Edit

Exclusions reference for Microsoft Defender for Endpoint

Microsoft Defender for Endpoint and Microsoft Defender Antivirus support several types of exclusions, and the tool you use to configure them depends on your environment. This reference maps each exclusion type to the management tools that support it, and points to step-by-step instructions for each combination.

Use this article when you know which exclusion you need and want to find the right tool to configure it, on Windows, Linux, or macOS. To learn what exclusions are, when to use them, and the risks they introduce, see Overview of exclusions and indicators in Microsoft Defender for Endpoint.

Manage exclusions for Windows devices

The following table shows which exclusion types are supported by each management tool. The table uses the following abbreviations:

  • Custom AV: Custom antivirus exclusions.
  • ASR global: Exclusions that affect all attack surface reduction rules only.
  • ASR per rule: Per-rule attack surface reduction exclusions.
  • CFA: Controlled folder access.
  • Automation folder: Folder exclusions for automated investigation and remediation.
  • Automatic server role: Disable automatic server role exclusions on Windows Server 2016 or later.
Management tool Custom AV ASR global ASR per rule CFA Automation
folder
Automatic
server role
Enterprise management
Microsoft Intune admin center Yes Yes Yes Yes No No
Microsoft Defender portal Yes Yes Yes Yes Yes No
Microsoft Configuration Manager Yes Yes No Yes No No
Policy CSP Yes Yes No Yes No No
GPO Yes Yes Yes Yes No Yes
Local configuration
PowerShell Yes Yes No Yes No Yes
WMI Yes No No No No Yes
Windows Security app Yes No No Yes No No

The following sections show how to configure each exclusion type with each management tool.

Custom antivirus exclusions

For more information about custom exclusions in Microsoft Defender Antivirus, see Exclusions in Microsoft Defender Antivirus.

The following list shows how to manage this exclusion type with each management tool:

Note

The Windows Security app doesn't support contextual exclusions.

Exclusion changes you make in Group Policy appear in the Windows Security app, but changes you make in the Windows Security app don't appear in Group Policy.

Attack surface reduction rule global exclusions

For more information about global attack surface reduction (ASR) rule exclusions, see File and folder exclusions for ASR rules.

The following list shows how to manage this exclusion type with each management tool:

Per-ASR rule exclusions

For more information about per-ASR rule exclusions, see File and folder exclusions for ASR rules.

The following list shows how to manage this exclusion type with each management tool:

Controlled folder access exclusions

For more information about controlled folder access (CFA) exclusions, see Allow apps to modify files in protected folders.

The following list shows how to manage this exclusion type with each management tool:

Automation folder exclusions

An automated exclusion entry identifies the folder and (optionally) specific files within that folder to exclude from automated investigation and remediation. For more information, see Automation folder exclusions.

The following list shows how to manage this exclusion type with each management tool:

  • Enterprise management:
    • Microsoft Intune admin center: Not supported.
    • Microsoft Defender portal: For instructions, see Configure automation folder exclusions.
    • Microsoft Configuration Manager: Not supported.
    • Policy CSP: Not supported.
    • GPO: Not supported.
  • Local configuration:
    • PowerShell: Not supported.
    • WMI: Not supported.
    • Windows Security app: Not supported.

Automatic server role exclusions

Automatic server role exclusions apply to Microsoft Defender Antivirus on Windows Server 2016 and later. For more information, see Automatic server role exclusions.

The following list shows how to manage this exclusion type with each management tool:

Learn more:

Manage exclusions for Linux

You can exclude files, folders, processes, and process-opened files from Defender for Endpoint on Linux. For more information, see Custom exclusions on Linux.

For configuration instructions, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.

Manage exclusions for macOS

You can exclude files, folders, processes, and process-opened files from Defender for Endpoint on macOS. For more information, see Custom exclusions on macOS.

For configuration instructions, see Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.

See also