defender exclusions with PowerShell, or logging on to each PC as an administrator and configuring the exclusions manually.

In this blog post, we will see how to configure file or folder exclusions in Microsoft Defender using Intune, and also how to do it manually on the device.

You can check the current exclusion list in Defender on your system with the PowerShell command below. As I checked on my system, there are currently no exclusions applied. Once we apply the exclusions, we will re-run this command on the device to confirm that they have been added to the list.

Get-MpPreference | Select-Object -Property ExclusionPath

[Screenshot: Microsoft Defender AV exclusion list check using PowerShell]

Create a Device Restriction Policy

To create a Device Restriction Policy in Intune, use the steps below:

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Click on Devices and then click on Configuration Profiles.
  • Click on + Create Profile.
  • Select Platform as Windows 10 and later.
  • Select Profile Type as Templates.
  • Select Device restrictions from the list of Templates and click Create.

[Screenshot: Microsoft Defender AV folder and file path exclusion using Microsoft Intune]

Basics Tab

Provide the Name and Description of the Policy and click on Next.

Name: Microsoft Defender AV Exclusions Policy

Description: This policy is for Excluding files or folders from scanning or real time monitoring in Microsoft Defender Anti-Virus.

Configuration Settings Tab

Scroll down to find the Microsoft Defender Antivirus Exclusions settings, and then the setting Exclude certain files or folders from scanning and real-time monitoring. As you can see, I have a few database files in C:\sql-db-data and one file called Terraform.exe which I would like to exclude from scanning and monitoring.

You can add multiple files or folders to this list as per your requirement. As you will have noticed, you can also exclude files by extension, and processes, from Microsoft Defender scans.

[Screenshot: Microsoft Defender AV folder and file path exclusion using Microsoft Intune]

Assignments Tab

You can click on + Add all devices to apply this policy to all devices. However, if you want to apply this policy to a group of devices, create an Azure AD security group that contains those devices and add that group here.

[Screenshot: Microsoft Defender AV folder and file path exclusion using Microsoft Intune]

Review + Create

Click on Create to create this Configuration Profile. When the next Intune sync cycle completes, this policy will be applied to the device.

End User Device Testing

After Intune refreshed the policy on my device, I was able to confirm that the file exclusions are enabled on my device.

Open PowerShell as administrator and run the command below to check the Microsoft Defender AV exclusion list:

Get-MpPreference | Select-Object -Property ExclusionPath

[Screenshot: Microsoft Defender AV exclusion list check using PowerShell]
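Beyond looking at ExclusionPath alone, a practitioner usually wants to confirm that the device carries exactly the exclusions the policy defines and nothing more, since an unexpected exclusion is an audit finding. The following script is an added example (not code from the original post); it compares the path, extension and process exclusion lists reported by Get-MpPreference with an approved list. The approved values are assumptions: the post names C:\sql-db-data and Terraform.exe, but not the full path of Terraform.exe, so the path used here is a placeholder.

```powershell
# Added example: audit Microsoft Defender AV exclusions on a device against
# the list the Intune device restriction profile is expected to deliver.
# Run in an elevated PowerShell session on the managed device.

# Approved exclusions (assumed values; Terraform.exe path is a placeholder).
$ApprovedPaths     = @('C:\sql-db-data', 'C:\Tools\Terraform.exe')
$ApprovedExts      = @()   # no file-extension exclusions expected
$ApprovedProcesses = @()   # no process exclusions expected

function Compare-DefenderExclusion {
    param(
        [string]$Kind,
        [string[]]$Expected,
        [string[]]$Actual
    )
    # Get-MpPreference returns $null for an empty list; normalise to an array.
    $Actual = @($Actual | Where-Object { $_ })

    # -notcontains is case-insensitive, which suits Windows paths.
    $missing = @($Expected | Where-Object { $Actual   -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })

    foreach ($m in $missing) { Write-Warning "$Kind exclusion from policy NOT applied: $m" }
    foreach ($e in $extra)   { Write-Warning "$Kind exclusion present but NOT approved: $e" }
    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Output "$Kind exclusions match the approved list."
    }
}

$pref = Get-MpPreference
Compare-DefenderExclusion -Kind 'Path'      -Expected $ApprovedPaths     -Actual $pref.ExclusionPath
Compare-DefenderExclusion -Kind 'Extension' -Expected $ApprovedExts      -Actual $pref.ExclusionExtension
Compare-DefenderExclusion -Kind 'Process'   -Expected $ApprovedProcesses -Actual $pref.ExclusionProcess
```

Any "NOT approved" warning points at an exclusion that was added outside the Intune policy and should be investigated.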

Check Microsoft Defender Anti-Virus Exclusions Manually

You can check Microsoft Defender Antivirus exclusions from the device itself. Either run the PowerShell command shown above, or open Settings –> Update & Security –> Windows Security –> Virus & threat protection –> Virus & threat protection settings –> click on Manage settings –> scroll down to find Exclusions –> click on Add or remove exclusions. You can see the two exclusions we put in place: one for the sql-db-data folder and another for the Terraform.exe file.

Shortcut to Open Windows Security

You can also go to Start -> Run, type windowsdefender: to open the Windows Security window directly, and then click on Virus & threat protection -> Virus & threat protection settings –> click on Manage settings –> scroll down to find Exclusions –> click on Add or remove exclusions to manage the exclusion list.

Add Microsoft Defender Antivirus Scan and Real-Time Monitoring Exclusions

You can also click on + Add an exclusion to add an exclusion manually on the PC. You will find the same options as in the Intune Device Restriction Configuration Profile: File, Folder, File type or Process based exclusions.

[Screenshot: Add Microsoft Defender Antivirus scan and real-time monitoring exclusions]

Conclusion

Microsoft Defender Antivirus will skip scanning and real-time monitoring for any excluded files, folders or processes. If you exclude a folder by providing its path, for example C:\sql-db-data, then all the files in that folder will be skipped from scanning and monitoring by Defender AV. Please make sure you understand the risks associated with not scanning certain files or folders, and make sure that any folder location you add is one you trust and that does not contain malware or unknown files.