{
	"id": "4367efad-c51a-4e8e-8a8b-20fd2c5e263d",
	"created_at": "2026-04-06T00:10:53.343612Z",
	"updated_at": "2026-04-10T03:20:43.074793Z",
	"deleted_at": null,
	"sha1_hash": "c1f10ddea6ac1304294d5cc45aa9ce70b453f3f8",
	"title": "My learnings on Microsoft Defender for Endpoint and Exclusions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 896510,
	"plain_text": "My learnings on Microsoft Defender for Endpoint and Exclusions\r\nBy Christopher Brumm\r\nPublished: 2021-08-07 · Archived: 2026-04-05 15:52:22 UTC\r\nPhoto by Ashkan Forouzani on Unsplash\r\nWhenever I’ve had to deal with AV solutions in recent years, the topic of exclusions has always come up at some point. Usually it was quickly agreed that the best way to deal with exclusions is not to use them 😉. Nevertheless, I have only come across a few companies that did not have exclusions, and it is always assumed to be a project risk not to migrate them when it comes to switching to a new solution.\r\nTo be clear, my recommendation is to use every opportunity to get rid of (old) exceptions and not to migrate anything that has not been proven to cause problems with the new solution.\r\nHowever, it is always good to know your enemy and have a plan in case you are forced to use exclusions. So in this blog I will try to show what kinds of exclusions there are, what risks they entail and how to implement them in a practical way.\r\nWhat is an Exclusion and why should I care?\r\nhttps://medium.com/codex/my-learnings-on-microsoft-defender-for-endpoint-and-exclusions-ddacf2fdd047\r\nPage 1 of 11\r\nVirus scanners such as Microsoft Defender AV (MDAV) have the job of detecting malware and neutralizing it. Due to the spread of Windows, this has been an ongoing issue since the 90s. While in the beginning there was a strong focus on signatures / patterns of known malware, this topic has recently become less and less important, because the viruses have been mutating for some time (like real viruses) and do so much faster than the vendors can update their signatures. Modern solutions such as Microsoft Defender for Endpoint (of which Defender AV is a part) have a wide range of detection methods in addition to signature detection and rely on machine learning and behavior monitoring methods for detection, among other things.\r\nMalware detection by MDAV can be performed through various mechanisms. In addition to the various scheduled or on-demand scans (Quick, Full, Custom), real-time protection is also active. Real-Time Protection reviews files when they are opened and closed, and whenever a user navigates to a folder.\r\nLike any other AV solution, there is of course the possibility to create (classic) exclusions in MDAV for files, folders, processes, and process-opened files. These are stored in the registry on the endpoint, and the exclusions from a GPO can be easily displayed via PowerShell.\r\nAn exclusion prevents the corresponding files or processes from being detected as malware by Defender during a scan and by Real-Time Protection, and prevents countermeasures (such as a quarantine) from being initiated.\r\nSince this behavior is rather bad in the first place, the question arises: Why do exclusions exist at all?\r\nUnfortunately, many manufacturers have a list of exclusions that are “necessary” or “recommended” for the software to work. Since every admin can remember a situation where the AV agent was a bit overambitious, this is a very difficult discussion. Here are a few examples of required exclusions: SCCM, VEEAM, Exchange, Kaseya, MS SQL — Microsoft even has a list of the exclusion lists 😂\r\nOkay, there seem to be reasons — what specifically is the problem with exclusions?\r\nEvery exclusion weakens our defense, and every weakness that an attacker knows, can guess or can read offers him a good opportunity. For example, if I know that the software distribution paths are excluded on all systems, this is a good place to put the tools for the next steps of my attack and run them from there.\r\nOur task is to challenge the necessity of any exclusion on any system and thus reduce their number.\r\nWhich types of exclusions are available in Microsoft Defender for Endpoint?\r\nBefore we start looking at the different types of exclusions, it is important to understand that MDAV is part of Microsoft Defender for Endpoint (MDE) but can also be used on its own. In terms of exclusions, this means that there are methods that are limited to MDAV and methods that cover the entire suite.\r\nI strongly recommend using MDE, as this massively increases the protection and enables several of the features described here. A virus scanner alone — even if it is very good — is unfortunately no longer sufficient today.\r\nExclusions in Defender Antivirus\r\nIn MDAV there are the following types of exclusions:\r\nexclusions based on file name, extension and folder location\r\nexclusions for files opened by processes\r\nThese exclusions can be managed in several ways. Besides the tools described later, such as Intune, there are the following local options:\r\nCreation of a local policy\r\nUsing the Windows Security GUI\r\nPowerShell with the cmdlet Add-MpPreference\r\nThe easiest way to display all exclusions is the cmdlet Get-MpPreference (but for reading the exclusions you need to be local admin).\r\nSince these exclusions are also stored in the registry on the endpoint, they can also be displayed by reading the corresponding keys via PowerShell.\r\nInterestingly, the key in the local hive can no longer be read on a Windows 11 system. I assume this is a hardening measure by Microsoft.\r\nIf you’re using process exclusions, these points are noteworthy in my opinion:\r\nWhen you add a process to the process exclusion list, Microsoft Defender Antivirus won’t scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.\r\nThe exclusions only apply to always-on real-time protection and monitoring. They don’t apply to scheduled or on-demand scans.\r\nAuto Exclusions in Defender Antivirus\r\nIn addition to the exceptions configured by the admin, Auto Exclusions still come into play for (2016/2019) servers depending on the role of the server, if not disabled. For a domain controller, for example, exceptions are active for the NTDS database, the transaction log files, the NTDS working folder and support files.\r\nSome notes on this (useful) feature:\r\nThese exclusions are not displayed in the above lists\r\nThey apply only to Real-Time Protection — not to scheduled or on-demand scans\r\nThe auto exclusion feature works only for the default installation location of the server roles\r\nMore info here:\r\nConfigure Microsoft Defender Antivirus exclusions on Windows Server | Microsoft Docs\r\nExclusions in other parts of MDE\r\nBesides AV there are several other components that can prevent the execution of files and of functions in files. They all have in common that whitelisting by a custom indicator is possible:\r\nendpoint detection and response (EDR)\r\nattack surface reduction (ASR) rules — see this great blog about ASR.\r\ncontrolled folder access\r\nCustom indicators\r\nMicrosoft Defender for Endpoint provides centralized management of Indicators of Compromise (IoCs) in the Custom Indicators section. IoCs are actually intended to detect known malicious patterns and have them blocked, for example, by security products such as MDE.\r\nIn addition to the Alert and Alert+Block actions, the Custom Indicators section also includes the Allow action, which can be used for whitelisting. The whitelisting of files is not done by a path or filename but by hashes. Besides files it is also possible to create entries for IPs \u0026 URLs and certificates.\r\nThe file hashes can be created in MD5, SHA-1 or SHA-256. Although each of these algorithms is significantly more secure than a file or folder name, the SHA-256 hash should be used because a collision is significantly less likely due to the length of the hash (32 bits). If you use the GUI, you will also get a warning when entering MD5 hashes.\r\nSo far, I have not been able to read out the custom indicators that are effective on a system — this then reduces the probability of an intentional collision to almost 0.\r\nThe creation of a Custom Indicator can be done with the Active Remediation Actions permission via the GUI or via API. By using the API, this process can also be embedded well into a process with e.g. tickets, documentation and releases.\r\nWhat are the best tools to manage exclusions?\r\nThe selection of the right tool(s) is strongly dependent on the circumstances and has a strategic component. This means: if I already have a tool for administering the configuration of my clients, I will on the one hand try to administer the exclusions with it as well. On the other hand, I cannot manage all exclusions with all tools (equally well), and this can be the reason for a (perhaps already overdue) change of strategy.\r\nIn the MDE portal, only custom indicators, i.e. hashes, can be excluded — and only there. Since the Custom Indicators are the (almost always) preferred whitelisting variant, this portal is set in any case.\r\nIntune can set all exclusions except hashes / custom indicators. Unfortunately, Intune does not seem to be able to combine lists of exclusions, which can be a challenge in large heterogeneous environments.\r\nGPOs can also be used to configure all exclusions except hashes / custom indicators — GPOs can even combine multiple lists here. For clients, however, it should be kept in mind that the distribution of computer policies via VPN is not ideal — but most of those who do this today probably already know that ;-)\r\nWith SCCM, the AV exclusions can be managed well. With ASR Exclusions, however, there is currently still the restriction that no wildcards are supported — which severely limits usability.\r\nLast but not least, all tools and scripts that are able to manipulate registry values can also be used to potentially manage everything except custom indicators.\r\nWhat is the best way to deal with exclusions?\r\nAs you can see, there are several ways to whitelist and block files, and this creates some challenges, especially in larger environments. One strategy for dealing with file exclusions might look like this:\r\n#1: Avoid exclusions\r\nThat means we don’t want exclusions. We do not want to create new exclusions and we do not want to migrate existing ones. Every exclusion must be well justified.\r\n#2: Use Custom Indicators (hashes) whenever possible!\r\nAs described above, CIs have several advantages:\r\nThey are much safer, as collisions are very unlikely.\r\nThe creation can be easily integrated into processes via runbooks.\r\nThe administration is done in the Security Center, not in Config Management.\r\n#3: Use the right (classic) exclusion type and avoid common mistakes\r\nIf hashes are not possible, proceed in the following order for Classic Exclusions:\r\nProcesses\r\n(complete) Paths\r\nExtensions\r\nUsing these exclusions is something you want to avoid because they can be abused. It is not that hard to guess which folders are excluded, and it is easy to check.\r\nBefore you create an exclusion you should look at these two sources:\r\nRecommendations for defining exclusions\r\nCommon mistakes to avoid when defining exclusions\r\nIn addition to lists of locations that must not be excluded, other typical errors such as the use of filenames without folders in the exclusions or the correct use of environment variables are also covered there.\r\n#4: Make yourself familiar with the scoping of exclusions\r\nI think Custom Indicators don’t need to be scoped, as the risk is very manageable and the effort is disproportionate. (The way to do this would be Device Groups in MDE.)\r\nWith Classic Exclusions it is advisable to differentiate a little and find a good compromise. This usually looks clearly different for servers than for clients, since clients are clearly more homogeneous. While servers often have per-server-type handling in the GPO anyway, for clients one will usually try to have a very uniform policy.\r\nDepending on the structure, however, it can still make sense to maintain multiple lists and combine them as needed to reduce administration efforts. A practical example would be if only a certain user group uses a certain software and you then use a combination of two lists for these clients (GPOs and SCCM can do this). It is worth planning a little bit to find a good compromise.\r\n#5: Monitor and Review your Exclusions\r\nIn any environment exclusions accumulate over time, and it is very important to deal with these two issues:\r\n1. How can I prevent and check if there have been (illegitimate) changes to the Exclusions?\r\n2. How and when do I check my inventory and how can I reduce it?\r\nFor question number 1 have a look in the Monitoring section below. For question 2 you will need a process.\r\nHow do the different mechanisms interact?\r\nWhat happens if I use more than one configuration method?\r\nBy default, local changes will be merged with the lists by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment settings. (Source)\r\nI think disabling merging in general is a very useful thing. The corresponding setting can be enabled via GPO or via the Defender CSP with a custom policy in Intune. The RegKey that is set in this way then ensures that locally added exclusions are overwritten.\r\nWhat happens at a conflict?\r\nThe MS documentation answers this question as follows:\r\nCert and File IoC policy handling conflict will follow the below order:\r\nIf the file is not allowed by Windows Defender Application Control and AppLocker enforce mode policy/policies, then Block\r\nElse if the file is allowed by the Microsoft Defender Antivirus exclusion, then Allow\r\nElse if the file is blocked or warned by a block or warn file IoC, then Block/Warn\r\nElse if the file is allowed by an allow file IoC policy, then Allow\r\nElse if the file is blocked by ASR rules, CFA, AV, SmartScreen, then Block\r\nElse Allow (passes Windows Defender Application Control \u0026 AppLocker policy, no IoC rules apply to it)\r\nTo simplify this, my friend Fabian has created this wonderful meme! 😍\r\nHow can I prevent and check if there have been (illegitimate) changes to the Exclusions?\r\nGeneral Manipulation Prevention\r\nBefore we look at the AV exclusion use case, I recommend everyone check out this blog to learn what can be manipulated in general in Defender AV and how to best deal with it. It is reasonable to try to prevent manipulation of the configuration, and although Tamper Protection has no influence on AV Exclusions, its use is very useful as it can prevent many basic manipulations of Defender.\r\nFinally, Configure Local overrides for Microsoft Defender AV settings can be used to prevent local exclusions from being generated, by simply disabling the merging of the lists. This means that only the exclusions from the GPOs apply.\r\nDetect and prevent local exclusions\r\nThe behavior described above for combining exclusion lists is very useful for scoping. However, this behavior can also be used by an attacker. By default it is possible to create your own local exclusions with local administration rights, and in my experience there are also some accounts in many companies that have e.g. the rights to edit a GPO that affects the clients. Reason enough to have a look at how we can be informed about changes.\r\nThe first approach is to look at the MDE client via a custom detection. Alex Verboon has already published something good about this.\r\nThus, according to my tests, the following scenarios can be identified:\r\nCreation of a local policy\r\nUsing the Windows Security GUI\r\nPowerShell with the cmdlet Add-MpPreference\r\nHowever, besides the methods provided for this purpose, I can also try to put my exclusions directly into the registry as keys:\r\nTheoretically this can be done in several ways with different permissions (Administrator or SYSTEM) in the hives HKLM\\Software\\Microsoft\\Windows Defender\\… and HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\…\r\nIn my tests I was not able to change keys in the non-policy path either as admin or as SYSTEM, although SYSTEM is the owner of the hive. The reason for this, I suspect, is that Defender AV prevents changes to this part of the registry by a kernel-mode driver.\r\nIn the hive under Policies it is possible to create further exclusions as a local admin which (after some time or a gpupdate) will be applied. Unfortunately, no logs are generated for any changes made this way or by GPO.\r\nThis works (after a reboot) even on a non-domain-joined Windows 10 device if you create the hive under Policies and add the keys. This is a really serious problem from my point of view and should be fixed by MS. If you are interested in how exactly this vulnerability can be used, check out this (awesome) blog by Fabian Bader!\r\nDetect and prevent exclusions from configuration systems\r\nSince there are many ways to configure exclusions, as described above, this is not a complete list; I limit myself to the tools that are accessible to me.\r\nAdd Custom Indicators in MDE\r\nAs described above, you need the Active Remediation Actions permission to manipulate the CIs. For each CI it is directly recognizable when and by whom it was created.\r\nUnfortunately, there are no events for the creation of CIs in the audit log yet, but since there are already filters for them, I am optimistic that it will soon be possible to specifically search for or alert on them.\r\nAdd Exclusions in Intune\r\nOf course, it is also possible to add further Exclusions with Intune. These can be created by (at least) the following roles:\r\nIn Intune: Endpoint Security Manager and Custom Roles\r\nIn AAD: Global Admin, Intune Admin, Security Admin\r\nThese changes are included in the Intune Audit Log and can be queried and alerted on accordingly if needed.\r\nAdd Exclusions via GPO\r\nFinally, there is the possibility to add exclusions via GPO. Due to the above-described behavior for merging the lists, it is possible to add additional exclusions with each existing or new GPO that acts on the system.\r\nUnfortunately, neither the modification of the GPOs nor the configured systems have an event that indicates that an exclusion has been added. You will only see that a GPO has been modified or applied. To detect this change, only a regular export and comparison would help at the moment.\r\nTo go into a little more detail, a look at Advanced Hunting:\r\nThere are some entries in the DeviceRegistryEvents table from the HKLM\\Software\\Policies\\Microsoft\\ policy hive that even contain changes to the Windows Defender keys, but nothing from the exclusions hive.\r\nConclusion\r\nIn this blog I have tried to summarize my learnings around the topic of Exclusions in Defender for Endpoint. We first looked at what types of exclusions there are and how they can be managed, including a strategy of which ones to use. Then we dived a bit deeper into the mechanics of exclusions, what happens when conflicts occur and what scoping options are available. The last part then dealt with the risks, hardening and monitoring.\r\nI am afraid that this topic will continue to be relevant and hope that I have overlooked something, especially in the areas of hardening and monitoring. It is quite obvious that an attacker with admin rights can only be stopped with difficulty, but the fact that he can create exclusions unseen and thus create a space in which he can reload all the necessary tools makes the situation even more difficult.\r\nFor me, the critical part was formulating a realistic strategy for dealing with exclusions:\r\n#1: Avoid exclusions\r\n#2: Use Custom Indicators (hashes) whenever possible!\r\n#3: Use the right (classic) exclusion type and avoid common mistakes\r\n#4: Make yourself familiar with the scoping of exclusions\r\n#5: Monitor and Review your Exclusions\r\nWhat’s your strategy for dealing with exclusions? Contact me: https://twitter.com/cbrhh\r\nAcknowledgements\r\nThanks to Fabian Bader and Nadine Kern for reviewing and checking all that stuff. 💖 And don’t forget to read Fabian’s Blog!\r\nSource: https://medium.com/codex/my-learnings-on-microsoft-defender-for-endpoint-and-exclusions-ddacf2fdd047",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/codex/my-learnings-on-microsoft-defender-for-endpoint-and-exclusions-ddacf2fdd047"
	],
	"report_names": [
		"my-learnings-on-microsoft-defender-for-endpoint-and-exclusions-ddacf2fdd047"
	],
	"threat_actors": [],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1f10ddea6ac1304294d5cc45aa9ce70b453f3f8.pdf",
		"text": "https://archive.orkl.eu/c1f10ddea6ac1304294d5cc45aa9ce70b453f3f8.txt",
		"img": "https://archive.orkl.eu/c1f10ddea6ac1304294d5cc45aa9ce70b453f3f8.jpg"
	}
}