Verify the Windows Defender exclusions that are set using "Auto Exclusions".

Patrick Gfeller 11 Reputation points
2021-01-30T11:42:07.987+00:00

Good day,

I am concerned about Windows Defender on Windows Server 2016 and 2019. I am looking at how to best manage exclusions on servers in an Active Directory domain. The 2016 and 2019 servers have a feature that dynamically sets various exclusions for various roles on their own, based on the settings that come with the "Security Intelligence Update". These are also noted on this page: https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#list-of-automatic-exclusions.

However, as far as I have found out, there is no way to verify that these are actually applied on the end device: neither in the registry, nor via PowerShell, nor via the GUI itself.

Can anyone help me with this?

Kind regards


3 answers

  1. Joy Qiao 5,792 Reputation points Microsoft Employee Moderator
    2021-02-01T07:52:03.07+00:00

    Hi,

    How did you configure Auto Exclusions: through the PowerShell command line, the registry, or Group Policy?
    What exclusion did you add?

    Make sure you find the correct path for the corresponding exclusion item.
    File and folder exclusions are stored in the registry key below.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    File type exclusions are stored in the registry key below.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    Process exclusions are stored in the registry key below.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

    If you are using Group Policy to configure them, try running "gpresult /h gp.html" as administrator to check whether any related information is recorded.
    Did you compare those values in the registry or the Group Policy result between configured and unconfigured devices?

    I noticed that the article "Add or Remove Microsoft Defender Antivirus Exclusions in Windows 10" below has a similar issue to yours, and in the end it was resolved by deleting the path key in the registry, on the second page.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Bests,


    1 person found this answer helpful.
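
The checks listed in the answer above can be scripted and compared against what `Get-MpPreference` reports. This is an added example, not code from the thread or from Microsoft; the `Policies` registry path is not mentioned in the thread and is included on the assumption that exclusions delivered by Group Policy are stored there. It covers configured exclusions only; the single automatic-exclusion signal it reads is the `DisableAutoExclusions` setting.

```powershell
# Added example (not from the thread). Run elevated on the server being checked.
$roots = [ordered]@{
    Local  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'           # keys named in the answer
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'  # assumption: Group Policy copy
}
$kinds = 'Paths', 'Extensions', 'Processes'

# 1. Collect every exclusion stored in the registry; each one is a value name under its key.
$fromRegistry = foreach ($root in $roots.GetEnumerator()) {
    foreach ($kind in $kinds) {
        $key = Get-Item -LiteralPath (Join-Path $root.Value $kind) -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            if ($name) { [pscustomobject]@{ Source = $root.Key; Kind = $kind; Entry = $name } }
        }
    }
}

# 2. Collect what the Defender module reports for the same three exclusion kinds.
$pref = Get-MpPreference
$fromCmdlet = foreach ($pair in @(
        @{ Kind = 'Paths';      Values = $pref.ExclusionPath },
        @{ Kind = 'Extensions'; Values = $pref.ExclusionExtension },
        @{ Kind = 'Processes';  Values = $pref.ExclusionProcess })) {
    foreach ($value in $pair.Values) {
        if ($value) { [pscustomobject]@{ Source = 'Get-MpPreference'; Kind = $pair.Kind; Entry = $value } }
    }
}

# 3. Flag entries that only one of the two views knows about (-notcontains ignores case).
$regSet = @($fromRegistry | ForEach-Object { "$($_.Kind)|$($_.Entry)" })
$cmdSet = @($fromCmdlet   | ForEach-Object { "$($_.Kind)|$($_.Entry)" })
$onlyInCmdlet   = $fromCmdlet   | Where-Object { $regSet -notcontains "$($_.Kind)|$($_.Entry)" }
$onlyInRegistry = $fromRegistry | Where-Object { $cmdSet -notcontains "$($_.Kind)|$($_.Entry)" }

# 4. One summary record per server, followed by the full list for review.
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    DisableAutoExclusions = $pref.DisableAutoExclusions   # False: automatic exclusions not turned off
    RegistryEntries       = @($fromRegistry).Count
    CmdletEntries         = @($fromCmdlet).Count
    OnlyInCmdlet          = @($onlyInCmdlet).Entry -join '; '
    OnlyInRegistry        = @($onlyInRegistry).Entry -join '; '
} | Format-List
@($fromRegistry) + @($fromCmdlet) | Sort-Object Kind, Entry, Source | Format-Table -AutoSize
```

Entries listed under `OnlyInCmdlet` or `OnlyInRegistry` are the ones to review by hand, since the two views disagree about them.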

  2. Patrick Gfeller 11 Reputation points
    2021-02-01T13:49:49.1+00:00

    @Joy Qiao thanks for answering.

    I have tried to verify the exclusions which are created using the "Auto Exclusions" function. The function is controlled by Group Policy, so "Turn off Auto Exclusions" -> disabled.

    For this purpose, I have set up a VM with Windows Server 2019 and installed the following roles there: Active Directory Domain Services, DHCP Server, DNS Server and the Web Servers (IIS). I have not defined any other exclusions.

    So only the exclusions made by the "Auto Exclusions" function should be visible. However, these are nowhere to be found.


  3. Joy Qiao 5,792 Reputation points Microsoft Employee Moderator
    2021-02-03T05:21:32.483+00:00

    Hi,

    I ran a test on "Turn off Auto Exclusions" and got the following behavior.

    After I disabled "Turn off Auto Exclusions" in Group Policy and configured Path Exclusions with a specific path, such as C:\Program Files\Internet Explorer\images, with value 0, it does not show up in the Group Policy result report when running gpresult. It also does not show up in the registry key as a path exclusion. But it does show up in the UI, in the Security window in Settings.


    After I ran a custom scan and specified C:\Program Files\Internet Explorer to scan, it scanned 31 files.

    If I delete the configured Group Policy path exclusion value and perform a custom scan, it scans 32 files for C:\Program Files\Internet Explorer.

    So even though the Group Policy is not shown as actually configured, it works well on clients.

    We could report the issue to Microsoft through the Windows built-in Feedback Hub; I will also report it through our internal channel.

    I know it could be confusing for IT administrators, who will not know whether their Group Policy was successfully applied. In the current state, we could choose a few clients and check in the Security UI window to confirm that the exclusion Group Policy was applied. Thank you for your understanding.

    Bests,
