Quick fix: Open Windows Security → Virus & threat protection → Manage settings → Add or remove exclusions, click Add an exclusion, pick File, Folder, File type, or Process. Microsoft Defender skips scanning the excluded item.
Microsoft Defender quarantines an internal company app, slows down a large source-code folder during build, or repeatedly scans the same files inside your dev workspace. Adding an exclusion tells Defender to skip that path, file type, or process. Used carefully, this reduces false positives and improves performance without weakening protection where it matters.
Affects: Windows 11 (and Windows 10) with Microsoft Defender enabled.
Fix time: ~3 minutes.
What causes this
Microsoft Defender scans every file accessed (real-time protection) and runs scheduled scans of common paths. For trusted developer tools, internal company apps, or large dataset folders, the scans produce no security benefit but consume CPU and disk I/O. Exclusions tell Defender to skip the excluded path, type, or process during both real-time and scheduled scans.
Exclusions weaken protection only for the excluded scope — Defender still scans everything else normally.
Method 1: Add exclusions via Windows Security UI
The standard interactive approach.
- Open Windows Security (search “Windows Security” in Start, or click the shield icon in the system tray).
- Click Virus & threat protection.
- Under Virus & threat protection settings, click Manage settings.
- Scroll to Exclusions. Click Add or remove exclusions.
- Confirm the UAC prompt.
- Click Add an exclusion. Choose the type:
  - File — single .exe / data file
  - Folder — folder and all contents
  - File type — by extension (e.g., .iso, .vhdx)
  - Process — process by name (e.g., docker.exe)
- Pick the path or pattern from the file picker.
- The exclusion appears in the list immediately. Defender stops scanning the excluded scope.
Most users only need File or Folder exclusions. Process exclusions are for cases like “exclude everything docker.exe touches” — broader than path-based.
Method 2: Add exclusions via PowerShell (scriptable)
Use for repeatable deployments or scripted setup.
- Open Terminal (Admin).
- Add a folder exclusion:
Add-MpPreference -ExclusionPath "C:\dev\internal-tool"
- Add a file exclusion:
Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\app.exe"
- Add a process exclusion:
Add-MpPreference -ExclusionProcess "build-tool.exe"
- Add an extension exclusion:
Add-MpPreference -ExclusionExtension ".iso"
- View current exclusions:
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
- Remove an exclusion that’s no longer needed:
Remove-MpPreference -ExclusionPath "C:\dev\internal-tool"
PowerShell exclusions are scriptable, deployable via Intune/SCCM, and faster than the UI for multiple entries.
Method 3: Use Group Policy for organization-wide exclusions
For Pro/Enterprise environments where you want consistent exclusions across many PCs.
- Press Win + R, type gpedit.msc, press Enter.
- Navigate to Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions.
- Open Path Exclusions. Set to Enabled. Click Show, add value entries:
  - Value Name: the path (e.g., C:\dev)
  - Value: 0 (the value field is unused but required)
- Open Process Exclusions for process-based exclusions. Same approach.
- Run gpupdate /force from elevated Terminal.
- Confirm exclusions are applied: Get-MpPreference | Select-Object ExclusionPath.
This is the right path for IT-managed environments. Group Policy exclusions override user-added ones and are enforced at policy refresh.
How to verify the fix worked
- Run Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess in PowerShell. The expected entries appear.
- Run Windows Security → Virus & threat protection → Quick scan. Scan completes faster than before if you excluded a large folder.
- Build or work in your excluded development folder — no real-time scan latency.
- Place an EICAR test file (a harmless test signature) in the excluded folder — Defender should NOT alert. If it does, the exclusion isn’t correctly applied.
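Once the entries show up, it is worth reviewing what they cover. The script below is an added example, not part of the original article: it goes beyond the verification steps above by listing each configured exclusion and marking the ones that are broader than a single file or folder. The review rules and the extension list are assumptions to adjust to local policy.

```powershell
#Requires -RunAsAdministrator
# Added example: list every Defender exclusion and mark broad ones for review.
# The review rules are assumptions for illustration; tune them to your policy.
$pref = Get-MpPreference

function Get-PathNote {
    param([string]$Path)
    $norm = $Path.TrimEnd('\')
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase
    if ($norm -match '^[A-Za-z]:$')              { return 'whole drive excluded' }
    if ($Path -match '[*?]')                     { return 'wildcard path' }
    if ($norm.StartsWith($env:SystemRoot, $cmp)) { return 'inside the Windows directory' }
    return ''
}

# Extensions assumed to deserve a second look because they hold code.
$codeExtensions = 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js'

$report = @(
    foreach ($p in (@($pref.ExclusionPath) | Where-Object { $_ })) {
        [pscustomobject]@{ Type = 'Path'; Value = $p; Review = Get-PathNote $p }
    }
    foreach ($x in (@($pref.ExclusionExtension) | Where-Object { $_ })) {
        $note = if ($codeExtensions -contains $x.TrimStart('.')) { 'executable or script type' } else { '' }
        [pscustomobject]@{ Type = 'Extension'; Value = $x; Review = $note }
    }
    foreach ($proc in (@($pref.ExclusionProcess) | Where-Object { $_ })) {
        # A bare name matches that file name in any folder.
        $note = if ($proc -notmatch '\\') { 'name only, no full path' } else { '' }
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Review = $note }
    }
)

# An empty Review column means none of the assumed rules matched.
$report | Sort-Object Type, Value | Format-Table -AutoSize
```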
If none of these work
If exclusions don’t take effect, three causes apply.
- Tamper Protection: when Tamper Protection is on, only Windows Security UI can modify Defender settings — PowerShell and Group Policy may not apply. Disable Tamper Protection (Windows Security → Virus & threat protection → Manage settings → Tamper Protection → Off) before adding exclusions via PowerShell.
- Group Policy override: corporate policies may forbid local exclusions; managed environments need IT to add exclusions at the policy level.
- Path normalization: Defender stores paths as you entered them. If you typed a non-canonical path (mixed case, trailing backslash, mapped drive), the exclusion may not match. Use the file picker (Method 1) or normalize paths to absolute canonical form in PowerShell.
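For the scripted route in Method 2 and the path normalization issue described above, this added example (not from the original article) normalizes each folder path, skips entries that are already present, and reads the setting back. The folder list is constructed sample data and Resolve-ExclusionPath is a hypothetical helper; pass absolute paths, since relative ones resolve against the process working directory.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent folder exclusions with path normalization.
# Constructed sample list; replace with the folders you actually need.
$wanted = @(
    'C:\dev\internal-tool\',   # trailing backslash, removed below
    'c:\DEV\datasets'          # mixed case, compared case-insensitively
)

function Resolve-ExclusionPath {
    param([Parameter(Mandatory)][string]$Path)
    # Normalize separators and '.'/'..' segments, then drop a trailing
    # backslash unless the path is a drive root such as C:\.
    $full = [System.IO.Path]::GetFullPath($Path)
    $root = [System.IO.Path]::GetPathRoot($full)
    if ($full -ne $root) { $full = $full.TrimEnd('\') }
    return $full
}

# Current entries; an unset list comes back as $null and is filtered out.
$current = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }

foreach ($raw in $wanted) {
    $path = Resolve-ExclusionPath -Path $raw
    if (-not (Test-Path -LiteralPath $path)) {
        # Catches typos before they become a silent non-matching entry.
        Write-Warning "Skipping '$path': not found on this machine."
        continue
    }
    if ($current -contains $path) {   # -contains ignores case
        Write-Output "Already excluded: $path"
        continue
    }
    Add-MpPreference -ExclusionPath $path
    Write-Output "Added exclusion: $path"
}

# Read the setting back to confirm what Defender stored.
(Get-MpPreference).ExclusionPath
```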
Bottom line: Microsoft Defender exclusions are configurable in three ways — UI, PowerShell, or Group Policy. Choose based on whether you’re managing one PC interactively or many programmatically.