Windows Security

Windows Defender exclusions (when safe)

Practical Windows guide: windows Defender exclusions (when safe) without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Exclusions reduce protection. Only exclude paths or processes you trust completely — never entire drives or Downloads folders.

What you will achieve

Add Windows Defender exclusions for legitimate development or backup tools without disabling real-time protection entirely.

1) When an exclusion is reasonable

  1. Local development folders with constant file changes (node_modules, build output) cause false-positive scans and CPU spikes.
  2. Trusted backup agents or VM disk images that Defender repeatedly quarantines after vendor verification.
  3. Never exclude because a random website told you to — that is how malware keeps running.

2) Add exclusion in Windows Security

  1. Open Windows Security → Virus & threat protection → Manage settings under Virus & threat protection settings.
  2. Scroll to Exclusions → Add or remove exclusions → Add an exclusion.
  3. Choose Folder, File, File type, or Process — prefer the narrowest option.

3) Add via PowerShell (Admin)

Add-MpPreference -ExclusionPath "D:\Dev\MyProject"
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

4) Review exclusions periodically

  1. Remove exclusions for projects you no longer use.
  2. After major Windows updates, confirm Defender is still enabled: Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled.

5) Audit exclusions regularly

Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension

6) Temporary exclusion workflow

  1. Add exclusion, run trusted build, remove exclusion immediately after — do not leave permanent holes for convenience.

7) Attack Surface Reduction interaction

  1. Windows Security → App & browser control → Exploit protection — ASR rules are separate from path exclusions.

8) Controlled Folder Access vs exclusions

  1. Windows Security → Virus & threat protection → Ransomware protection → Controlled folder access blocks unauthorised writes — whitelist apps instead of disabling CFA.

9) Microsoft recommended exclusions (servers)

Microsoft publishes exclusion lists for Exchange, SQL, and SCCM — only apply on those roles, never blanket-copy to desktops.

  1. Search “Microsoft Defender Antivirus exclusions for server roles” for current KB.
  2. Document every exclusion in change control — auditors will ask.

Verification checklist

Quarterly review exclusion list against running projects. Remove paths for repos archived months ago — stale exclusions are forgotten attack surface.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Quick reference paths

  • Windows Security → Virus & threat protection → Exclusions
  • Get-MpPreference
  • Add-MpPreference -ExclusionPath
  • Admin tools: press Win + X for Terminal (Admin), Device Manager, and Computer Management.

Related guides

defender exclusions safely windows

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Security
Local admin vs standard user accounts
Practical Windows guide: local admin vs standard user accounts without the usual guesswork.
Read guide
Security
Disable Remote Desktop when not needed
Practical Windows guide: disable Remote Desktop when not needed without the usual guesswork.
Read guide