Let’s learn how to exclude files or folders from a Microsoft Defender scan using an Intune Antimalware policy. This post walks through setting up Microsoft Defender exclusions and deploying the Antivirus policy to a security group.
Microsoft Defender Antivirus is a robust security solution that helps protect Windows devices from malware and other security threats. On the other hand, Intune is a cloud-based service provided by Microsoft that enables organizations to manage and secure their devices and applications.
Custom exclusions for Microsoft Defender Antivirus are not usually necessary. When they are, you can exclude files, folders, processes, and files opened by specific processes from being scanned. This article explains how to create custom exclusions for Microsoft Defender Antivirus using Microsoft Intune.
Custom exclusions let you fine-tune the antivirus scan settings to specific requirements. Choose exclusion criteria with great care, because every exclusion is a location or process where a security threat can go undetected.
Important Points about Exclusions in Microsoft Defender
Here are some important points to remember about exclusions in Microsoft Defender. Exclusions can be a useful tool for managing security in Microsoft Defender, but they should be used cautiously and carefully, considering the potential risks and benefits.
It is also important to note that exclusions may have unintended consequences, such as allowing malware to bypass detection. As such, it is recommended that you regularly review and update your exclusions to ensure that they are still necessary and appropriate.
Exclusions added to the exclusion list prevent Microsoft Defender Antivirus from blocking, inspecting, or remediating the related events, files, folders, or processes. A process exclusion on any platform also stops network protection and Advanced Threat Protection (ATP) features from inspecting that process’s traffic, so security policies and rules are no longer enforced for that process.
Do not define exclusions in advance as a proactive measure. Use exclusions only to resolve a specific performance or application compatibility issue that an exclusion is known to alleviate, and never exclude anything because of problems you anticipate in the future. Your security team should document why each exclusion was added, so there is no confusion later and questions can be answered precisely.
Create an Antivirus Policy with Exclusions in Intune
Let’s learn how to create a new Antivirus policy with exclusions in Microsoft Intune for Windows devices and deploy it to a security group.
- Sign in to the Microsoft Intune Admin Portal.
- Select Endpoint security > Antivirus > Create Policy.
When you click Create Policy, a new pane opens. Under Platform, select Windows 10, Windows 11, and Windows Server.
| Platform | Profile Type |
|---|---|
| Windows 10, Windows 11, and Windows Server | Microsoft Defender Antivirus exclusions |
Select the Profile Type Microsoft Defender Antivirus exclusions and click Create.
NOTE! This template allows you to manage settings for Microsoft Defender Antivirus that define antivirus exclusions for paths, extensions, and processes. Antivirus exclusions are also managed by the Microsoft Defender Antivirus policy, which includes identical settings for exclusions. Settings from both templates (Antivirus and Antivirus exclusions) are subject to policy merge and create a superset of exclusions for the applicable devices and users.
Navigate to the Basics tab and input the profile’s Name and Description. Click Next to proceed.
On the Configuration settings page, expand Defender and configure the settings you want to manage with this profile. Three options are available here. In this example, I will configure Excluded Paths, which lets an administrator specify a list of directory paths that Defender ignores during a scan.
| Configuration settings | Description |
|---|---|
| Excluded Extensions | Exclusions that you define by file type extension |
| Excluded Paths | Exclusions that you define by their location (path) |
| Excluded Processes | Exclusions for files that are opened by certain processes |
Each path in the list must be separated by a | character, for example `C:\Example|C:\Example1`. I am excluding two test folders in my example; replace them with the folder names that need to be excluded from the Microsoft Defender scan. When you have finished configuring the settings, review them and click Next.
On the Scope tags page, add scope tags if you wish and click Next to assign the policy to devices. I will deploy it to the HTMD – Test Computers group. Devices receive the policy settings the next time they check in with the Intune service.
On the Review + Create page, carefully review all your defined settings. Once you have confirmed everything is correct, select Save to apply the changes.
Once the policy is created, a confirmation appears in the top right corner, and the new profile is listed under its policy type, where you can select it.
Monitor Antivirus Policy Deployment from the Intune Portal
The Antivirus policy is deployed to Azure AD groups. Let’s see how to monitor the deployment and its status from the Intune portal. To monitor the Intune policy assignment, follow these steps:
- Navigate to the list of Antivirus Policies and select the policy you targeted.
- Check the device and user check-in status from here.
- If you click “View Report,” you can see additional details.
End User Experience after Excluding Files or Folders
Let’s look at the end user experience after deploying the exclusion policy, and at the different ways to monitor the Antivirus policy deployment from the Windows client side.
You can use the following PowerShell command to check the exclusion policy on a client:

```powershell
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```
You can see the Microsoft Defender excluded paths delivered by the policy in the registry path below:

```text
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
```
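The following script is an added example (not from the original post) that ties the two checks above together: it reads the exclusions Intune wrote under the Policy Manager key, compares them with the exclusions Defender is actually enforcing per Get-MpPreference, and flags overly broad paths that a reviewer should question. It assumes the Intune Defender CSP stores the lists as pipe-separated REG_SZ values named ExcludedPaths, ExcludedExtensions and ExcludedProcesses; adjust the value names if your tenant writes them differently.

```powershell
# Added example: audit Intune-delivered Defender exclusions against the effective configuration.
# Assumption: Intune writes ExcludedPaths / ExcludedExtensions / ExcludedProcesses under this key
# as REG_SZ values, with entries separated by '|' (the same separator used in the Intune UI).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

function Get-PolicyExclusions {
    param([string]$ValueName)
    $raw = (Get-ItemProperty -Path $policyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # One string, entries separated by '|'
    return $raw -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$pref = Get-MpPreference
$checks = @(
    @{ Name = 'Paths';      Policy = @(Get-PolicyExclusions 'ExcludedPaths');      Effective = @($pref.ExclusionPath      | Where-Object { $_ }) },
    @{ Name = 'Extensions'; Policy = @(Get-PolicyExclusions 'ExcludedExtensions'); Effective = @($pref.ExclusionExtension | Where-Object { $_ }) },
    @{ Name = 'Processes';  Policy = @(Get-PolicyExclusions 'ExcludedProcesses');  Effective = @($pref.ExclusionProcess   | Where-Object { $_ }) }
)

foreach ($c in $checks) {
    # In the policy but not effective yet: the device has not applied the Intune policy
    $pending = @($c.Policy | Where-Object { $c.Effective -notcontains $_ })
    # Effective on the device but not in this policy: local or other source, needs review
    $extra = @($c.Effective | Where-Object { $c.Policy -notcontains $_ })
    '{0}: {1} in policy, {2} effective, {3} pending, {4} not from this policy' -f `
        $c.Name, $c.Policy.Count, $c.Effective.Count, $pending.Count, $extra.Count
    $pending | ForEach-Object { "  PENDING   $_" }
    $extra   | ForEach-Object { "  UNMANAGED $_" }
}

# Broad path exclusions hide large parts of the filesystem from scanning; list them for review.
$broadPatterns = @(
    '^[A-Za-z]:\\?$',                                   # whole drive, e.g. C:\
    '^[A-Za-z]:\\(Users|Windows|ProgramData)\\?$',      # root of Users, Windows or ProgramData
    '\\Temp\\?$'                                        # any Temp folder
)
foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
    if ($broadPatterns | Where-Object { $p -match $_ }) { "  REVIEW broad exclusion: $p" }
}
```

Run it in an elevated PowerShell session on a managed device; PENDING entries should clear after the next Intune check-in, and UNMANAGED or REVIEW entries are the ones your documentation should justify.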
On Windows 10 or 11 devices, type Windows Security in the search box and select Windows Security in the results list. Scroll down to Virus & threat protection settings and select Manage settings to view the exclusions.
Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.