Exclude folders or drives from Windows Defender scanning

  • Exclusions reduce protection: limit them with restrictions based on path type, scan type, trigger, and process.
  • Configure them from Windows Security, GPO/Intune/SCCM, or with PowerShell/WMI.
  • Supports wildcards and environment variables for portable and precise rules.
  • Validate with Get-MpPreference, MpCmdRun and the EICAR test file.

When Microsoft Defender scans your entire computer, it's sometimes a good idea to exclude certain elements to improve performance or avoid unnecessary crashes. Configuring exclusions for files, folders, extensions, or processes is the right way to do it, but there are important nuances to avoid reducing protection too much.

In the following lines you will find a complete and very practical guide on how to exclude what you need, both from the Windows Security app and through PowerShell, GPO, Intune/Configuration Manager, and WMI. It also includes advanced contextual exclusions (by scan type, trigger, and process), use of wildcards and environment variables, and validation methods with MpCmdRun and the EICAR test file.

What are exclusions and when to use them?

Exclusions are primarily used to mitigate performance impacts in specific scenarios (e.g., during builds, backups, or I/O-intensive tasks). Applying them implies a reduction in protection, so it is advisable to fine-tune them and not use them lightly.

In addition to basic exclusions, Microsoft Defender Antivirus supports contextual exclusions with restrictions. These restrictions limit when and how the exclusion applies: by path type (file/folder), scan type (quick/full/targeted), trigger (on-demand, on-access, by behavior monitoring), and accessing process.

Important: Contextual exclusions are not ideal for reliably handling false positives. In the event of a real false positive, the correct course of action is to submit the file to Microsoft for analysis (Defender portal or the Security Intelligence site) or, temporarily in enterprise environments, to use allow indicators in Defender for Endpoint.

Contextual exclusions: restriction types and syntax

The way to build a contextual exclusion is to add a suffix in curly braces to the file or folder path that defines the intent. The base syntax is <PATH>\:{TypeName:value,TypeName:value}. Note that all type names and values are case-sensitive.

The four available restrictions are as follows. You can combine them to best fit the context in which the exclusion applies:

  • PathType to indicate whether the target is a "file" or a "folder".
  • ScanType to limit the exclusion to "quick" or "full" scans. The "resource/targeted" scan falls under the basic exclusions when run on demand.
  • ScanTrigger for the trigger: "OnDemand" (manual or scheduled), "OnAccess" (real-time on open/read/write) or behavior monitoring (often abbreviated as "BM").
  • Process to restrict the exclusion to a specific process (wildcards in the path or image name are allowed).

Typical use: refine your exclusions by limiting them to a scan type or process to minimize risk.

Version requirements for contextual exclusions

To use exclusions with restrictions you need an up-to-date Microsoft Defender Antivirus. Minimum platform version: 4.18.2205.7; minimum engine version: 1.1.19300.2. Check for product and security intelligence updates to ensure compatibility.

Syntax and examples of contextual exclusions

Starting from existing exclusions, you can make them more specific by adding restrictions. Remember to respect upper/lower case in TypeName and values. Base syntax: <PATH>\:{TypeName:value,TypeName:value}.

Example 1: Exclude only if the target is a file and only when scanning on access. The specific file is excluded in real time: c:\documents\design.doc\:{PathType:file,ScanTrigger:OnAccess}.

Example 2: Exclude a file only if it is accessed by a specific process. Here, the exclusion applies when the process whose image is named winword.exe touches the file: c:\documents\design.doc\:{Process:"winword.exe"}.

Example 3: Wildcards are allowed in file or folder paths. This excludes .doc documents in on-demand scans: c:\*\*.doc\:{PathType:file,ScanTrigger:OnDemand}.

Example 4: The process image path can include wildcards. This limits the exclusion by Office version: c:\documents\design.doc\:{Process:"C:\\Program Files*\\Microsoft Office\\root\\Office??\\winword.exe"}.

Restriction by path type: file or folder

If you don't specify anything, the exclusion applies to the target regardless of whether it's a file or a folder, and to all scan types. To make it valid only if the target is a folder, use PathType:folder. Example: C:\documents\*\:{PathType:folder}.

To ensure that an exclusion only applies to files (never a folder), use PathType:file. Example: C:\documents\*.mdb\:{PathType:file}.

A documented quirk: if the target is a file but you indicate that the exclusion is a folder, it is not applied; however, if the target is a folder and you specify "file", it is applied. Keep this in mind when designing rules.

Restrict by scan type: quick, full, and targeted

By default, a basic exclusion affects any scan (quick, full, or resource-targeted). To mitigate the impact, you can narrow it down to the scan type you are interested in.

Example: Exclude a folder during the full scan only: C:\documents\:{ScanType:full}. That way it doesn't interfere with quick or targeted scans.

Example: Exclude one item during the quick scan only: C:\program.exe\:{ScanType:quick}. If you want to ensure that it is a file and not a folder with a similar name, add PathType:file: C:\program.exe\:{ScanType:quick,PathType:file}.

Restrict by scan trigger

The trigger categories are: OnDemand (manual/command-line and also scheduled), OnAccess (real-time protection) and behavior monitoring (sometimes abbreviated as BM, includes memory analysis).

Example: Exclude a folder and its contents only when scanning on access (real-time): c:\documents\:{ScanTrigger:OnAccess}. It will continue to be scanned in manual or scheduled scans if you don't add any further restrictions.

Restrict by accessing process

This option is very useful if you don't want to exclude an entire process (which would be dangerous), but only certain accesses from that process to a specific file or folder. Wildcards are allowed in the image name or path.

Example: limit to Word, Access or the generic Office path: c:\documents\design.doc\:{Process:"winword.exe", Process:"msaccess.exe", Process:"C:\\Program Files*\\Microsoft Office\\root\\Office??\\winword.exe"}. The exclusion only applies when access is initiated by one of those processes.
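Because restriction names and values are case-sensitive, a typo can leave you with a rule that does not do what you intended. The following linter is an added example, not part of the original article or Microsoft's tooling: it splits each entry at the \:{...} suffix and checks names and values against the lists given above. The function name Test-ContextualExclusion, the sample entries, and the literal value 'BM' for behavior monitoring are assumptions.

```powershell
# Restriction names and values as listed in this article; all are case-sensitive.
# 'BM' as the literal behavior-monitoring value is an assumption based on the
# abbreviation the article mentions.
$AllowedValues = @{
    PathType    = @('file', 'folder')
    ScanType    = @('quick', 'full')
    ScanTrigger = @('OnDemand', 'OnAccess', 'BM')
}

function Test-ContextualExclusion {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Exclusion)
    process {
        $path = $Exclusion; $restrictions = @(); $problems = @()
        if ($Exclusion -match '^(?<path>.+?)\\:\{(?<body>.*)\}$') {
            $path = $Matches['path']; $body = $Matches['body']
            # Name:value pairs; quoted values (Process paths) may contain ':' or ','.
            $pairRx = '(?<name>[A-Za-z]+):(?<value>"[^"]*"|[^,"\s]+)'
            foreach ($m in [regex]::Matches($body, $pairRx)) {
                $name  = $m.Groups['name'].Value
                $value = $m.Groups['value'].Value.Trim('"')
                $restrictions += "${name}=$value"
                if ($name -ceq 'Process') {
                    if (-not $value) { $problems += 'Process restriction is empty' }
                } elseif (@($AllowedValues.Keys) -cnotcontains $name) {
                    $problems += "Unknown restriction name '$name' (names are case-sensitive)"
                } elseif ($AllowedValues[$name] -cnotcontains $value) {
                    $problems += "Invalid value '$value' for $name (values are case-sensitive)"
                }
            }
            # Anything left after removing valid pairs and separators is a syntax error.
            $leftover = ([regex]::Replace($body, $pairRx, '')) -replace '[,\s]', ''
            if ($leftover) { $problems += "Unparsed text in restriction block: $leftover" }
            if (-not $restrictions) { $problems += 'Restriction block is empty' }
        } elseif ($Exclusion -match ':\{') {
            $problems += 'Restriction suffix is malformed; expected <path>\:{Name:value,...}'
        }
        [pscustomobject]@{
            Path         = $path
            Restrictions = $restrictions -join ', '
            Scope        = if ($restrictions) { 'contextual' } else { 'basic (all scans, triggers, processes)' }
            Problems     = $problems -join '; '
        }
    }
}

# Constructed sample list: entries from this article plus three deliberately broken ones.
$samples = @(
    'c:\documents\design.doc\:{PathType:file,ScanTrigger:OnAccess}'
    'c:\documents\design.doc\:{Process:"C:\\Program Files*\\Microsoft Office\\root\\Office??\\winword.exe"}'
    'C:\documents\:{ScanType:full}'
    'C:\builds'                                        # basic exclusion, no restrictions
    'C:\documents\:{scantype:Full}'                    # wrong case in the name
    'C:\program.exe\:{ScanType:quick,PathType:File}'   # wrong case in a value
    'C:\documents:{ScanTrigger:OnAccess}'              # missing backslash before :{
)
$samples | Test-ContextualExclusion | Format-List
```

To lint the rules actually configured on a host, pipe (Get-MpPreference).ExclusionPath into the function from an elevated session.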

How to configure exclusions in the Windows Security app

From the graphical interface, it's very simple. Open the search box and go to "Windows Security." Go to "Virus & threat protection" and select "Manage settings" under "Virus & threat protection settings."

Scroll down to "Exclusions" and select "Add or remove exclusions." Click "Add an exclusion" to select the type: File, Folder, File type, or Process. You will exclude a file, an entire folder (including subfolders), an extension in any location, or a process by name.

To exclude a folder, select "Folder," navigate to the path, and confirm with "Select Folder." From then on, it will be excluded from scanning according to the basic exclusion rules.

If you later want to remove an exclusion, click the icon next to the entry in the list of excluded items and choose "Remove". It is an immediate and reversible process.

Configure exclusions with Intune and Configuration Manager

In corporate environments, you can deploy exclusions centrally. With Microsoft Intune you have configuration profiles for Defender that accept exclusion lists by path, extension, or process.

If you use Microsoft Configuration Manager (SCCM), configure them in the antimalware policy (current branch) within the exclusion options. These platforms make it easy to maintain consistency and compliance on all managed computers.

Configure exclusions with Group Policy (GPO)

Open the Group Policy Management Console (GPMC), locate the GPO you want to edit, and click Edit. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions.

For "Path Exclusions": set the option to "Enabled" and click "Show." Enter each folder or file on its own line (if it's a file, include the drive, full path, name, and extension). In the "Value" column, use "0."

For "Extension Exclusions": set it to "Enabled", go to "Show" and enter one extension per line (with or without a period). Again, use "0" in the "Value" column.

PowerShell: Add, Remove, and List Exclusions

Defender includes cmdlets in its built-in module. To create or overwrite a list, use Set-MpPreference; to add elements, use Add-MpPreference; and to remove them, use Remove-MpPreference. The general form is: <cmdlet> -<exclusion list> "<item>".

The main parameters are -ExclusionPath (a specific file or folder, with subdirectories) and -ExclusionExtension (all the extensions you specify). Example to exclude an extension: Add-MpPreference -ExclusionExtension ".test". Any .test file will then be left out of scanning.

To review the full status of preferences, run Get-MpPreference. You can store it in a variable and query properties like ExclusionPath or ExclusionExtension:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath

Remember that each use of Add-MpPreference adds a new entry to the list; if you want to rebuild it from scratch, use Set-MpPreference with the complete list you wish to keep.
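Since Add-MpPreference accumulates entries and Set-MpPreference overwrites silently, it helps to compare the configured list against a reviewed baseline before changing anything; entries found on the host but missing from the baseline deserve investigation. The following is an added example, not part of the original article: Get-ExclusionDrift and Sync-DefenderPathExclusion are hypothetical helper names, and the sample paths are constructed.

```powershell
# Pure comparison: returns one object per difference between host and baseline.
# Comparison is case-insensitive, like Windows paths; whitespace is trimmed.
function Get-ExclusionDrift {   # hypothetical helper name
    param([string[]]$Current = @(), [string[]]$Baseline = @())
    $cur  = @($Current  | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    $base = @($Baseline | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    foreach ($item in $cur) {
        # Present on the host but not approved: candidate for removal and review.
        if ($base -notcontains $item) { [pscustomobject]@{ Action = 'Remove'; Item = $item } }
    }
    foreach ($item in $base) {
        # Approved but missing on the host.
        if ($cur -notcontains $item) { [pscustomobject]@{ Action = 'Add'; Item = $item } }
    }
}

# Applies the differences one by one so every change is visible and loggable.
# Supports -WhatIf / -Confirm; requires an elevated session on a Defender host.
function Sync-DefenderPathExclusion {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Baseline)
    $drift = @(Get-ExclusionDrift -Current (Get-MpPreference).ExclusionPath -Baseline $Baseline)
    foreach ($d in $drift) {
        if ($PSCmdlet.ShouldProcess($d.Item, "$($d.Action) Defender path exclusion")) {
            if ($d.Action -eq 'Add') { Add-MpPreference -ExclusionPath $d.Item }
            else                     { Remove-MpPreference -ExclusionPath $d.Item }
        }
    }
    $drift   # what was (or, with -WhatIf, would be) changed
}

# Constructed sample data: the comparison itself needs no Defender access.
$current  = 'C:\builds', 'C:\Users\Public\tools'
$baseline = 'C:\builds', 'D:\backup\staging'
Get-ExclusionDrift -Current $current -Baseline $baseline | Format-Table -AutoSize

# On a managed host, preview before applying:
# Sync-DefenderPathExclusion -Baseline $baseline -WhatIf
```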

WMI (MSFT_MpPreference) for exclusions

You can also manage exclusions using WMI with the class MSFT_MpPreference. Use its Set, Add and Remove methods on the relevant properties, such as ExclusionPath and ExclusionExtension. The behavior is analogous to the PowerShell cmdlets: Set = overwrites, Add = adds, Remove = deletes.

Characteristics and scope of exclusion lists

Folder exclusions apply to all files and subfolders, except for subfolders that are reparse points, which must be explicitly excluded. This prevents unexpected behavior on redirected paths.

Extension exclusions apply to any file with that extension, regardless of its location, as long as you do not define a specific path at the same time.

Using wildcards and environment variables

In path exclusions (folders or files) you can use the asterisk (*), the question mark (?) and environment variables such as %ALLUSERSPROFILE%. These wildcards are not interpreted exactly the same as in other languages, so it's a good idea to know their rules.

Asterisk (*): in file names and extensions, it replaces any number of characters and only affects files in the last folder defined in the path; in folder exclusions, each * replaces a single folder. You can chain several with backslashes to represent multiple levels; once the number of wildcards and the folder names match, all subfolders are included.

Question mark (?): in file names and extensions, it replaces a single character and applies to the last folder. In folder exclusions, it replaces a single character within the folder name and, once matched, includes subfolders.

Environment variables: The engine will expand the variable to a path when evaluating the exclusion. They can be combined with * and ? in the same rule.

  • Examples with *: C:\MyData\*.txt covers C:\MyData\notes.txt; C:\somepath\*\Data covers C:\somepath\Archives\Data and its subfolders; C:\Serv\*\*\Backup includes paths such as C:\Serv\Primary\Denied\Backup and C:\Serv\Secondary\Allowed\Backup.
  • Examples with ?: C:\MyData\my?.zip covers C:\MyData\my1.zip; C:\somepath\?\Data covers C:\somepath\P\Data; C:\somepath\test0?\Data covers C:\somepath\test01\Data.
  • Environment variables: %ALLUSERSPROFILE%\CustomLogFiles covers C:\ProgramData\CustomLogFiles\Folder1\file1.txt.
  • Combination: %PROGRAMFILES%\Contoso*\v?\bin\contoso.exe includes paths such as C:\Program Files\Contoso Labs\v1\bin\contoso.exe.

System environment variables (system account)

Below is a useful list of common environment variables and their typical expansion in Windows. Use them in exclusions for rules that are more portable across computers:

  • %APPDATA% → C:\Windows\system32\config\systemprofile\Appdata\Roaming
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch → C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  • %APPDATA%\Microsoft\Windows\Start Menu → C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs → C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
  • %LOCALAPPDATA% → C:\WINDOWS\system32\config\systemprofile\AppData\Local
  • %ProgramData% → C:\ProgramData
  • %ProgramFiles% → C:\Program Files
  • %ProgramFiles%\Common Files → C:\Program Files\Common Files
  • %ProgramFiles%\Windows Sidebar\Gadgets → C:\Program Files\Windows Sidebar\Gadgets
  • %ProgramFiles(x86)% → C:\Program Files (x86)
  • %ProgramFiles(x86)%\Common Files → C:\Program Files (x86)\Common Files
  • %SystemDrive% → C:
  • %SystemDrive%\Program Files → C:\Program Files
  • %SystemDrive%\Program Files (x86) → C:\Program Files (x86)
  • %SystemDrive%\Users → C:\Users
  • %SystemDrive%\Users\Public → C:\Users\Public
  • %SystemRoot% → C:\Windows
  • %windir% → C:\Windows
  • %windir%\Fonts → C:\Windows\Fonts
  • %windir%\Resources → C:\Windows\Resources
  • %windir%\resources\0409 → C:\Windows\resources\0409
  • %windir%\system32 → C:\Windows\System32
  • %ALLUSERSPROFILE% → C:\ProgramData
  • %ALLUSERSPROFILE%\Application Data → C:\ProgramData\Application Data
  • %ALLUSERSPROFILE%\Documents → C:\ProgramData\Documents
  • %ALLUSERSPROFILE%\Documents\My Music\Sample Music → C:\ProgramData\Documents\My Music\Sample Music
  • %ALLUSERSPROFILE%\Documents\My Music → C:\ProgramData\Documents\My Music
  • %ALLUSERSPROFILE%\Documents\My Pictures → C:\ProgramData\Documents\My Pictures
  • %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures → C:\ProgramData\Documents\My Pictures\Sample Pictures
  • %ALLUSERSPROFILE%\Documents\My Videos → C:\ProgramData\Documents\My Videos
  • %ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore → C:\ProgramData\Microsoft\Windows\DeviceMetadataStore
  • %ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer → C:\ProgramData\Microsoft\Windows\GameExplorer
  • %ALLUSERSPROFILE%\Microsoft\Windows\Ringtones → C:\ProgramData\Microsoft\Windows\Ringtones
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu → C:\ProgramData\Microsoft\Windows\Start Menu
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs → C:\ProgramData\Microsoft\Windows\Start Menu\Programs
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools → C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp → C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • %ALLUSERSPROFILE%\Microsoft\Windows\Templates → C:\ProgramData\Microsoft\Windows\Templates
  • %ALLUSERSPROFILE%\Start Menu → C:\ProgramData\Start Menu
  • %ALLUSERSPROFILE%\Start Menu\Programs → C:\ProgramData\Start Menu\Programs
  • %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools → C:\ProgramData\Start Menu\Programs\Administrative Tools
  • %ALLUSERSPROFILE%\Templates → C:\ProgramData\Templates
  • %LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates → C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates
  • %LOCALAPPDATA%\Microsoft\Windows\History → C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
  • %PUBLIC% → C:\Users\Public
  • %PUBLIC%\AccountPictures → C:\Users\Public\AccountPictures
  • %PUBLIC%\Desktop → C:\Users\Public\Desktop
  • %PUBLIC%\Documents → C:\Users\Public\Documents
  • %PUBLIC%\Downloads → C:\Users\Public\Downloads
  • %PUBLIC%\Music\Sample Music → C:\Users\Public\Music\Sample Music
  • %PUBLIC%\Music\Sample Playlists → C:\Users\Public\Music\Sample Playlists
  • %PUBLIC%\Pictures\Sample Pictures → C:\Users\Public\Pictures\Sample Pictures
  • %PUBLIC%\RecordedTV.library-ms → C:\Users\Public\RecordedTV.library-ms
  • %PUBLIC%\Videos → C:\Users\Public\Videos
  • %PUBLIC%\Videos\Sample Videos → C:\Users\Public\Videos\Sample Videos
  • %USERPROFILE% → C:\Windows\system32\config\systemprofile
  • %USERPROFILE%\AppData\Local → C:\Windows\system32\config\systemprofile\AppData\Local
  • %USERPROFILE%\AppData\LocalLow → C:\Windows\system32\config\systemprofile\AppData\LocalLow
  • %USERPROFILE%\AppData\Roaming → C:\Windows\system32\config\systemprofile\AppData\Roaming

Review and validate your exclusions

In addition to Get-MpPreference in PowerShell, you can validate specific cases with the command-line tool MpCmdRun.exe. Open a CMD prompt as administrator, navigate to the Defender platform folder and use -CheckExclusion:

cd "%ProgramData%\Microsoft\Windows Defender\Platform"
rem Change to the folder of the installed platform version
cd 4.18.2111-5.0
MpCmdRun.exe -CheckExclusion -path <path to check>

To really check that the exclusion is respected, you can use the EICAR test file. Download it with Invoke-WebRequest or with System.Net.WebClient and see if Defender reacts. If you have set up the exclusion correctly, Defender should not detect it in the context covered by your rule.

# Option 1: Invoke-WebRequest
Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt"
# Option 2: System.Net.WebClient
$client = New-Object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")

Without internet access, you can create the EICAR content locally using PowerShell: write the exact standard string to a temporary file within a path/condition that your exclusion covers.

[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')

Good practices and key reminders

Avoid excluding entire processes if you can use a process restriction on a specific path instead; this way you don't skip checks for that executable unnecessarily in other locations.

Whenever possible, limit exclusions to a specific scan type and trigger. For example, excluding a large folder only in the full scan and not in the on-access scan reduces risk.

Remember that the interpretation of wildcards differs from other environments. Test your rules with MpCmdRun and, if possible, with the EICAR content within the exact context (path/process) that you have excluded.

Keep Defender up to date to benefit from improvements to exclusion control. Contextual exclusions require minimum platform and engine versions. Check the product notes regularly.

Mastering Microsoft Defender exclusions allows you to fine-tune performance without overly compromising security. With contextual rules based on path type, scan type, trigger, and process, plus centralized management with GPO/Intune/SCCM and the power of PowerShell/WMI, you can exclude only what is strictly necessary and check it with MpCmdRun, Get-MpPreference and EICAR to be sure.