How to Create Defender Antivirus Exclusions using Intune

You can exclude certain files, folders, or processes from scanning by Microsoft Defender Antivirus. Exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.

Microsoft Defender Antivirus includes many built-in automatic exclusions based on known operating system behaviors. If you exclude a file or folder path from scanning and real-time monitoring in Microsoft Defender, you must ensure that you trust that file or folder path and know that the file or folder contents are not malicious.

If you have decided to exclude (whitelist) a file or folder path from scanning in Microsoft Defender, there are different ways to achieve this, depending on your environment.

For example, you can create a Group Policy Object if on-premises Active Directory manages all your devices. If your organization is fully cloud-based and all devices are Microsoft Entra joined and managed by Intune, then you can create a Device restrictions profile.

Other methods include using PowerShell to configure Microsoft Defender exclusions or manually logging on to each PC as an administrator and configuring the exclusions.

In this blog post, we will see how to configure File or Folder Exclusions in Microsoft Defender using Intune and manual methods on the device.

You can check your system’s current exclusion list in Defender using the PowerShell command below. I have checked my system, and no exclusions are currently applied. Once we apply the exclusions, we will re-run this command on the device to check that they have been added to the list.

Get-MpPreference | Select-Object -Property ExclusionPath
Microsoft Defender AV Exclusion List check using Powershell

Create Microsoft Defender Antivirus Exclusions using Intune

You can set up Microsoft Defender exclusions through the Intune admin center by following these steps:

  • Sign in to the Intune admin center.
  • Click on Devices and then click on Configuration Profiles.
  • Click on + Create Profile.
  • Select Platform as Windows 10 and later.
  • Select Profile type as Templates.
  • Select Device restrictions from the list of templates and click Create.
Device restrictions template

Basics Tab

Provide the Name and Description of the Policy and click on Next.

  • Name: Microsoft Defender AV Exclusions Policy
  • Description: Provide a useful description

Configuration Settings

Scroll within the Intune admin center to locate the Microsoft Defender Antivirus Exclusions settings. You can exclude specific files or folders from scanning and real-time monitoring here.

In the provided example, I have excluded C:\sql-db-data and a file named Terraform.exe from scanning and monitoring.

Add multiple files or folders to this list according to your requirements. Additionally, you might have observed that you can exclude files by their extensions and specific processes from being scanned by Microsoft Defender.

Add Files/Folders/Processes which you want to Exclude from Defender Scanning on Intune admin center

Assignments

You can click on + Add all devices to apply this policy to all devices. However, if you want to apply this policy to a group of devices, you can create an Entra security group and add that group to the Included groups assignment.

Assign Device configuration profile for creating Defender Exclusions to Windows 10/11 devices

Review + Create

Review the configuration and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

After the profile had been applied to my device, I could find the exclusions in place as configured. To confirm, open PowerShell as administrator and run the command below to check the Microsoft Defender AV exclusion list:

Get-MpPreference | Select-Object -Property ExclusionPath
Confirm Microsoft Defender Exclusion list on the device using Powershell
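The one-liner above only lists paths. The script below is an added example, not part of the original post: it audits all three exclusion types (paths, extensions, processes) against the values you expect from the Intune profile and reports anything missing or not covered by policy. It assumes the two exclusions configured above (C:\sql-db-data and Terraform.exe) and an elevated PowerShell session, since Get-MpPreference hides exclusion values from non-administrators on current Defender builds.

```powershell
# Added example (not from the original post): compare the Defender AV exclusions
# actually applied on this device with the ones expected from the Intune profile.
# Edit $Expected to match your own policy; the values here are the post's example.
$Expected = @{
    ExclusionPath      = @('C:\sql-db-data', 'Terraform.exe')
    ExclusionExtension = @()
    ExclusionProcess   = @()
}

function Get-DefenderExclusionAudit {
    param([Parameter(Mandatory)][hashtable]$Expected)

    # Run elevated: otherwise ExclusionPath/Extension/Process may come back as N/A.
    $pref = Get-MpPreference

    foreach ($kind in $Expected.Keys) {
        # Coerce to arrays so a single value or $null compares cleanly.
        $applied    = @($pref.$kind) | Where-Object { $_ }
        $wanted     = @($Expected[$kind])
        # -notin is case-insensitive, which matches how Defender treats paths.
        $missing    = @($wanted  | Where-Object { $_ -notin $applied })
        $unexpected = @($applied | Where-Object { $_ -notin $wanted })

        [pscustomobject]@{
            Setting    = $kind
            Applied    = ($applied    -join '; ')
            Missing    = ($missing    -join '; ')
            Unexpected = ($unexpected -join '; ')
            InPolicy   = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
        }
    }
}

Get-DefenderExclusionAudit -Expected $Expected | Format-Table -AutoSize
```

A row with Missing entries means the profile has not synced yet or was not assigned to this device; an Unexpected entry is an exclusion nobody put in policy, and every such entry widens the unscanned surface, so it is worth tracing back to whoever (or whatever) added it.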

Verify Microsoft Defender AntiVirus Exclusions Manually

You can check Microsoft Defender Antivirus exclusions directly from the device. Either run the PowerShell command shown above, or open Settings > Update & Security > Windows Security > Virus & Threat Protection > Virus & Threat Protection Settings > click Manage Settings > scroll down to Exclusions > click Add or remove exclusions.

You will see the two exclusions we implemented: one for the C:\sql-db-data folder and another for the “Terraform.exe” file.

Shortcut to Open Windows Security

You can also go to Start > Run and type windowsdefender: to open the Windows Security window directly. Then click Virus & Threat Protection > Virus & Threat Protection settings > click Manage Settings > scroll down to Exclusions > click Add or remove exclusions to manage the exclusion list.
Check Microsoft Defender Exclusions manually on Windows 10/11 device

How to Add Microsoft Defender AntiVirus Exclusions Manually?

You can also manually click + Add an exclusion to add an exclusion on the PC. You will find the same options we configured through the Intune Device Restriction Configuration Profile, including file, folder, file type, or process-based exclusions.

Add Defender Exclusion on Windows 10/11 device manually

Conclusion

Microsoft Defender Antivirus will skip scanning and real-time monitoring for excluded files, folders, or processes. For instance, if you exclude a folder by specifying its path, like C:\sql-db-data, Defender AV will exempt all its files from scanning and monitoring.

Be aware of the risk that comes with not scanning certain files or folders: every exclusion is a location Defender will never inspect. Add only folder locations you trust and are confident do not contain malware or unknown files.
