Thursday, September 3, 2020

Windows Server 2019 Defender ConfigMgr exclusions


I recently upgraded a ConfigMgr instance on a single server, from Server 2012 R2 to 2019, along with SQL (from 2014 to 2017). They use Microsoft for malware detection. As part of the in-place upgrade process, SCEP had to go, since it is not compatible with 2016 and up, as they have Defender built-in. Per this article by Brandon, Microsoft recommends several files/folders be excluded from on-access scanning for the various ConfigMgr roles.

As it was a single system, it did not make sense to use GPO, so I chose to go about it manually. 

In the GUI you can navigate to: Start > Settings > Update & Security > Windows Security > Virus & threat protection. Then under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions. Select Add an exclusion, and then select from files, folders, file types, or process. While I was not interested in adding them this way, they do show there once added via other methods.


Exclusions are kept in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions. However, there are anti-tamper measures in place so you cannot write to this location even using psexec or other methods, as it is owned by BUILTIN\SYSTEM and permissions are further locked down.

Happily, you can do this via Powershell using the add-mppreference cmdlet. In my case I only had files and folders so just needed one switch – exclusionpath. There are several other switches you can use based on other types of exclusions. If I had many servers to do, I would have written a script but just did it by hand this time:

add-mppreference -exclusionpath PATHORFILETOEXCLUDE



Additionally, Defender will automatically exclude paths based on the installed role so paths for WSUS were skipped. I only added the relevant ConfigMgr ones here per the article. For the file types around SQL, I did use the GUI since I was already there vs. using the ExclusionExtension switch. Some items of note:
  • A folder exclusion not only excludes the folder and its files but also all sub-folders.
  • You can also substitute logical paths with environment variables. In the example above, %WINDIR% is an environment variable that maps to your Windows folder (for example C:\Windows).
  • While Brandon suggests the content source be excluded I did not as that is used by IT staff for various tasks such as out of band installs so rather it be scanned and this is flagged for performance anyhow.
I did have to fix a few as the ConfigMgr agent is not in the default %WINDIR%\CCM location due to NO_SMS_ON_DRIVE.SMS is on the OS volume. In this case, it is on the ConfigMgr volume under the SMS_CCM folder.

With all this done, Defender in Windows Server 2019 will exclude all the relevant directories used by Configmgr and not hinder performance. I assume this would apply to Windows server 2016 as well.