Windows Security · Microsoft Defender · Antivirus Exclusions

How to Add Exclusions in Microsoft Defender on Windows
File · Folder · File Type · Process

A practical Windows 10 and Windows 11 guide to adding, checking, and removing Microsoft Defender Antivirus exclusions safely, without disabling your main protection.

⏱ 10 min read 🪟 Windows 10 🪟 Windows 11 🛡 Microsoft Defender Antivirus ⚙️ Settings · PowerShell · Policy
Section 01

What Are Microsoft Defender Exclusions in Windows?

Microsoft Defender exclusions are trusted items that Microsoft Defender Antivirus skips during scanning. Depending on the exclusion type, Defender can stop scanning a specific file, an entire folder, a file extension, or files opened by a specified process.

Exclusions are useful when Defender repeatedly flags a trusted internal tool, slows down a development folder, scans large temporary files, or interferes with a known safe application. However, an exclusion also creates a blind spot. Anything placed in an excluded location may avoid normal antivirus checks.

⚠️
Important Do not add exclusions for cracked software, unknown downloads, suspicious scripts, your entire system drive, or folders such as Downloads, Desktop, or C:\Users. Add the narrowest possible exclusion only when you trust the file or folder.
Best for most users

Windows Security app

Use the graphical interface to add one file, folder, file type, or process exclusion.

Recommended
Best for admins

PowerShell

Use Defender cmdlets to add, list, or remove exclusions quickly and precisely.

Advanced
Best for organizations

Group Policy

Apply exclusions centrally on Windows Pro, Enterprise, Education, or domain-managed PCs.

Policy
Section 02

When Should You Add a Microsoft Defender Antivirus Exclusion?

You should add a Defender exclusion only when there is a clear reason and the item is trusted. In many cases, it is safer to restore a false positive from Protection history, update the app, or report the detection to the software vendor instead of excluding a broad folder.

Good reasons

  • A verified business application is repeatedly scanned and causes performance issues.
  • A trusted developer build folder contains many temporary files created during compilation.
  • A vendor documents a specific Defender exclusion for its product.
  • A known safe file is repeatedly detected as a false positive.
  • A lab or test folder must be excluded for controlled troubleshooting.

Bad reasons

  • A downloaded file is blocked and you do not know exactly what it does.
  • A website tells you to disable Defender or exclude a whole drive.
  • A game crack, patcher, keygen, or unknown script is detected.
  • You want to hide malware-like behavior from antivirus scanning.
  • You are excluding broad user folders instead of one trusted path.
Best practice Prefer a specific file or a dedicated application folder. Avoid file type exclusions such as .exe, .dll, .ps1, or .js, because they can weaken protection across the whole PC.
Section 03

Before You Add an Exclusion in Windows Defender

Before changing Microsoft Defender settings, confirm that the item is trustworthy. If you exclude the wrong path, malware can be saved or executed there with less chance of being detected by standard scans.

Update Defender definitions first

  1. Open Windows Security.
  2. Go to Virus & threat protection.
  3. Open Protection updates.
  4. Click Check for updates.
💡
Tip If the issue is a false positive, try updating Defender security intelligence first. Some false detections disappear after Microsoft updates its signatures.
Section 04

How to Add an Exclusion in Microsoft Defender Using Windows Security

The easiest way to add an exclusion is through the Windows Security app. The steps are almost the same in Windows 10 and Windows 11.

Open the exclusions page

  1. Open the Start menu.
  2. Type Windows Security and open the app.
  3. Select Virus & threat protection.
  4. Under Virus & threat protection settings, click Manage settings.
  5. Scroll down to Exclusions.
  6. Click Add or remove exclusions.
  7. Confirm the UAC prompt if Windows asks for administrator permission.
  8. Click Add an exclusion.
  9. Choose File, Folder, File type, or Process.
Windows Security Virus & threat protection Manage settings Add or remove exclusions

Add a folder exclusion

  1. Click Add an exclusion.
  2. Select Folder.
  3. Choose the trusted folder, for example C:\Tools\TrustedApp.
  4. Click Select Folder.
  5. Verify that the folder appears in the exclusions list.
🔒
Security note A folder exclusion applies to files inside that folder and its subfolders. Create a separate folder for the trusted application instead of excluding a general location where you save downloads or documents.
Section 05

Microsoft Defender Exclusion Types Explained

Microsoft Defender offers several exclusion types. Choosing the right one matters because some exclusions are much broader than others.

Exclusion type What it excludes Example Risk level
File One specific file. C:\Tools\app.exe Lower
Folder A folder and the files inside it, including subfolders. C:\Tools\TrustedApp Medium
File type All files with a selected extension. .test High
Process Files opened by the specified process. trustedtool.exe Medium to high

File exclusion

Choose File when only one trusted file is causing the issue. This is usually safer than excluding a folder.

Folder exclusion

Choose Folder for a trusted application directory, build output directory, virtual machine storage folder, or other controlled location. Do not use it for general-purpose folders.

File type exclusion

Choose File type only when you fully understand the impact. A file type exclusion applies everywhere on the computer, so it can weaken protection significantly.

Process exclusion

Choose Process when files opened by a specific trusted process should not be scanned. This is usually an administrator-level setting for specialized software, developer tools, or business applications.

Section 06

How to Add Microsoft Defender Exclusions with PowerShell

PowerShell is useful when you need to add exclusions quickly, document changes, or apply the same setting on several computers. Open Windows Terminal or PowerShell as administrator before running these commands.

Add a folder exclusion

Add-MpPreference -ExclusionPath "C:\Tools\TrustedApp"

Add a single file exclusion

Add-MpPreference -ExclusionPath "C:\Tools\TrustedApp\app.exe"

Add a file type exclusion

Add-MpPreference -ExclusionExtension ".test"

Add a process exclusion

Add-MpPreference -ExclusionProcess "C:\Tools\TrustedApp\trustedtool.exe"
⚙️
PowerShell warning Use Add-MpPreference to add entries to the existing list. Be careful with Set-MpPreference, because it can replace existing exclusion lists if used incorrectly.

Add multiple exclusions at once

Add-MpPreference -ExclusionPath "C:\Tools\TrustedApp","D:\VMs\TrustedLab"
Add-MpPreference -ExclusionExtension ".test",".build"

After adding exclusions, open Windows Security and confirm that the entries appear under Add or remove exclusions.

Section 07

How to Check or Remove Microsoft Defender Exclusions

It is a good idea to review Defender exclusions regularly. Remove anything you no longer need, especially old test paths, temporary folders, and exclusions created for software you have already uninstalled.

Check exclusions with Windows Security

  1. Open Windows Security.
  2. Go to Virus & threat protection.
  3. Click Manage settings.
  4. Open Add or remove exclusions.
  5. Review every listed file, folder, file type, and process.

Check exclusions with PowerShell

Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess

Remove a folder or file exclusion

Remove-MpPreference -ExclusionPath "C:\Tools\TrustedApp"

Remove a file type exclusion

Remove-MpPreference -ExclusionExtension ".test"

Remove a process exclusion

Remove-MpPreference -ExclusionProcess "C:\Tools\TrustedApp\trustedtool.exe"
🧹
Maintenance tip Review exclusions after uninstalling software, finishing a project, cleaning malware, or changing development folders. Fewer exclusions usually means better protection.
Section 08

How to Add Microsoft Defender Exclusions Using Group Policy

Group Policy is useful on Windows Pro, Enterprise, Education, and domain-managed computers. It is not available in Windows Home without unsupported workarounds.

Open the Defender exclusions policy path

  1. Press Win + R.
  2. Type gpedit.msc and press Enter.
  3. Go to Computer Configuration.
  4. Open Administrative Templates.
  5. Go to Windows Components.
  6. Open Microsoft Defender Antivirus.
  7. Open Exclusions.
📁 Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions

Common policy settings

Policy Use it for Value format
Path Exclusions Files or folders. C:\Tools\TrustedApp
Extension Exclusions File extensions. .test
Process Exclusions Files opened by specified processes. C:\Tools\TrustedApp\trustedtool.exe

Add a path exclusion with Group Policy

  1. Double-click Path Exclusions.
  2. Set the policy to Enabled.
  3. Click Show under the options list.
  4. Enter the path in the Value name column.
  5. Enter 0 in the Value column.
  6. Click OK and close the policy editor.
  7. Run gpupdate /force or restart the computer.
🏢
Managed devices On work or school computers, Defender exclusions may be controlled by Microsoft Intune, Group Policy, or another endpoint management tool. In that case, local changes may be blocked or overwritten.
Section 09

Fix Microsoft Defender Exclusions That Are Missing, Locked, or Not Working

If you cannot add or remove exclusions, or if exclusions disappear after a restart, check the items below.

Problem Possible cause What to check
The exclusions page is greyed out. The PC is managed by an organization or policy. Settings → Accounts → Access work or school; Group Policy; Intune policy.
PowerShell command fails. PowerShell is not running as administrator. Open Windows Terminal as administrator and run the command again.
Exclusion disappears later. Domain policy or security software overwrites local settings. Check applied policies and third-party endpoint protection.
Defender still detects the app. Wrong path, renamed executable, or a different protection feature is involved. Verify the exact file path and review Protection history.
Windows Security shows a warning. The exclusion is broad or risky. Narrow the exclusion to a specific file or trusted application folder.

Check whether another antivirus is active

If another antivirus product is installed, Microsoft Defender Antivirus may run in a different mode and some controls may not behave as expected. Open Windows Security → Virus & threat protection and check which provider is currently active.

Check whether the PC is managed

If you see messages such as This setting is managed by your administrator or Your organization manages some settings, local exclusion settings may be controlled by policy. On a company computer, contact the administrator instead of trying to bypass the policy.

Section 10

Microsoft Defender Exclusions FAQ

Q Is it safe to add an exclusion in Microsoft Defender?
It can be safe if the exclusion is narrow and the item is trusted. It is not safe to exclude large folders, unknown downloads, system-wide file types, or anything detected from an untrusted source.
Q Does a folder exclusion include subfolders?
Yes. A folder exclusion normally applies to the folder and files inside its subfolders. That is why you should use a dedicated folder instead of a broad location.
Q Should I exclude an entire drive from Microsoft Defender?
No, not for normal desktop use. Excluding an entire drive creates a large blind spot. Use a specific trusted folder or file instead.
Q Why is “Add or remove exclusions” locked?
The setting may be controlled by Group Policy, Microsoft Intune, a work or school account, or another security product. On a managed computer, the administrator must change the policy.
Q Can I add exclusions on Windows Home?
Yes, you can usually use the Windows Security app or PowerShell on Windows Home. Local Group Policy Editor is not included in Windows Home editions.
Q What is better: a file exclusion or a folder exclusion?
A file exclusion is usually safer because it affects only one file. A folder exclusion is more convenient for an application directory, but it also excludes future files placed inside that folder.

Conclusion

The safest way to add a Microsoft Defender exclusion is to use the smallest possible scope: one trusted file first, then a dedicated folder only if necessary. Use Windows Security for everyday changes, PowerShell for precise administration, and Group Policy for managed environments. Review exclusions regularly and remove anything that is no longer needed.