Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Defender for Endpoint and Microsoft Defender Antivirus support several types of exclusions, and the tool you use to configure them depends on your environment. This reference maps each exclusion type to the management tools that support it, and points to step-by-step instructions for each combination.
Use this article when you know which exclusion you need and want to find the right tool to configure it, on Windows, Linux, or macOS. To learn what exclusions are, when to use them, and the risks they introduce, see Overview of exclusions and indicators in Microsoft Defender for Endpoint.
Manage exclusions for Windows devices
The following table shows which exclusion types are supported by each management tool. The table uses the following abbreviations:
- Custom AV: Custom antivirus exclusions.
- ASR global: Exclusions that affect all attack surface reduction rules only.
- ASR per rule: Per-rule attack surface reduction exclusions.
- CFA: Controlled folder access.
- Automation folder: Folder exclusions for automated investigation and remediation.
- Automatic server role: Disable automatic server role exclusions on Windows Server 2016 or later.
| Management tool | Custom AV | ASR global | ASR per rule | CFA | Automation folder |
Automatic server role |
|---|---|---|---|---|---|---|
| Enterprise management | ||||||
| Microsoft Intune admin center | Yes | Yes | Yes | Yes | No | No |
| Microsoft Defender portal | Yes | Yes | Yes | Yes | Yes | No |
| Microsoft Configuration Manager | Yes | Yes | No | Yes | No | No |
| Policy CSP | Yes | Yes | No | Yes | No | No |
| GPO | Yes | Yes | Yes | Yes | No | Yes |
| Local configuration | ||||||
| PowerShell | Yes | Yes | No | Yes | No | Yes |
| WMI | Yes | No | No | No | No | Yes |
| Windows Security app | Yes | No | No | Yes | No | No |
The following sections show how to configure each exclusion type with each management tool.
Custom antivirus exclusions
For more information about custom exclusions in Microsoft Defender Antivirus, see Exclusions in Microsoft Defender Antivirus.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: For instructions, see Configure Microsoft Defender Antivirus exclusions in Microsoft Intune.
- Microsoft Defender portal: For instructions, see Configure Microsoft Defender Antivirus exclusions in the Microsoft Defender portal.
- Microsoft Configuration Manager: For instructions, see Configure Microsoft Defender Antivirus exclusions in Microsoft Configuration Manager.
- Policy CSP: For instructions, see Configure Microsoft Defender Antivirus exclusions in any MDM solution using the Policy CSP.
- GPO: For instructions, see Configure Microsoft Defender Antivirus exclusions in Group Policy.
- Local configuration:
- PowerShell: For instructions, see Configure Microsoft Defender Antivirus exclusions in PowerShell.
- WMI: For instructions, see Configure Microsoft Defender Antivirus exclusions in WMI.
- Windows Security app: For instructions, see Configure Microsoft Defender Antivirus exclusions in the Windows Security app.
Note
The Windows Security app doesn't support contextual exclusions.
Exclusion changes you make in Group Policy appear in the Windows Security app, but changes you make in the Windows Security app don't appear in Group Policy.
Attack surface reduction rule global exclusions
For more information about global attack surface reduction (ASR) rule exclusions, see File and folder exclusions for ASR rules.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: For instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies.
- Microsoft Defender portal: For instructions, see Configure ASR rules and exclusions in the Microsoft Defender portal.
- Microsoft Configuration Manager: For instructions, see Configure ASR rules and global ASR rule exclusions in Microsoft Configuration Manager.
- Policy CSP: For instructions, see Configure global ASR rule exclusions in any MDM solution using the Policy CSP.
- GPO: For instructions, see Configure global ASR rule exclusions in group policy.
- Local configuration:
- PowerShell: For instructions, see Configure global ASR rule exclusions in PowerShell.
- WMI: Not supported.
- Windows Security app: Not supported.
Per-ASR rule exclusions
For more information about per-ASR rule exclusions, see File and folder exclusions for ASR rules.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: For instructions, see Configure ASR rules and exclusions in Intune using endpoint security policies.
- Microsoft Defender portal: For instructions, see Configure ASR rules and exclusions in the Microsoft Defender portal.
- Microsoft Configuration Manager: Not supported.
- Policy CSP: Not supported.
- GPO: For instructions, see Configure per-ASR rule exclusions in group policy.
- Local configuration:
- PowerShell: Not supported.
- WMI: Not supported.
- Windows Security app: Not supported.
Controlled folder access exclusions
For more information about controlled folder access (CFA) exclusions, see Allow apps to modify files in protected folders.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: For instructions, see Configure CFA in Intune using endpoint security policies.
- Microsoft Defender portal: For instructions, see Configure CFA in the Microsoft Defender portal.
- Microsoft Configuration Manager: For instructions, see Configure CFA in Microsoft Configuration Manager.
- Policy CSP: For instructions, see Allow apps to modify files in protected folders using the Policy CSP.
- GPO: For instructions, see Allow apps to modify files in protected folders in Group Policy.
- Local configuration:
- PowerShell: For instructions, see Allow apps to modify files in protected folders in PowerShell.
- WMI: Not supported.
- Windows Security app: For instructions, see Allow apps to modify files in protected folders in the Windows Security app.
Automation folder exclusions
An automated exclusion entry identifies the folder and (optionally) specific files within that folder to exclude from automated investigation and remediation. For more information, see Automation folder exclusions.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: Not supported.
- Microsoft Defender portal: For instructions, see Configure automation folder exclusions.
- Microsoft Configuration Manager: Not supported.
- Policy CSP: Not supported.
- GPO: Not supported.
- Local configuration:
- PowerShell: Not supported.
- WMI: Not supported.
- Windows Security app: Not supported.
Automatic server role exclusions
Automatic server role exclusions apply to Microsoft Defender Antivirus on Windows Server 2016 and later. For more information, see Automatic server role exclusions.
The following list shows how to manage this exclusion type with each management tool:
- Enterprise management:
- Microsoft Intune admin center: Not supported.
- Microsoft Defender portal: Not supported.
- Microsoft Configuration Manager: Not supported.
- Policy CSP: Not supported.
- GPO: For instructions, see Disable automatic exclusions in Group Policy.
- Local configuration:
- PowerShell: For instructions, see Disable automatic exclusions in PowerShell.
- WMI: For instructions, see Disable automatic exclusions in WMI.
- Windows Security app: Not supported.
Learn more:
- Use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus
- Create Microsoft Defender antivirus exclusion policies in Intune
- Add automatic folder exclusions
- Defender CSP
- Defender Policy CSP
- Use custom settings for Windows client devices in Intune
- Windows Defender WMIv2 APIs
Manage exclusions for Linux
You can exclude files, folders, processes, and process-opened files from Defender for Endpoint on Linux. For more information, see Custom exclusions on Linux.
For configuration instructions, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.
Manage exclusions for macOS
You can exclude files, folders, processes, and process-opened files from Defender for Endpoint on macOS. For more information, see Custom exclusions on macOS.
For configuration instructions, see Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.