You can exclude certain files, folders or processes from scanning by Microsoft Defender Antivirus. Exclusions apply to scheduled scans, on-demand scans and always-on real-time protection and monitoring.
Please note that Microsoft Defender Antivirus already includes many built-in automatic exclusions based on known operating system behaviours. If you exclude a file or folder path from scanning and real-time monitoring in Microsoft Defender, you must be sure that you trust that path and know that its contents are not malicious.
If you have decided to whitelist / exclude a file or folder path from scanning in Microsoft Defender, there are different ways to achieve this depending on your environment. For example, you can create a Group Policy Object if all your devices are managed by on-premises Active Directory, or an Intune Device Configuration Profile if your organization's devices are managed by Azure AD / Hybrid Azure AD.
If your organization is fully cloud based and all devices are Azure AD joined and managed by Intune, you can create a Device restrictions policy in Intune, configure the Defender exclusions and apply the policy to all devices or to a group of devices. There are other methods as well, such as using PowerShell to configure Microsoft Defender exclusions, or logging on to each PC as an administrator and configuring the exclusions manually.
In this blog post, we will see how to configure file or folder exclusions in Microsoft Defender using Intune and also by using the manual method on the device.
You can check the current exclusion list in Defender on your system with the PowerShell command below. As I have checked on my system, there are currently no exclusions applied. Once we apply the exclusions, we will re-run this command on the device to check that they have been added to the list.
Get-MpPreference | Select-Object -Property ExclusionPath
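As an added example (not code from the original post), the following script shows the PowerShell route mentioned above: it creates the same two exclusions the post later creates through Intune, a folder and a process, and verifies them by re-reading the preference object. It assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus; the folder and process names are the sample values from this post.

```powershell
# Added example: configure Defender exclusions locally with the Defender PowerShell module.
# Assumes an elevated session. C:\sql-db-data and Terraform.exe are the post's sample values.
$folderToExclude  = 'C:\sql-db-data'
$processToExclude = 'Terraform.exe'   # process exclusion: files opened BY this process are not scanned

# Record the current lists first so the change can be reviewed or rolled back.
$before = Get-MpPreference
Write-Host "Existing path exclusions:    $($before.ExclusionPath -join '; ')"
Write-Host "Existing process exclusions: $($before.ExclusionProcess -join '; ')"

# Add-MpPreference appends to the existing lists; it does not replace them.
Add-MpPreference -ExclusionPath $folderToExclude
Add-MpPreference -ExclusionProcess $processToExclude

# Verify by reading the preferences back rather than trusting the absence of an error.
$after     = Get-MpPreference
$pathOk    = $after.ExclusionPath    -contains $folderToExclude
$processOk = $after.ExclusionProcess -contains $processToExclude
if ($pathOk -and $processOk) {
    Write-Host 'Both exclusions are now in place.'
} else {
    Write-Warning 'Exclusion list did not change as expected; check for tamper protection or a conflicting managed policy.'
}

# Roll back (commented out): Remove-MpPreference removes only the entries named.
# Remove-MpPreference -ExclusionPath $folderToExclude
# Remove-MpPreference -ExclusionProcess $processToExclude
```

Reading the preferences back matters because on a managed device a policy can override or discard local changes, so a cmdlet that returns without error is not proof that the exclusion is active.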
Steps to create Microsoft Defender Antivirus exclusions using Intune
You can create Microsoft Defender exclusions from the Microsoft Intune admin center. Follow the steps below.
- Log in to the Microsoft Intune admin center
- Click on Devices and then click on Configuration Profiles
- Click on + Create Profile
- Select Platform as Windows 10 and later
- Profile Type as Templates
- Select Device restrictions from the list of Templates and click Create
Provide the Name and Description of the Policy and click on Next.
- Name: Microsoft Defender AV Exclusions Policy
- Description: This policy is for Excluding files or folders from scanning or real time monitoring in Microsoft Defender Antivirus.
Configuration Settings Tab
Scroll down to find the Microsoft Defender Antivirus Exclusions settings and then Exclude certain files or folders from scanning and real-time monitoring. As you can see, I have a few database files in C:\sql-db-data and one file called Terraform.exe which I would like to exclude from scanning and monitoring.
You can add multiple files or folders to this list as per your requirement. As you may have noticed, you can also exclude files by extension and processes from the Microsoft Defender scan.
You can click on + Add all devices to apply this policy to all devices. However, if you want to apply this policy to a group of devices, create an Azure AD security group and add that group under Included groups in the assignment.
Review + Create
Click on Create to create this Configuration Profile. When the next Intune sync cycle completes, this policy will be applied to the device.
Intune Policy Refresh Cycle
The device will sync / check in to start the deployment of the device configuration profile. It may take some time for the process to start. Therefore, if you are testing on a test device, you can force an Intune refresh cycle on the device, which speeds up the process. You can also use PowerShell to force an Intune refresh cycle.
You can also restart the device first, which also starts the device check-in process. A manual sync is not mandatory on users' devices, as the device check-in process happens automatically. But if you are testing this setting on a test device, a manual sync can speed up your testing and save some time.
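As an added example (not code from the original post), the following script forces the Intune check-in from PowerShell and then re-checks the Defender exclusion list. It assumes the device is MDM-enrolled and that the enrollment client registered its PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\; that task path and name are the ones commonly used for this purpose and are an assumption here, so the script verifies that the task exists and actually ran rather than returning blindly.

```powershell
# Added example: trigger an Intune device check-in from an elevated PowerShell session.
# Assumption: the MDM enrollment client created a "PushLaunch" task under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ (common, but verify on your devices).
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
         Where-Object { $_.TaskName -eq 'PushLaunch' }

if (-not $tasks) {
    Write-Warning 'No PushLaunch task found; the device may not be MDM-enrolled. Use Settings > Accounts > Access work or school > Info > Sync instead.'
    return
}

foreach ($task in $tasks) {
    Write-Host "Starting $($task.TaskPath)$($task.TaskName)"
    Start-ScheduledTask -InputObject $task
}

# Poll for up to a minute so the script reports whether the check-in task really ran.
for ($i = 0; $i -lt 6; $i++) {
    Start-Sleep -Seconds 10
    $latest = $tasks | Get-ScheduledTaskInfo | Sort-Object LastRunTime -Descending | Select-Object -First 1
    if ($latest.LastRunTime -gt (Get-Date).AddMinutes(-2)) {
        Write-Host "Check-in task ran at $($latest.LastRunTime) (result code $($latest.LastTaskResult))."
        break
    }
}

# After the check-in, confirm whether the exclusion policy has landed on the device.
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionProcess
```

Policy delivery can still lag behind the check-in itself, so if the exclusions are not yet listed, wait a minute and run the final Get-MpPreference line again rather than re-triggering the task repeatedly.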
End User Experience
After Intune refreshed the policy on my device, I was able to confirm that the file exclusions are in place.
Open PowerShell as administrator and run the command below to check the Microsoft Defender AV exclusion list:
Get-MpPreference | Select-Object -Property ExclusionPath
How to find Microsoft Defender AntiVirus Exclusions Manually
You can check Microsoft Defender Antivirus exclusions from the device itself. Either run the PowerShell command shown above, or open Settings –> Update & Security –> Windows Security –> Virus & threat protection –> Virus & threat protection settings –> Click on Manage Settings –> Scroll down to find Exclusions –> Click on Add or remove exclusions. You can see the two exclusions we put in place: one for the sql-db-data folder and another one for the Terraform.exe file.
Shortcut to Open Windows Security
You can also go to Start -> Run and type windowsdefender: to open the Windows Security window directly, then click on Virus & threat protection -> Virus & threat protection settings –> Click on Manage Settings –> Scroll down to find Exclusions –> Click on Add or remove exclusions to manage the exclusion list.
How to Add Microsoft Defender AntiVirus Exclusions Manually
You can also click on + Add an exclusion to add an exclusion manually on the PC. You will find the same options we saw in the Intune Device restrictions configuration profile: file, folder, file type or process based exclusions.
Microsoft Defender Antivirus will skip scanning and real-time monitoring for any excluded files, folders or processes. If you exclude a folder by providing its path, for example C:\sql-db-data, then all the files in that folder will be skipped from scanning and monitoring by Defender AV. Please make sure you understand the risks associated with not scanning certain files or folders, and make sure that the folder location you are adding is one you trust and that does not contain any malware or unknown files.
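As an added example (not code from the original post), the following script reviews the exclusions currently applied on a device and flags entries that are broader than a single trusted folder or file, which is the risk the paragraph above describes. The risky-path patterns are my own heuristics rather than a Microsoft-published list, and the script assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus.

```powershell
# Added example: audit the applied Defender exclusions and flag broad or stale entries.
# The patterns below are the author's own heuristics; adjust them to your environment.
$pref = Get-MpPreference

# Paths that should rarely, if ever, be excluded wholesale: whole drives, whole profiles,
# and folders a standard user (or malware running as that user) can write to.
$riskyPatterns = @(
    '^[A-Za-z]:\\?$'                          # a whole drive, e.g. C:\
    '^[A-Za-z]:\\Users\\?$'                   # all user profiles
    '\\Users\\[^\\]+\\?$'                     # one user's entire profile
    '\\(Downloads|Desktop|AppData|Temp)\\?'   # user-writable folders
    '^[A-Za-z]:\\Windows\\Temp\\?'            # system temp, writable by everyone
    '\\ProgramData\\?$'                       # shared folder, writable by standard users
    '^\\\\'                                   # UNC / network paths
)

function Get-ExclusionRisk {
    param([string]$Kind, [string]$Entry)
    switch ($Kind) {
        'Path' {
            foreach ($p in $riskyPatterns) {
                if ($Entry -match $p) { return "broad: matches $p" }
            }
            if ($Entry -match '[*?]') { return 'contains wildcard' }
            return 'scoped'
        }
        'Extension' { return 'applies to every file with this extension, anywhere on disk' }
        'Process' {
            # A bare name matches any process with that name from any location; a full path does not.
            if ($Entry -notmatch '\\') { return 'name only: any process with this name, from any folder' }
            return 'files opened by this process are not scanned'
        }
    }
}

$report = [System.Collections.Generic.List[object]]::new()
foreach ($path in @($pref.ExclusionPath)) {
    if (-not $path) { continue }
    $report.Add([pscustomobject]@{
        Kind   = 'Path'
        Entry  = $path
        Risk   = Get-ExclusionRisk -Kind Path -Entry $path
        Exists = Test-Path -LiteralPath $path   # stale entries are worth cleaning up too
    })
}
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext) { $report.Add([pscustomobject]@{ Kind = 'Extension'; Entry = $ext; Risk = (Get-ExclusionRisk -Kind Extension -Entry $ext); Exists = $null }) }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { $report.Add([pscustomobject]@{ Kind = 'Process'; Entry = $proc; Risk = (Get-ExclusionRisk -Kind Process -Entry $proc); Exists = $null }) }
}

$report | Format-Table -AutoSize
```

Running this periodically, or as part of a compliance check, catches the two common drifts: exclusions that were added for a test and never removed (Exists = False), and exclusions that quietly grew from one application folder to a whole profile or drive.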