How to create Defender Antivirus exclusions using Intune

You can exclude specific files, folders, or processes from scanning by Microsoft Defender Antivirus. Exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.

Note that Microsoft Defender Antivirus already includes many built-in automatic exclusions based on known operating system behaviors. If you exclude a file or folder path from scanning and real-time monitoring in Microsoft Defender, make sure that you trust that path and know that its contents are not malicious.

If you have decided to whitelist (exclude) a file or folder path from Defender scanning, there are different ways to achieve this depending on your environment.

For example, you can create a Group Policy Object if all your devices are managed by on-premises Active Directory. If your organization is fully cloud-based and all devices are Azure AD joined and managed by Intune, you can create a Device restrictions profile in Intune.

Other methods include using PowerShell to configure Microsoft Defender exclusions, or logging on to each PC as an administrator and configuring the exclusions manually.

In this blog post, we will see how to configure File or Folder Exclusions in Microsoft Defender using Intune and also by using manual methods on the device.

You can check the current exclusion list in Defender on your system by using the PowerShell command below. As I have checked on my system, there are currently no exclusions applied. Once we apply the exclusions, we will re-run this command on the device to check that they have been added to the list.

Get-MpPreference | Select-Object -Property ExclusionPath
Microsoft Defender AV exclusion list check using PowerShell (Get-MpPreference)
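Selecting only ExclusionPath hides extension and process exclusions, which are separate lists. The following is an added example (not code from the original post) that creates the post's two sample exclusions locally with Add-MpPreference instead of through Intune, then reports every exclusion type in one table. The sample values C:\sql-db-data and Terraform.exe are the post's own; everything else is this example's.

```powershell
# Added example (not from the original post): configure the same two exclusions the post
# creates through Intune, but locally with PowerShell, then list every exclusion type.
# Run in an elevated PowerShell session. The two values below are the post's own samples.

$folderToExclude  = 'C:\sql-db-data'
$processToExclude = 'Terraform.exe'

# Add-MpPreference appends to the existing lists; it does not replace them.
Add-MpPreference -ExclusionPath $folderToExclude
Add-MpPreference -ExclusionProcess $processToExclude

function Get-DefenderExclusionReport {
    # Returns one object per exclusion so paths, extensions and processes are all
    # visible at once, rather than only the ExclusionPath property.
    $pref   = Get-MpPreference
    $report = @()
    foreach ($p in @($pref.ExclusionPath      | Where-Object { $_ })) { $report += [pscustomobject]@{ Type = 'Path';      Value = $p } }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) { $report += [pscustomobject]@{ Type = 'Extension'; Value = $e } }
    foreach ($x in @($pref.ExclusionProcess   | Where-Object { $_ })) { $report += [pscustomobject]@{ Type = 'Process';   Value = $x } }
    return $report
}

Get-DefenderExclusionReport | Format-Table -AutoSize

# To undo the local change (policy-delivered exclusions return on the next policy refresh):
# Remove-MpPreference -ExclusionPath $folderToExclude
# Remove-MpPreference -ExclusionProcess $processToExclude
```

Whether exclusions added locally like this survive alongside Intune-delivered ones depends on the Defender "Disable local admin merge" setting in your policy; when local admin merge is disabled, the policy lists win and the local additions are dropped, so use Get-DefenderExclusionReport to see what is actually in effect rather than assuming the command took.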

Create Microsoft Defender Antivirus Exclusions using Intune

You can set up Microsoft Defender exclusions through the Intune admin center by following these steps:

  • Sign in to the Microsoft Intune admin center
  • Click on Devices and then click on Configuration profiles
  • Click on + Create profile
  • Select Platform as Windows 10 and later
  • Select Profile type as Templates
  • Select Device restrictions from the list of templates and click Create
Device restrictions template

Basics Tab

Provide the Name and Description of the Policy and click on Next.

  • Name: Microsoft Defender AV Exclusions Policy
  • Description: Provide a useful description

Configuration Settings

Scroll down within the Intune admin center to locate the Microsoft Defender Antivirus Exclusions settings. You’ll find an option to exclude specific files or folders from scanning and real-time monitoring.

In the provided example, I have excluded C:\sql-db-data and a file named Terraform.exe from scanning and monitoring.

Feel free to add multiple files or folders to this list according to your requirements. You may also have noticed that you can exclude files by their extensions, and specific processes, from being scanned by Microsoft Defender.

Add files, folders, or processes that you want to exclude from Defender scanning on the Intune admin center

Assignments

You can click on + Add all devices to apply this policy to all devices. If you want to apply it only to a group of devices, create an Azure AD security group and add that group under Included groups.

Assign the device configuration profile for creating Defender exclusions to Windows 10/11 devices

Review + Create

Review the configuration and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End User Experience

After the profile was applied to my device, I could see the exclusions in place as configured. To confirm, open PowerShell as administrator and run the command below to check the Microsoft Defender AV exclusion list:

Get-MpPreference | Select-Object -Property ExclusionPath
Confirm the Microsoft Defender exclusion list on the device using PowerShell
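The "force the Intune sync with PowerShell" step and the "re-run Get-MpPreference" check above can be scripted together on a test device. This is an added example, not the post's own code: it assumes (an assumption, not something the post states) that the MDM enrollment client registers a scheduled task named PushLaunch under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\, starts it, and then polls Get-MpPreference until the expected exclusions appear or a timeout elapses. The expected values are the post's sample exclusions.

```powershell
# Added example (not from the original post): trigger an Intune (MDM) check-in from the
# device and poll Defender until the policy-delivered exclusions show up.
# Assumption: the enrollment client's "PushLaunch" scheduled task under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ exists; the task name is not from the post.
# Requires an elevated session.

function Start-IntuneSync {
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if (-not $task) {
        Write-Warning 'No EnterpriseMgmt PushLaunch task found; is this device MDM-enrolled?'
        return $false
    }
    $task | Start-ScheduledTask
    return $true
}

function Wait-DefenderExclusion {
    param(
        [string[]]$ExpectedPaths     = @(),
        [string[]]$ExpectedProcesses = @(),
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds    = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pref = Get-MpPreference
        # -notcontains is case-insensitive, which matches how Defender treats paths.
        $missingPaths = @($ExpectedPaths     | Where-Object { $pref.ExclusionPath    -notcontains $_ })
        $missingProcs = @($ExpectedProcesses | Where-Object { $pref.ExclusionProcess -notcontains $_ })
        if ($missingPaths.Count -eq 0 -and $missingProcs.Count -eq 0) {
            return [pscustomobject]@{ Applied = $true; MissingPaths = @(); MissingProcesses = @() }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return [pscustomobject]@{ Applied = $false; MissingPaths = $missingPaths; MissingProcesses = $missingProcs }
}

# The post's own sample exclusions:
if (Start-IntuneSync) {
    Wait-DefenderExclusion -ExpectedPaths 'C:\sql-db-data' -ExpectedProcesses 'Terraform.exe'
}
```

If the task is not found, fall back to the manual sync from the device or the admin center as described above; Applied = $false after the timeout usually means the device has not yet checked in or the profile is not assigned to it, and the MissingPaths and MissingProcesses lists tell you exactly which entries are still absent.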

How to verify Microsoft Defender AntiVirus Exclusions Manually?

You can check Microsoft Defender Antivirus exclusions directly on the device. Either run the PowerShell command shown above, or open Settings > Update & Security > Windows Security > Virus & threat protection > Virus & threat protection settings > click on Manage settings > scroll down to Exclusions > click on Add or remove exclusions.

You will see the two exclusions we put in place: one for a “sql-db-data” folder and another for the “Terraform.exe” file.

Shortcut to Open Windows Security
You can also go to Start > Run, type windowsdefender: to open the Windows Security window directly, and then click on Virus & threat protection > Virus & threat protection settings > click on Manage settings > scroll down to Exclusions > click on Add or remove exclusions to manage the exclusion list.
Check Microsoft Defender exclusions manually on a Windows 10/11 device

How to Add Microsoft Defender AntiVirus Exclusions Manually?

You can also click on “+ Add an exclusion” to manually add an exclusion on the PC. You will find the same options as we configured through the Intune Device Restriction Configuration Profile, which include file, folder, file type, or process-based exclusions.

Add a Microsoft Defender exclusion on a Windows 10/11 device manually

Conclusion

Microsoft Defender Antivirus will skip scanning and real-time monitoring for any excluded files, folders, or processes. For instance, if you exclude a folder by specifying its path, like C:\sql-db-data, all the files within that folder will be exempt from scanning and monitoring by Defender AV.

It’s essential to be aware of the potential risks associated with not scanning certain files or folders. Ensure that you only add folder locations you trust and that you’re confident they don’t contain any malware or unknown files.
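Because every exclusion is a blind spot for Defender, it is worth periodically reviewing what is excluded on a device and flagging entries that are broader than they need to be. The following is an added example (not from the original post) with its own heuristic rules, which are this example's assumptions and not Microsoft guidance: it reads Get-MpPreference and flags whole-drive or system-root paths, user-writable locations, wildcards, executable or script extensions, and process exclusions given by bare name. A constructed sample object shows what the rules catch without needing such exclusions on your own machine.

```powershell
# Added example (not from the original post): review the exclusions present on a device
# and flag the ones that deserve a second look. The risk rules are this example's own
# heuristics, not Microsoft's. Read-only: it changes nothing on the device.

function Get-RiskyDefenderExclusions {
    param([Parameter(Mandatory)]$Preference)   # output of Get-MpPreference, or a look-alike object

    $findings = @()

    foreach ($path in @($Preference.ExclusionPath | Where-Object { $_ })) {
        $reasons = @()
        if ($path -match '^[A-Za-z]:\\?$')                     { $reasons += 'whole drive excluded' }
        if ($path -match '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\?$') { $reasons += 'system or program root excluded' }
        if ($path -match '^[A-Za-z]:\\Users\\')                { $reasons += 'under a user profile (user-writable)' }
        if ($path -match '\\(Temp|Downloads|AppData)(\\|$)')   { $reasons += 'temp, download or AppData location' }
        if ($path -match '[\*\?]')                             { $reasons += 'contains a wildcard' }
        if ($reasons) { $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reasons = ($reasons -join '; ') } }
    }

    foreach ($ext in @($Preference.ExclusionExtension | Where-Object { $_ })) {
        if ($ext -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|msi|hta)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reasons = 'executable or script type excluded everywhere' }
        }
    }

    # Note: a process exclusion skips files that the named process opens, not the process
    # binary itself, and a bare name (no full path) applies to any process with that name.
    foreach ($proc in @($Preference.ExclusionProcess | Where-Object { $_ })) {
        $reasons = @()
        if ($proc -notmatch '\\') { $reasons += 'bare process name, applies to any binary with that name' }
        if ($proc -match '(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe$') { $reasons += 'script host or system utility excluded' }
        if ($reasons) { $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reasons = ($reasons -join '; ') } }
    }
    return $findings
}

# Live check on this device:
Get-RiskyDefenderExclusions -Preference (Get-MpPreference) | Format-Table -AutoSize

# Constructed sample (not from a real device) to show what the rules catch:
$sample = [pscustomobject]@{
    ExclusionPath      = @('C:\sql-db-data', 'C:\', 'C:\Users\alice\Downloads')
    ExclusionExtension = @('.exe')
    ExclusionProcess   = @('Terraform.exe', 'C:\Tools\build.exe')
}
Get-RiskyDefenderExclusions -Preference $sample | Format-Table -AutoSize
```

On the constructed sample, C:\sql-db-data passes, C:\ and the Downloads folder are flagged, the .exe extension is flagged, and Terraform.exe is flagged only because it is a bare name; if the intent is to trust one specific binary, excluding it by full path is the narrower choice.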
